SSH Tunneling


SSH Tunneling





It is basically a way to allow one system or service to tunnel to remote system or service Remotely.

What it means is

I am going to make a connection in one location and it automatically going to forward or tunnel over SSH to different location.

It allows us...for example ...to get around things like Firewalls that may restrict me  either in hotel or work ... wireless access points or other items that may be less secure or more restrictive.....

It allows us to securely run a service  that i might not otherwsie be  able to run.

Example: I can run localhost connection that actually tunnels out to our remote host.

It is very easy to setup ...we need localhost + local port and remotehost + remote port

Local Machine:

[root@bharath bharath]# hostname
bharath.local.machine
[root@bharath bharath]#


Remote Machien: Remote Machine IP: 54.165.30.239

[root@bharath bharath]# hostname
bharath.remote.machine
[root@bharath bharath]#

What i am going to do is... i want my local connection  & would like to be connect some other port( other than 22 ... any lets say 22222 ) and it   automatically forward to remote machine(bharath.remote.machine)  with remote port 22(SSH port).

In summary.... If I connect to localhost port 22222  and in background it actually connects to the remote machine on port 22 .


[bharath@bharath3 ~]$ hostname
bharath.local.machine
[bharath@bharath3 ~]$

[bharath@bharath3 ~]$ ssh -f -L 22222:54.165.30.239:22 localhost -N

The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 0e:f0:fe:af:1d:7d:c9:38:1a:e0:98:17:07:ec:29:fa.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
Password: XXXX

If you don't want to ask the password while tunnelling  ... what you have to do is ssh-key exchange to yourself(localhost) ....add a ssh-copyid to localhost itself as below...

#ssh-keygen
#ssh-copy-id localhost


$ ssh -f -L 22222:54.165.30.239:22 localhost -N

-f  ==> Forward  the connection 

-L ==> Local connection 

to be establish on port 22222 and then Remote machine IP (54.165.30.239- name of host) and remote port (22)  and then local system that I wanted to alias for which in our case its localhost

-N ==>  just says don't execute the command on remote system.


That's it SSH tunnel done , if you just grep for the SSH you can see as below...


[bharath@bharath3 ~]$ ps aux | grep ssh
root       795  0.0  0.2  66620  1232 ?        Ss   09:24   0:00 /usr/sbin/sshd
root      1163  0.0  0.6  94180  4172 ?        Ss   09:26   0:00 sshd: bharath [priv]
bharath   1168  0.0  0.2  94180  1788 ?        S    09:26   0:00 sshd: bharath@pts/0
root      2526  0.0  0.6  94176  3796 ?        Ss   10:05   0:00 sshd: bharath [priv]
bharath   2531  0.0  0.1  60240  1004 ?        Ss   10:05   0:00 ssh -f -L 22222:54.165.30.239:22 localhost -N
bharath   2532  0.0  0.2  94176  1700 ?        S    10:05   0:00 sshd: bharath
bharath   2551  0.0  0.1 103248   948 pts/0    S+   10:11   0:00 grep --color=auto ssh
[bharath@bharath3 ~]$



Lemme connect using the port 22222 as below....just see what happened 


[bharath@bharath3 ~]$ hostname
bharath.local.machine

[bharath@bharath3 ~]$ ssh -p 22222 bharath@localhost
The authenticity of host '[localhost]:22222 ([127.0.0.1]:22222)' can't be established.
RSA key fingerprint is 1a:c1:1d:5d:6b:1a:c0:8d:71:ea:27:57:45:70:89:4f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:22222' (RSA) to the list of known hosts.
Password:XXXXX
Last login: Fri Nov 13 09:50:34 2015 from ec2-54-152-161-44.compute-1.amazonaws.com

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|
https://aws.amazon.com/amazon-linux-ami/2015.09-release-notes/
10 package(s) needed for security, out of 13 available
Run "sudo yum update" to apply all updates.

[bharath@bharath ~]$ hostname
bharath.remote.machine
[bharath@bharath ~]$



Tunnelling with out asking password:

[bharath@bharath .ssh]$ ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/home/bharath/.ssh/id_rsa):
/home/bharath/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/bharath/.ssh/id_rsa.
Your public key has been saved in /home/bharath/.ssh/id_rsa.pub.
The key fingerprint is:
53:71:1e:a3:4e:ac:1a:24:87:9a:a1:16:b1:b7:65:fc bharath@bharath.local.machine
The key's randomart image is:
+--[ RSA 2048]----+
| .        . +    |
|  o ..   . = o   |
| o..o+o   = .    |
| .o+++.  =       |
|..o.  .ES .      |
|.      o .       |
|      .          |
|                 |
|                 |
+-----------------+

[bharath@bharath .ssh]$ ssh-copy-id localhost

Password:
sudo: sorry, you must have a tty to run sudo
sudo: sorry, you must have a tty to run sudo
Now try logging into the machine, with "ssh 'localhost'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[bharath@bharath .ssh]$ ssh -f -L 33333:54.165.30.239:22 localhost -N
[bharath@bharath .ssh]$

Now just telnet  the port 33333 as below , in background it shown openSSH connection only

[bharath@bharath .ssh]$ hostname
bharath.local.machine


[bharath@bharath .ssh]$ telnet localhost 33333
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.6.1

Now just connect to port 33333 from local then you automatically connected to the remote machine(54.165.30.239) with port 22 as below..


[bharath@bharath .ssh]$ ssh -p 33333 bharath@localhost
Password:
Last login: Fri Nov 13 10:35:31 2015 from ec2-54-152-161-44.compute-1.amazonaws.com

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2015.09-release-notes/
10 package(s) needed for security, out of 13 available
Run "sudo yum update" to apply all updates.
[bharath@bharath ~]$ hostname
bharath.remote.machine
[bharath@bharath ~]$

The main use of SSH tunnelling is

Now i can use the tunnelled system(i.e. bharath.remote.machine) as a gateway for my local network to my another remote network....
So if i have other clients that i want to use... i can ssh into this server ( tunnelled machine i.e.  bharath.remote.machine) on port 33333 and connect through that my another remote host...
So all the traffic looks to be coming from and to on my  local network on port 3333 between my client and this particular server(tunnelled machine i.e.  bharath.remote.machine). But its actually been forwarded to another remote host.  

SSH tunnelling is to bypass certain type of restrictions. 

I can set this up for home for example , so that i could have SSH listening on port 80 to restrict port 22 ;) ;) ;) ;)

like  ssh -f -L 80:<<HOME_IP>>:22 localhost -N 

like 

[bharath@bharath .ssh]$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.6.1








Comments

  1. UnknownMay 2, 2018 at 12:06 AM

    I wish to show thanks to you just for bailing me out of this particular trouble.As a result of checking through the net and meeting techniques that were not productive, I thought my life was done.
    Devops Training in Bangalore

    ReplyDelete

Post a Comment

Popular posts from this blog

Ansible for Devops

Image
          All my ansible code which is mentioned in this article is in my github repo in below link just download and run it in your own machine.        Link is i.e.   Ansible4devops Ansible is a IT automation tool useful to build and deploy from servers to applications to monitoring. let's say end-to-end IT automation tool. Unlike other automation tools like puppet,chef etc, Ansible doesn't need any agent setup in client side. Only thing ansible needs is python, by default all Linux flavours has python by default and Ansible works over SSH-KEYGEN exchange from control server to target server. Most importantly it easy to implement and understand. This blog is for how to work effectively with Ansible which will help to solve your day-2-day problem in IT. Install Ansible Assuming if you already have python in your Linux box.(Comes with OS itself :)  ) In order to install ansible just do #yum install ansibl...
Read more

python in liunx

           Installing Python-3 ,Running the Python interactive-console,Passing arguments to a script  Installing python-3 in centos-6 in Traditional Way and using yum Before this just add an EPEL repo to your cent-os yum list. Traditional way # yum install gcc  --> Its a just dependency package Down load here # cd /usr/src # wget https://www.python.org/ftp/python/3.4.3/Python-3.4.3.tgz Now extract the downloaded package. # tar xzf Python-3.4.3.tgz # cd Python-3.4.3 # ./configure # make altinstall make altinstall is used to prevent replacing the default python binary file /usr/bin/python. Now remove downloaded source archive file from your system # rm Python-3.4.3.tgz Check the latest version installed of python using below command # python3.4 -V Python 3.4.3   Using yum package: #sudo yum install https://centos6.iuscommunity.org/ius-release.rpm #sudo yum search python3 Most probably, you would install Python 3.4: #...
Read more

All About Amazon Web Services(AWS)

Image
AWS is made up of Regions and Availability Zones. AWS Essentials Storage Basics On AWS There are different types of storage available in Amazon Web Services. here i will give core understanding of storage devices when we are thinking to architecting our applications in AWS. 1.S3(Simple Storage Service-S3) : It's a scalable object & File storage.You can store objects & Files such as pdfs,jpgs, anything that a regular operating system files. You can store unlimited data as files in objects(objects are from 1 byte to 1 TeraByte) you can upload your data form your off-site to your AWS S3 account. you can do  amazon server side encryption for your data. you can host static files and websites as well. The data in S3 automatically syncs to different availability zones in a region. So that it can be useful for the high available purpose as well.Hence S3 can be used for an high available environment. You can host private content using ...
Read more