ssh (1)
ssh tunnel
Abbreviations used:
  LPORT : local port
  LADDR : local address
  RPORT : remote port
  RADDR : remote address
The -L flag sets up an ssh tunnel that forwards port LPORT on the local host to RADDR:RPORT, where the connection to RADDR:RPORT is made from the machine gateway (the ssh tunnel endpoint). The forwarding spec always has the form [bind_address:]LPORT:RADDR:RPORT; the host field is resolved on the gateway, so localhost there means the gateway itself. By default the local listener binds to the loopback interface only; prefix a bind address (for example 0.0.0.0:LPORT:RADDR:RPORT) to expose it to other machines.
# Forward local port to remote port on the gateway itself.
ssh -L LPORT:localhost:RPORT gateway
# Forward local port to remote port on remote address via gateway.
ssh -L LPORT:RADDR:RPORT gateway
In this scenario, requests are issued on the local machine and target some remote resource, effectively making a remote resource accessible on the local machine, even one that is reachable only from the tunnel endpoint (gateway). A two-field spec such as LPORT:RPORT is rejected by ssh as a bad forwarding specification.
The -R flag sets up an ssh tunnel that exposes the local port LPORT as RPORT on the remote machine gateway. The spec has the same shape, [bind_address:]RPORT:LADDR:LPORT, but here the listener is created on the gateway and the host field is resolved on the local machine.
# Expose local port via remote port on gateway.
ssh -R RPORT:localhost:LPORT gateway
# Expose local port of machine with local address via remote port on gateway.
ssh -R RPORT:LADDR:LPORT gateway
In this scenario, requests are issued on the gateway and target some resource in the local network, effectively exposing the local resource on the remote machine (gateway). The listener on the gateway binds to its loopback interface unless sshd there is configured with GatewayPorts, and an RPORT below 1024 requires root privileges on the gateway.
The trick to memorizing the syntax is to read the forwarding spec left (listen side) to right (connect side): with -L the listener is local and the outgoing connection is made from the gateway, with -R the listener is on the gateway and the outgoing connection is made from the local machine.
The following flags are useful for setting up ssh tunnels:
  -N : do not execute a remote command (without it ssh drops into a shell on the remote side)
  -f : run ssh in the background (after authentication has completed)
  -J : jump host (useful for multi-hop connections)
  -D : dynamic port forwarding (SOCKS proxy)
  -X : enable X11 forwarding, useful for GUI applications
  -o ExitOnForwardFailure=yes : make ssh exit with an error when a requested forward cannot be set up; important together with -f, which would otherwise background a session without the tunnel
Example
# Forward requests on localhost:8080 to moose:1234 and keep ssh in the foreground
# but don't drop into a shell.
ssh -N -L 8080:localhost:1234 moose
# Forward requests on moose:80 to localhost:8080 and keep ssh in the foreground
# but don't drop into a shell. Binding port 80 on moose requires root there.
ssh -N -R 80:localhost:8080 moose
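The following script is an added example, not part of the original notes: it validates a forwarding spec before handing it to ssh (rejecting the two-field form that ssh refuses), then opens a -L tunnel in the background behind a ControlMaster socket so the tunnel can be checked and closed without hunting for the ssh process. The host alias gateway, the internal address 10.0.0.5:5432, the TUNNEL_DEMO variable and the function names are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumes "gateway" is a host
# alias in ~/.ssh/config and that 10.0.0.5:5432 is a made-up address that is
# reachable only from gateway.
set -eu

# Validate a -L/-R spec. OpenSSH requires [bind_address:]port:host:hostport;
# a two-field spec such as 8080:1234 is rejected with
# "Bad local forwarding specification". Returns 0 if the spec is usable.
# (IPv6 bind addresses in brackets are not handled by this simple check.)
check_fwd_spec() {
    spec=$1
    seps=$(printf '%s' "$spec" | tr -cd ':' | wc -c | tr -d ' ')
    case $seps in
        2|3) ;;
        *) printf "bad spec '%s': need [bind:]port:host:hostport\n" "$spec" >&2
           return 1 ;;
    esac
    port=${spec%:*:*}; port=${port##*:}   # listen port: third field from the end
    hostport=${spec##*:}                  # connect port: last field
    for p in "$port" "$hostport"; do
        case $p in
            ''|*[!0-9]*)
                printf "non-numeric port '%s' in '%s'\n" "$p" "$spec" >&2
                return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            printf "port %s out of range in '%s'\n" "$p" "$spec" >&2
            return 1
        fi
    done
}

# Start the tunnel: -f background, -N no remote command, -M -S control socket.
# ExitOnForwardFailure makes ssh exit non-zero if the local port cannot be
# bound instead of backgrounding a session without the tunnel.
open_tunnel() {   # open_tunnel <socket> <gateway> <spec>
    check_fwd_spec "$3" || return 1
    ssh -f -N -M -S "$1" -o ExitOnForwardFailure=yes -L "$3" "$2"
}
tunnel_alive() {  # tunnel_alive <socket> <gateway>
    ssh -S "$1" -O check "$2" >/dev/null 2>&1
}
close_tunnel() {  # close_tunnel <socket> <gateway>
    ssh -S "$1" -O exit "$2"
}

# Guarded so the functions can be sourced or tested without a real gateway.
if [ -n "${TUNNEL_DEMO:-}" ]; then
    sock=${HOME}/.ssh/tunnel-demo.sock   # keep control sockets in a user-only directory
    open_tunnel "$sock" gateway 8080:10.0.0.5:5432
    tunnel_alive "$sock" gateway && echo "localhost:8080 -> 10.0.0.5:5432 via gateway"
    close_tunnel "$sock" gateway
fi
```

Run with TUNNEL_DEMO=1 to exercise the tunnel against a real gateway; the same spec check applies unchanged to -R specs, where the listen port is the one bound on the gateway.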
ssh keys
Utility script to generate ssh key pairs; it refuses to overwrite an existing key of the same name.
#!/usr/bin/env bash
NAME=${1:?Pass new keyname as first arg}
TYPE=ed25519
FILE="${HOME}/.ssh/${NAME}-${TYPE}"
if [[ -f "${FILE}" || -f "${FILE}.pub" ]]; then
echo "Key with name '${NAME}' already exists, remove following files explicitly:"
echo " ${FILE} ${FILE}.pub"
exit 1
fi
set -x
# -C sets a comment identifying the key, -a 100 sets the KDF rounds protecting the passphrase.
ssh-keygen -C "${NAME}.${USER}@${HOSTNAME}" -f "${FILE}" -t "${TYPE}" -a 100
To generate many keys at once, pass the passphrase on the command line with -N "toor", or an empty one with -N "". A passphrase given as an argument ends up in the shell history and is visible in the process list while ssh-keygen runs, so use the interactive prompt for keys that matter.
ssh config - ~/.ssh/config
Frequently used config entries, each matching a single Host block.
# When ssh-ing into foo or bar, do it as user git with the given key.
host foo bar
user git
identityfile ~/.ssh/some-key
# When ssh-ing into moose actually log into host with ip addr 1.2.3.4.
# Can be used as alias for machines w/o DNS entries.
host moose
user root
port 8022
hostname 1.2.3.4
identityfile ~/.ssh/some-key
# Reach r100 through gatewayip (older style; ProxyJump gatewayip is the modern equivalent).
Host r100-wfh
HostName r100
ProxyCommand ssh name@gatewayip -W %h:%p 2>/dev/null
# Open a fixed local forward and a SOCKS proxy whenever connecting to lab-out.
Host lab-out
Hostname gatewayip
Port 6666
LocalForward 8082 localhost:8082
DynamicForward 12345
Copy files through an ssh tunnel.
# First, open the tunnel: local port 1234 leads to remote2:22 via remote1 (whose sshd listens on 45678).
ssh -L 1234:remote2:22 -p 45678 user1@remote1
# Then, use the tunnel to copy the file directly from remote2.
scp -P 1234 user2@localhost:file .
The host key offered on localhost:1234 is remote2's, and known_hosts records it under [localhost]:1234; reusing that local port for a different host later produces a host-key mismatch warning. Modern scp also accepts -J, which reaches remote2 through the jump host without the tunnel and without that known_hosts confusion.
Pattern matching and evaluation order.
# For each parameter, the first value obtained is used, so more host-specific
# blocks must come before wildcard blocks.
host tree7
user banana
host tree*
user cherry
# The matched hostname can be referenced with %h.
hostname %h.some-dns-path
# ssh tree7 -> banana@tree7.some-dns-path
# ssh tree5 -> cherry@tree5.some-dns-path
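The script below is an added example, not part of the original notes: it checks the evaluation order above with ssh -G, which prints the effective configuration for a destination without connecting, so the check works offline and before any key or host-key setup. The config file is constructed for the example and mirrors the tree7/tree* blocks; the helper name effective is an assumption.

```shell
#!/bin/sh
# Added example (not from the original notes): verify Host block precedence
# with `ssh -G`, which dumps the effective client config for a host.
set -eu

CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT
# Constructed config: the specific block first, the wildcard block second.
cat >"$CFG" <<'EOF'
Host tree7
    User banana
Host tree*
    User cherry
    HostName %h.some-dns-path
EOF

# effective <option> <host>: print one option from the effective config.
# ssh -G prints keywords in lower case, hence "user" and "hostname".
effective() {
    ssh -G -F "$CFG" "$2" | awk -v k="$1" '$1 == k { print $2 }'
}

# Guarded so the file can be sourced on a machine without an ssh client.
if command -v ssh >/dev/null 2>&1; then
    effective user tree7        # banana
    effective user tree5        # cherry
    effective hostname tree5    # tree5.some-dns-path
fi
```

Swapping the two Host blocks in the config makes ssh -G report cherry for tree7 as well, which is the mistake the ordering rule above guards against; ssh -G is also the quickest way to confirm what %h expands to in a HostName line.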