Tunneling/Port Forwarding

The ssh utility allows you to forward a port (page ) through the encrypted connection it establishes. Because the data sent across the forwarded port uses the encrypted ssh connection as its data link layer (page ), the term tunneling (page ) is applied to this type of connection: "The connection is tunneled through ssh." You can secure protocols, including POP, X, IMAP, and WWW, by tunneling them through ssh.

Forwarding X11

The ssh utility makes it easy to tunnel the X11 protocol. For X11 tunneling to work, you must enable it on both the server and the client. On the server, you enable X11 forwarding by setting the X11Forwarding declaration to yes in the /etc/ssh/sshd_config file (page ).

Trusted clients

In the past there was only one way for a client to enable X11 forwarding; today there are two ways. Previously, when you enabled X11 forwarding on a client (by setting ForwardX11 to yes in a configuration file or by using the -X option on the ssh command line), the client connected as a trusted client, which meant that the client trusted the server and was given full access to the X11 display. With full access to the X11 display, in some situations a client may be able to modify other clients of the X display. Make a secure connection only when you trust the remote system. (You do not want someone tampering with your client.) If this concept is confusing, see the tip "" on page .

Nontrusted clients

As of CentOS Linux 3 and RHEL version 4 (OpenSSH 3.8 and later), an ssh client can connect to an ssh server as a trusted client or as a nontrusted client. A nontrusted client is given limited access to the X11 display and cannot modify other clients of the X display.

Few clients work properly when they are run in nontrusted mode. If you are running an X client in nontrusted mode and you encounter problems, try running in trusted mode (assuming you trust the remote system). CentOS Linux sets up ssh clients to run in trusted mode by default.

Running ssh

When you start an ssh client, you can use the -Y option (page ) on the command line to start the client in trusted mode. This option performs the same function as the -X option did in earlier versions of ssh. Or you can set the ForwardX11Trusted declaration to yes in a user's ~/.ssh/config configuration file (page ) or, working as root, you can set ForwardX11Trusted to yes in the global /etc/ssh/ssh_config file (page ) to enable trusted X11 tunneling.

To use nontrusted tunneling you can use the -X option (page ) or set the ForwardX11 declaration to yes in one of the configuration files (page ).

With X11 forwarding turned on, ssh tunnels the X11 protocol, setting the DISPLAY environment variable on the system it connects to and forwarding the required port. You must have the DISPLAY variable set. Typically you will be running from a GUI, which usually means that you are using ssh on a terminal emulator to connect to a remote system. When you give an X11 command from an ssh prompt, OpenSSH creates a new secure channel that carries the X11 data. The graphical output from the X11 program appears on your screen.

[peach] $ ssh speedy
[speedy] $ echo $DISPLAY
localhost:10.0

By default, ssh uses X Window System display numbers 10 and higher (port numbers 6010 and higher) for forwarded X sessions. Once you connect to a remote system using ssh, you can give a command to run an X application. The application will then run on the remote system with its display appearing on the local system, so that it appears to run locally.
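An added example (not from the book) that checks, before you connect, which of the two X11 modes the client will actually use, and maps the DISPLAY value sshd sets to the TCP port behind it. It assumes an OpenSSH client that supports `ssh -G` (6.8 and later), which prints the effective configuration for a host as lowercase "keyword value" lines.

```shell
#!/bin/sh
# x11_mode: read "keyword value" lines as printed by `ssh -G host` on stdin and
# print how the client will forward X11: trusted, untrusted, or off.
# ForwardX11Trusted only matters once ForwardX11 is yes.
x11_mode() {
    fwd=no; trusted=no
    while read -r key value; do
        case "$key" in
            forwardx11)        fwd=$value ;;
            forwardx11trusted) trusted=$value ;;
        esac
    done
    if [ "$fwd" != yes ]; then
        echo off
    elif [ "$trusted" = yes ]; then
        echo trusted
    else
        echo untrusted
    fi
}

# display_port: convert a DISPLAY such as localhost:10.0 to the TCP port the
# forwarded X session listens on (display number + 6000).
display_port() {
    n=${1#*:}          # drop "host:"   -> "10.0"
    n=${n%%.*}         # drop ".screen" -> "10"
    echo $((6000 + n))
}

# Constructed sample of `ssh -G speedy` output (only the two relevant keywords).
sample_config='forwardx11 yes
forwardx11trusted no'

printf '%s\n' "$sample_config" | x11_mode      # untrusted
display_port localhost:10.0                     # 6010
```

On a real system run `ssh -G speedy | x11_mode` to see the mode for that host before opening the session; with the CentOS defaults described above it reports trusted.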

Port forwarding

You can forward arbitrary ports using the -L and -R options. The -L option forwards a local port to a remote system, so that a program that tries to connect to the forwarded port on the local system transparently connects to the remote system. The -R option does the reverse: It forwards remote ports to the local system. The -N option, which prevents ssh from executing remote commands, is generally used with -L and -R. When you specify -N, ssh works only as a private network to forward ports. An ssh command line using one of these options has the following format:

$ ssh -N -L|-R local-port:remote-host:remote-port target

where local-port is the number of the local port that is being forwarded to or from remote-host, remote-host is the name or IP address of the system that local-port gets forwarded to or from, remote-port is the number of the port on remote-host that is being forwarded from or to the local system, and target is the name or IP address of the system ssh connects to.

As an example, assume that there is a POP mail client on the local system and that the POP server is on a remote network, on a system named pophost. POP is not a secure protocol; passwords are sent in cleartext each time the client connects to the server. You can make it more secure by tunneling POP through ssh (POP-3 connects on port 110; port 1550 is an arbitrary port on the local system):

$ ssh -N -L 1550:pophost:110 pophost

After giving the preceding command, you can point the POP client at localhost:1550, and the connection between the client and the server will be encrypted. (When you set up an account on the POP client, specify the location of the server as localhost, port 1550; details vary with different mail clients.) In this example, remote-host and target are the same system.

Firewalls

The system specified for port forwarding (remote-host) does not have to be the same as the destination of the ssh connection (target). As an example, assume the POP server is behind a firewall and you cannot connect to it via ssh. If you can connect to the firewall via the Internet using ssh, you can encrypt the part of the connection over the Internet:

$ ssh -N -L 1550:pophost:110 firewall

Here remote-host, the system receiving the port forwarding, is pophost, and target, the system that ssh connects to, is firewall.

You can also use ssh when you are behind a firewall (that is running sshd) and want to forward a port into your system without modifying the firewall settings:

$ ssh -R 1678:localhost:80 firewall

The preceding command forwards connections from the outside to port 1678 on the firewall to the local Web server. Forwarding connections in this manner allows you to use a Web browser to connect to port 1678 on the firewall in order to connect to the Web server on the local system. This setup would be useful if you ran a Webmail program (page ) on the local system because it would allow you to check your mail from anywhere using an Internet connection.
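An added example (not from the book) that wraps the POP tunnel from the text in a small script: it validates the port numbers, binds the forwarded port explicitly to the loopback address so it is never reachable from other hosts by accident, starts ssh in the background with -N, and waits for the local listener before reporting success. pophost is the book's placeholder name; the script assumes the nc utility is available for the listener check.

```shell
#!/bin/sh
# valid_port: succeed only if $1 is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_spec local-port remote-host remote-port
# Prints the -L argument with an explicit loopback bind address.
forward_spec() {
    valid_port "$1" && valid_port "$3" || return 1
    printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

# start_tunnel target spec: -f backgrounds ssh, -N runs no remote command,
# ExitOnForwardFailure makes ssh fail instead of silently dropping the
# forward (for example when the local port is already in use).
start_tunnel() {
    target=$1; spec=$2
    lport=$(printf '%s\n' "$spec" | cut -d: -f2)
    ssh -f -N -o ExitOnForwardFailure=yes -L "$spec" "$target" || return 1
    i=0
    while [ "$i" -lt 10 ]; do
        # nc -z only checks that the port accepts connections (assumed present)
        if nc -z 127.0.0.1 "$lport" 2>/dev/null; then return 0; fi
        i=$((i + 1)); sleep 1
    done
    echo "tunnel on port $lport did not come up" >&2
    return 1
}

# Run the POP tunnel from the text only when invoked as: ./pop-tunnel.sh run
if [ "${1:-}" = run ]; then
    spec=$(forward_spec 1550 pophost 110) || { echo "bad port" >&2; exit 1; }
    start_tunnel pophost "$spec" && echo "point the POP client at localhost:1550"
fi
```

For the -R example above, sshd on firewall binds port 1678 to its own loopback interface unless its GatewayPorts setting allows remote hosts to connect, so check that setting if outside browsers cannot reach the port.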

Compression

Compression, which is enabled with the -C option, can speed up communication over a low-bandwidth connection. This option is commonly used with port forwarding. Compression can increase latency to an extent that may not be desirable for an X session forwarded over a high-bandwidth connection.