This page looks best with JavaScript enabled

SSH TUNNELLING - TUNNEL OPTIONS

 ·   ·  ☕ 3 min read

    SSH TUNNELLING FOR FUN AND PROFIT: TUNNEL OPTIONS

    SSH Login shell

    Remember the following example:

    ssh -L 5000:localhost:3306 cytopia@everythingcli.org
    

    Once you have executed the above command, a tunnel is established. However, you will also be logged in into the remote server with a SSH session. If you simply want to do some port forwarding you will not need or might not even want a remote login session. You can disable it via -N, which is a very common option for SSH tunnels:

    ssh -N -L 5000:localhost:3306 cytopia@everythingcli.org
    

    The -N option is also very useful when you want to create SSH tunnels via cron

    Argument

    Explanation

    -N

    After you connect just hang there (you won’t get a shell prompt)
    SSH man: Do not execute a remote command.
    Note: Only works with SSHv2

    So if you are not going to execute remote commands and will not need a login shell, you also do not need to request a pseudo terminal in the first place.

    ssh -T -N -L 5000:localhost:3306 cytopia@everythingcli.org
    

    Argument

    Explanation

    -T

    Disable pseudo-terminal allocation.
    This makes it also safe for binary file transfer which might contain escape characters such as ~C.

    SSH tunnel via cron

    Imagine you want to have a SSH tunnel be established (or checked and if it doesn’t run re-opened) via cron every hour. For that to work, SSH must go into background. For that we use -f.

    ssh -f -L 5000:localhost:3306 cytopia@everythingcli.org
    

    Argument

    Explanation

    -f

    Requests ssh to go to background just before command execution.

    But hey, if SSH is in the background anyway, we do not need a login shell (-N) and therefore also do not need a tty (-T). So the full command ready for cron would be:

    ssh -f -T -N -L 5000:localhost:3306 cytopia@everythingcli.org
    

    Note: Be aware that this example requires private/public key authentication as cron will not be able to enter passwords.

    SSH tunnel on a non-standard port

    What if the SSH server is listening on a non-standard port (not tcp22). You can always add a port option. Let’s imagine SSH itself is listening on port 1022:

    ssh -T -N -L 5000:localhost:3306 cytopia@everythingcli.org -p 1022
    

    Argument

    Explanation

    -p

    Port to connect to on the remote host.

    SSH tunnel with a non standard private key

    Let’s assume you have many different private keys for different servers. If not explicitly specified, SSH will look for a file called ~/.ssh/id_rsa. In this case however, your file is called ~/.ssh/id_rsa-cytopia@everythingcli. So you will also pass this information to the tunnel command.

    ssh -T -N -L 5000:localhost:3306 cytopia@everythingcli.org -i ~/.ssh/id_rsa-cytopia@everythingcli
    

    SSH tunnel via SSH config

    The most complex example from this tutorial is:

    ssh -f -T -N -L 5000:localhost:3306 cytopia@everythingcli.org -p 1022 -i ~/.ssh/id_rsa-cytopia@everythingcli
    

    We all are lazy-ass and don’t want to type the whole thing every time we need a quick tunnel. This is where ~/.ssh/config comes into play.

    Adding user and host

    $ vim ~/.ssh/config
     Host cli
        HostName      everythingcli.org
        User          cytopia
    

    With this, we have created an alias cli for host everythingcli.org with user cytopia. Now our command can be written like this:

    ssh -f -T -N -L 5000:localhost:3306 cli -p 1022 -i ~/.ssh/id_rsa-cytopia@everythingcli
    

    Adding port and identity file

    $ vim ~/.ssh/config
     Host cli
        HostName      everythingcli.org
        User          cytopia
        Port          1022
        IdentityFile  ~/.ssh/id_rsa-cytopia@everythingcli
    

    Now the ssh command looks like this:

    ssh -f -T -N -L 5000:localhost:3306 cli
    

    Adding tunnel config

    In the above example we have a generic configuration for the host everthingcli.org which will work for normal ssh connection as well as for establishing a tunnel. Let’s copy all of the above block under a new alias cli-mysql-tunnel and add the tunnel specific configuration:

    $ vim ~/.ssh/config
     Host cli-mysql-tunnel
        HostName      everythingcli.org
        User          cytopia
        Port          1022
        IdentityFile  ~/.ssh/id_rsa-cytopia@everythingcli
        LocalForward  5000 localhost:3306
    

    Now we can create the tunnel in a much shorter way:

    ssh -f -T -N cli-mysql-tunnel
    

    Ohidur Rahman Bappy
    WRITTEN BY
    Ohidur Rahman Bappy
    📚Learner 🐍 Developer