[Wolves] ssh for eedjits?

David Goodwin dg at clocksoft.com
Wed Feb 2 08:17:41 GMT 2005


> ...but I gather there is a lot more to this.  For example, can I do
> VNC-style stuff?  If so, how?  I'm keen to be able to do this from
> web-based clients or from programs on my wonderful USB HDD, so I can
> look at files, do things remotely, etc, pref from GUIs rather than CLIs.
> 

SSH allows you to do port forwarding, i.e. a port on a local machine can 
be forwarded to another.

There are two directions - either you want a port on a remote machine 
available locally (-L), or you wish to make a local port available 
remotely (-R).


E.g.

For the sake of argument, imagine we have a network where there are two 
firewalls - one at work, and yours at home. You have ssh access to 
machines at either end, and wish to:

1) Read your work email from home

2) Access a remote desktop (or vnc) server at work, from home while 
you're bored over the weekend.


Naff diagram time :


ServerAtWork <--> SSH server at work <--> Internet <--> ComputerAtHome
10.1.1.5     <--> 122.222.222.221    <--> 0.0.0.0  <--> 123.221.123.221

So :

If I'm logged into my computer at home, I can normally do an SSH to the 
server at work (i.e. ssh $user@122.222.222.221). From there I can 
obviously reach the server 10.1.1.5, and access services on it.

If I wish to access e.g. a web server, on 10.1.1.5 using a web browser 
on my ComputerAtHome, I would normally be unable to do so - as there's a 
firewall in the way etc. However, because you have permission to access 
the SSH server at work, you can use port forwarding, where port 80 (www) 
on 10.1.1.5 is forwarded to a semi-random port (which you choose) on 
123.221.123.221... as follows :

[$user@123.221.123.221] $ ssh -L 8888:10.1.1.5:80 $me@122.222.222.221

After doing this, you can point your web browser at http://localhost:8888.

If security isn't a concern, add in the -g, which stops the forwarded 
port from being available only on localhost, so anyone on your LAN at 
home could access it (and if you have a naff firewall, anyone on the web 
too).



If you're at work, and wish to access VNC at home, you can do :

[$me@work] $ ssh -L 5010:localhost:5000 $user@$homeip

Now point vncviewer to localhost:10 (or localhost:5010) and as long as 
you have a vnc server running on your home machine, listening on port 
5000 (localhost:0) you're all set.


Finally, to illustrate the -R notation...

If you're at work, and wish to ssh to your machine at home, and allow 
yourself from the machine at home then to access e.g. the subversion 
server at work :

ssh -R 8080:svnServer:80 $user@$homeip
Now you can do a :
svn co http://localhost:8080/svn/repositoryName

and work at home... from work. (not sure why you'd want to do that, but 
I can't think of any better examples at the moment).


Ah.. yes :

If you're supporting a Linux machine, and you don't want it to have any 
ports listening on the web... you therefore can't allow ssh to listen - 
so how do you connect to do remote admin? Well.. one way :

ssh is running, and listening on the localhost (127.0.0.1) IP only.

You give the user an icon on the desktop, which when they click, will 
open a connection to a remote server of yours (you unfortunately need to 
give them shell access :( ), using the -R style of port forwarding.
So the script beneath the icon runs :

ssh -R 12345:localhost:22 $user@$server

Now on $server, you can connect to port 12345, and actually get to the 
ssh daemon on the user's machine.


That's enough for now, longest post ever, I'm sure (for me).

David.

p.s. you can also check in a -C for compression to ssh, or a -X for X11 
forwarding.

-- 
David Goodwin
w: http://www.clocksoft.com
e: david.goodwin at clocksoft.com
t: 0121 313 3850

See http://www.PayThyme.com for an Open Source UK Payroll
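The following is an added example and is not part of David's post. It puts the -L and -R forms from the post into a small POSIX shell helper that builds the ssh command line with an explicit loopback bind address (the opposite of the -g caveat above), and a second helper that reads `ss -ltn`-style listener lines and reports any forwarded port that is bound to something other than loopback. The hosts, ports and user names are the post's own or placeholders, and the listener output is a constructed sample; nothing here opens a connection.

```shell
#!/bin/sh
# Added example, not from the original post. Builds ssh port-forward
# command lines and audits listening sockets for forwards that are
# reachable from beyond localhost. Hosts/ports are placeholders.

# build_forward DIRECTION BIND_PORT TARGET_HOST TARGET_PORT USER@GATEWAY
#   L: a remote service appears on BIND_PORT at the local end
#   R: a local service appears on BIND_PORT at the gateway
# The explicit 127.0.0.1 bind address keeps the forwarded port off the
# LAN (what -g would otherwise open up). -N asks for no remote shell,
# and ExitOnForwardFailure makes ssh fail instead of quietly giving you
# a session with no tunnel when the port is already taken.
build_forward() {
    dir=$1 bind_port=$2 target=$3 target_port=$4 gw=$5
    case "$dir" in
        L|R) ;;
        *) echo "build_forward: direction must be L or R" >&2; return 1 ;;
    esac
    printf 'ssh -N -o ExitOnForwardFailure=yes -%s 127.0.0.1:%s:%s:%s %s\n' \
        "$dir" "$bind_port" "$target" "$target_port" "$gw"
}

# exposed_forwards "PORT PORT ..." < ss-output
# Reads lines in the shape of `ss -ltn` on stdin and prints each port
# from the list that is listening on a non-loopback address.
exposed_forwards() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)        # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)    # text before the last colon
            if ((port in w) && host != "127.0.0.1" && host != "[::1]")
                print port
        }'
}

# Constructed sample of `ss -ltn` output: 8888 bound to loopback only
# (ssh default), 5010 bound on every interface (what -g produces).
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8888       0.0.0.0:*
LISTEN 0      128    0.0.0.0:5010         0.0.0.0:*
LISTEN 0      128    [::1]:8888           [::]:*'

# check_sample: run the audit over the constructed sample for ports 8888 and 5010.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTENERS" | exposed_forwards "8888 5010"
}

# Usage: the three scenarios from the post, then the audit.
build_forward L 8888 10.1.1.5 80 me@122.222.222.221   # work web server from home
build_forward L 5010 localhost 5000 user@homeip       # home VNC from work
build_forward R 12345 localhost 22 user@server        # reverse tunnel for remote admin
echo "forwards reachable from beyond localhost: $(check_sample)"
```

On a real machine you would replace `printf '%s\n' "$SAMPLE_LISTENERS"` with `ss -ltn` (or `netstat -ltn` on older systems) and pass the ports you forwarded; anything it prints is a port that the -g discussion above applies to.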
