[Wolves] ssh for eedjits?
David Goodwin
dg at clocksoft.com
Wed Feb 2 08:17:41 GMT 2005
> ...but I gather there is a lot more to this. For example, can I do
> VNC-style stuff? If so, how? I'm keen to be able to do this from
> web-based clients or from programs on my wonderful USB HDD, so I can
> look at files, do things remotely, etc, pref from GUIs rather than CLIs.
>
SSH allows you to do port forwarding i.e. a port on a local machine can
be forwarded to another.
There are two directions - either you want a port on a remote machine
available locally (-L), or you wish to make a local port available
remotely (-R)
E.g.
For the sake of argument, imagine we have a network where there are two
firewalls - one at work, and yours at home. You have ssh access to
machines at either end, and wish to:
1) Read your work email from home
2) Access a remote desktop (or vnc) server at work, from home while
you're bored over the weekend.
Naff diagram time :
ServerAtWork <--> SSH server at work <--> Internet <--> ComputerAtHome
10.1.1.5 <--> 122.222.222.221 <--> 0.0.0.0 <--> 123.221.123.221
So :
If I'm logged into my computer at home, I can normally do an SSH to the
server at work (i.e. ssh $user@122.222.222.221). From there I can
obviously reach the server 10.1.1.5, and access services on it.
If I wish to access e.g. a web server, on 10.1.1.5 using a web browser
on my ComputerAtHome, I would normally be unable to do so - as there's a
firewall in the way etc. However, because you have permission to access
the SSH server at work, you can use port forwarding, where port 80 (www)
on 10.1.1.5 is forwarded to a semi-random port (which you choose) on
123.221.123.221... as follows :
[$user at 123.221.123.221] $ ssh -L 8888:10.1.1.5:80 $me@122.222.222.221
After doing this, you can point your web browser at http://localhost:8888.
If security isn't a concern, add in the -g, which stops the forwarded
port from being available only on localhost, so anyone on your LAN at
home could access it (and if you have a naff firewall, anyone on the web
too).
If you're at work, and wish to access VNC at home, you can do :
[$me at work] $ ssh -L 5010:localhost:5000 $user@$homeip
Now point vncviewer to localhost:10 (or localhost:5010) and as long as
you have a vnc server running on your home machine, listening on port
5000 (localhost:0) you're all set.
Finally, to illustrate the -R notation...
If you're at work, and wish to ssh to your machine at home, and allow
yourself from the machine at home then to access e.g. the subversion
server at work :
ssh -R 8080:svnServer:80 $user@$homeip
Now you can do a :
svn co http://localhost:8080/svn/repositoryName
and work at home... from work. (not sure why you'd want to do that, but
I can't think of any better examples at the moment).
Ah.. yes :
If you're supporting a Linux machine, and you don't want it to have any
ports listening on the web... you therefore can't allow ssh to listen -
so how do you connect to do remote admin? Well.. one way :
ssh is running, and listening on the localhost (127.0.0.1) IP only.
You give the user an icon on the desktop, which when they click, will
open a connection to a remote server of yours (you unfortunately need to
give them shell access :( ), using the -R style of port forwarding.
So the script beneath the icon runs :
ssh -R 12345:localhost:22 $user@$server
Now on $server, you can connect to port 12345, and actually get to the
ssh daemon on the user's machine.
That's enough for now, longest post ever, I'm sure (for me).
David.
p.s. you can also chuck in a -C for compression to ssh, or a -X for X11
forwarding.
--
David Goodwin
w: http://www.clocksoft.com
e: david.goodwin at clocksoft.com
t: 0121 313 3850
See http://www.PayThyme.com for an Open Source UK Payroll
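An added example, not code from David's post: a small POSIX shell script that builds the three tunnels described above with safer defaults (no shell, loopback-only bind, fail if the port is taken) and then audits the listening sockets, so that a forward which ended up on 0.0.0.0 because of -g or GatewayPorts=yes gets noticed. The addresses and ports are the post's own; user@homeip and user@server stand in for the post's $user@$homeip and $user@$server, and the ss(8) snapshot at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the post's tunnels with
# safer defaults and audits the result. Hosts/ports are the post's; the
# ss(8) output near the bottom is constructed for the demo.

# tunnel_cmd DIRECTION LISTEN_PORT TARGET_HOST TARGET_PORT USER@GATEWAY
#   Prints an ssh command line for a -L or -R forward.
#   -N                           open no shell, only the tunnel
#   -o ExitOnForwardFailure=yes  exit if the listen port is already taken,
#                                instead of silently connecting without it
#   127.0.0.1: bind prefix       listen on loopback only (the opposite of -g)
tunnel_cmd() {
  dir=$1; lport=$2; thost=$3; tport=$4; dest=$5
  case "$dir" in
    L|R) ;;
    *) echo "tunnel_cmd: direction must be L or R, got '$dir'" >&2; return 1 ;;
  esac
  case "$lport$tport" in
    *[!0-9]*) echo "tunnel_cmd: ports must be numeric" >&2; return 1 ;;
  esac
  printf 'ssh -N -o ExitOnForwardFailure=yes -%s 127.0.0.1:%s:%s:%s %s\n' \
    "$dir" "$lport" "$thost" "$tport" "$dest"
}

# audit_listener PORT
#   Reads `ss -ltn` or `netstat -ltn` output on stdin (the local address is
#   the 4th column in both) and warns about every socket on PORT that is not
#   bound to a loopback address, i.e. a forward reachable from the LAN, which
#   is what -g / GatewayPorts=yes gives you.
#   Returns 0 if all listeners on PORT are loopback-only, 1 otherwise.
audit_listener() {
  port=$1; exposed=0
  while read -r state recvq sendq laddr peer rest; do
    case "$laddr" in
      *:"$port") ;;            # "127.0.0.1:8888", "0.0.0.0:8888", "[::]:8888", "*:8888"
      *) continue ;;           # header line or some other port
    esac
    case "$laddr" in
      127.*|"[::1]:"*) ;;      # loopback: fine
      *) echo "WARNING: port $port is listening on $laddr (not loopback)"; exposed=1 ;;
    esac
  done
  return "$exposed"
}

# --- demo: the three forwards from the post, with the safer flags ----------
tunnel_cmd L 8888  10.1.1.5  80   me@122.222.222.221   # work web server, from home
tunnel_cmd L 5010  localhost 5000 user@homeip          # home VNC server, from work
tunnel_cmd R 12345 localhost 22   user@server          # reverse admin channel

# --- demo: constructed ss -ltn snapshot, as if the first forward had been
#     started once with -g (wildcard bind) and once without -----------------
sample_ss='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8888     0.0.0.0:*
LISTEN 0      128    0.0.0.0:8888       0.0.0.0:*
LISTEN 0      128    [::1]:8888         [::]:*'
if printf '%s\n' "$sample_ss" | audit_listener 8888; then
  echo "port 8888 is loopback-only"
else
  echo "port 8888 is exposed: drop -g (or GatewayPorts=yes) and restart the tunnel"
fi
```

On a real box, run the tunnel in the background and then `ss -ltn | audit_listener 8888` (or `netstat -ltn | audit_listener 8888`) to confirm the listener is on 127.0.0.1 before pointing a browser at it. For the reverse-admin case, one tightening added here (not from the post): with -N on the client side no session is opened at all, and on $server the key used by the desktop icon can be limited in authorized_keys with `no-pty,no-X11-forwarding,no-agent-forwarding,command="/bin/false"` so it can carry the -R forward but nothing else.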