ssh (1)
ssh tunnel
Abbreviations used:
  LPORT : local port
  LADDR : local address
  RPORT : remote port
  RADDR : remote address
The -L flag sets up an ssh tunnel that forwards port LPORT on the local host to RADDR:RPORT via the machine gateway (the ssh tunnel endpoint). The host field in the middle is required: OpenSSH parses the two-field form LPORT:RPORT as a forward to a Unix socket named RPORT on the gateway, not to TCP port RPORT, so when the target is the gateway itself, name it explicitly as localhost (resolved on the gateway side).
# Forward local port to remote port on the gateway itself.
ssh -L LPORT:localhost:RPORT gateway
# Forward local port to remote port on remote address via gateway.
ssh -L LPORT:RADDR:RPORT gateway
In this scenario, requests are issued on the local machine and target a remote resource, making that resource accessible on the local machine even when it is hidden behind the tunnel endpoint (gateway). By default the local listener is bound to the loopback interface only; prefixing LPORT with a bind address such as * or 0.0.0.0 (or setting GatewayPorts yes in ssh_config) makes the listener reachable from other hosts, and every client that can reach it then reaches RADDR:RPORT with the network position of the ssh user on the gateway.
The -R flag sets up an ssh tunnel that exposes the local port LPORT as port RPORT on the remote machine gateway. The host field is required here as well: RPORT:LPORT alone is not a port-to-port forward, so give localhost (resolved on the local side) when the exposed service runs on the local machine.
# Expose local port via remote port on gateway.
ssh -R RPORT:localhost:LPORT gateway
# Expose a port of the machine with local address LADDR via remote port on gateway.
ssh -R RPORT:LADDR:LPORT gateway
In this scenario, requests are issued on the gateway and target a resource in the local network, effectively exposing the local resource on the remote machine (gateway). The listener on the gateway is bound to its loopback interface unless sshd's GatewayPorts setting permits otherwise (yes or clientspecified); only then can a bind address in front of RPORT make the exposed service reachable from other hosts that can reach the gateway.
The trick to memorize the syntax is to read the forwarding rules left (source) to right (destination), where -L means that requests are issued locally and -R means that requests are issued remotely.
The following flags are useful for setting up ssh tunnels:
  -N  do not execute a remote command (without a command ssh would drop into a shell; with -N the session only carries the forwards)
  -f  run ssh in the background, just before command execution
  -o ExitOnForwardFailure=yes  exit if a forward cannot be set up (for example the port is already in use) instead of silently continuing; especially useful together with -f, where the failure would otherwise go unnoticed
Example
# Forward requests on localhost:8080 to moose:1234 and keep ssh in the foreground
# but don't drop into a shell.
ssh -N -L 8080:localhost:1234 moose
# Forward requests on moose:80 to localhost:8080 and keep ssh in the foreground
# but don't drop into a shell. Binding the privileged port 80 on moose requires
# logging in there as root.
ssh -N -R 80:localhost:8080 moose
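To make the "source -> destination" reading above concrete, here is a small model of the -L forwarding-spec grammar from ssh(1) that shows, for a given spec, which fields become the listen side, which the connect side, and when a field is taken as a Unix socket path rather than a port. This is an added example for these notes, not OpenSSH code: service names (OpenSSH's a2port() also accepts names like "http") and the -R-only reverse-SOCKS form [bind_address:]port are not modelled. The three- and four-field forms are identical for -R.

```python
"""Model of the ssh(1) -L forwarding-spec grammar (added example, not OpenSSH
code).  Shows which fields are the listen side, which the connect side, and
when a field is a Unix socket path rather than a TCP port."""
from dataclasses import dataclass
from typing import List, Optional

# Bind addresses that make the listener reachable from other hosts (ssh(1):
# "an empty address or '*' indicates that the port should be available from
# all interfaces").
WILDCARD_BINDS = {"", "*", "0.0.0.0", "::"}


def split_fields(spec: str) -> List[str]:
    """Split on ':' but keep a bracketed IPv6 literal such as [::1] as one field."""
    fields: List[str] = []
    i, n = 0, len(spec)
    while i <= n:
        if i < n and spec[i] == "[":
            j = spec.find("]", i)
            if j < 0:
                raise ValueError(f"unterminated '[' in {spec!r}")
            fields.append(spec[i + 1:j])
            i = j + 1
            if i < n and spec[i] != ":":
                raise ValueError(f"expected ':' after ']' in {spec!r}")
            i += 1
        else:
            j = spec.find(":", i)
            if j < 0:
                fields.append(spec[i:])
                break
            fields.append(spec[i:j])
            i = j + 1
    return fields


def as_port(field: str) -> Optional[int]:
    """Port number if the field is one, else None (the field is then a socket path)."""
    if field.isdigit() and int(field) <= 65535:
        return int(field)
    return None


@dataclass
class Forward:
    bind_address: Optional[str] = None  # None: loopback, unless GatewayPorts says otherwise
    listen_port: Optional[int] = None
    listen_path: Optional[str] = None   # local Unix socket instead of a TCP port
    connect_host: Optional[str] = None  # resolved by the gateway: "localhost" is the gateway
    connect_port: Optional[int] = None
    connect_path: Optional[str] = None  # Unix socket on the gateway instead of host:port

    @property
    def exposed(self) -> bool:
        """True if the listener is bound on all interfaces."""
        return self.bind_address in WILDCARD_BINDS


def parse_forward(spec: str) -> Forward:
    """Parse one -L argument; raises ValueError like ssh's 'Bad forwarding specification'."""
    fields = split_fields(spec)
    fwd = Forward()
    if len(fields) == 2:    # port:remote_socket | local_socket:remote_socket
        listen, fwd.connect_path = fields  # second field is ALWAYS a socket path here
    elif len(fields) == 3:  # port:host:hostport | local_socket:host:hostport
        listen, fwd.connect_host, hostport = fields
        fwd.connect_port = as_port(hostport)
    elif len(fields) == 4:  # bind_address:port:host:hostport
        fwd.bind_address, listen, fwd.connect_host, hostport = fields
        fwd.connect_port = as_port(hostport)
    else:
        raise ValueError(f"bad forwarding specification {spec!r}")
    if fwd.connect_path is None and (not fwd.connect_host or fwd.connect_port is None):
        raise ValueError(f"bad connect target in {spec!r}")
    if fwd.connect_path == "":
        raise ValueError(f"empty socket path in {spec!r}")
    fwd.listen_port = as_port(listen)
    if fwd.listen_port is None:
        if len(fields) == 4 or not listen:
            raise ValueError(f"bad listen port {listen!r} in {spec!r}")
        fwd.listen_path = listen
    return fwd


def describe(fwd: Forward) -> str:
    """Human-readable 'listen -> gateway -> target' line for a parsed spec."""
    if fwd.listen_path is not None:
        src = f"unix:{fwd.listen_path}"
    elif fwd.bind_address is None:
        src = f"loopback:{fwd.listen_port}"
    elif fwd.exposed:
        src = f"ALL-INTERFACES:{fwd.listen_port}"
    else:
        src = f"{fwd.bind_address}:{fwd.listen_port}"
    if fwd.connect_path is not None:
        dst = f"unix:{fwd.connect_path}"
    else:
        dst = f"{fwd.connect_host}:{fwd.connect_port}"
    return f"{src} -> gateway -> {dst}"


if __name__ == "__main__":
    # Constructed specs, including the two-field shorthand and an exposed bind.
    for spec in ("8080:1234", "8080:localhost:1234", "*:8080:10.0.0.5:443",
                 "[::1]:8080:[fd00::5]:443", "/tmp/pg.sock:/run/postgresql/.s.PGSQL.5432"):
        print(f"-L {spec:44} {describe(parse_forward(spec))}")
```

Running it shows the two-field shorthand ending up at unix:1234 rather than at a TCP port, and flags a bind address of * as reachable from all interfaces; on a real host the same information is visible by adding -v to ssh, which logs every "Local forwarding listening on ..." line as the forwards are set up.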
ssh keys
Utility script to generate ssh key pairs.
#!/usr/bin/env bash
# Usage: gen-ssh-key NAME
# Creates ~/.ssh/NAME-ed25519 and ~/.ssh/NAME-ed25519.pub, refusing to overwrite
# an existing pair.
NAME=${1:?Pass new keyname as first arg}
TYPE=ed25519
FILE="${HOME}/.ssh/${NAME}-${TYPE}"
if [[ -f "${FILE}" || -f "${FILE}.pub" ]]; then
  echo "Key with name '${NAME}' already exists, remove following files explicitly:"
  echo "  ${FILE} ${FILE}.pub"
  exit 1
fi
set -x
# -C: comment stored in the public key (who and where the key belongs to).
# -a 100: 100 KDF rounds, which slows down offline guessing of the passphrase.
ssh-keygen -C "${NAME}.${USER}@${HOSTNAME}" -f "${FILE}" -t "${TYPE}" -a 100
To generate many keys at once, a passphrase can be supplied with -N "toor", or an empty one with -N "". An empty passphrase leaves the file permissions as the only protection of the private key, so it is only acceptable for throwaway keys (e.g. lab setups); and since the script runs ssh-keygen under set -x, a passphrase passed on the command line is echoed to the terminal and ends up in the shell history.
ssh config - ~/.ssh/config
Frequently used options for a single Host block.
# When ssh-ing into foo or bar, do it as user git with the given key.
host foo bar
    user git
    identityfile ~/.ssh/some-key
    # Offer only this key, not every key the agent holds.
    identitiesonly yes

# When ssh-ing into moose, actually log into the host with IP address 1.2.3.4.
# Can be used as an alias for machines without DNS entries.
host moose
    user root
    port 8022
    hostname 1.2.3.4
    identityfile ~/.ssh/some-key
Pattern matching and evaluation order. The options ssh ends up with for a host can be inspected with ssh -G <host>, which prints the effective configuration without connecting.
# For each option, the first value obtained is used, so more host-specific
# blocks must come first. (IdentityFile is an exception: every matching
# IdentityFile directive is added to the list of keys that are tried.)
host tree7
    user banana
host tree*
    user cherry
    # The hostname as given on the command line can be referenced with %h.
    hostname %h.some-dns-path
# ssh tree7 -> banana@tree7.some-dns-path
# ssh tree5 -> cherry@tree5.some-dns-path
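The evaluation-order rule is easy to get wrong silently, so here is a minimal resolver that reproduces the semantics used in these notes (Host patterns with * and ? wildcards and ! negation, first-obtained-value-wins for single-valued keywords, additive IdentityFile, and %h in HostName) and runs it over the config above plus a mis-ordered variant. This is an added example for these notes, not OpenSSH code; Match blocks, Include, CanonicalizeHostname and tokens other than %h are not modelled, and the config text is constructed here.

```python
"""Minimal ssh_config resolver (added example, not OpenSSH code): Host
patterns, first-value-wins, additive IdentityFile, %h in HostName."""
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Keywords that accumulate across matching blocks instead of taking the first value.
ADDITIVE = {"identityfile", "certificatefile", "localforward", "remoteforward", "sendenv"}

Block = Tuple[List[str], List[Tuple[str, str]]]  # (host patterns, [(keyword, value), ...])

# Constructed config: the examples from the notes plus a catch-all block.
CONFIG = """\
# Most specific block first: for each keyword the first value obtained wins.
Host tree7
    User banana

Host tree*
    User cherry
    HostName %h.some-dns-path
    IdentityFile ~/.ssh/tree-key

Host moose
    User root
    Port 8022
    HostName 1.2.3.4
    IdentityFile ~/.ssh/some-key

Host *
    IdentityFile ~/.ssh/id_ed25519
"""

# Same blocks, but the wildcard block now comes before the specific one.
MISORDERED = CONFIG.replace("Host tree7\n    User banana\n\n", "") + "\nHost tree7\n    User banana\n"


def parse_config(text: str) -> List[Block]:
    """Split ssh_config text into Host blocks; keywords are case-insensitive."""
    blocks: List[Block] = [(["*"], [])]  # options before the first Host apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def host_matches(patterns: List[str], host: str) -> bool:
    """ssh(1) PATTERNS: '*' and '?' wildcards; a matching '!' pattern vetoes the block."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatchcase(host, pattern[1:]):
                return False
        elif fnmatchcase(host, pattern):
            matched = True
    return matched


def resolve(blocks: List[Block], host: str) -> Dict[str, object]:
    """Return the options ssh would use for `host` (compare with `ssh -G host`)."""
    opts: Dict[str, object] = {}
    for patterns, options in blocks:
        if not host_matches(patterns, host.lower()):
            continue
        for key, value in options:
            if key in ADDITIVE:
                opts.setdefault(key, []).append(value)
            elif key not in opts:  # first obtained value wins; later blocks cannot override
                opts[key] = value
    opts.setdefault("port", "22")
    # %h is the host name as typed on the command line, not the resolved HostName.
    opts["hostname"] = str(opts.get("hostname", host)).replace("%h", host)
    return opts


def login_target(text: str, host: str) -> str:
    """user@hostname:port that `ssh host` would connect to under this config."""
    opts = resolve(parse_config(text), host)
    return f"{opts.get('user', '<login user>')}@{opts['hostname']}:{opts['port']}"


if __name__ == "__main__":
    for host in ("tree7", "tree5", "moose"):
        print(f"ssh {host:6} -> {login_target(CONFIG, host)}")
    # With the wildcard block first, tree7 silently gets user cherry.
    print(f"misordered tree7 -> {login_target(MISORDERED, 'tree7')}")
    print("identities tried for tree7:", resolve(parse_config(CONFIG), "tree7")["identityfile"])
```

The mis-ordered variant is the failure mode to watch for: nothing errors, tree7 just logs in as cherry. On a real machine, ssh -G tree7 | grep -E '^(user|hostname|identityfile) ' gives the authoritative answer, including keys pulled in from /etc/ssh/ssh_config.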