Wiki source code of SSH-Tunneling hints
Version 2.1 by christoph_lechleitner@iteg_at on 2015-09-16 01.49:11
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | === {{id name="SSH-Tunnelinghints-Motivation"/}}Motivation === | ||
| 2 | |||
| 3 | Sometimes it's very useful to directly connect tools (i.e. a database management tool) that runs on a developer or administrator PC, to a daemon on a server (i.e. mysql server) that is only available locally with the server for security reasons. | ||
| 4 | |||
| 5 | === {{id name="SSH-Tunnelinghints-Exampleintroduction"/}}Example introduction === | ||
| 6 | |||
| 7 | For the following tunnel examples we assume: | ||
| 8 | |||
| 9 | * A server, {{code language="none"}}www.clazzes.org{{/code}}, runs a mysql server listening on {{code language="none"}}127.0.0.1:3306{{/code}} | ||
| 10 | * It provides a database {{code language="none"}}testdb{{/code}}, accessible for user {{code language="none"}}dbtester{{/code}} with password {{code language="none"}}testsecret{{/code}}. | ||
| 11 | * The server provides a unix account, {{code language="none"}}webadmin{{/code}}, and we have a ssh key allowed to connect to {{code language="none"}}webadmin@www.clazzes.org{{/code}} (or we have password based ssh access) | ||
| 12 | * We want to access to the database {{code language="none"}}testdb{{/code}} through an ssh tunnel | ||
| 13 | * When logged in to the server, the local mysql client can connect to the database with: {{code language="none"}}mysql -h 127.0.0.1 -u dbtester --password=testsecret testdb{{/code}} | ||
| 14 | * We want to create a tunnel so when connection to port {{code language="none"}}3333{{/code}} on our local system, we actually connect to mysql-server's port {{code language="none"}}3306{{/code}} on {{code language="none"}}www.clazzes.org{{/code}} | ||
| 15 | |||
| 16 | DO NOT bother to try using those credentials, it might get your IP blocked! | ||
| 17 | |||
| 18 | === {{id name="SSH-Tunnelinghints-OpenSSH"/}}OpenSSH === | ||
| 19 | |||
| 20 | OpenSSH is the default ssh implementation for most Linux distros, and even Microsoft has announced an agreement to include it in Windows. | ||
| 21 | |||
| 22 | I'm not sure how equal or similar other Unix ssh clients (like BSD, MacOS) are. | ||
| 23 | |||
| 24 | To create a tunnel that stays in foreground: | ||
| 25 | |||
| 26 | {{code language="none"}} | ||
| 27 | # stay in forground, may be put in background by pressing Ctrl-Z and the command bg | ||
| 28 | ssh root@clazzes.org -L 3333:127.0.0.1:3306 -N | ||
| 29 | |||
| 30 | # go in background, a bit difficult to stop | ||
| 31 | ssh -f root@clazzes.org -L 3333:127.0.0.1:3306 -N | ||
| 32 | |||
| 33 | # evtl. check that ssh listens on 3333 | ||
| 34 | lsof -i -n |grep -i listen |grep 3333 | ||
| 35 | |||
| 36 | {{/code}} | ||
| 37 | |||
| 38 | Test connect to the database: | ||
| 39 | |||
| 40 | {{code language="none"}} | ||
| 41 | mysql -h 127.0.0.1 -P 3333 -u dbtester --password=testsecret testdb | ||
| 42 | {{/code}} | ||
| 43 | |||
| 44 | Voila! | ||
| 45 | |||
| 46 | To close the tunnel, abort or kill the according {{code language="none"}}ssh{{/code}} process ({{code language="none"}}ctrl-c{{/code}}, evtl. after {{code language="none"}}fg{{/code}} to get it back to the foreground). | ||
| 47 | |||
| 48 | === {{id name="SSH-Tunnelinghints-Putty"/}}Putty === | ||
| 49 | |||
| 50 | Putty is the most common ssh client for Windows. Hints for setting up key-based ssh access with Putty can be found everywhere on the internet, we'll focus on tunneling here. | ||
| 51 | Just one hint anyway: With ssh keys, have {{code language="none"}}pageant{{/code}} running. Simply double-klick the {{code language="none"}}.ppk{{/code}} file or even put it in your autostart group. | ||
| 52 | |||
| 53 | To setup the tunnel: | ||
| 54 | |||
| 55 | * Start Putty | ||
| 56 | * If you don't have a session yet (% style="line-height: 1.4285715;" %)that allows you to connect to (% style="line-height: 1.4285715;" %){{code language="none"}}www.clazzes.org{{/code}} as (% style="line-height: 1.4285715;" %){{code language="none"}}webadmin{{/code}}, set one up and don't forget to save the session before (re)trying to connect. | ||
| 57 | * In Session, load the session that allows you to connect to {{code language="none"}}www.clazzes.org{{/code}} as {{code language="none"}}webadmin{{/code}}. | ||
| 58 | * In "{{code language="none"}}Category{{/code}}", open {{code language="none"}}Connection{{/code}}, {{code language="none"}}SSH{{/code}}, {{code language="none"}}Tunnels{{/code}} | ||
| 59 | * In "{{code language="none"}}Source port{{/code}}", enter {{code language="none"}}3333{{/code}} | ||
| 60 | * In "{{code language="none"}}Destincation{{/code}}", enter {{code language="none"}}127.0.0.1:3306{{/code}} as shown in this screenshot (click to enlarge): | ||
| 61 | [[image:attach:putty-tunnel-example.png||thumbnail="true" height="150"]] | ||
| 62 | * If you really really want to DANGEROUSLY provide the tunnel for other colleages in you LAN, check "Local ports accept connections from other hosts". | ||
| 63 | * Click "{{code language="none"}}Add{{/code}}" | ||
| 64 | * In "{{code language="none"}}Category{{/code}}", click on "{{code language="none"}}Session{{/code}}", "{{code language="none"}}Save{{/code}}", then "{{code language="none"}}Open{{/code}}" | ||
| 65 | |||
| 66 | Now a putty window should open, you should be on {{code language="none"}}www.clazzes.org{{/code}} as {{code language="none"}}webadmin{{/code}}., and the tunnel should be up. | ||
| 67 | |||
| 68 | To check if there's a tunnel, open a Command window and use netstat like this: | ||
| 69 | |||
| 70 | {{code language="none"}} | ||
| 71 | netstat -a -n |find "3333" | ||
| 72 | |||
| 73 | # output should show something like | ||
| 74 | TCP 0.0.0.0:3333 0.0.0.0:0 LISTENING | ||
| 75 | {{/code}} | ||
| 76 | |||
| 77 | Voila! | ||
| 78 | |||
| 79 | To close the tunnel, just close the according putty terminal, preferrably by entering {{code language="none"}}exit{{/code}}. |