Ssh Forward Key




For example, this opens port 9000 on the router and forwards it to port 3000 on the local host: ssh admin@192.168.88.1 -R 9000:localhost:3000

Dynamic forwarding turns the SSH client into a SOCKS proxy. On RouterOS, dynamic forwarding is controlled by the same settings as local forwarding. Use of dynamic forwarding: ssh -N -D -l


SSH Tunnel - Local, Remote and Dynamic Port Forwarding. Published: May 04, 2020.

SSH tunneling is an extremely useful feature of SSH that is often googled but less often understood well enough to use without a reference. SSH uses public-key cryptography to authenticate the remote computer and, if necessary, to let it authenticate the user. There are several ways to use SSH; one is to use automatically generated public-private key pairs simply to encrypt the network connection, and then use password authentication to log in.

SSH agent forwarding with MobaXterm on Windows. SSH agent forwarding can be configured for MobaXterm as follows:

  • Select the Configuration menu item from the Settings menu
  • Select the SSH tab
  • Enable Use internal SSH agent 'MobAgent'
  • Enable Forward SSH agents
  • Click the + button to select and load your private key

When you now start a new session and log in to a server, optionally via a

Port forwarding via SSH (SSH tunneling) creates a secure connection between a local computer and a remote machine through which services can be relayed. Because the connection is encrypted, SSH tunneling is useful for transmitting information that uses an unencrypted protocol, such as IMAP, VNC, or IRC.

SSH's port forwarding feature can smuggle various types of Internet traffic into or out of a network. This can be used to avoid network monitoring or sniffers, or bypass badly configured routers on the Internet. Note: You might also need to change the settings in other programs (like your web browser) in order to circumvent these filters.

Warning: Filtering and monitoring is usually implemented for a reason. Even if you don't agree with that reason, your IT department might not take kindly to you flouting their rules.

There are three types of port forwarding with SSH:

  • Local port forwarding: connections from the SSH client are forwarded via the SSH server, then to a destination server

  • Remote port forwarding: connections from the SSH server are forwarded via the SSH client, then to a destination server

  • Dynamic port forwarding: connections from various programs are forwarded via the SSH client, then via the SSH server, and finally to several destination servers

Local port forwarding is the most common type. For example, local port forwarding lets you bypass a company firewall that blocks Wikipedia.

Remote port forwarding is less common. For example, remote port forwarding lets you connect from your SSH server to a computer on your company's intranet.

Dynamic port forwarding is rarely used. For example, dynamic port forwarding lets you bypass a company firewall that blocks web access altogether. Although this is very powerful, it takes a lot of work to set up, and it's usually easier to use local port forwarding for the specific sites you want to access.

Port-forwarding is a widely supported technique and a feature found in all major SSH clients and servers, although not all clients do it the same way. For help on using a specific client, consult the client's documentation. For example, the PuTTY manual has a section on port forwarding in PuTTY.

To use port forwarding, you need to make sure port forwarding is enabled in your server. You also need to tell your client the source and destination port numbers to use. If you're using local or remote forwarding, you need to tell your client the destination server. If you're using dynamic port forwarding, you need to configure your programs to use a SOCKS proxy server. Again, exactly how to do this depends on which SSH client you use, so you may need to consult your documentation.

Local Port Forwarding

Local port forwarding lets you connect from your local computer to another server. To use local port forwarding, you need to know your destination server, and two port numbers. You should already know your destination server, and for basic uses of port forwarding, you can usually use the port numbers in Wikipedia's list of TCP and UDP port numbers.

For example, say you wanted to connect from your laptop to http://www.ubuntuforums.org using an SSH tunnel. You would use source port number 8080 (the alternate HTTP port), destination port 80 (the HTTP port), and destination server www.ubuntuforums.org:

Where <host> should be replaced by the name of your laptop. The -L option specifies local port forwarding. For the duration of the SSH session, pointing your browser at http://localhost:8080/ would send you to http://www.ubuntuforums.org/.

In the above example, we used port 8080 for the source port. Port numbers less than 1024 or greater than 49151 are reserved for the system, and some programs will only work with specific source ports, but otherwise you can use any source port number. For example, you could do:

This would forward two connections, one to www.ubuntuforums.org, the other to www.ubuntu.com. Pointing your browser at http://localhost:8080/ would download pages from www.ubuntuforums.org, and pointing your browser to http://localhost:12345/ would download pages from www.ubuntu.com.

The destination server can even be the same as the SSH server. For example, you could do:

This would forward connections to the shared desktop on your SSH server (if one had been set up). Connecting a VNC client to localhost port 5900 would show the desktop for that computer. The word 'localhost' is the computer equivalent of the word 'yourself', so the SSH server will understand what you mean, whatever the computer's actual name.

Remote Port Forwarding

Remote port forwarding lets you connect from the remote SSH server to another server. To use remote port forwarding, you need to know your destination server, and two port numbers. You should already know your destination server, and for basic uses of port forwarding, you can usually use the port numbers in Wikipedia's list of TCP and UDP port numbers.

For example, say you wanted to let a friend access your remote desktop, using the command-line SSH client. You would use port number 5900 (the first VNC port), and destination server localhost:

The -R option specifies remote port forwarding. For the duration of the SSH session, Joe would be able to access your desktop by connecting a VNC client to port 5900 on his computer (if you had set up a shared desktop).

Dynamic Port Forwarding

Dynamic port forwarding turns your SSH client into a SOCKS proxy server. SOCKS is a little-known but widely-implemented protocol for programs to request any Internet connection through a proxy server. Each program that uses the proxy server needs to be configured specifically, and reconfigured when you stop using the proxy server.

For example, say you wanted Firefox to connect to every web page through your SSH server. First you would use dynamic port forwarding with the default SOCKS port:

The -D option specifies dynamic port forwarding. 1080 is the standard SOCKS port. Although you can use any port number, some programs will only work if you use 1080. -C enables compression, which speeds the tunnel up when proxying mainly text-based information (like web browsing), but can slow it down when proxying binary information (like downloading files).

Next you would tell Firefox to use your proxy:

  • go to Edit -> Preferences -> Advanced -> Network -> Connection -> Settings...
  • check 'Manual proxy configuration'
  • make sure 'Use this proxy server for all protocols' is cleared
  • clear 'HTTP Proxy', 'SSL Proxy', 'FTP Proxy', and 'Gopher Proxy' fields
  • enter '127.0.0.1' for 'SOCKS Host'
  • enter '1080' (or whatever port you chose) for Port.

You can also set Firefox to use the DNS through that proxy, so even your DNS lookups are secure:

  • Type in about:config in the Firefox address bar
  • Find the key called 'network.proxy.socks_remote_dns' and set it to true

The SOCKS proxy will stop working when you close your SSH session. You will need to change these settings back to normal in order for Firefox to work again.

To make other programs use your SSH proxy server, you will need to configure each program in a similar way.
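To make the remote-DNS point concrete, here is the SOCKS5 CONNECT exchange a client performs against the listener that ssh -D opens. This is an added Python example, not code from the original page; connect_via_socks assumes a running ssh -D 1080 session on 127.0.0.1:1080, while build_connect shows the two address forms a client can send: the hostname itself, which is what network.proxy.socks_remote_dns=true makes Firefox do, or a locally resolved IPv4 address.

```python
import socket

SOCKS_VERSION, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 5, 0x01, 0x01, 0x03
REPLY_CODES = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
               3: "network unreachable", 4: "host unreachable", 5: "connection refused",
               6: "TTL expired", 7: "command not supported", 8: "address type not supported"}

def build_greeting() -> bytes:
    # VER=5, one method: 0x00 "no authentication"; enough because the SSH session protects the listener.
    return bytes([SOCKS_VERSION, 1, 0x00])

def build_connect(host: str, port: int, remote_dns: bool = True) -> bytes:
    """CONNECT request. With remote_dns the hostname travels inside the request
    (ATYP 0x03) and the SSH server resolves it, which is what Firefox's
    network.proxy.socks_remote_dns=true achieves; without it the client resolves
    the name first, so the DNS query leaves this machine outside the tunnel."""
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(socket.gethostbyname(host))
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + port.to_bytes(2, "big")

def parse_reply(head: bytes) -> tuple:
    """Interpret the first four reply bytes (VER, REP, RSV, ATYP) as (ok, reason)."""
    if len(head) < 4 or head[0] != SOCKS_VERSION:
        return False, "not a SOCKS5 reply"
    return head[1] == 0, REPLY_CODES.get(head[1], f"unknown reply code {head[1]}")

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection early")
        buf += chunk
    return buf

def connect_via_socks(proxy: tuple, host: str, port: int, timeout: float = 5.0):
    """Open a TCP stream to host:port through a SOCKS5 proxy such as `ssh -D 1080`;
    returns the connected socket or raises OSError carrying the proxy's reason."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_greeting())
        if _recv_exact(sock, 2) != bytes([SOCKS_VERSION, 0x00]):
            raise OSError("proxy did not accept the no-authentication method")
        sock.sendall(build_connect(host, port))
        head = _recv_exact(sock, 4)
        ok, why = parse_reply(head)
        if not ok:
            raise OSError(f"proxy refused CONNECT to {host}:{port}: {why}")
        # Skip BND.ADDR and BND.PORT so the stream is positioned at the relayed data.
        bound = {ATYP_IPV4: 4, 0x04: 16}.get(head[3]) or _recv_exact(sock, 1)[0]
        _recv_exact(sock, bound + 2)
        return sock
    except Exception:
        sock.close()
        raise
```

A quick live check is connect_via_socks(("127.0.0.1", 1080), "www.ubuntu.com", 80) followed by sending an HTTP request on the returned socket; a refused forward comes back as an OSError with the proxy's reply code decoded.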

Forwarding GUI Programs

SSH can also forward graphical applications over a network, although it can take some work and extra software to forward programs to Windows or Mac OS.

Single Applications

If you are logging in from a Unix-like operating system, you can forward single applications over SSH very easily, because all Unix-like systems share a common graphics layer called X11. This even works under Mac OS X, although you will need to install and start the X11 server before using SSH.

To forward single applications, connect to your system using the command-line, but add the -X option to forward X11 connections:

Once the connection is made, type the name of your GUI program on the SSH command-line:

Your program will start as normal, although you might find it's a little slower than it would be if it were running locally. The trailing & means that the program should run in 'background mode', so you can start typing new commands in straight away, rather than waiting for your program to finish.

If you only want to run a single command, you can log in like this:

That will run Firefox, then exit when it finishes. See the SSH manual page for information about -f and -T.

If you start an application and it complains that it cannot find the display, try installing the xauth package from the Main repository. Xauth is installed by default with desktop installations but not server installations.

If you suspect that programs are running slowly because of a lack of bandwidth, you can turn SSH compression on with the -C option:

Using -fTXC here is identical to -f -T -X -C.

Nested Windows

Xephyr is a program that gives you an X server within your current server. It's available in the xserver-xephyr package in the Main repository.

[Figure: two SSH-forwarded desktops on dual monitors]

Setting up Xephyr was explained briefly in the Ubuntu forums.

To get the most out of port forwarding, it's helpful to know a bit about how the Internet works.

The Internet assigns computers virtual 'ports', a bit like the USB ports on the back of your computer:

To let a digital camera share pictures with your PC, you connect the USB port on the camera to any USB port on the PC. The computer then talks to the camera about your photos, and shows you the result.

To let a web server share pages with your PC, you connect the web server port on the server to any Internet port on the PC. The computer then talks to the server about your page, and shows you the result.

Unlike a USB port, there is no physical component to an Internet port. There's no actual wire, or actual hole on the back of your computer. It's all just messages being sent over the Internet. Like other 'virtual' computer concepts, Internet ports are just an analogy that helps to explain what your computer is doing. Sometimes, that analogy breaks down:

  • There are two types of Internet port: normal 'TCP' ports and strange 'UDP' ports (which won't be covered here).

  • Unlike USB ports, every computer has exactly 65,535 numbered TCP ports, some of which have a special purpose. For example, port number 80 is your web server port, so your web browser knows it should connect to port number 80 in order to download a web page.

  • Connections between Internet ports can be patched together, so a connection from computer A to computer B on port 12,345 could be patched through to port number 80 on computer C. This is known as port forwarding.

If you get a message like this when you try to forward a port:

then someone is already listening on that port number. You won't be able to listen on that port until the other person has finished with it.

If forwarding doesn't seem to work, even though you didn't get a warning message, then your SSH server might have disabled forwarding. To check, do the following:

If you see something like this:

then forwarding is disabled on your server. See the SSH configuration page for more information.
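As an added example (Python, not from the original page), the checker below reads an sshd_config and reports which client options the server side will refuse, applying OpenSSH's rule that the first value seen for a keyword wins. SAMPLE and the deploy user in it are constructed; Include files are not followed and Match blocks are only flagged, since only sshd -T -C user=<name> can resolve those.

```python
import re

# Values OpenSSH applies when a directive is absent (summary of sshd_config(5)).
DEFAULTS = {"allowtcpforwarding": "yes", "allowagentforwarding": "yes",
            "x11forwarding": "no", "permitopen": "any"}

def effective_forwarding(config_text: str) -> dict:
    """Forwarding directives in effect in the global section of an sshd_config.
    OpenSSH keeps the first value it sees for a keyword, so later duplicates are
    ignored; everything after the first Match line is conditional and skipped,
    and Include files are not followed (needs_sshd_T says when that matters)."""
    found, saw_match, includes = {}, False, []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key value" or "Key=value"
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            saw_match = True
        if saw_match:
            continue
        if key == "include":
            includes.append(value)
        elif key in DEFAULTS and key not in found:
            found[key] = value.lower()
    status = {k: found.get(k, v) for k, v in DEFAULTS.items()}
    status["needs_sshd_T"] = saw_match or bool(includes)
    return status

def forwarding_problems(config_text: str) -> list:
    """Explain which client options (-L/-R/-D, -X, -A) this server config refuses."""
    s = effective_forwarding(config_text)
    tcp, msgs = s["allowtcpforwarding"], []
    if tcp == "no":
        msgs.append("AllowTcpForwarding no: -L, -R and -D are refused (login still works)")
    elif tcp == "remote":
        msgs.append("AllowTcpForwarding remote: -L and -D are refused, only -R works")
    elif tcp == "local":
        msgs.append("AllowTcpForwarding local: -R is refused, only -L and -D work")
    if s["permitopen"] not in ("any", ""):
        msgs.append(f"PermitOpen limits -L/-D destinations to: {s['permitopen']}")
    if s["x11forwarding"] == "no":
        msgs.append("X11Forwarding no: ssh -X gets no DISPLAY on the server")
    if s["allowagentforwarding"] == "no":
        msgs.append("AllowAgentForwarding no: ssh -A / ForwardAgent is refused")
    if s["needs_sshd_T"]:
        msgs.append("Match or Include present: confirm with `sshd -T -C user=<name>`")
    return msgs

# Constructed sample, not a real server's file.
SAMPLE = """\
Port 22
AllowTcpForwarding no
X11Forwarding yes
AllowTcpForwarding yes    # ignored: the first value above wins
Match User deploy
    AllowTcpForwarding yes
"""
```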

One of the ways Platform.sh keeps things secure is by using SSH behind the scenes. Users can interact with their environment through a command shell, or push changes to the environment’s Git repository, and both of these features rely on SSH.

Secure Shell Protocol, SSH, supports certificate-based and keypair-based authentication. Certificate-based authentication is faster to set up and generally easier to use, provided you have a web browser available on your computer. Alternatively, you may use keypair-based authentication if you are setting up an automation tool, or simply prefer that method.

Automation tools may also use an API Token.

Certificate-based authentication

To connect using certificate-based authentication, install the Platform.sh CLI.

Once installed, you may run platform login or any CLI command that requires authentication. In either case a browser window opens and asks you to log in with your Platform.sh account credentials. This web page is served over HTTPS (HTTP over TLS), so the login is encrypted.

The login process will issue a certificate that gets stored in your local SSH configuration. The certificate is automatically cycled every hour for a new certificate as long as your session is active. If you are inactive for an extended period your certificate will expire, and the system will ask you to login again the next time you use a command that requires authentication.

Keypair-based authentication

This process requires two RSA keys:

  • A private key kept secret by the user
  • A public key stored within the Platform.sh account

These keys are called the public-private keypair and usually look like random lines of characters, like this:

A private key:

A public key (one very long line):

GitHub has a good walk-through of creating an SSH keypair on various operating systems.

A keypair is valid for as long as you have access to the private key on the system from which you are connecting. If you have a keypair available you will not be prompted to login.

Find your Public-Private keypair

If you use Linux, you probably already have keys. The private key is usually in a file named ~/.ssh/id_rsa and the public key in ~/.ssh/id_rsa.pub.

Searching for a public key file:

  1. Open up a command prompt.

  2. Run the following commands:

    If you find a file named id_rsa.pub, you can use it with Platform.sh. If you don’t find an existing key, see the steps to create a new one in the next section.

Create a New Public-Private Keypair

Note: If you already have an SSH keypair, you can skip this step.

Create a public-private keypair:

ssh-keygen generates the key pair and will ask you where you want to save the file:

The default location is fine in most cases. Now it’s time to create a passphrase. A good, strong passphrase is highly recommended, to make your key less useful if it falls into the wrong hands.

That’s it. Keys generated! Here are the results:

Note: Make note of the location of your public key; you're going to need it in the next section.

Add the SSH key to your Platform account

  1. First off, you’ll need to copy your public key to the clipboard.
  2. Head over to your user account page on the Platform.sh Accounts page and navigate to the Account Settings tab.
  3. In the left side-bar, select SSH keys.
  4. Click the Add a public key button.
  5. Paste the key that you copied earlier into the ‘Key’ text box. You can also add a title if you like, otherwise it will be auto-generated.
  6. Click ‘Save’.

That’s it! You’re all set. Now you’ll be able to use Git and command shells with any Platform.sh environment that your user account is authorized to work with.

Forwarding keys by default

It may be helpful to set your SSH client to always forward keys to Platform.sh servers, which can simplify other SSH or Rsync commands. To do so, include a block in your local ~/.ssh/config file like so:

Include one Host entry for each Platform.sh region you want to connect to, such as us-2 or eu-4. (You can include other configuration as desired.)

SSH to your Web Server

In the management console header, click on the environment tab and select the environment that you want to SSH into. Then click the SSH dropdown button towards the top right.

Troubleshoot SSH

While trying to log in via SSH, this can happen:

Don’t panic! It’s an issue which can happen for the following reasons:

  • Your environment is inactive
  • You haven’t redeployed (i.e. git push) your environment since adding the new public key
  • You didn’t upload your public key to your user profile
  • Your SSH private key has not been added into your ssh-agent
  • Your SSH key files have incorrect permissions
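For the last item in that list, this added Python example (not from the original page) applies the same permission rules ssh itself enforces on a private key and on ~/.ssh/config, and runs them on constructed placeholder files in a temporary directory rather than on real keys.

```python
import os
import stat
import tempfile

def permission_problems(private_key: str, config: str = "") -> list:
    """Re-run the checks ssh itself applies. A private key readable or writable by
    group/others is ignored ("Permissions 0644 for ... are too open"); a config
    file writable by group/others is rejected ("Bad owner or permissions")."""
    checks = [(private_key, stat.S_IRWXG | stat.S_IRWXO, "chmod 600")]
    if config:
        checks.append((config, stat.S_IWGRP | stat.S_IWOTH, "chmod 644"))
    problems = []
    for path, forbidden, fix in checks:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & forbidden:
            problems.append(f"{path}: mode {mode:04o} is too open, run {fix}")
    return problems

def demo() -> dict:
    """Constructed scenario: a 0644 key, a 0600 key and a 0664 config in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name, mode in {"bad_key": 0o644, "good_key": 0o600, "config": 0o664}.items():
            paths[name] = os.path.join(tmp, name)
            with open(paths[name], "w") as fh:
                fh.write("# constructed placeholder, not a real key\n")
            os.chmod(paths[name], mode)
        return {"bad": permission_problems(paths["bad_key"], paths["config"]),
                "good": permission_problems(paths["good_key"])}
```

Against a real account, call permission_problems(os.path.expanduser("~/.ssh/id_rsa"), os.path.expanduser("~/.ssh/config")).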

Check your public key

Make sure your public key has been uploaded to your user account.

Check your ssh-agent

Check that your key is properly added to your SSH agent. This is an authentication agent that manages your private key.

  1. Check your SSH agent. Run the command ssh-add -l in your terminal:

  2. Check the file name on the right (.ssh/id_rsa in the example above). Does it match your private key file?

  3. If you don’t see your private key file, add your private key:

  4. Try again.

Specify your identity file

If the identity (SSH key) you use with Platform.sh is not in a default file name (see your SSH software's manual), you may have to append a specification like the one below so that the SSH software finds the correct key.

Be aware that, above, platform.sh stands for a hostname. Each hostname you use to connect to Platform.sh may need to be listed on the Host line, separated by spaces.
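Because ssh uses the first value it obtains for each keyword, the order of Host blocks decides which ForwardAgent and IdentityFile settings apply to a given hostname, and a ForwardAgent yes under Host * hands your agent to every server you log into. This added Python example (not Platform.sh's code) resolves those options for a hostname and flags over-broad agent forwarding; the SAMPLE config and its region hostnames are constructed placeholders.

```python
import fnmatch
import re

def _directives(config_text: str):
    """Yield (keyword, value) pairs; comments, blank lines and 'Key=value' handled."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
            yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def _host_matches(patterns: list, hostname: str) -> bool:
    """Host line semantics: any pattern may match, a matching !pattern vetoes the line."""
    host, matched = hostname.lower(), False
    for pat in patterns:
        if fnmatch.fnmatchcase(host, pat.lstrip("!").lower()):
            if pat.startswith("!"):
                return False
            matched = True
    return matched

def effective_options(config_text: str, hostname: str) -> dict:
    """Options ssh would apply to hostname: the first value obtained for a keyword
    wins (so specific Host blocks must precede general ones) while IdentityFile
    values accumulate. Match blocks are not evaluated; parsing stops there."""
    opts, identities, active = {}, [], True   # lines before any Host apply to all
    for key, value in _directives(config_text):
        if key == "host":
            active = _host_matches(value.split(), hostname)
        elif key == "match":
            break
        elif active and key == "identityfile":
            identities.append(value)
        elif active and key not in opts:
            opts[key] = value
    if identities:
        opts["identityfile"] = identities
    return opts

def forward_agent_risks(config_text: str) -> list:
    """Host lines whose 'ForwardAgent yes' reaches every server: the remote host can
    use your keys while you are connected, so keep it under the hosts that need it."""
    risks, current = [], ["*"]
    for key, value in _directives(config_text):
        if key == "host":
            current = value.split()
        elif key == "forwardagent" and value.lower() == "yes":
            if any(not p.startswith("!") and set(p) <= set("*?") for p in current):
                risks.append("ForwardAgent yes applies to all hosts via 'Host " + " ".join(current) + "'")
    return risks

# Constructed ~/.ssh/config with one Host entry per region; hostnames are placeholders.
SAMPLE = """\
Host *.us-2.platform.sh *.eu-4.platform.sh
    ForwardAgent yes
    IdentityFile ~/.ssh/platformsh_key
Host *
    ForwardAgent yes             # too broad: every server you log into gets the agent
    IdentityFile ~/.ssh/id_rsa
"""
```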

Still having trouble?

If you followed all the steps above, you may also notice an error message similar to below while attempting to SSH to platform.sh:

This usually means a deployment has not been committed yet. When a new key is added, it only becomes immediately active for use with Git. For use with SSH, it will not be activated until a deployment is made. An easy way to force this is to create and push an empty commit:

Generate SSH debug information

If your private key and public key both look OK but you don’t have any luck logging in, print debugging information. These lines often give clues about what is going wrong.

  1. Run the SSH command with the -v option, like this:

    or

You can use this information to make one last check of the private key file.

If you’re still stuck, don’t hesitate to submit a support ticket; we’ll help you solve your problem.