SshTunneling

From UABgrid Documentation
(Difference between revisions)
Jump to: navigation, search
(ssh port forwarding notes for 'nix system users)
 
m (SSH Port Forwarding Configuration)
 
(One intermediate revision by one user not shown)
Line 1: Line 1:
 
== SSH Port Forwarding Configuration ==
 
== SSH Port Forwarding Configuration ==
Most of the test systems are not exposed to the public interent directly and reside in a private network space. So one can't directly connect to these systems using a public hostname or IP address. One of the way to connect with such systems is using SSH Port Forwarding (a.k.a. SSH tunneling). In this technique a port on the local system is 'SSH tunneled' to a port on the remote system behind firewall using a public facing SSH server. Following is an example on how to connect to a test system behind firewall using Cheaha as an SSH server.  
+
Most of the test systems are not exposed to the public interent directly and reside in a private network space. So one can't directly connect to network services (e.g. web server, ssh) running on
* First set up an SSH-tunnel using ssh command as shown below.  
+
these systems using a public hostname or IP address. One of the way to connect with such systems is using SSH Port Forwarding (a.k.a. SSH tunneling). In this technique a port on the local system is 'SSH tunneled' to a service port on the remote system using a public facing SSH server.  
 +
 
 +
For example, consider a remote system on private network called 'oak' which runs a web server and an SSH server. And consider 'cheaha' as a public facing SSH server which is connected to both public and private networks. Now to connect to any of the network services on 'oak' a user will have to 'SSH tunnel' connections through 'cheaha'. Below is a command-line example to perform this setup.
 +
 
 +
* First we setup an SSH-tunnel which forwards a port (10080) on a local system (where following ssh command will be run) to a port (80) on the remote system 'oak' using public facing SSH server 'cheaha'.  
 
   # General syntax  
 
   # General syntax  
 
   $ ssh -L <local-port>:<remote-system-IP-or-Hostname>:<remote-system-port> blazerid@cheaha.uabgrid.uab.edu  
 
   $ ssh -L <local-port>:<remote-system-IP-or-Hostname>:<remote-system-port> blazerid@cheaha.uabgrid.uab.edu  
* Now you can connect to the <remote-system-IP-or-Hostname> using your local system's port number. For example, if you want to ssh to <remote-system-IP-or-Hostname> then type following ssh command.  
+
  $ ssh -L 10080:oak.subdomain.uab.edu:80 blazerid@cheaha.uabgrid.uab.edu
  $ ssh blazerid@localhost -p <local-port>
+
 
 +
Above command SSH-tunnels (forwards) connections to a local-port 10080 to remote system 'oak'sport 80. This allows user to access web pages on 'oak' using following connection string - 'http://localhost:10080'. When you run above SSH command you will have an SSH terminal window open on your system and it has a session open with public SSH server 'cheaha'. You can use the same terminal window to SSH to remote system 'oak'.
 +
 
 +
Quite often you have to connect with remote systems on  private network on regular basis. And specifying long SSH command-line options may soon become annoying. This can be avoided by putting above SSH options in the '~/.ssh/config' SSH client configuration file. Following is an example '~/.ssh/config' file equivalent to above SSH command.
  
Another way to set this up is using ssh configuration file rather than specifying these option on command-line. Following example shows '.ssh/config' file example where Cheaha head node is used as SSH server gateway and <remote-system-IP-or-Hostname> is a system behind firewall.
 
 
   # 'rnet' gateway - happens to be cheaha head node
 
   # 'rnet' gateway - happens to be cheaha head node
 
   Host rnet
 
   Host rnet
       User pavgi
+
       User blazerid
 
       hostname cheaha.uabgrid.uab.edu
 
       hostname cheaha.uabgrid.uab.edu
 
       # Port forwarding <remote-system-IP-or-Hostname>
 
       # Port forwarding <remote-system-IP-or-Hostname>
       LocalForward localhost:<local-port> <remote-system-IP-or-Hostname>:22
+
       # LocalForward localhost:<local-port> <remote-system-IP-or-Hostname>:<remote-port>
 +
      LocalForward localhost:10080 oak.subdomain.uab.edu:80
 +
 
 +
 
 +
Consider another remote system on a private network called 'pine'. Now if I need to access web server and SSH-server with X11 forwarding on 'pine' then I would setup '~/.ssh/config' in following manner (includes SSH config for 'oak'):
 +
 
 +
  # 'rnet' gateway - happens to be cheaha head node
 +
  Host rnet
 +
      User blazerid
 +
      hostname cheaha.uabgrid.uab.edu
 +
      # LocalForward localhost:<local-port> <remote-system-IP-or-Hostname>:<remote-port>
 +
      # Port forwarding for oak
 +
      LocalForward localhost:10080 oak.subdomain.uab.edu:80
 +
      # Port forwarding for pine
 +
      LocalForward localhost:20080 pine.subdomain.uab.edu:80
 +
      LocalForward localhost:20022 pine.subdomain.uab.edu:22
 
    
 
    
   Host <remote-system-Hostname>
+
  # SSH config for pine
       User pavgi
+
   Host pine
      hostname localhost
+
       host localhost
       Port <local-port>
+
       Port 20022
 +
      User blazerid
 +
      ForwardX11 yes
 +
 
  
Now you need to connect with the 'rnet' gateway first and then connect to the <remote-system-IP-or-Hostname> system.  
+
Note the port forwarding configuration for 'pine'. Here I have chosen a different local port number (20080) than for the 'oak' (10080). This is necessary because we can't forward same local port to multiple remote-systems. Also, in addition to the web server port (80) I have setup SSH tunnel for the SSH server (port 22) on pine. As mentioned in previous example, I could have used the same SSH terminal window to connect with 'pine', however typically I want to have multiple SSH terminal windows/tabs  open at the same and hence I have added configuration line to save some keystrokes. The port forwarding 'SSH tunnels' local port (20022) to a remote system 'pine's' port 22. So to SSH to 'pine' I can simply SSH to local-port 20022. Now take a look at the SSH config for pine host. This configuration allows me to SSH to pine 'ssh pine' - the hostname, port number, username and X11 forwarding is setup in the '~/.ssh/config' to avoid typing it repeatedly.
* Connect to Cheaha to setup SSH tunneling
+
  $ ssh blazerid@rnet
+
* Connect to the <remote-system-IP-or-Hostname>
+
  $ ssh blazerid@<remote-system-Hostname>
+

Latest revision as of 15:07, 12 January 2012

[edit] SSH Port Forwarding Configuration

Most of the test systems are not exposed to the public interent directly and reside in a private network space. So one can't directly connect to network services (e.g. web server, ssh) running on these systems using a public hostname or IP address. One of the way to connect with such systems is using SSH Port Forwarding (a.k.a. SSH tunneling). In this technique a port on the local system is 'SSH tunneled' to a service port on the remote system using a public facing SSH server.

For example, consider a remote system on private network called 'oak' which runs a web server and an SSH server. And consider 'cheaha' as a public facing SSH server which is connected to both public and private networks. Now to connect to any of the network services on 'oak' a user will have to 'SSH tunnel' connections through 'cheaha'. Below is a command-line example to perform this setup.

  • First we setup an SSH-tunnel which forwards a port (10080) on a local system (where following ssh command will be run) to a port (80) on the remote system 'oak' using public facing SSH server 'cheaha'.
 # General syntax 
 $ ssh -L <local-port>:<remote-system-IP-or-Hostname>:<remote-system-port> blazerid@cheaha.uabgrid.uab.edu 
 $ ssh -L 10080:oak.subdomain.uab.edu:80 blazerid@cheaha.uabgrid.uab.edu 

Above command SSH-tunnels (forwards) connections to a local-port 10080 to remote system 'oak's' port 80. This allows user to access web pages on 'oak' using following connection string - 'http://localhost:10080'. When you run above SSH command you will have an SSH terminal window open on your system and it has a session open with public SSH server 'cheaha'. You can use the same terminal window to SSH to remote system 'oak'.

Quite often you have to connect with remote systems on private network on regular basis. And specifying long SSH command-line options may soon become annoying. This can be avoided by putting above SSH options in the '~/.ssh/config' SSH client configuration file. Following is an example '~/.ssh/config' file equivalent to above SSH command.

 # 'rnet' gateway - happens to be cheaha head node
 Host rnet
     User blazerid
     hostname cheaha.uabgrid.uab.edu
     # Port forwarding <remote-system-IP-or-Hostname>
     # LocalForward localhost:<local-port> <remote-system-IP-or-Hostname>:<remote-port>
     LocalForward localhost:10080 oak.subdomain.uab.edu:80


Consider another remote system on a private network called 'pine'. Now if I need to access web server and SSH-server with X11 forwarding on 'pine' then I would setup '~/.ssh/config' in following manner (includes SSH config for 'oak'):

 # 'rnet' gateway - happens to be cheaha head node
 Host rnet
     User blazerid
     hostname cheaha.uabgrid.uab.edu
     # LocalForward localhost:<local-port> <remote-system-IP-or-Hostname>:<remote-port>
     # Port forwarding for oak
     LocalForward localhost:10080 oak.subdomain.uab.edu:80
     # Port forwarding for pine
     LocalForward localhost:20080 pine.subdomain.uab.edu:80
     LocalForward localhost:20022 pine.subdomain.uab.edu:22
 
 # SSH config for pine
 Host pine 
     host localhost
     Port 20022
     User blazerid
     ForwardX11 yes


Note the port forwarding configuration for 'pine'. Here I have chosen a different local port number (20080) than for the 'oak' (10080). This is necessary because we can't forward same local port to multiple remote-systems. Also, in addition to the web server port (80) I have setup SSH tunnel for the SSH server (port 22) on pine. As mentioned in previous example, I could have used the same SSH terminal window to connect with 'pine', however typically I want to have multiple SSH terminal windows/tabs open at the same and hence I have added configuration line to save some keystrokes. The port forwarding 'SSH tunnels' local port (20022) to a remote system 'pine's' port 22. So to SSH to 'pine' I can simply SSH to local-port 20022. Now take a look at the SSH config for pine host. This configuration allows me to SSH to pine 'ssh pine' - the hostname, port number, username and X11 forwarding is setup in the '~/.ssh/config' to avoid typing it repeatedly.

Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox