Making a Tunnel with Secure Shell

When a user is outside IMSc, one way to access IMSc machines is to use Secure Shell (ssh) to log in to access.imsc.res.in with key-based login. If you do not yet have a key pair, you need to generate one as described elsewhere.

After logging in to access, one can further log in to the IMSc LAN machines using ssh. You can also make IMAP connections to banyan.

This multi-stage process is sometimes cumbersome. So we describe an alternate approach.

First example: Using IMAP directly

ssh -f -L 9143:banyan:143 access.imsc.res.in sleep 300

(Here 9143 is an arbitrary choice of number greater than 1024.) If you run the above command from any machine (say A) on the internet, then you can connect to port 9143 on machine A to use the IMAP service on banyan directly, through access. For example, on machine A you can type

mutt -f imap://luser@localhost:9143/mailbox

This will access the folder mailbox of the user luser via IMAP. (You will be prompted by mutt for the password of luser.)

Note: The above tunnel will time out in 5 minutes (= 300 seconds). You may wish to increase the time if you need more time. However, for security reasons please ensure that the tunnel is closed (by killing the relevant process) as soon as you have finished using it. We monitor long-running connections and will disable :( accounts which misuse this facility.

Second Example: Using SSH directly

ssh -f -N -L 2222:as96:22 access.imsc.res.in && TUNPID=$(pgrep -n -u "$USER" -f 'ssh -f -N -L 2222:as96:22')

(Here '2222' is an arbitrary choice of number greater than 1024. You can replace 'as96' with any IMSc host.) If you run the above command on machine A then you can use an ssh connection to port 2222 on A to actually connect to as96. For example,

ssh -o HostKeyAlias=as96 -p 2222 localhost

will open a connection to 'as96'. The 'HostKeyAlias' is so that 'ssh' is able to check in its database for the 'HostKey' for the host 'as96'. You can also add other ssh options to the command. For example

ssh -X -o HostKeyAlias=as96 -p 2222 localhost

can be used to forward X11 connections. This way you can run xterm or xpdf on the IMSc machine as96 and have the output show up on Machine A.

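Note: Do not forget to kill the tunnel when you are done, using kill $TUNPID or killall ssh. (Be aware that killall ssh ends every ssh process you are running on machine A, not only the tunnel.)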

Third example: Combining the above two

ssh -L 1234:banyan:143 -L 3456:as96:22 -L 4567:as84:22 access.imsc.res.in

You can put any number of -L options in the command line. This will allow you to use the same tunnel to connect to multiple hosts. In fact the above command will log you in to access as well; this will mean that you will have to use the tunnels from some other window on your screen.

You can even add tunnels while you are logged in. Use the ~C escape sequence when you are in an ssh connection. This opens the command line for editing, so you can add some more -L port forwardings through the same ssh tunnel.
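
The notes above ask that every tunnel be closed as soon as you are done with it. As an added example (not part of the original wiki page), this shell wrapper opens any number of -L forwards, runs one command, and then closes exactly that tunnel through an ssh control socket. The function names, the SSH and GATEWAY variables and the temporary socket location are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the wiki page): run one command through a tunnel
# and always close the tunnel afterwards. All names here are illustrative.
SSH=${SSH:-ssh}                        # can be overridden for a dry run
GATEWAY=${GATEWAY:-access.imsc.res.in}

# valid_forward LPORT:HOST:RPORT
# Succeeds only for a well-formed forward with a local port above 1024.
# The character whitelist also keeps whitespace out, so a forward cannot
# inject extra options into the ssh command line built below.
valid_forward() {
    case $1 in ""|*[!A-Za-z0-9.:-]*) return 1 ;; esac
    lport=${1%%:*}; rest=${1#*:}
    host=${rest%%:*}; rport=${rest#*:}
    [ "$rest" != "$1" ] && [ "$rport" != "$rest" ] && [ -n "$host" ] || return 1
    for p in "$lport" "$rport"; do
        case $p in ""|*[!0-9]*|??????*) return 1 ;; esac
    done
    [ "$lport" -gt 1024 ] && [ "$lport" -le 65535 ] &&
        [ "$rport" -ge 1 ] && [ "$rport" -le 65535 ]
}

# with_tunnel FORWARD... -- COMMAND [ARGS...]
# The body is a subshell, so traps and variables do not leak to the caller.
with_tunnel() (
    fwds=
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        valid_forward "$1" || { echo "bad forward: $1" >&2; exit 2; }
        fwds="$fwds -L $1"
        shift
    done
    [ -n "$fwds" ] && [ $# -ge 2 ] ||
        { echo "usage: with_tunnel FWD... -- CMD [ARGS]" >&2; exit 2; }
    shift
    dir=$(mktemp -d) || exit 1         # private directory for the socket
    sock=$dir/ctl
    # -M -S: control socket that identifies exactly this tunnel.
    # ExitOnForwardFailure: do not start if a local port cannot be bound.
    $SSH -f -N -M -S "$sock" -o ExitOnForwardFailure=yes $fwds "$GATEWAY" ||
        { rm -rf "$dir"; exit 1; }
    trap '$SSH -S "$sock" -O exit "$GATEWAY" 2>/dev/null; rm -rf "$dir"' EXIT
    trap 'exit 130' INT TERM
    "$@"                               # its exit status is returned
)
```

For instance, with_tunnel 2222:as96:22 -- ssh -o HostKeyAlias=as96 -p 2222 localhost logs in to as96 and tears the tunnel down when that session ends, without touching any other ssh process.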

Advanced Example

Ultimately, even the above may not be enough for you. What you want is to set up your machine to connect to the IMSc LAN as if you are in IMSc. One way is to use openvpn as described elsewhere. Another way is to use ssh with the SOCKS protocol.

For this you need to be able to configure 'SOCKS' for your network applications on machine A. There are too many different ways to do this so we cannot specify them here. Add a comment at the bottom of this page if you have questions.

The SOCKS tunnel is started with the command:

ssh -f -N -D 1111 access.imsc.res.in

(Here '1111' is any number larger than 1024.) This will set up a SOCKS service with address 127.0.0.1:1111. If you configure your application to use this SOCKS service, then any network connection it opens will be opened as if the same connection was opened by you from access.

A number of applications like Mozilla, Firefox, and Thunderbird can be configured to use SOCKS tunnels.

Comments

Please add your comments and questions regarding SecureShellTunnel.

  • You can find a setup using socks described here. --- kapil

  • There is a Linux ppp+ssh HOWTO which explains how one can use an SSH tunnel to transmit PPP traffic. The original document is at The Linux Documentation Project (http://www.tldp.org). Note that there are disadvantages to this approach, which is why we also have OpenVPN tunnels.


CategoryComputerTip

IMScWiki: SecureShellTunnel (last edited 2010-04-01 21:34:55 by localhost)