Difference between #1 and #3 of
Tunneling using SSH in a limited enviroment

Changes

Title unchanged

Tunneling using SSH in a limited enviroment

Category unchanged

Others

Yii version unchanged

Tags unchanged

tunnel, ssh, openssh, tunneling, ssh tunnel

Content changed

This tutorial describes how to connect to a remote service via a tunnel made with SSH when only the most basic software is available on the remote server. It is not directly related to Yii. It could, however, be useful for web developers working with shared hosting sites with limited access. This is a medium/advanced tutorial targeted at Linux users.

## Use case

Let's assume there is a remote server, on which a service is running, such as a database. You cannot directly connect to that service because it does not listen on a public IP or is behind a firewall. The only way of accessing the server is a SSH remote shell. There is no VPN and no other helpful software can be run in the shell.
[...]
* sometimes the AllowTcpForwarding option is turned off on the server, which disables the __-L__ and __-D__ switches.

## The solution

SSH is binary safe, that is, it can transmit any binary data. So SSH has to be told to run a command on the remote server that connects to a TCP service, forwards all SSH traffic to it and sends the responses back.
[...]
Now if you type anything into the terminal you'll send it straight to MySQL as binary data and will see binary data in response. You need to use a client program that somehow attaches to that SSH session.

## Run once

This is tricky, so if the command below scares you, jump straight to the next paragraph.
[...]
## Run on demand

To avoid setting up the tunnel manually each time, it can be run by a "super server". That is a service that listens on a specified port for incoming connections, runs a command and relays the traffic between them. Examples of such servers are inetd, xinetd and systemd. Select one of them that is available on your platform.

### Key instead of a password

When the SSH connection is set up automatically, you can't enter a password, so a key must be used to authenticate. Another important advantage of using a key is the ability to set up multiple tunnels to different services on the same remote server while disabling the normal SSH shell. This is done by using a different key for each service.
[...]
To use different keys on the client side, use the __-i__ switch with a path to the __private__ key file.

### inetd

It should be available on most older Linux distributions.
[...]
Now restart inetd. On Ubuntu, it's called _openbsd-inetd_.

### xinetd

This is a more modern replacement for inetd.
[...]
Replace all uppercase placeholders with values that suit you. LOCAL_PORT can be any unused port from 1024 to 65535. If it's not working, select another one.

### systemd

This is available in the newest Linux distributions, such as Fedora or Arch Linux.
[...]
~~~

## Other tips

### bash instead of nc

Sometimes even netcat is not available on the remote server. However, if bash is available, it can be used instead, because it can open TCP sockets as special files that can be read from and written to.
[...]
~~~
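As an added example (not code from the original article), the two ideas from the "Key instead of a password" and "bash instead of nc" sections combined: a bash stand-in for `nc` built on `/dev/tcp`, and an `authorized_keys` entry that pins one key to exactly that relay command, so the key grants the tunnel and no shell. The service 127.0.0.1:3306, the key file name and the public key are constructed placeholders; `command=` and the `no-*` options are the standard sshd(8) authorized_keys options.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Constructed values:
# service 127.0.0.1:3306, key file ~/.ssh/tunnel-mysql, placeholder public key.
set -u

# Replacement for `nc HOST PORT` when only bash is on the remote server:
# bash exposes TCP sockets as /dev/tcp/HOST/PORT pseudo-files (bash only, not sh).
bash_nc() {
    local host=$1 port=$2
    exec 3<>"/dev/tcp/${host}/${port}" || return 1
    cat <&3 &               # socket -> stdout, in the background
    cat >&3                 # stdin -> socket, until the SSH client closes stdin
    kill "$!" 2>/dev/null   # then stop the reader (data still in flight is lost)
    exec 3>&-
}

# The single remote command a tunnel key is allowed to run: the same relay
# as bash_nc, inlined so it needs no script file on the server.
forced_command() {
    local host=$1 port=$2
    printf 'bash -c '\''exec 3<>/dev/tcp/%s/%s; cat <&3 & cat >&3; kill $!'\''' \
        "$host" "$port"
}

# One authorized_keys line that pins a public key to HOST:PORT.
# command= overrides whatever the client asks to run (so the key gives no
# shell); the no-* options are the standard sshd(8) authorized_keys options
# that switch off pty allocation and every other kind of forwarding.
authorized_keys_line() {
    local host=$1 port=$2 pubkey=$3
    printf 'command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$(forced_command "$host" "$port")" "$pubkey"
}

# Matching client-side command. No remote command is given because the key
# selects the service; -T skips the pty, BatchMode fails fast instead of
# prompting, which matters when inetd/xinetd/systemd starts it unattended.
client_command() {
    local keyfile=$1 userhost=$2
    printf 'ssh -T -o BatchMode=yes -i %s %s\n' "$keyfile" "$userhost"
}

# Constructed sample output: one line for the server, one for the client.
authorized_keys_line 127.0.0.1 3306 \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY tunnel-mysql"
client_command ~/.ssh/tunnel-mysql user@example.com
```

The relay stops when the client side closes stdin, so a client that writes a request and closes immediately may lose the tail of the response; keep the session open until the response has arrived.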

### Running SSH as a user instead of root

Sometimes you want to run SSH that creates the tunnel from your user account so it uses your configuration and keys. Replace all ssh calls with:
[...]
~~~

### Minimizing SSH overhead

When establishing a connection, SSH adds a considerable amount of overhead. This can be avoided by using master connections: when subsequent connections to the same host are made, they reuse the first connection. Read more about the __-M__ switch in the ssh(1) manual or the __ControlMaster__ option in the ssh_config(5) manual.
[...]
Also, enabling compression in SSH usually helps.

## Summary

After practicing, when in need, just follow these steps:
[...]
* connect

## Troubleshooting

If something is not working, first try running the SSH command manually to see if it connects. Remember that when you connect to a server for the first time, SSH asks you to verify the server's host key. Then check all the elements one by one.
Viewed: 18 796 times
Version: all
Category: Others
Written by: nineinchnick
Last updated by: CeBe
Created on: Nov 21, 2013
Last updated: 10 years ago