How to configure ssh port forwarding in Linux

Yesterday, I saw two articles about ssh: remote logon, remote operations, and port forwarding. Although I have been using ssh, I only need to use it to remotely log on to Linux. After reading these two articles, I realized that there was such a fun place in ssh, and I was ignorant. So I found some ssh information on the Internet for a rough study. now

Yesterday, I saw two articles about ssh: remote logon, remote operations, and port forwarding. Although I have been using ssh, I only need to use it to remotely log on to Linux. After reading these two articles, I realized that there was such a fun place in ssh, and I was ignorant. So I found some ssh information on the Internet and made a rough Research. now I will write this article to summarize it. later I will see new things and continue to modify this blog post. This article only discusses common usage of ssh, rather than its implementation.

What is ssh

Ssh is short for SecureShell. it is a network protocol. Ssh is mainly used for remote logon, data transmission, and other network services. at the same time, these operations are built on secure channels. Ssh uses the public key system to ensure security. Note that ssh is only a network protocol, which has different implementations. openssh is the most widely used implementation. We use openssh for ssh on Linux.

Remote login

The most common function of ssh is to remotely log on to the computer for various operations, because the data transmitted over the network is encrypted during the entire process of ssh remote login to the computer, therefore, ssh logon is quite secure. Ssh remote logon can be performed in two ways: password logon and public key logon.

Password logon

The first method is more intuitive and the most common method. It is the same as our usual logon method, that is, enter the user name and password to log on.

The following shell command:

We will log on to the host with the IP address hostname and use the account user of the host to log on. Next, you will be prompted to enter the password of the user. after entering the correct password, you will be able to perform various operations.

However, this logon method has one disadvantage: it is vulnerable to man-in-the-middle attacks. Because this login method verifies the user's method is as follows: the login party needs to send the login request to the remote host. after receiving the login request, the remote host sends its own public key back, after entering the password, the user encrypts the password with the returned public key, and then transmits the encrypted password to the remote host. the remote host decrypts the password with its own private key for verification, if the password is correct, the user is valid and can log on. Here is a vulnerability where attackers can impersonate a remote host to intercept user login requests, and then send the forged public key to the user to defraud the user's password. In this case, the user cannot identify that the host logged on to this operation is the real host.

To avoid this, ssh will remind you when we log on to a host for the first time, as shown below:

The authenticity of host' 192. 168.13.233 (192.168.13.233) 'can' tbe established.
RSA key fingerprint isa9: 97: 4d: 56: 2f: 77: f9: b7: 1c: a9: d9: b9: a4: 21: 37: 67.
Are you sure you want to continue connecting (yes/no )?

It means that ssh cannot verify the remote host. the fingerprint of the public key of the host is a9: 97: 4d: 56: 2f: 77: f9: b7: 1c: a9: d9: b9: a4: 21: 37: 67. you need to verify whether the fingerprint of the public key of the host is true. for example, contact the host administrator. If the user confirms that there are no errors, the public key of the remote host will be saved in ~ In the/. ssh/known_hosts file, you can directly determine whether the remote host is valid after logon.

Public key login

Another logon method can be used to log on without the user entering the password, and is more secure than password logon. However, some additional steps are required before you log on to the remote host. You need to generate your own private key pair in advance, and put the public key generated by it on the remote host through some means. The steps for user authentication are as follows: when a user logs on to a remote host, the remote host obtains a local user public key to verify its validity, if it is valid, use the public key to encrypt a random string and then send the encrypted content back to the user. Then, use the corresponding private key for decryption, the decrypted content is MD5 together with the session id, and the MD5 value is sent to the remote host. after receiving the decrypted content, the remote host compares the MD5 values with the MD5 values, if they are consistent, the current user is valid.

This logon method is a little more complex. Run the following command to generate a key pair:

The passphrase password is Prompted. it is used to encrypt the private key. you can also press enter without entering the password. After successful, the rsa public key and private key pair will be generated, and the public key will be placed in ~ /. Ssh/id_rsa.pub file. put the private key in ~ /. Ssh/id_rsa file.

Then, you need to append the content in id_rsa.pub to the corresponding user on the remote host through some method (such as USB flash drive copy and network transmission ~ In the/. ssh/authorized_keys file, the preparation is complete. you only need to enter the following command when logging on:

If the private key is not encrypted, log on directly. Otherwise, you must enter the password for the private key.

Port Forwarding

Another major use of ssh is port forwarding, which I did not know before. Port forwarding means to forward data packets originally sent to a destination to other addresses and ports. In fact, this is a very common application, including the internet to access machines in the Lan to use port forwarding, but I did not notice that ssh can also do this. Port forwarding is divided into two types: local port forwarding and remote port forwarding. In fact, the two are similar, but the direction of ssh connection is different. For future convenience, we assume that there are three hosts A, B, C, and the hostnames are hosta, hostb, and hostc.

Local port forwarding

In local forwarding, a local port is forwarded to a port of another host, so that when our program connects to the local port, in fact, it is indirectly connected to a port of another host. when we send a packet to this port, the packet is automatically forwarded to that remote port. The ssh command format for local port forwarding is as follows:

Ssh-L [bind_address:] port: host: hostport hostname

Linux manual is explained as follows:

Specifies that the given port on the local (client) host is
Be forwarded to the given host and port on the remote side. This
Works by allocating a socket to listen to port on the local side,
Optionally bound to the specified bind_address. Whenever
Connection is made to this port, the connection is forwarded over
The secure channel, and a connection is made to host port hostport
From the remote machine. Port forwardings can also be specified in
The configuration file. IPv6 addresses can be specified with
Alternative syntax: [bind_address/] port/host/hostport or
Enclosing the address in square brackets. Only the superuser can
Forward privileged ports. By default, the local port is bound in
Accordance with the GatewayPorts setting. However, an explicit
Bind_address may be used to bind the connection to a specific
Address. The bind_address of "localhost" indicates that
Listening port be bound for local use only, while an empty address
Or '*' indicates that the port shoshould be available from all
Interfaces.

After running the preceding command, ssh listens to the port on the local host. if there is a connection pointing to the port, it will forward the host's hostport, hostname is the intermediate host used for forwarding. it can be the same as or different from the host.

In fact, after running this command, the ssh client of the local host will connect to the ssh server on the hostname host, use this link to connect to the host hostport forwarded by the local port. Therefore, the communication between the local host and the hostname host is secure, because the two are connected through ssh. However, the communication from the hostname to the host is not secure. In addition, the address bound to the local port is optional, that is, you can specify the port to receive the network interface from which the connection comes. if not specified, it is determined based on the configured GatewayPorts option: if this option is yes, programs on other hosts can connect to the local port. Otherwise, only the loopback interface can be used, that is, only programs on the host can connect to the port. If the binding address is specified, the GatewayPorts option is ignored.

For example, I want to set Port 1132 of hostForward through host BToPort 21 of host C (default ftp port). Run the following command on host A to use local port forwarding:

1A	Ssh-L 1132: hostC: 21Hostb

After this command, all the connections sent to Port 1132 on host A seem to have become connections with Port 21 on host C.

Similarly, I can directly connect to host C using ssh instead of intermediate host B for port forwarding, and run the following command on host:

1	Ssh-L 1132: hostC: 21 hostc

This command is the same as the previous one. it forwards the port to host C,DifferencesWhich host is connected by ssh. Why

Article 1In some cases, host A and host C cannot be connected, but host A and host B can be connected, and host B can be connected to host C, in this case, you can connect to host B through ssh and then use the forwarding port, so that you can use the ftp service of host C if you cannot connect to host C.

As shown in, in this case, an ssh tunnel is formed between host A and host B, encrypted during data transmission in this tunnel, therefore, you don't have to worry about blocking transmission content, such as firewalls. Therefore, a major use of local port forwarding is to establish an ssh tunnel to the Internet host in the Lan to access the external services blocked by the LAN gateway.

Remote port forwarding

Remote port forwarding is opposite to local port forwarding. Different from local forwarding, it specifiesA port of the remote hostTo forward the connection pointing to this port to the local end (not necessarily the local machine ). It can be seen that remote forwarding is essentially the same as local forwarding. The main difference is whether the port to be forwarded is on the remote host or the local host. The ssh command format for remote port forwarding is as follows:

Ssh-R [bind_address:] port: host: hostport hostname

Linux manual is explained as follows:

Specifies that the given port on the remote (server) host is
Be forwarded to the given host and port on the local side. This
Works by allocating a socket to listen to port on the remote side,
And whenever a connection is made to this port, the connection is
Forwarded over the secure channel, and a connection is made to host
Port hostport from the local machine.

Port forwardings can also be specified in the configuration
File. Privileged ports can be forwarded only when logging in
Root on the remote machine. IPv6 addresses can be specified
Enclosing the address in square braces or using an alternative
Syntax: [bind_address/] host/port/hostport.

By default, the listening socket on the server will be bound
The loopback interface only. This may be overriden by specifying
Bind_address. An empty bind_address, or the address '*', indicates
That the remote socket shoshould listen on all interfaces. Specifying
A remote bind_address will only succeed if the server's
GatewayPorts option is enabled (see sshd_config (5 )).

The port to be forwarded is on the remote host hostname, and the connection pointing to this port is forwarded to the hostport of the local host, in this case, ssh listens for incoming connections on the port of the remote host hostname. Similar to local forwarding, you can also specify the address bound to the remote forwarding Port. However, unlike local forwarding, it is valid only when the GatewayPorts option is set to yes in the remote host configuration, otherwise, even if the binding address is set, the port will only receive connections from the loopback interface.

For example, if I want to forward port 1132 of host B to port 22 (default ssh Port) on host A, run the following ssh command on host:

1A	Ssh-R 1132: 127.0.0.1: 22 hostb

After the command is executed, the ssh client of host A establishes A connection to the ssh server of host B, and all connections directed to Port 1132 on host B are forwarded to port 22 of host, as shown in. I can nowRun the following command on host B::

1B	Ssh-p 1132 root@127.0.0.1

This is equivalent to remotely logging on to host A, so remote port forwarding can be used to access services in the Lan from the Internet.

Ssh also has two options to use with the appeal port forwarding command.

-N option: indicates that no remote command is executed after the current ssh connection to the server.

-F option: indicates that the current ssh command is executed in the background.

SOCKS proxy

The port forwarding described above is performed between two specific ports. what if we want to use the same local port to access different external services? Ssh also provides a solution for this situation, that is, using ssh as the SOCKS proxy service. SOCKS is also a network protocol used for proxy services for data transmission between clients and servers. The command format for using the SOCKS service over ssh is as follows:

Ssh? D[Bind_address:] port hostname

Linux manual is explained as follows:

Specifies a local "dynamic" application-level port forwarding.
This works by allocating a socket to listen to port on the local
Side, optionally bound to the specified bind_address.
Whenever a connection is made to this port, the connection is
Forwarded over the secure channel, and the application protocol is
Then used to determine where to connect to from the remote
Machine. Currently the SOCKS4 and SOCKS5 protocols are
Supported, and ssh will act as a SOCKS server. Only root can
Forward privileged ports. Dynamic port forwardings can also be
Specified in the configuration file.

IPv6 ses sses can be specified with an alternative
Syntax: [bind_address/] port or by enclosing the address in square
Brackets. Only the superuser can forward privileged
Ports. By default, the local port is bound in accordance
The GatewayPorts setting. However, an explicit bind_address
May be used to bind the connection to a specific address.
Bind_address of "localhost" indicates that the listening port be
Bound for local use only, while an empty address or '*' indicates
That the port shoshould be available from all interfaces.

The above description shows that the command is equivalent to dynamic port forwarding, and the connection pointing to the local port is forwarded to the remote host port. the specific forwarding location is determined by the upper layer application layer protocol, currently, ssh supports two protocols: SOCKS4 and SOCKS5. After the command is executed, the local machine establishes an ssh connection with the hostname host to transfer SOCKS requests. in this way, all local programs enabled with SOCKS support can connect to the port, the connection will be forwarded to their respective destinations through the hostname host. Like local port forwarding, the local port used for forwarding can also be bound to an address. if not bound, the system determines whether to accept connections from other hosts based on the GatewayPorts option.

Because data transmission from the local server to the ssh server is encrypted, and due to special network conditions in China, this function is often used to break through the network blockout. For example, if we have a foreign ssh account, we can connect to a foreign host using this method, and then enable the SOCKS proxy of the browser to point it to the local forwarding port, because the content transmitted by the local host and the foreign host is encrypted by ssh, it can escape the network review to browse the blocked content. On Windows, MyEntunnel and other software use this principle to penetrate the wall.