Useful SSH Commands (Including Mac OSX)

SSH Port Forwarding Examples

SSH is a very flexible and very useful tool for those of us working across multiple systems, sometimes in multiple locations.  Here are a few SSH commands I regularly use, most of which involve SSH port forwarding.  I use all of them on Linux and Mac OSX and they all work quite happily!

You’ll need to run all these commands from Terminal on your Mac, or Terminal on Linux.  The exact same logic works fine with PuTTY on Windows, but you’ll have to dig around the various options to find all the sections.

The following command opens a port on my local machine and forwards it to a remote machine.  The useful part of this command is that, to the remote machine, my connections look like they are coming from the intermediate host.

ssh -L [local port]:[remote host]:[remote port] [user]@[intermediate host]

So for example if I want to connect to an RDP server at 1.2.3.4 via SSH and I want it to look like it’s coming from 5.6.7.8 (if there is IP filtering on a firewall for instance), I’d use the following command:

ssh -L 3389:1.2.3.4:3389 [user]@5.6.7.8

All I need to do is open up my RDP client and point it at localhost and I’ll connect through to 1.2.3.4.

If I want to do something similar but, say, use a proxy server on 1.2.3.4, I’d use a command like the following:

ssh -L 8080:1.2.3.4:8080 [email protected]
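
As an added example (not from the original post), the shell function below builds the -L command from the template above after checking its parts. The function names, the explicit 127.0.0.1 bind address, -N and ExitOnForwardFailure are choices made for this example.

```shell
# Added example, not from the original post. is_port and build_forward_cmd
# are hypothetical helper names.
# Usage: build_forward_cmd LOCAL_PORT REMOTE_HOST REMOTE_PORT USER@INTERMEDIATE_HOST

# Succeeds only for a decimal integer in the valid TCP port range.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

build_forward_cmd() {
    if [ "$#" -ne 4 ]; then
        echo "usage: build_forward_cmd LOCAL_PORT REMOTE_HOST REMOTE_PORT USER@HOST" >&2
        return 2
    fi
    lport=$1 rhost=$2 rport=$3 jump=$4

    if ! is_port "$lport" || ! is_port "$rport"; then
        echo "ports must be integers between 1 and 65535" >&2
        return 1
    fi

    # Only plain host names, IPv4 addresses and user@host are accepted, so a
    # pasted value cannot smuggle extra options or shell syntax into the command.
    case "$rhost$jump" in
        *[!A-Za-z0-9.@_-]*)
            echo "unexpected character in host name" >&2
            return 1 ;;
    esac

    # -N                       open the tunnel only, run no remote command
    # ExitOnForwardFailure=yes ssh exits if the local port cannot be bound,
    #                          instead of leaving a session with no tunnel
    # 127.0.0.1:               listen on loopback only, so other machines on
    #                          the local network cannot use the forwarded port
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$lport" "$rhost" "$rport" "$jump"
}
```

Calling build_forward_cmd 3389 1.2.3.4 3389 user@5.6.7.8 prints the RDP forward from the example above in this form; the printed line can then be run as is.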

Although this one isn’t specifically port forwarding, it still operates in a similar fashion. Sometimes we can’t access an SSH daemon from where we are and need to go through an intermediate host. In that case we use the following syntax:

ssh -t [user]@[remote machine we can access] ssh [user]@[remote machine we can’t access]

For example:

ssh -t [email protected] ssh [email protected]

SSH Certificate Based Logons

Sometimes it’s very good to be able to log on without needing a password, for instance if we want to run commands but don’t want an interactive logon on a remote machine, or if you have multiple users of the same machine.

Firstly you need to generate yourself a key. You can then use this same key on numerous different machines.

Be warned: if you have an SSH key already, this will overwrite it!  Check ~/.ssh in your home directory for any files that look something like id_rsa or id_dsa.  If you depend on an existing key, don’t run this command.  If you do have files in there, you can jump down to the section about ssh-copy-id.

Type in the following to create our public and private key pair:

ssh-keygen -t rsa

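You will be greeted by some prompts, and you can press enter to accept the defaults. Pressing enter at the two passphrase prompts creates the key with an empty passphrase, so the private key file is stored unencrypted: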

Enter file in which to save the key (/Users/gyp/.ssh/id_rsa): [enter]
Enter passphrase (empty for no passphrase): [enter]
Enter same passphrase again: [enter]
Your identification has been saved in /Users/gyp/.ssh/id_rsa.
Your public key has been saved in /Users/gyp/.ssh/id_rsa.pub.
The key fingerprint is:
0b:03:a6:9e:[redacted]:64:64:2e:93:d5:[redacted] gyp@[yourmachine].companya.local
The key's randomart image is:
+--[ RSA 2048]----+
|        . o.     |
|       . oo.     |
|    o + .  o     |
|   o B    E      |
|  [redacted]        |
| . . = o .       |
|  o.. . .        |
|  ..+o           |
|   [redacted]          |
+-----------------+

Now we are ready to copy the public key to our remote machine with ssh-copy-id. Run the following on Linux:

ssh-copy-id [user]@[remote machine]

For example:

ssh-copy-id [email protected]

If you’re on a Mac you may have to go through the following (since Mac OSX doesn’t have the ssh-copy-id command installed by default):

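scp ~/.ssh/id_rsa.pub [user]@[remote machine]:   # trailing colon: copy into the remote home directory
ssh [user]@[remote machine]
mkdir -p ~/.ssh && chmod 700 ~/.ssh              # on the remote machine: make sure ~/.ssh exists
cat id_rsa.pub >> ~/.ssh/authorized_keys         # append, so existing keys are kept
chmod 600 ~/.ssh/authorized_keys                 # sshd ignores the file if others can write to it
rm id_rsa.pub                                    # remove the uploaded copy
logout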

Now if you try ssh [user]@[remote machine] it shouldn’t ask you for a password.
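
As an added example (not from the original post), the shell function below does the remote-side step of the Mac procedure above so that it can be run repeatedly without duplicating the key. The name install_pubkey and its arguments are assumptions made for this example.

```shell
# Added example, not from the original post. install_pubkey is a hypothetical helper.
# Usage: install_pubkey PUBKEY_FILE [SSH_DIR]     (SSH_DIR defaults to ~/.ssh)
install_pubkey() {
    pubfile=$1
    sshdir=${2:-"$HOME/.ssh"}
    authfile=$sshdir/authorized_keys

    [ -r "$pubfile" ] || { echo "cannot read $pubfile" >&2; return 1; }

    # A .pub file holds exactly one non-empty line.
    [ "$(grep -c . "$pubfile")" = 1 ] || {
        echo "expected exactly one key in $pubfile" >&2; return 1; }
    key=$(grep . "$pubfile")

    # A public key line starts with its key type. This also stops the
    # private key (id_rsa without .pub) from being uploaded by mistake.
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pubfile is not an OpenSSH public key" >&2; return 1 ;;
    esac

    # With StrictModes (the sshd default) the key file is ignored when the
    # directory or file is writable by other users.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$authfile" && chmod 600 "$authfile" || return 1

    # -x whole line, -F fixed string: append only when the key is not there yet.
    if grep -qxF -- "$key" "$authfile"; then
        echo "key already present"
    else
        printf '%s\n' "$key" >> "$authfile"
        echo "key added"
    fi
}
```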

If you use this method a lot, don’t forget to back your keys up somewhere safe where you can get them but no one else can!


Written by gyp - June 20, 2013 - 3908 Views
Tags | internet, linux, security, ssh, ubuntu
