remote login to ubuntu server via SSH - ssh

I have 3 Ubuntu machines. First one (A) is my local machine, second one (B) is a gateway to the third (C) Ubuntu server. I can SSH from my local machine, A, to B and then SSH from B to C. I can't SSH from A to C directly.
What I need is to remotely log (graphical) into C from B? and if possible from A? I'm no network guy and the tunneling concept and port 3389 is confusing me.
Appreciate your help.

Confusing or not, you need tunneling. The easiest:
ssh -L 7722:address.of.C:22 address.of.B
will log you into B. At the same time, it will set up a tunnel between the current machine's port 7722 (can be any unused port over 1024, I arbitrarily selected 7722) and C's port 22 (the ssh port). Then, in another terminal,
ssh -X -p 7722 localhost
will open a SSH connection to your local port 7722, which is being tunneled to C's 22. It is functionally equivalent to ssh address.of.C while the above tunnel exists.
When you are done, just exit the second connection to leave C, then exit the first connection to deconstruct the tunnel.
If you don't have two terminals to work with, it is a bit more complex since you need a way to refer to the tunnel in order to be able to close it later.
ssh -fNM -S /tmp/tunnel.B.to.C.control -L 7722:address.of.C:22 address.of.B
ssh -X -p 7722 localhost
ssh -O exit -S /tmp/tunnel.B.to.C.control address.of.B
Here, /tmp/tunnel.B.to.C.control is an arbitrary name of file in a location where you can create a file. The first command sets up a tunnel and exits (instead of logging in), but stays in memory and records its activities in the named file. The last command then releases the tunnel, the memory and the file.
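A hardened variant of the single-terminal tunnel above, added here as an example and not part of the original answer: the control socket lives in a private directory instead of /tmp, the forward binds to loopback only, and ssh exits with an error if the forward cannot be set up. The function names, the ~/.ssh/ctl directory and the GATEWAY, TARGET, LPORT and TUNNEL_DIR variables are assumptions.

```shell
#!/bin/sh
# Added example; all names below are assumptions, not from the original post.
GATEWAY=${GATEWAY:-address.of.B}   # host B (the gateway)
TARGET=${TARGET:-address.of.C}     # host C (reachable only from B)
LPORT=${LPORT:-7722}               # unprivileged local port

# Print the control socket path, creating a 0700 directory for it first.
# A socket under a private directory cannot be reached by other local
# users, unlike a predictable name in world-writable /tmp.
ctl_path() {
    dir="${TUNNEL_DIR:-$HOME/.ssh/ctl}"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    printf '%s/%s-to-%s.sock\n' "$dir" "$GATEWAY" "$TARGET"
}

# Start the backgrounded master connection that carries the tunnel.
tunnel_up() {
    sock=$(ctl_path) || return 1
    # 127.0.0.1: the forwarded port listens on loopback only.
    # ExitOnForwardFailure: do not leave a master running if the
    # local port could not be bound.
    ssh -fNM -S "$sock" -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:$LPORT:$TARGET:22" "$GATEWAY"
}

# Ask the master whether it is still alive, or tell it to exit.
tunnel_status() { ssh -O check -S "$(ctl_path)" "$GATEWAY"; }
tunnel_down()   { ssh -O exit  -S "$(ctl_path)" "$GATEWAY"; }

# Typical session:
#   tunnel_up && ssh -X -p "$LPORT" localhost; tunnel_down
```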

Related

Building an SSH tunnel

I have three hosts: A, B, C. B can connect to C through ssh, via port 221. A cannot connect to C because it's behind a router, but can connect to B through ssh. What I need, is to connect from A to C.
The situation is summarized below:
A -- p22 ---> B OK
B -- p221---> C OK
A -- p???---> C not working
I have tried many variations of ssh tunneling but looks like I don't get how tunneling works. Also, I have no root privileges on any of the hosts, therefore I cannot do port forwarding on port 22. I am therefore not sure this tunneling can be done at all. If it can, however, I would appreciate the exact commands to run on each host so that I can finally ssh from A to C.
While you could set up an explicit tunnel in this situation, it's much more convenient to use the -J option
ssh -J B -p 221 C
or the ProxyJump option explicitly
ssh -o ProxyJump=B -p 221 C
ssh will first connect to B for you (prompting for a password if necessary), then connect to C from B. From your point of view, you will have connected directly to C.
The idea of ssh -L local_port:another_host:destination_port user@host is to say a/ start listening locally on local_port b/ connect to remote host (as usual), and once you're there, connect to that another_host and c/ forward everything you will receive locally to that another host's destination_port
so, I would try the following (from host A)
ssh -C -N -L 2222:C:221 user@B
then from another terminal
ssh -p 2222 user@localhost
I did not test the above. Happy to dig deeper if required.
Here is the human readable explanation (hopefully) :
starting from host A
ssh, connect as user on host B (no port specified as 22 is the default)
-C compress all content in transit in the tunnel
-N says to not open a tty (interactive) session on host B
-L says "once you're on B, start listening on this host (A) on port 2222 (as you are not root) and forward everything to C, port 221"
If you're using password authentication, it should work. Certificate authentication would require a bit of additional configuration on B to correctly forward your certificate to C (which exact syntax I don't remember right now)

Tunnelling VNC through two ssh hops

I've long sought a solution to tunnel to a machine behind a firewall, passing VNC (or other ports) through. Like explained in this old usenet post, which I'll recap here:
I have to log through an intermediate machine, something like:
local $ ssh interim
interim $ ssh remote
remote $ ...any commands...
This works fine. But now I am trying to tunnel a vnc session from remote to local and I can't find the magic incantation, using either one or two steps.
I recently found a wonderfully simple and adaptable solution: simply tunnel the ssh to the target system through the connection to the firewall. Like such:
local $ ssh -L 2222:remote:22 interim
interim $ ...no need to do anything here...
In another local console you connect to localhost on port 2222, which is actually your remote destination:
local $ ssh -C -p 2222 -L 5900:localhost:5900 localhost
remote $ ...possibly start your VNC server here...
In yet another local console:
local $ xtightvncviewer :0
It's that simple. You can add any port forwarding you want to the 2nd command (-L localport:localhost:remoteport) just like if there wasn't any intermediate firewall. For instance for RDP: -L 3389:localhost:3389

Plink never completes a private key ssh connection, doesn't timeout, key isn't refused. Putty works fine

My ultimate goal is to use MyEnTunnel to set up a tunnel between a Windows server at location A, and a BSD machine at location B so that I can access a database server running at location B locally at A. (localhost:3054 ======> bsdmachine:3050) MyEnTunnel is essentially a Windows Service wrapper for plink.
We use a private key for ssh access at location B. PuttyGen was used to convert the private key into a .ppk file to be compatible with putty, plink, etc. Putty connects to the BSD machine using the .ppk with no problems whatsoever.
I copied the command line string MyEnTunnel is using to establish the connection, pasted it into a directory with the latest version of putty, plink, etc. (in case MyEnTunnel's plink.exe is outdated), and it still failed.
plink.exe 192.168.0.233 -N -ssh -2 -P 916 -l "root" -C -i "keyfile.ppk" -L 3054:192.168.0.208:3050
The BSD machine has several jails running; 1.233 is the host, and accepts SSH connections. 1.208 is a jail with a server listening to 3050, and will not accept ssh connections.
I use tunnels so rarely, I always forget the proper order of things, and when I'm supposed to use -R and -L, so I tried the 16 possibilities. ;-) I then started plink with the bare options:
plink.exe 192.168.0.233 -N -ssh -2 -P 916 -l "root" -i "keyfile.ppk"
Putty, with these settings, connects without a hitch. Plink reports:
Using username "root".
And proceeds to do nothing forever.
What am I doing wrong, and what would establish the tunnel with the local listening port 3054, and the target port 3050 at 192.168.0.208?
You used the -N flag, this makes it run on the background. If you add the -v flag you can see all the activity of the forward/tunnel.

Connecting MySQL to server through another server by SSH

Setup:
My computer (linux / unix) has an arbitrary IP address
I can connect to a central linux server which has a static ip
Remote linux systems are set up so they only respond to central server IP address on port 22
I want to port forward through the central server so I can use MySQLWorkbench and make python scripting connections on port 3306 to the remote systems.
Ideally, I would like the syntax for ssh command to make the port forwarding work;
Suppose I want to forward local port 3307 to 3306 on the remote system. Assume my ip is x.x.x.x, the central server IP is y.y.y.y, and the remote system IP is z.z.z.z;
I think it has something to do with ssh -L but I can only forward to the central server so far. Maybe I need to connect to the central server, set up forwarding there, then set up forwarding on my machine? I think functionality exists to do it with a single command using ssh.
If this is a duplicate, it should not be marked as such because without knowing what magic keyword to search for, you can't find the duplicate;
Clarification: port 3306 is NOT open on the remote server. Only 22
ssh -L :3307:z.z.z.z:3306 user@y.y.y.y -Nf
Works fine
or
ssh -L 3307:z.z.z.z:3306 user@y.y.y.y -Nf
To only bind to x.x.x.x's localhost
The first example binds to all interfaces
edit...
Just seen that z.z.z.z only has port 22 open.
on y.y.y.y you will also need to have a local port open
run on y.y.y.y
ssh -L 3307:localhost:3306 user@z.z.z.z -Nf
then on x.x.x.x
ssh -L 3307:localhost:3307 user@y.y.y.y -Nf
run these commands in a screen for best results
You can actually condense these 2 commands together
ssh -L 3307:localhost:3307 user@y.y.y.y -f 'ssh -L 3307:localhost:3306 user@z.z.z.z -Nf'
ssh -L <local-port-to-listen>:<remote-host>:<remote-port>
The ‘L’ switch indicates that a local port forward needs to be created
Best method is to create the tunnel using putty (ssh client). so you can start the shell, and it will create the ssh tunnel for you. this is a good reference
https://howto.ccs.neu.edu/howto/windows/ssh-port-tunneling-with-putty/
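The difference between the two bind forms discussed above (":3307:..." on all interfaces, "3307:..." on localhost only) can be checked on the client once the tunnel is up. This added example, not taken from the answers, filters `ss -ltnp` output for ssh client listeners bound to anything other than loopback; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `ss -ltnp` output on stdin and prints the
# address:port of every listener owned by the ssh *client* that is
# reachable from outside the machine (not bound to 127.x or [::1]).
exposed_forwards() {
    awk '
        $1 == "LISTEN" && $0 ~ /\(\("ssh",/ {
            la = $4                          # Local Address:Port column
            port = la; sub(/.*:/, "", port)  # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (addr !~ /^127\./ && addr != "[::1]")
                print addr ":" port
        }'
}

# Constructed sample: one loopback-only forward on 3307 (pid 4121), one
# forward started with an empty bind address (pid 4130, IPv4 and IPv6),
# plus unrelated mysqld and sshd listeners that must be ignored.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128        127.0.0.1:3307      0.0.0.0:*    users:(("ssh",pid=4121,fd=5))
LISTEN 0      128          0.0.0.0:3307      0.0.0.0:*    users:(("ssh",pid=4130,fd=4))
LISTEN 0      128             [::]:3307         [::]:*    users:(("ssh",pid=4130,fd=5))
LISTEN 0      128            [::1]:7722         [::]:*    users:(("ssh",pid=4200,fd=6))
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*    users:(("mysqld",pid=900,fd=22))
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=700,fd=3))
EOF
}

# On a live client:  ss -ltnp | exposed_forwards
```

Any line it prints is a forwarded port that other hosts on the network can connect to, which for a database forward means the tunnel's access control no longer stops at the local machine.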

ssh tunnel to a computer and create another tunnel to a third server

I need to do some work on a server to which I don't have direct access. I do have access to my company network (via vpn). If I were on that network, I could access the server directly. But, for some reason when I'm on the vpn, I can't access the server directly.
So, I need to ssh into an intermediary ubuntu box, and then create an ssh tunnel from that box to the server.
Then, I can do my work on my laptop and send it through a local tunnel that points to a foreign tunnel (on my ubuntu box) that goes to the server.
But I don't know how to do a tunnel that creates another tunnel to a third server.
Any ideas?
Thanks,
Scott
What are you trying to achieve? If you just want to get to a shell on the server then ssh into the Ubuntu box and then ssh from there to the server.
If you want to access some other network resource on the server then you want to forward a port from the server (where you can't get to it) to the Ubuntu box (where you can). Take a look at the -L option in ssh.
Edit:
Copying files to the server:
tar c path/* | ssh ubuntuName 'ssh serverName "tar x"'
Copying stuff back:
ssh ubuntuName 'ssh serverName "tar c path/*"' | tar x
Obviously you need to change ubuntuName, serverName and path/* to what you want. To use rsync you need the -E option and the same trick of wrapping one ssh command inside another. After reading your comment I'd say that the most general answer to your question is that the trick is making ssh execute a command on the target machine. You do this by specifying the command as an argument after the machine name. If you use ssh as the target command for ssh to execute then you get the two-hop behaviour that you are looking for. Then it is just a matter of playing with quotes until everything is escaped correctly.
It's just a double port forward. Forward the ports from the PC to the ubuntu box, then on the ubuntu box forward those destination ports to the final endpoint. It's been a while since I've done command line ssh (been trapped in windows hell :)), so I can't give the command line you need. Another possibility is to use the SOCKS proxy ability built into SSH.
To connect from your local machine over a second machine to a specific port on the third machine you can use the ssh -N -L option:
ssh -N second_machine -L 8080:third_machine:8082
This maps the Port 8082 on the third machine to port 8080 on the local machine (eg. http://localhost:8080/ ).