[kwlug-disc] KWLUG - The Kitchener Waterloo Linux User Group new content notification: 2009-12-17 22:08

webhost at kwlug.org webhost at kwlug.org
Thu Dec 17 22:08:00 EST 2009

Greetings mail-forum-merge,

Recent content - 1 new post

1. SSH
Published Blog entry by Raul Suarez
[ http://kwlug.org/node/707 ]

The second command in the series is the one I find more useful and
versatile so it also will be the longest post.

Different implementations of SSH will have slightly different features.
In this case I will focus on OpenSSH.
To install on the server (Debian/Ubuntu):
sudo aptitude install openssh-server
To install on the server (Redhat/Fedora):
sudo yum install openssh-server
To start/stop/restart under Debian/Ubuntu
sudo /etc/init.d/ssh start
sudo /etc/init.d/ssh stop
sudo /etc/init.d/ssh restart
To start/stop under RedHat/Fedora
service sshd start
service sshd stop
service sshd restart
confirming that the port is open
To check that the port is open by name
netstat -l | grep -i ssh
Or faster and more specific, to check by port number
netstat -ln | grep 22
Note: if you configure SSH to listen to a different port as explained
later in this post, replace 22 with the port configured.
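The grep check above is quick, but `grep 22` matches any line containing the digits 22 (port 2222, an inode number, a foreign address), and it says nothing about whether the daemon is bound to an address other computers can reach. The following is an added example, not code from the post: it parses `netstat -ln` output (the sample below is constructed, in Linux netstat format) and answers both questions for an exact port number.

```python
"""Check whether a TCP port is really listening, instead of trusting
`netstat -ln | grep 22`, which also matches 2222 or a "22" anywhere in
the line.  Added example, not from the blog post; SAMPLE_NETSTAT is a
constructed sample of Linux `netstat -ln` output."""

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     12345    /run/cups/cups.sock
"""

LOOPBACK = {"127.0.0.1", "::1"}


def naive_grep(output, needle):
    """What `netstat -ln | grep 22` does: every line containing the text."""
    return [line for line in output.splitlines() if needle in line]


def listening_tcp(output):
    """Parse netstat -ln output into {port: set(bind addresses)} for TCP
    sockets in LISTEN state.  UDP and UNIX-domain sockets are ignored."""
    listening = {}
    for line in output.splitlines():
        fields = line.split()
        # tcp/tcp6 rows have 6 columns; the header and UDP rows do not match
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "LISTEN":
            continue
        # rpartition keeps IPv6 "::" intact: ":::22" -> ("::", ":", "22")
        addr, _, port = fields[3].rpartition(":")
        listening.setdefault(int(port), set()).add(addr)
    return listening


def is_listening(output, port):
    """True only for an exact TCP port in LISTEN state."""
    return port in listening_tcp(output)


def reachable_from_other_hosts(output, port):
    """True when the port is bound to a non-loopback address.  A daemon
    bound only to 127.0.0.1 or ::1 cannot be reached from other computers
    even when no firewall is in the way."""
    return any(addr not in LOOPBACK
               for addr in listening_tcp(output).get(port, ()))


if __name__ == "__main__":
    print("grep 22 matches", len(naive_grep(SAMPLE_NETSTAT, "22")), "lines")
    for p in (22, 2222, 631, 21):
        print(p, "listening:", is_listening(SAMPLE_NETSTAT, p),
              "reachable remotely:", reachable_from_other_hosts(SAMPLE_NETSTAT, p))
```

On the sample, the grep approach reports two hits for "22" although only one of them is sshd's port; the parser distinguishes port 22 (bound to all addresses) from 2222, and reports port 631 as listening but loopback-only.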
Once the server is running you can connect from other computers as long
as the port is not blocked by a firewall.
Command examples
SSH has many parameters. They are described on the man pages
man ssh
Here are some basic (and very common) examples:
The basic command to connect to a server (host) assumes that ssh is
listening to port 22 and that you want to connect with the same userID
as you are using on the local computer. Host name is the only mandatory
ssh mycomputer.com
Connecting using a userID "rarsa" on the remote computer
ssh rarsa@mycomputer.com
ssh mycomputer.com -l rarsa
When the server is listening to a different port
ssh -p 50022 rarsa@mycomputer.com
X forwarding
OK, accessing the remote computer and executing commands is handy and
exciting and maybe all you need to do, but what if you want to run a
graphical application on the remote computer? 
ssh has the -X parameter that allows the GUI of the remote program to
display on your local computer
First ssh to the remote computer
ssh rarsa@mycomputer.com -X
Then on that console, execute the program. e.g. to run Firefox:
The program will be actually running on the remote computer but the
Graphical interface will show in the local computer!
Note: When using X forwarding this way, we refer to the program running
on the remote computer as "the client" and to the local computer
displaying the GUI as "the server".
Port forwarding/tunneling
One of the most powerful features of SSH is the ability to "forward
ports" sometimes referred as "tunneling"
Port forwarding allows forwarding of TCP/IP connections to a remote
machine over an encrypted channel.
That is, imagine that you need to FTP (port 21) to a remote computer
which is behind a firewall that only allows SSH connections.
ssh rarsa@remotecomputer.com -L50021:localhost:21
This command will "tunnel" the FTP traffic from port 50021 on the local
computer to port 21 on the remote computer 
Now you can ftp to the remote computer with the following command
ftp localhost 50021
Note, you can specify any available port you want on the local
computer, but you must specify the correct port listening on the remote
Reverse tunneling
If you want the remote computer to access a port on yours but you are
behind a firewall that closes all incoming ports, you do "reverse
You first connect to the remote computer specifying that a port on
the remote computer will be forwarded to a port on your computer. For
example, for FTP:
ssh rarsa@remotecomputer.com -R50021:localhost:21
Now the remote computer can FTP to your computer using port 50021. 
Note: you can specify any available port you want on the remote
computer, but you must specify the correct port listening on the local
Combining it all
You can tunnel (and reverse tunnel) various ports on the same ssh
You can even indicate that the remote computer should forward to a
different server!
For example, to allow your computer to FTP to the remote computer and
at the same time allow the remote computer to SSH to your computer and
at the same time forwarding port 80 to the web server in the same
ssh rarsa@remotecomputer.com -L50021:localhost:21 -R50022:localhost:22
I personally use reverse tunneling to SSH to my father's computer which
is behind a firewall. He just needs to execute the ssh command to
connect to my computer opening a reverse tunnel for port 22, I can then
SSH back to his computer using the reverse tunnel.
On my father's side (assuming he has a "dad" id on my computer):
ssh dad@mycomputer.com -R50022:localhost:22
On my computer (assuming I have a "rarsa" id on his computer):
ssh rarsa@localhost
The ssh client takes its parameters, in order of precedence, from:
1. Command line parameters
2. User configuration file ~/.ssh/config
3. System-wide configuration file /etc/ssh/ssh_config
The sshd server daemon takes its parameters, in order of precedence, from:
1. Command line parameters
2. System-wide configuration file /etc/ssh/sshd_config
Server configuration file
Note: you must restart the SSH daemon after modifying the configuration
For example, to prevent portscans use a different port by editing
sshd_config and specifying the port.
Port 50022
You can look at all the options on the man pages
man sshd_config
Client configuration file
As we've seen before, the SSH command can get quite long. If you
normally use the same parameters in general, or particular parameters
for a remote server, you can configure all that in your local SSH
configuration file.
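The precedence rules listed above and the client configuration file just described, as an added example (not the blog post's code): a small resolver that applies the ssh_config rule "the first value obtained for a keyword wins" across the command line, ~/.ssh/config and /etc/ssh/ssh_config, then renders the result as the explicit ssh command line the post would otherwise type. The two configuration texts are constructed samples that turn the post's own tunnel commands into `Host` aliases; `Host` matching uses `*`/`?` wildcards (via fnmatch) and `!` negation, and LocalForward/RemoteForward accumulate rather than override, as they do in ssh_config.

```python
"""Resolve effective OpenSSH client options the way ssh(1) does: the first
value obtained for a keyword wins, and values are obtained in the order
command line, ~/.ssh/config, /etc/ssh/ssh_config.  Added example, not the
blog post's code; USER_CONFIG and SYSTEM_CONFIG are constructed samples."""
import fnmatch

# Constructed ~/.ssh/config.  The host names are the placeholders used in
# the blog post, not real machines.
USER_CONFIG = """
# "ssh dadbox" replaces: ssh dad@mycomputer.com -R50022:localhost:22
Host dadbox
    HostName mycomputer.com
    User dad
    RemoteForward 50022 localhost:22

# replaces: ssh -p 50022 rarsa@remotecomputer.com -L50021:localhost:21
Host remotecomputer.com
    User rarsa
    Port 50022
    LocalForward 50021 localhost:21

Host *
    User rarsa
"""

# Constructed /etc/ssh/ssh_config: consulted only for keywords the
# command line and the user file did not already supply.
SYSTEM_CONFIG = """
Host *
    Port 22
    ForwardX11 no
    ServerAliveInterval 60
"""

# Keywords that collect every matching value instead of keeping the first.
MULTI_VALUED = {"localforward", "remoteforward", "identityfile"}


def parse_config(text):
    """Return (host_patterns, keyword, value) triples in file order.
    Keywords are case-insensitive; lines before any Host block apply to
    every host, and '#' starts a comment."""
    entries = []
    patterns = ["*"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            patterns = value.split()
        else:
            entries.append((patterns, key, value))
    return entries


def host_matches(patterns, host):
    """A Host block applies when some pattern matches the name typed on
    the command line and no negated (!) pattern matches it."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def resolve(host, cmdline=None, user_config=USER_CONFIG,
            system_config=SYSTEM_CONFIG):
    """Effective options for `host`.  `cmdline` maps keywords given on the
    command line (e.g. {"port": "2222"} for -p 2222); they are obtained
    first and therefore beat both files."""
    effective = {}

    def obtain(key, value):
        if key in MULTI_VALUED:
            effective.setdefault(key, []).append(value)
        elif key not in effective:
            effective[key] = value  # first value obtained wins

    for key, value in (cmdline or {}).items():
        obtain(key.lower(), value)
    for text in (user_config, system_config):
        for patterns, key, value in parse_config(text):
            if host_matches(patterns, host):
                obtain(key, value)
    effective.setdefault("hostname", host)
    return effective


def as_command(effective):
    """Render effective options as the explicit ssh command line."""
    args = ["ssh"]
    if "port" in effective:
        args += ["-p", effective["port"]]
    for spec in effective.get("localforward", []):
        args += ["-L", spec.replace(" ", ":", 1)]
    for spec in effective.get("remoteforward", []):
        args += ["-R", spec.replace(" ", ":", 1)]
    target = effective["hostname"]
    if "user" in effective:
        target = effective["user"] + "@" + target
    return " ".join(args + [target])


if __name__ == "__main__":
    for name in ("dadbox", "remotecomputer.com", "other.example.org"):
        print(name, "->", as_command(resolve(name)))
    print("with -p 2222 ->", as_command(resolve("remotecomputer.com",
                                                cmdline={"port": "2222"})))
```

Note that `Host` blocks are matched against the name typed on the command line (`dadbox`), not against the `HostName` it maps to, and that the catch-all `Host *` block is deliberately last: with first-value-wins semantics, a `Port` set there would shadow any per-host `Port` in a later block.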
For more detailed information:
The man pages:
man ssh
man sshd
man ssh_config
man sshd_config
The OpenSSH website:
http://www.openssh.org/ [1]
The web:
There are some very good examples of port forwarding, just search for
For example
 http://souptonuts.sourceforge.net/sshtips.htm [2]

[1] http://www.openssh.org/
[2] http://souptonuts.sourceforge.net/sshtips.htm

This is an automatic e-mail from KWLUG - The Kitchener Waterloo Linux
User Group.
To stop receiving these e-mails, change your notification preferences
at http://kwlug.org/user/28/notify
