lamnguyenx 3 hours ago | next |

It's 2024! Please avoid writing SSH commands like that.

Instead, configure your ~/.ssh/config with LocalForward, RemoteForward, and ProxyJump. This can save you a significant amount of time, especially when using ssh, scp, or rsync to transfer data from a remote server that requires multiple intermediate SSH connections.

e.g.:

    Host jump-host-1
        HostName jump1.example.com
        User your_username
        IdentityFile ~/.ssh/id_rsa

    Host jump-host-2
        HostName jump2.example.com
        User your_username
        IdentityFile ~/.ssh/id_rsa
        ProxyJump jump-host-1

    Host jump-host-3
        HostName jump3.example.com
        User your_username
        IdentityFile ~/.ssh/id_rsa
        ProxyJump jump-host-2

    Host target-server
        HostName target.example.com
        User your_username
        IdentityFile ~/.ssh/id_rsa
        ProxyJump jump-host-3
        LocalForward 0.0.0.0:8080 localhost:80
        RemoteForward 0.0.0.0:9022 localhost:22

    # after this:
    # - you can ssh/scp/rsync to your target-server via an alias
    # - ssh does not nest Host blocks and ignores indentation, so every Host block is written at the same level
    # - LocalForward: listen on port 8080 on your local machine, forward to port 80 on your target-server
    # - RemoteForward: listen on port 9022 on your target-server, forward to port 22 on your local machine
    # - remember, for LocalForward & RemoteForward:
    #   + left is the listening side (local for LocalForward, target-server for RemoteForward)
    #   + right is the destination, connected to from the other end of the tunnel; use localhost there, not 0.0.0.0 (connecting to 0.0.0.0 only happens to work on Linux)
    #   + a bare port or 127.0.0.1 on the left keeps the listener on loopback; 0.0.0.0 (or *) instead of localhost/127.0.0.1 binds all interfaces, so every host that can reach that machine can use the tunnel, and for RemoteForward the server's GatewayPorts must also allow it
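
As an added example (my own, not part of the comment above or of OpenSSH), here is a small Python audit that reads an ssh_config the way ssh does (flat Host blocks, indentation ignored) and lists every LocalForward, RemoteForward or DynamicForward whose listener is bound to something other than loopback. The config embedded in it is constructed for the example, with assumed hostnames. For RemoteForward a non-loopback bind only takes effect if the server's GatewayPorts allows it; the script flags the intent either way.

```python
"""Audit an ssh_config for port forwards that listen on non-loopback addresses."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Directives that open a listening socket; their first argument is the listen spec.
FORWARD_DIRECTIVES = {"localforward", "remoteforward", "dynamicforward"}

# Constructed sample (assumed hostnames, not a real config) in the shape of the
# comment above: ProxyJump hops plus forwards bound to loopback and to 0.0.0.0/*.
SAMPLE_CONFIG = """\
Host jump-host-1
    HostName jump1.example.com
    User your_username

Host target-server
    HostName target.example.com
    ProxyJump jump-host-1
    LocalForward 0.0.0.0:8080 localhost:80
    RemoteForward 0.0.0.0:9022 localhost:22
    # bare port: ssh defaults the listener to loopback
    DynamicForward 8888
    LocalForward 127.0.0.1:5432 db.internal:5432
    LocalForward [::1]:6379 localhost:6379
    # '*' (or an empty address, ':3000') means every interface
    LocalForward *:3000 localhost:3000
"""


def bind_address(listen_spec: str) -> Optional[str]:
    """Extract the bind address from a '[bind_address:]port' listen spec.

    Returns None for a bare port (ssh's default: loopback unless the client's
    GatewayPorts option is set), '' for ':port', otherwise the address with
    any IPv6 brackets removed.
    """
    m = re.fullmatch(r"\[(?P<addr>[^\]]+)\]:\d+", listen_spec)
    if m:
        return m.group("addr")
    if ":" not in listen_spec:
        return None
    addr, _, _port = listen_spec.rpartition(":")
    return addr


def listens_on_loopback(addr: Optional[str]) -> bool:
    """True when the listener is confined to the local host.

    '' and '*' mean all interfaces per ssh_config(5); 0.0.0.0 and :: are the
    unspecified addresses and also bind every interface. Any other hostname
    is treated as exposed, since it is not resolved here.
    """
    if addr is None:
        return True
    if addr in ("", "*"):
        return False
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_forwards(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (host_block, directive, listen_spec) for every forward whose
    listener is not on loopback.

    Indentation is ignored, exactly as ssh ignores it: indenting one Host block
    under another does not nest them, each Host line simply starts a new block.
    """
    findings: List[Tuple[str, str, str]] = []
    current = "(global)"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both 'Key value' and 'Key=value'.
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if m is None:
            continue
        key, rest = m.group(1), m.group(2)
        if key.lower() in ("host", "match"):
            current = rest
            continue
        if key.lower() in FORWARD_DIRECTIVES and rest:
            listen_spec = rest.split()[0]
            if not listens_on_loopback(bind_address(listen_spec)):
                findings.append((current, key, listen_spec))
    return findings


if __name__ == "__main__":
    for host, directive, spec in audit_forwards(SAMPLE_CONFIG):
        print(f"{host}: {directive} {spec} listens on a non-loopback address")
```

Run it against your own file with `audit_forwards(open("~/.ssh/config").read())` (expand the path first); anything it reports is a tunnel endpoint reachable by other machines, which is sometimes what you want and should otherwise be moved to 127.0.0.1.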

mmh0000 2 hours ago | root | parent | next |

While we're sharing neat ssh_config tricks, here's my favorite trick I use:

My home network is set up so that if I'm home or on my self-hosted VPN, I can SSH directly to my various things. But if I'm away from home and not on the VPN, I can SSH into my home systems through a jump host.

In the ssh_config file, I have it configured to detect how/where I am and optionally use a jump host.

  Host jump jump.example.org
    HostName                        jump.example.org
    Port                            41444
    User                            mmh
    # /dev/null means the jump host's key is never pinned, so the accept prompt appears on every connection
    UserKnownHostsFile              /dev/null
    ChallengeResponseAuthentication no
    CheckHostIP                     no
    Compression                     yes
    ForwardX11                      no
    GSSAPIAuthentication            no
    LogLevel                        ERROR
    PreferredAuthentications        publickey,keyboard-interactive
    # the jump host must never try to jump through itself
    ProxyJump                       none
    PermitLocalCommand              yes

  # Order here matters. Detect VPN first, then home network.
  # ssh uses the first value obtained for each option, so the earlier Match wins.
  # If connecting to a *.example.org host and router.example.org = 10.0.0.1, must be home/vpn.
  Match host *.example.org exec "getent ahosts router.example.org | grep -q ^10.0.0.1"
    ProxyJump                 none
  # If connecting to a *.example.org host and the macaddr of 10.0.0.1 is NOT 2a:70:ff:ff:ff:ff, then use jump.example.org:
  Match host *.example.org exec "! arp -ne 10.0.0.1 | grep -Fq 2a:70:ff:ff:ff:ff"
    ProxyJump                 jump.example.org

  ## Define the things
  Host tv tv.example.org
    HostName                  tv.example.org
    User                      mmh

_dan 4 hours ago | prev | next |

SSH tunnelling is an utter necessity in the ridiculous corporate environment I work in. Incredible amounts of bureaucracy and sometimes weeks of waiting to get access to stuff, get ports opened, get some exception in their firewalls and vpn so someone can access a thing they need to do their job.

This guide mentions -D but doesn't really articulate quite how powerful it is if you don't know what it does.

ssh -D 8888 someserver, set your browser's SOCKS proxy to localhost:8888 (firefox still lets you set this without altering system defaults). Now all your browser's traffic is routed via someserver.

I find that to be incredibly useful.

hackit2 4 hours ago | root | parent |

It isn't a good idea to circumvent corporate environment networks. They're there for a reason, and doing it shows a lack of professionalism and disrespect for the organization's processes, procedures, and security. Yes, it takes weeks/months to get access; then it takes weeks/months to get access. You don't want to be held liable for opening a backdoor to confidential information, or compromising their security.

ziml77 39 minutes ago | root | parent | next |

Exactly. It's not a good idea to bypass policies at work. Just because you don't know why the policy is there or you disagree with the reason, it doesn't mean you can ignore the policy.

If you can't get your job done, then escalate the issue to your manager. You not being able to get your work done because of other teams is the kind of problem they're supposed to be solving.

barbs 3 hours ago | root | parent | prev | next |

Sometimes they are. Sometimes that reason is long forgotten, or isn't really valid anymore, or is an overprotective measure and not really a good reason in the first place. Quite often it doesn't justify waiting weeks or months to get it changed.

theideaofcoffee 3 hours ago | prev | next |

The filthiest SSH tunneling hack that I've ever done was at 3AM while in a three-way... datacenter connection. The interesting part of that, while the three facilities, spaced out over a single metro area had upstream transit connectivity to the rest of the net, only two pairs were able to reach the other due to some odd routing policies that weren't able to be resolved in time.

That meant that A could connect to B, and only B could connect to C. I had to move the data from facility A to facility C via B in the most ridiculous rsync+ssh tunnel+keys+routing shenanigan mashup I've ever done. It took a few tries to get the incantation exactly right, but it was magical seeing it all move as one.

Looking back it is super obvious how I'd do it now, but back then, being green, it was a huge accomplishment. I still remember the exhilaration when I confirmed everything was synced up.

lamnguyenx 3 hours ago | root | parent |

Just check my comment in this post: using `~/.ssh/config` with ProxyJump, you can virtually jump between A B C D E ... or whatever.

apitman an hour ago | prev | next |

> TCP-over-TCP

> It lowers the throughput due to more overhead and increases the latency. On connections with packet loss or high latencies (e.x. satellite) it can cause a TCP meltdown.

This actually isn't a problem with SSH tunnels unless you're using TAP/TUN, because it unpacks and forwards the TCP streams. But you can still get reduced performance with multiple channels due to head-of-line blocking.

1970-01-01 4 hours ago | prev | next |

I love the extra detail in the visualizations. My wish is for networking to have much more visual representation of traffic, especially at lower level connections.

0nate 4 hours ago | root | parent |

Hi. Check out the diagrams here: https://www.nathanhandy.blog/articles/osi-model-revisited.ht... Obviously this is only a static conceptual representation. Most network vendors will have some form of visual representation of traffic, but it's typically only discrete metrics / graphs.

haolez 5 hours ago | prev | next |

Kind of related, but I was wondering if there is some kind of redirect functionality in SSH itself. Something like:

- A wants to SSH into B

- B tells A that it must connect to C instead

- A transparently connects to C directly

- B is not a part of the critical data path anymore

Does something like this exist?

lytedev 5 hours ago | root | parent | next |

B could port forward (as in route packets?) to C, but I don't think there are any HTTP Permanent Redirect equivalents, no.

Maybe you can explain the problem more and perhaps there's a more suitable solution?

If you have a host that's somewhat embedded, you can have DNS handle the "routing" for you. You will have to handle fingerprint verification.

bongodongobob 4 hours ago | root | parent | prev | next |

I think you could do that with a virtual IP. For some reason my firewall/router doesn't communicate DHCP option 67 correctly; it sends its own address no matter what I do, so I had to set up a virtual IP/rule to route all PXE boot traffic on whatever port that is going to the router's IP over to the real PXE boot server instead.

shmerl 4 hours ago | root | parent | prev |

It would be misleading if A doesn't know that the real target is C.

Otherwise you can use jump functionality

From A:

    ssh -J B C

If B doesn't need to be part of the path, just connect to C directly if it's doable. If it's not, then B will have to be a hop either way.

zaptheimpaler 5 hours ago | prev | next |

I've found VS Code can set up port forwarding tunnels if you remote into a host, and it's been very useful. It's graphical, no command line incantations to remember, and I usually have it running anyway.

jwrallie 6 hours ago | prev | next |

I learned how to use ssh tunnels when wanting to bypass a firewall in my university network around 15 years ago, had to change the default port to 443.

Been using it ever since for so much more than just bypassing firewalls.

metadat 5 hours ago | root | parent |

What purpose have you enjoyed it for beyond bypassing firewalls and exposing local services across a network?

lytedev 4 hours ago | root | parent | next |

I use it for proxying general internet traffic (such as from your web browser) using the SOCKS5 proxy described in the article. Combined with FoxyProxy or similar it's nice if you want certain traffic (such as to a certain domain which only allows certain IP blocks) to flow from a certain host based on things like the domain.

jwrallie 4 hours ago | root | parent | prev |

In essence it is what you mentioned, these are a few practical uses:

- Streaming region locked content from overseas.

- Permanent reverse-tunnel for remote-access with autossh.

- Increased security compared to making services visible to the internet.

- Downloading scientific articles using my university's connection as a proxy.

yownie 2 hours ago | prev | next |

I've used tunneling quite a lot over the years but never knew about -J option.

What I'd really like is just some visual tool to configure my tunnels instead of spending 30 minutes every few months when I need to use a tunnel.