[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SSH Port Forwarding <http://www.ssh.com/support/documentation/online/ssh/adminguide/32/Port_Forwarding.html>

To: Terrence Miao <terrence@xxxxxxxxxxxxxx>
Subject: SSH Port Forwarding <http://www.ssh.com/support/documentation/online/ssh/adminguide/32/Port_Forwarding.html>
From: Terrence Miao <terrence@xxxxxxxxxxxxxx>
Date: Mon, 17 Nov 2003 21:46:18 +1100
Organization: ITS of Unimacq
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007

Title: SSH: Port Forwarding

[Contents] [Index]

    About This Document>>
    Introduction to SSH Secure Shell >>
    Configuring SSH Secure Shell >>
        Basic Configuration>>
        Subconfigurations >>
        Configuring SSH Secure Shell for TCP Wrappers Support>>
        Configuring SSH2 for SSH1 Compatibility
        Forwarding>>
            Port Forwarding
            Dynamic Port Forwarding
            X11 Forwarding
            Agent Forwarding
    Authentication >>
    Log Messages >>
    Using SSH Secure Shell >>
    Tool Syntax>>
    Technical Specifications >>

Port Forwarding

Port forwarding, or tunneling, is a way to forward otherwise insecure TCP traffic through SSH Secure Shell. You can secure for example POP3, SMTP and HTTP connections that would otherwise be insecure - see Figure Encrypted SSH2 tunnel.

Figure : Encrypted SSH2 tunnel

The client-server applications using the tunnel will carry out their own authentication procedures, if any, the same way they would without the encrypted tunnel.

The protocol/application might only be able to connect to a fixed port number ( e.g. IMAP 143). Otherwise any available port can be chosen for port forwarding.

Privileged ports (below 1024) can be forwarded only with root privileges.

There are two kinds of port forwarding: local and remote forwarding. They are also called outgoing and incoming tunnels, respectively. Local port forwarding forwards traffic coming to a local port to a specified remote port.

For example, if you issue the command

ssh2 -L 1234:localhost:23 username@host

all traffic coming to port 1234 on the client will be forwarded to port 23 on the server (host). Note that localhost will be resolved by the sshdserver after the connection is established. In this case localhost therefore refers to the server (host) itself.

Remote port forwarding does the opposite: it forwards traffic coming to a remote port to a specified local port.

For example, if you issue the command

ssh2 -R 1234:localhost:23 username@host

all traffic which comes to port 1234 on the server (host) will be forwarded to port 23 on the client (localhost).

It is important to realize that if you have three hosts, client, sshdserver, and appserver, and you forward the traffic coming to the client's port x to the appserver's port y, only the connection between the client and sshdserver will be secured. See Figure Forwarding to a third host. The command you use would be something like the following:

ssh2 -L x:appserver:y username@sshdserver

Figure : Forwarding to a third host

Forwarding FTP

With SSH Secure Shell version 3.0 and above it is possible to easily forward FTP connections by using a command with the following syntax:

ssh2 -L ftp/x:ftpdserver:y username@sshdserver

FTP forwarding is an extension to the generic port forwarding mechanism. The FTP control channel can be secured by using generic port forwarding, but since the FTP protocol requires creating separate TCP connections for the files to be transferred, all the files would be transferred unencrypted when using generic port forwarding, as these separate TCP connections would not be forwarded automatically.

To protect also the transferred files, use FTP forwarding instead. It works similarly to generic port forwarding, except that the FTP forwarding code monitors the forwarded FTP control channel and dynamically creates new port forwardings for the data channels as they are requested. To see exactly how this is done, two different cases need to be examined: the active mode and the passive mode of the FTP protocol.

FTP in passive mode

In passive mode, the FTP client sends the command 'PASV' to the server, which reacts by opening a listener port for the data channel and sending the IP address and port number of the listener as a reply to the client. The reply is of the form '227 Entering Passive Mode (10,1,60,99,6,12)'.

When the Secure Shell client notices the reply to the PASV command, it will create a local port forwarding to the destination mentioned in the reply. After this the client will rewrite the IP address and port in the reply to point to the listener of the newly created local port forwarding (which exists always in a local host address, 127.0.0.1) and pass the reply to the FTP client. The FTP client will open a data channel based on the reply, effectively tunneling the data through the SSH connection, to the listener the FTP server has opened. The net effect is that the data channel is secure all the way except from the Secure Shell server to the FTP server, if they are on different machines. This sequence of events happens automatically for every data channel.

Since the port forwarding is opened to a local host address, the FTP client must be run on the same machine as the Secure Shell client if passive mode is used.

FTP in active mode

In active mode, the FTP client creates a listener on a local port, for a data channel from the FTP server to the FTP client, and requests the channell by sending the IP address and the port number to the FTP server in a command of the following form: 'PORT 10,1,60,99,6,12'. The Secure Shell client intercepts this command and creates a remote port forwarding from the Secure Shell server's localhost address to the address and port specified in the PORT command.

After creating the port forwarding, the Secure Shell client rewrites the address and port in the PORT command to point to the newly opened remote forwarding on the Secure Shell server and sends it to the FTP server. Now the FTP server will open a data channel to the address and port in the PORT command, effectively forwarding the data through the SSH connection. The Secure Shell client passes the incoming data to the original listener created by the FTP client. The net effect is that the data channel is secure the whole way except from the Secure Shell client to the FTP client. This sequence of events happens automatically for every data channel.

Since the port forwarding is made to a local host address on the Secure Shell client machine, the FTP client must be run in the same host as the Secure Shell client if passive mode is used.

Where end-to-end encryption of FTP data channels is desired, the FTP server and Secure Shell server need to reside on the same host, and the FTP client and the Secure Shell client will likewise need to reside on the same host. If this is the case, both active or passive mode can be used.

Note: Consider using sftp2 or scp2 instead of FTP forwarding to secure file transfers. It will require less configuration than FTP forwarding, since the SSH Secure Shell server already has sftp-server2 as a subsystem, and sftp2 and scp2 clients are included in the distribution. Managing remote user restrictions on the server machine will be easier, since you do not have to do it also for FTP.

[Contents] [Index]

[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Prev by Date: Wireless upgrade_infr.sh failed with error sp2-0306 Invalid Option while upgrading Oracle portal core patchset 9.0.2.3
Next by Date: how to use ssh to forward remote port to local host and port
Previous by thread: Wireless upgrade_infr.sh failed with error sp2-0306 Invalid Option while upgrading Oracle portal core patchset 9.0.2.3
Next by thread: how to use ssh to forward remote port to local host and port
Index(es):
- Main
- Thread