SSH Tunneling

From CS Support Wiki

What is SSH tunneling?

SSH tunneling (port forwarding) carries the traffic of some other network service inside an encrypted SSH connection. In the common case, local forwarding, the client, A, connects to the SSH server on the remote host, B, and asks the SSH client to listen on a port on A. Every connection made to that local port is carried through the encrypted SSH connection and delivered by B to a specified port X, either on B itself or on another host that B can reach. The effect is that the service on B's port X is reachable from A as if it were local, and nothing on the network between A and B can read or alter the traffic. Only the A-to-B segment is protected by SSH: if B forwards the traffic on to a third host, that last hop is sent in whatever form the service itself uses.

There are two main reasons one might want to use SSH tunneling:

  • Securing traffic on an otherwise-insecure network protocol across an untrusted network. Examples include X11 and VNC, whose native protocols send passwords and screen contents in the clear. Any time you're sending sensitive data, passwords, or anything else you'd like to prevent from being sniffed, send it through an SSH tunnel.
  • Rerouting traffic through a network that restricts a port you'd like to use. Many networks, especially guest networks like those provided by a hotel or internet cafe, block particular ports to prevent certain kinds of traffic. SSH tunneling lets you carry that traffic over the SSH port (normally 22) inside an encrypted connection, so the blocked service remains usable.

How to set up an SSH tunnel

Setting up a tunnel takes this form: "ssh -L <local port>:<destination host>:<remote port> user@remotehost". The destination host is resolved from remotehost's point of view, so "localhost" in that position means remotehost itself, not your own machine. In this example, I'm setting up a tunnel from home to a VNC server running on my CS department machine, puddles:

ssh -L 5909:localhost:5909 jlg9n@puddles.cs.virginia.edu

Once I've authenticated (either with my password or with an SSH private key), port 5909 on puddles is available as port 5909 on my own machine, and I can point my client (in this case, my VNC client) at localhost:5909 as if I were connecting to puddles directly. By default the forwarded port is bound only to the loopback interface, so other machines on my home network cannot use the tunnel. The ssh command also gives me a shell on puddles; I can leave that open for as long as I need the tunnel, or add -N to the command if I want the tunnel without a remote shell.
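As an added example, not from the wiki page and not the CS support group's own tooling, here is a small bash wrapper around the "ssh -L" form above. It validates the port numbers, binds the local listener explicitly to 127.0.0.1, uses -N so the session carries only the tunnel, and starts ssh as a connection master so the tunnel can be closed through a control socket instead of by hunting for its process. The function names and the control-socket path are my choices; the host and ports reuse the page's VNC example.

```shell
#!/usr/bin/env bash
# Hypothetical helper (not from the wiki page) wrapping "ssh -L" for a
# local port forward. Assumes OpenSSH is installed on the client.
set -u

# valid_port PORT -> 0 if PORT is an integer in 1..65535, else 1
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_cmd LOCAL_PORT DEST_HOST DEST_PORT SSH_TARGET
# Prints the ssh command that forwards 127.0.0.1:LOCAL_PORT on this machine
# to DEST_HOST:DEST_PORT as seen from SSH_TARGET. Returns 1 on a bad port.
#   -N                           no remote shell; the session only carries the tunnel
#   -o ExitOnForwardFailure=yes  exit non-zero if LOCAL_PORT cannot be bound
#   127.0.0.1:                   bind to loopback explicitly, so a GatewayPorts
#                                setting in ssh_config cannot expose the tunnel
#                                to other hosts on the local network
tunnel_cmd() {
    local lport=$1 dhost=$2 dport=$3 target=$4
    valid_port "$lport" && valid_port "$dport" || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$lport" "$dhost" "$dport" "$target"
}

# open_tunnel LOCAL_PORT DEST_HOST DEST_PORT SSH_TARGET CTL_SOCK
# Starts the tunnel in the background (-f) as a connection master (-M) with
# control socket CTL_SOCK, so close_tunnel can stop it cleanly. Because of
# ExitOnForwardFailure, this returns 0 only after authentication succeeded
# and the local port was actually bound.
open_tunnel() {
    local lport=$1 dhost=$2 dport=$3 target=$4 sock=$5
    valid_port "$lport" && valid_port "$dport" || return 1
    ssh -f -N -M -S "$sock" -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:${lport}:${dhost}:${dport}" "$target"
}

# listening_on_loopback PORT -> 0 if something accepts TCP on 127.0.0.1:PORT.
# Uses bash's /dev/tcp so no ss/netstat is required.
listening_on_loopback() {
    (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null
}

# close_tunnel SSH_TARGET CTL_SOCK -> asks the background master to exit
close_tunnel() {
    ssh -S "$2" -O exit "$1"
}

# Usage, reproducing the page's VNC example (puddles, port 5909):
#   sock=~/.ssh/tunnel-vnc.sock
#   open_tunnel 5909 localhost 5909 jlg9n@puddles.cs.virginia.edu "$sock" \
#       && listening_on_loopback 5909 \
#       && echo "tunnel up: point the VNC client at localhost:5909"
#   ... use VNC ...
#   close_tunnel jlg9n@puddles.cs.virginia.edu "$sock"
```

tunnel_cmd only prints the command, which is handy for checking what will run before you run it; open_tunnel executes the equivalent with the control socket added. The -f/-M/-S/-O exit combination is standard OpenSSH connection sharing, and the control socket should live in a directory only you can write to (such as ~/.ssh) so another local user cannot attach to your session.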

To look up port numbers for popular services, see IANA's list of well-known port numbers.