\documentclass{article} \usepackage{hyperref} \begin{document} \section{SSH Port Forwarding and Tunnelling} SSH can be used for far more than simply a secure version of telnet / rsh. It is possible to securely forward TCP over it, to talk to CVS servers over it, syncronise data, and to run X11 programs over it. \subsection{SSH Proxy Command} It is possible to specify a command to use to connect to a server. This is useful for several reasons. You can ``proxy'' a SSH connection through another host to reach hosts you can't reach via normal methods. Alternatively, you can use a proxy server that supports CONNECT to tunnel ssh over it. To proxy a ssh session over another ssh, there are two ways: \begin{verbatim} $ ssh -t host1 ssh -t host2 \end{verbatim} or put the following in your ssh config file (usually \~/.ssh/config, unless otherwise specified) \begin{verbatim} host host1 host2 ProxyCommand ssh -q -a -x proxyhost nc %h 22 \end{verbatim} The second way is perhaps more useful, as you can also use scp with it. To restrict where people can ssh, or if you don't want to give accounts out on the proxy box, you can emulate this using authorized\_keys. Create a user on the proxy box, and put the users ssh keys in the authorized\_keys file. \begin{verbatim} command="/usr/bin/ssh username@server" 1024 37 105798033118795863 58021686052300103980941764797682379061591207704158565700576345615 85946731592562930534179289740531679597143419198424296224711392290 02288832904077518817454048858496739972992172603601941585694169789 39883160304574378786044084860173524731416414440764165352480435096 4976595515178392252529415424289 bmarshal@gosling \end{verbatim} \subsection{SSH Port Forwarding} Forwarding TCP over ssh is possible using port forwarding. This can be done in a couple of ways - either via command line, or by settings in a config file. Command line: \begin{verbatim} $ ssh -L 8000:host1:80 host2 \end{verbatim} Config extract: \begin{verbatim} host host2 LocalForward 8000 host1:80 \end{verbatim} This command forwards local port 8000 to port 80 on host1. \subsection{CVS over SSH} To access CVS remotely, the traditional method is using CVS's pserver. This is insecure, as it is a plain text password. It is possible to tunnel CVS over ssh, both if the users have an account on the box, and if they don't. If the user doesn't have an account on the box, it can be done using the authorized\_keys file. \begin{verbatim} command="/usr/bin/cvs server" 1024 37 105798033 11879586358021686052300103980941764797682379061 59120770415856570057634561585946731592562930534 17928974053167959714341919842429622471139229002 28883290407751881745404885849673997299217260360 19415856941697893988316030457437878604408486017 35247314164144407641653524804350964976595515178 392252529415424289 bmarshal@gosling \end{verbatim} Regardless, to use CVS over ssh, use something like the following. \begin{verbatim} $ export CVS_RSH=ssh $ export CVSROOT=:ext:username@host:/path/to/cvsroot $ cvs co module \end{verbatim} \subsection{Rsync over SSH} Rsync is a program that is used to transfer files between hosts---much like scp or rcp---but uses an efficient protocol that means only the differences are transferred. By default, it uses rsh as a transport layer but can be configured to use ssh rather easily. This is done either by setting the RSYNC\_RSH environment variable to point to your ssh binary, or by using the -e command line option. Further details about rsync are available from the rsync(1) manpage. \section{Conclusion} As you have seen, ssh is much more than a secure version of telnet. It is able to encrypt just about any kind of TCP connection with very little setup on either side, other than installing ssh. For more information, see the ssh(1), sshd(8), cvs(1), and rsync(1) manpages, as well as the \href{http://www.openssh.org/}{OpenSSH}, \href{http://www.cvs.org/}{CVS} and \href{http://rsync.samba.org}{Rsync} websites. \end{document}