What is an ssh tunnel and how does it work?
SSH tunneling, or SSH port forwarding, is a method of transporting arbitrary data over an encrypted SSH connection. SSH tunnels allow connections made to a local port (that is, to a port on your own desktop) to be forwarded to a remote machine via a secure channel.
To protect our network services, not all of them are reachable directly from outside the ENCS network. If you are offsite and need to access a resource that is protected in this way, you can use ssh to tunnel through an accessible resource to reach the protected resource. We generally recommend using the host "tunnel.encs.concordia.ca" for this purpose.
For more detailed information, please read more about the "-L" parameter at the SSH man page.
How to create an SSH Tunnel
To create a local port forward add the -L
parameter to the ssh command line.
ssh encs_username@reachable_IP -N -f -L local_port:remote_IP:remote_port
For example, the command:
ssh userfoo@tunnel.encs.concordia.ca -N -f -L 4040:remote_host.encs.concordia.ca:5050
Will create an ssh tunnel to port 5050 on the remote system "remote_host.encs.concordia.ca" which you can access on your local system at "localhost:4040".
The above example uses option "-N" (do not execute remote command) to create a noninteractive ssh connection and option "-f" to request ssh to go to the background once the ssh connection has been established.
Important:
- Local and remote ports can match.
- If you get the error "Address already in use", it probably means that your desktop is already using the local port you specified; try a different local port number.
- Additional "-L local_port:remote_IP:remote_port" clauses can be added to the ssh command, e.g.,
ssh userfoo@tunnel.encs.concordia.ca \ -L 5050:remote_host1.encs.concordia.ca:5050\ -L 4000:remote_host1.encs.concordia.ca:4000\ -L 3000:remote_host2.encs.concordia.ca:3000
- If you have not set up authorized_keys, then you will be prompted for your ENCS password in order to establish the tunnel.
- If you used the "-N" and "-f" options above, remember to kill your ssh tunnel once you're finished using it (see the "ps" and "kill" manpages for information on how to find and kill your ssh tunnel process).
Otherwise, in the absence of those options, an interactive session was established in addition to the port forwardings; in that case, you must leave that interactive session active until you're finished using the tunnel, as exiting the interactive session will also tear down the tunnel.
Install an SSH client such as PuTTy
In this example we will use PuTTy to create an SSH tunnel to the following remote hosts.
ssh tunnel.encs.concordia.ca -L 4040:remote_host1.encs.concordia.ca:5050
Where: 4040 is the local or Source port; remote_host1.encs.concordia.ca is the remote hostname; and 5050 is the remote port
- Launch PuTTy
- In the Category pane of the PuTTY Configuration window, expand Connection then expand SSH and select Tunnels.
- Under "Options controlling SSH port forwarding" enter the following:
- Source Port: 4040
- Destination: remote_host1.encs.concordia.ca:5050
- Source Port: 4040
- Click the Add button
- In the Category pane of the PuTTY Configuration window, click on Session
- Under "Basic options for your PuTTy session" enter:
- Hostname: tunnel.encs.concordia.ca
- Port: 22
- Saved Sessions: SSH Tunnel to remote_host1
- Click Save
- Click Open
- If you have not set up authorized_keys, then you will be prompted for your ENCS password in order to establish the tunnel.
- Do not close the PuTTy window
Repeat steps 3 and 4 to forward additional ports.
FAQs
Before beginning the procedure below you will need to install an SSH client such as PuTTy
- Launch PuTTy
- In the Category pane of the PuTTY Configuration window, expand Connection then expand SSH and select Tunnels.
- Under "Options controlling SSH port forwarding" enter the following:
- Source Port: 1711
- Destination: license-matlab.encs.concordia.ca:1711
- Click the Add button
- Add another source port and destination
- Source port: 5001
- Destination: license-matlab.encs.concordia.ca:5001
- Click the Add button
- In the Category pane of the PuTTY Configuration window, click on Session
- Under "Basic options for your PuTTy session" enter:
- Hostname: tunnel.encs.concordia.ca
- Port: 22
- Saved Sessions: Matlab
- Click Save
- Click Open
- If you have not set up authorized_keys, then you will be prompted for your ENCS password in order to establish the tunnel.
- Do not close the PuTTy window.
Note: Everytime you wish to use Matlab on your PC, this SSH tunnel has to established with the Matlab License Servers prior to the application being launched.
- Open up a terminal window on your GCS Purchased system and enter the following
ssh userfoo@tunnel.encs.concordia.ca -N -f \ -L 1711:license-matlab.encs.concordia.ca:1711\ -L 5001:license-matlab.encs.concordia.ca:5001
- If you have not set up authorized_keys, then you will be prompted for your ENCS password in order to establish the tunnel.
- If you used the "-N" and "-f" options above, remember to kill your ssh tunnel once you're finished using it (see the "ps" and "kill" manpages for information on how to find and kill your ssh tunnel process).
Otherwise, in the absence of those options, an interactive session was established in addition to the port forwardings; in that case, you must leave that interactive session active until you're finished using the tunnel, as exiting the interactive session will also tear down the tunnel.
Note: Every time you wish to use Matlab on your PC, this SSH tunnel has to established with the Matlab License Servers prior to the application being launched.