SSH Tunneling

Remote Mio or BlueM Access - Why?

Mio.mines.edu and BlueM.mines.edu are behind the campus firewall. This means they cannot be accessed directly from outside the CSM campus: an ssh to Mio or BlueM, or an attempt to open the http://mio.mines.edu page, will fail. The following instructions work for both Mio and BlueM. To set up BlueM access, change "mio" to "bluem" in the instructions.

There are instructions for setting up two-stage tunneling at HPC-SSH-Tunneling-Multistage. Those instructions are primarily for transferring files but also allow tunneling for ssh sessions, giving you a session that appears to be a direct connection from outside campus to AuN.mines.edu and Mc2.mines.edu. Tunneling works best if you set up key passphrases with a timeout feature as described at http://geco.mines.edu/ssh/sshra.html.

Set up tunneling in your .ssh/config file

This is likely the easiest way to set up and use tunneling. On Unix-like systems, including OS X, a directory named .ssh under your home directory contains the files that control ssh. It is hidden from a normal ls but shows up with ls -a. In that directory you may have a file named config. If not, create it and run chmod 600 config (ssh refuses to use a config file that other users can write to). Add the following to the end of the file, replacing joeuser with your username:


Host imagine2mio
ProxyCommand ssh joeuser@imagine.mines.edu nc mio.mines.edu %p

Then ssh to imagine2mio. That is:

tg-login1 /users/joeuser> ssh imagine2mio
Last login: Fri Jan 21 14:42:16 2011 from imagine.mines.edu
[joeuser@mio ~]$ 

You will be connected to Mio via a tunnel through imagine. Note: imagine2mio can be any string that is not a real host name and is not used elsewhere in your config file. You can change imagine.mines.edu to any machine that is reachable from off campus and can itself reach Mio. The ProxyCommand above runs nc (netcat) on the intermediate machine, so nc must be installed there.
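The stanza above in a form that installs itself and checks the permissions ssh insists on, as an added example that is not part of the original page. It assumes (these assumptions are not in the original) OpenSSH 7.3 or newer, which understands ProxyJump and so needs no nc on imagine; the older ProxyCommand forms are left as comments for older clients. The directory to operate on is the first argument (default ~/.ssh); joeuser is the placeholder login name from the page.

```shell
#!/bin/sh
# Added example, not from the original page: install a jump-host stanza for
# mio.mines.edu in an ssh config directory and fix/verify its permissions.
# Assumptions (not in the original): OpenSSH 7.3+ for ProxyJump; the target
# directory is $1 (default ~/.ssh). Replace joeuser with your own login name.

# Octal mode of a file or directory, on GNU (stat -c) or BSD/macOS (stat -f).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Append the stanza once (safe to rerun) and set the modes ssh expects.
install_stanza() {
    dir=${1:-$HOME/.ssh}
    mkdir -p "$dir"
    chmod 700 "$dir"
    cfg="$dir/config"
    [ -f "$cfg" ] || : > "$cfg"
    if ! grep -q '^Host imagine2mio$' "$cfg"; then
        cat >> "$cfg" <<'EOF'

# Reach mio.mines.edu by hopping through imagine.mines.edu.
Host imagine2mio
    HostName mio.mines.edu
    User joeuser
    ProxyJump joeuser@imagine.mines.edu
    # On OpenSSH older than 7.3 replace ProxyJump with one of:
    #   ProxyCommand ssh -W %h:%p joeuser@imagine.mines.edu
    #   ProxyCommand ssh joeuser@imagine.mines.edu nc %h %p
EOF
    fi
    # ssh rejects a config that is group- or world-writable; 600 is the norm.
    chmod 600 "$cfg"
}

# 0 if the directory is 700 and the config is 600, 1 otherwise.
check_perms() {
    dir=${1:-$HOME/.ssh}
    [ "$(file_mode "$dir")" = 700 ] || return 1
    [ "$(file_mode "$dir/config")" = 600 ] || return 1
    return 0
}

# Command-line use:  sh tunnel_config.sh install && sh tunnel_config.sh check
case "$1" in
    install) install_stanza "$2" ;;
    check)   check_perms "$2" ;;
esac
```

After `install` and `check` succeed, `ssh imagine2mio` lands on Mio exactly as with the nc version; the only difference is that the hop is handled by ssh itself rather than by a netcat process on imagine.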

An easy fix that works for most cases

Mines has set up a VPN service that is easy to use and works well, especially using the web based interface. A VPN (Virtual Private Network) is a secure method of accessing a private network from a remote or otherwise insecure location. See: http://ccit.mines.edu/CCIT-VPN for additional information.

After you have VPN running on your home machine it acts as if it is on campus and you can access Mio and other machines.

Tunneling into Campus

There are cases where the VPN will not help, for example if you need to transfer a file to Mio from a remote machine on which you cannot run the VPN client. Another technique, ssh tunneling, can help here.

Say you have a file pi.f90 on a machine called tg-login1.sdsc.teragrid.org and you want to get it to Mio. You could use scp to copy it from tg-login1.sdsc.teragrid.org to a machine on campus that is reachable from off campus, such as imagine.mines.edu, and then copy it from imagine.mines.edu to Mio. With tunneling you can skip the intermediate copy.

Here is an example with an explanation given below.

We assume that password-less ssh is set up between tg-login1 and the intermediate machine imagine.mines.edu, and between imagine.mines.edu and mio.mines.edu. See http://geco.mines.edu/ssh for information on how to set up password-less ssh.

On machine tg-login1 I run the following commands:

tg-login1 /users/joeuser> ssh -fngT -L 3022:mio.mines.edu:22  imagine.mines.edu ping -i 30 -c 10 localhost >& /dev/null
tg-login1 /users/joeuser> scp -P 3022 pi.f90 localhost:

The first command sets up the tunnel from tg-login1 through imagine.mines.edu to mio.mines.edu. The second command copies the file to Mio via the tunnel. The file will go in your home directory. If you want it somewhere else, append the destination path directly after the ":" with no spaces.

You can also directly do a ssh from tg-login1 to Mio using the command:

tg-login1 /users/joeuser> ssh -p 3022 localhost
Last login: Fri Jan 21 14:42:16 2011 from imagine.mines.edu
[joeuser@mio ~]$ 

Note that scp uses an upper case "-P" for the port option (its lower case "-p" means preserve file times), while ssh uses a lower case "-p". Strange.

What is going on?

There are a few key concepts here:

  1. Unix can suppress output from a command.
  2. Ssh can take many command line options, and can even be used to run a command on a remote machine instead of just logging in.
  3. Ssh normally connects to a remote machine through networking port 22 but can be told to connect via another port.
  4. Ssh can be used to map connections from a port on one machine to port on another. This is called port forwarding or tunneling.

In the above example we are taking advantage of all of these concepts. Let's look at the parts of the command.

ssh -fngT -L 3022:mio.mines.edu:22  imagine.mines.edu ping -i 30 -c 10 localhost >& /dev/null

You will recognize the portion ssh imagine.mines.edu as a normal ssh command: we are connecting from our local machine to imagine.mines.edu. The same thing happens here, except that all of the other arguments on the command line affect what happens after the connection is made.

In this case we are telling ssh to run a command on imagine. The command is ping -i 30 -c 10 localhost. The ping command checks the network connection between two machines. Here we are checking the connection to localhost, which is the machine on which the ping command is being run. Since we have told ssh to run the command on imagine, we are checking the connection from imagine to itself. The -i option says to test every 30 seconds and -c 10 says to stop after 10 tries. The >& /dev/null redirection discards the results of the test by sending them to the null device. (That redirection is csh/tcsh syntax, matching the tg-login1 prompt shown; bash also accepts it, but a strict POSIX sh needs the standard form that redirects standard output and standard error separately.)

If we typed ssh imagine.mines.edu ping -i 30 -c 10 localhost >& /dev/null we would connect to imagine and ping 10 times, once every 30 seconds, after which the command would exit. During that time it would look as if the command had hung, since nothing visible is produced; the output goes to /dev/null.

The portion -fngT -L 3022:mio.mines.edu:22 consists of command line options to ssh. The "f" sends ssh to the background just before the ping command is run. The "n" redirects ssh's standard input from /dev/null, which is required when ssh runs in the background. The "g" allows remote hosts to connect to the local forwarded port: without it the port 3022 listener is bound to the loopback interface and only programs on tg-login1 can use it; with it, any machine that can reach tg-login1 on port 3022 gets a path to Mio's ssh port, so leave "g" out unless you actually need that. The "T" disables pseudo-terminal allocation, which a non-interactive command like ping does not need. This leaves us with the most important option, -L 3022:mio.mines.edu:22. From the ssh man page we read:

     -L port:host:hostport
             Specifies that the given port on the local (client) host is to be
             forwarded to the given host and port on the remote side. 

With:

port:     3022
host:     mio.mines.edu
hostport: 22

What this says is that we want the ssh on our local machine to listen on local port 3022 and relay whatever connects to it, through the encrypted connection, to imagine.mines.edu, which then forwards the traffic to port 22 on mio.mines.edu.
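A check for the "g" point made above, as an added example that is not part of the original page: it reads a socket listing and reports any listener on the tunnel port that is not bound to a loopback address. The socket table embedded below is constructed for this example (the 3022 listener is loopback-only, the 3080 one is what -g produces); on a live Linux machine pipe the output of ss -ltn into exposed_listeners instead.

```shell
#!/bin/sh
# Added example, not from the original page: is the local forward bound to
# loopback only, or (as with ssh -g) to every interface?
# The sample below is constructed; real input is "ss -ltn" on Linux.

SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:3022       0.0.0.0:*
LISTEN  0       128     [::1]:3022           [::]:*
LISTEN  0       128     0.0.0.0:3080         0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*'

# exposed_listeners PORT: read ss-style lines on stdin and print the local
# address of every LISTEN socket on PORT that is not a loopback address.
# Exit status 0 = loopback-only (or no listener at all), 1 = exposed.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")                 # port is after the last ":"
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr == "[::1]" || addr ~ /^127\./) next
            print addr
            exposed = 1
        }
        END { if (exposed) exit 1; exit 0 }'
}

# Run the check against the constructed sample for PORT.
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners "$1"
}

# Live use:  ss -ltn | exposed_listeners 3022 && echo "3022 is loopback-only"
```

With the sample, port 3022 passes silently and port 3080 prints 0.0.0.0 and fails; that is the difference between the tunnel command with and without "g", and the same test applies to any port you forward.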

How does this help? Any connection to port 3022 on our local machine (localhost) ends up at port 22 on mio.mines.edu. We can start another ssh session that connects to port 3022 on localhost and it will be forwarded to mio.mines.edu. For example, after we run the above command we can get to Mio via:

tg-login1 /users/joeuser> ssh -p 3022 localhost
Last login: Fri Jan 21 14:42:16 2011 from imagine.mines.edu
[joeuser@mio ~]$ 

Recall that the "-p" option tells ssh to connect to a particular port instead of the default port, 22. We are connecting to our localhost (back to the machine on which we are typing) which then gets forwarded to mio.mines.edu.

A few notes. After you have run the command that establishes the tunnel you can open multiple ssh connections to Mio in different windows. Also, you would think that ping -i 30 -c 10 localhost keeps the tunnel open for only 30*10=300 seconds. Normally that is the case, but if forwarded connections are still active when the ping finishes, ssh keeps the tunnel open until those connections close. As noted above, use an uppercase P instead of p if you are doing an scp rather than an ssh.

Tunneling to access the Mio web page

If you change the 3022 to 3080 and the 22 to 80 in the above command, that is,

tg-login1 /users/joeuser> ssh -fngT -L 3080:mio.mines.edu:80  imagine.mines.edu ping -i 30 -c 10 localhost >& /dev/null

you will be able to reach Mio's web pages at the address http://localhost:3080. However, web connections are short-lived, so nothing keeps the tunnel open once the ping finishes after 300 seconds and it will go away. What you can do instead is drop the ping, in which case most of the other arguments are no longer needed. The command becomes:

ssh -L3080:mio.mines.edu:80 imagine.mines.edu

This will open a normal session to imagine.mines.edu and at the same time forward traffic to the mio.mines.edu web server.

Two window terminal connect

The following command will open a normal session to imagine.mines.edu and at the same time forward local port 3022 to port 22 on mio.mines.edu.

ssh -L3022:mio.mines.edu:22 imagine.mines.edu

Then an ssh to localhost port 3022 in a second window will connect to mio.mines.edu.
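The file-copy tunnel, the web tunnel and the two-window variant above all come down to one forward that you want to open, use and close deliberately. The following is an added example and not code from the original page: it manages that forward with ssh's own options rather than a ping that happens to keep the session alive. -N asks for no remote command, -f backgrounds ssh after authentication, ExitOnForwardFailure makes a failed port bind fatal instead of silent, the listener is bound to 127.0.0.1 (the opposite of -g), and a ControlMaster socket lets you check and close the tunnel by name. Assumptions not in the original: the SSH variable names the ssh binary so that a stub can stand in for it, and the control socket lives under ~/.ssh/ctl-NAME.

```shell
#!/bin/sh
# Added example, not from the original page: open, check and close a local
# forward without a placeholder remote command.
# Assumptions (not in the original): $SSH is the ssh binary (overridable for
# testing); control sockets are kept as ~/.ssh/ctl-NAME.

SSH=${SSH:-ssh}

# tunnel_open NAME LOCALPORT DESTHOST DESTPORT JUMPHOST
# Listens on 127.0.0.1:LOCALPORT and relays through JUMPHOST to DESTHOST:DESTPORT.
tunnel_open() {
    name=$1 lport=$2 dhost=$3 dport=$4 jump=$5
    sock="$HOME/.ssh/ctl-$name"
    "$SSH" -fN -o ExitOnForwardFailure=yes \
        -M -S "$sock" \
        -L "127.0.0.1:$lport:$dhost:$dport" "$jump"
}

# tunnel_check NAME JUMPHOST : exit 0 while the background master is alive
tunnel_check() {
    "$SSH" -S "$HOME/.ssh/ctl-$1" -O check "$2" 2>/dev/null
}

# tunnel_close NAME JUMPHOST : tell the master to exit, closing the forward
tunnel_close() {
    "$SSH" -S "$HOME/.ssh/ctl-$1" -O exit "$2" 2>/dev/null
}

# A session as on the page (needs the real ssh and a reachable jump host):
#   tunnel_open mio 3022 mio.mines.edu 22 imagine.mines.edu
#   scp -P 3022 -o HostKeyAlias=mio.mines.edu pi.f90 localhost:
#   ssh  -p 3022 -o HostKeyAlias=mio.mines.edu localhost
#   tunnel_close mio imagine.mines.edu
# The web tunnel is the same call with other ports, then browse localhost:3080:
#   tunnel_open mioweb 3080 mio.mines.edu 80 imagine.mines.edu
```

HostKeyAlias makes ssh and scp record and verify Mio's host key under the name mio.mines.edu rather than under [localhost]:3022; otherwise every jump host or port you reuse for a different destination produces a host-key mismatch warning that people learn to click through, which defeats the check.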

Tunneling on the iPad/iPhone using iSSH for accessing Mio and Mio web pages

The iPad/iPhone app iSSH, http://www.zinger-soft.com, supports ssh tunneling. It is possible to use iSSH with tunneling to access servers behind firewalls, both for ssh sessions and for connecting to web servers. The rest of this page describes how to set up and use tunneling for both types of connection with iSSH. In our example the end machine we are trying to reach is mio.mines.edu and we are tunneling through imagine.mines.edu, but these techniques should work with other machines as well.

In our first example we will use iSSH to transparently pass through a machine to open an ssh terminal session on Mio. In the second case we will use iSSH to set up tunnels to access Mio's web server which is not accessible from the outside.

iSSH also has the capability to use keys for authentication instead of passwords and to add the key to a SSH-Agent for a session. We assume both of these capabilities will be used to prevent the necessity of entering passwords. Setting up this feature is the subject of another note.

Tunneling through a front end machine in a single window

Here we have the iSSH window that lists the ssh connections we have set up.

As we said, we first wish to open a terminal session on Mio, which is not accessible except through the intermediate machine imagine.mines.edu. The connection setup for this is mio-via-imagine on our list. The settings for this connection are:

  • Description: mio-via-imagine
  • Host: imagine.mines.edu
  • Port: Default
  • Login: tkaiser (replace with your username)
  • Command: ssh -A -t -t mio

When we log on to imagine.mines.edu using this configuration the command ssh -A -t -t mio is run. That is, we do an ssh from imagine to Mio. This takes us to Mio, opening a terminal session, in what appears to be a transparent fashion.

The -A option forwards the authentication agent used to get onto imagine through to Mio, so we don't need to enter a password. Be aware that while the session is open, anyone with root on imagine can use your forwarded agent to authenticate as you, so only forward the agent through machines you trust. The double -t (-t -t) forces ssh to allocate a pseudo-terminal even though there is no local tty on the intermediate hop, which an interactive session needs. Note that we don't need the full address of Mio, mio.mines.edu, because Mio's short name is known to imagine.

Setting up a tunnel to forward a connection to a web server

You can set up explicit tunnels using iSSH. This can be used to connect to Mio via ssh but more importantly, it can be used to connect to Mio's web server using Safari on the iPad.

For this example we will again use imagine.mines.edu as our intermediate machine. In this case we create a connection configuration called "imagine with tunnel to Mio 80 on 1258". The settings are:

  • Description: imagine with tunnel to mio 80 on 1258
  • Host: imagine.mines.edu
  • Port: Default
  • Login: tkaiser (replace with your username)
  • Command:

In this case our command is blank. However, at the bottom of the configuration page there is an option, Tunnels. We will add a tunnel with the configuration:

  • Local Port: 1258
  • Destination Host: mio.mines.edu
  • Destination Port: 80

Port 80 is the port that normally handles web traffic. After this configuration is set up we can connect to imagine as usual. During the connect, ssh sets up a tunnel so that traffic on the iPad to port 1258 gets redirected to port 80 on Mio.

How is this used? After this is set up you can open Safari and go to the address http://localhost:1258. This will take you to the Mio web server. Or we can see the Mio jobs page by entering http://localhost:1258/jobs to show the list of running jobs.

© 2017 Colorado School of Mines
Last Updated: 08/04/2017 08:23:15