What does the L option of SSH do?

To make VNC secure, I am supposed to use this

ssh -L 5901:127.0.0.1:5901 

from the client. Use 5901 if the server display is 1; use 5900 for display 0. This command was taken from a tutorial.

The description of the option is

-L [bind_address:]port:host:hostport Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax: [bind_address/]port/host/hostport or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.

The ssh_config files description includes this

GatewayPorts Specifies whether remote hosts are allowed to connect to local forwarded ports. By default, ssh(1) binds local port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that ssh should bind local port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports. The argument must be ``yes'' or ``no''. The default is ``no''.

Please explain this command or diagram it.

4 Answers

This is simply a way to apply well-tested security to the insecure VNC protocol. SSH is widely used, it has well-tested encryption protocols, and it supports a variety of authentication protocols. VNC is just widely used, and not as much as SSH.

The L option of SSH forwards traffic from the local system to the remote system, under SSH's protection. So, where VNC isn't secure or flexible enough by itself, by forwarding VNC traffic over SSH, you get the full power of SSH for protecting it.

By forwarding your localhost's port to the remote host, you ensure that none of your unencrypted VNC traffic is leaked on the local (or remote, for that matter) networks. To intercept any of this, an attacker will have to break SSH, or have root access to the systems involved, in which case you have already lost.

8

Basically this makes the port 5902 on example.com accessible as if it were running on your local machine

ssh -L 5901:127.0.0.1:5902 

After running this command you can access what is running on example.com:5902 on your local machine 127.0.0.1:5901

- user/server you are connecting to

5902 - the target port you want to forward

5901 - the port number the target port should be reachable on

4

SSH normally provides a remote shell accessible securely at a local terminal. The command with the -L option appears to offer the secure tunnel capability to ports at the two ends.

Suppose the command is

ssh -L 5901:127.0.0.1:5901 user@remoteIP

In the above option there are two instances of 5901.

In the above option the first instance of 5901 determines the configuration on the machine that is the LOCAL HOST, which is not to say "localhost". The LOCAL HOST is the machine executing the ssh command. In the above option the remainder of the string, 127.0.0.1:5901, determines the configuration on the machine that is the REMOTE HOST at remoteIP.

An application on the REMOTE HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is explicit so only an application on the same machine will be allowed to access the tunnel.

An application on the LOCAL HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is by default. If GatewayPorts is 'yes' then a * can be specified in the option to mean any host (with any IP) may access the secure tunnel. The form of the command would then be

ssh -L *:5901:127.0.0.1:5901 user@remoteIP

An illustration with 4 hosts:

App Host A <---> Host Running `ssh` <---> Host At `remoteIP` <---> App Host B

App Host A could be on the same machine as the Host Running ssh.

App Host B could be on the same machine as the Host at remoteIP.

Addendum 0: Note that this command makes it appear that port 5901 is being used but in fact the tunnel is the substitute for port 5901 on both ends. Thus you can disable port 5901. In fact if no others are needed you can disable all ports except the one being used by ssh which is by convention 22.

Addendum 1: Lately I noticed that when issuing the command ssh -L 5901:127.0.0.1:5901 user@remoteIP where the REMOTE HOST /etc/ssh/sshd_config has no GatewayPorts value, the LOCAL HOST reports the following error: "bind: Cannot assign requested address". The tunnel works even though an error was generated. When GatewayPorts has no value it defaults to no. It would seem the value no is more secure so I want to keep it that way. The error message is one that I cannot explain. I now issue the following command which avoids generating the error message.

ssh -L 127.0.0.1:5901:127.0.0.1:5901 user@remoteIP

2

I find this confusing because of the use of "localhost" in many examples.

LocalPort:RemoteHost:RemotePort user@IntermediateHost

LocalPort: This is a local port that SSH opens on the machine that you run the ssh command. You will typically setup your client machine to connect to localhost:5901 - on your client machine.

RemoteHost: This is the target machine, to which a connection is attempted - from the IntermediateHost machine. I.e. it is relative to the RemoteHost. When you use "localhost" here, it means "IntermediateHost".

RemotePort: This is the target port on the target machine

IntermediateHost: This is the machine listening (by default, on SSH port 22) that the ssh command connects to. It is this machine that attempts to connect to RemoteHost:RemotePort.

In the oft-quoted example of secure VNC / SSH tunnel:

ssh -L 5901:localhost:5900 myuser@IntermediateHost

The "localhost" here is relative to IntermediateHost, i.e. it IS IntermediateHost.

Local port 5901 is opened, so you can configure your local VNC client to connect to port 5901 on the local machine. Confusingly this is referred to as: "localhost:5901".

In the parameter, "localhost:5900" is the target to which the IntermediateHost connects: therefore it connects to itself.

Hence the ssh server running on IntermediateHost is instructed to send all traffic to "localhost:5900" - i.e. to itself. The traffic comes from what is sent to port 5901 on the local client machine.

Hope this helps

1
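The two answers above turn on the same two questions: which address the local listener ends up bound to (the `bind_address` and GatewayPorts rules quoted from the man pages), and that the `host` part is resolved from the intermediate machine, so "localhost" there means the SSH server itself. The following Python is an added example, not code from the page or from OpenSSH; it parses a `-L` argument using the colon, slash and bracketed-IPv6 forms the ssh(1) text describes and reports where the forwarded port will be reachable, modelling the client-side GatewayPorts setting from ssh_config. The function names and the "IntermediateHost" label are my own.

```python
import ipaddress


def _split_top_level(spec, sep):
    """Split on sep, but not inside [...] so a bracketed IPv6 address survives."""
    parts, buf, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    # Strip the brackets that the colon syntax uses around IPv6 addresses
    return [p[1:-1] if p.startswith("[") and p.endswith("]") else p for p in parts]


def parse_local_forward(spec):
    """Parse [bind_address:]port:host:hostport or [bind_address/]port/host/hostport.

    bind_address is None when omitted; an explicit empty string is kept, because
    ssh(1) treats '' like '*' (all interfaces) rather than like an omitted value.
    """
    parts = _split_top_level(spec, "/" if "/" in spec else ":")
    if len(parts) == 3:
        bind, (port, host, hostport) = None, parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"unrecognised -L spec: {spec!r}")
    return {"bind_address": bind, "port": int(port), "host": host, "hostport": int(hostport)}


def listener_exposure(bind_address, gateway_ports="no"):
    """Where the local listening socket is reachable from, per ssh(1)/ssh_config(5)."""
    if bind_address is None:  # omitted: follows the client's GatewayPorts setting
        return "all interfaces" if gateway_ports.lower() == "yes" else "loopback only"
    if bind_address == "localhost":
        return "loopback only"
    if bind_address in ("", "*"):  # the man page's "empty address or '*'" case
        return "all interfaces"
    try:
        if ipaddress.ip_address(bind_address).is_loopback:
            return "loopback only"
    except ValueError:
        pass  # a hostname: ssh binds whatever it resolves to
    return f"only {bind_address}"


def describe_forward(spec, intermediate_host, gateway_ports="no"):
    """One-line summary; 'localhost' in the host field is resolved on the SSH server."""
    f = parse_local_forward(spec)
    target = f["host"]
    if target in ("localhost", "127.0.0.1", "::1"):
        target = f"{intermediate_host} itself"
    return (f"listen on client port {f['port']} ({listener_exposure(f['bind_address'], gateway_ports)})"
            f" -> ssh to {intermediate_host} -> connect from there to {target} port {f['hostport']}")
```

The check a practitioner wants is the `listener_exposure` result: anything other than "loopback only" means the unencrypted VNC hop is offered to other hosts on the client's network.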
