Give me a place to stand on, and I will move the Earth.
This is a legend ascribed to the famous Archimedes, genius of antiquity. When he understood the basic principles behind the lever he felt its power and he started seeing them in a different way. His paradigm changed.
In a similar way SSH is a tool that can completely change the way you work, for good. Let me show you why you, as a system integrator, should be interested in its wonders. And I can assure you that if you get familiar with the basic principles behind it you’ll be able to perform tasks you would never possibly imagine.
Case 1: Browsing through a remote computer
There are multiple situations where browsing through a remote computer is interesting:
- IP address restrictions: a customer has restricted access so that I can only access a remote machine from my network at work. I am at home and I really need to access this server.
- Content filtering: I am located in a network or a country that restricts my Internet connection. And I really need to access some pages which are key to do my job.
- Remote LAN access: I have access to a remote computer. But I would like to access the ERP or database of another computer in the same local network.
So this is the magic that makes this possible:
ssh -D 8888 johndoe@remote_computer
This basically converts the remote computer into a proxy server only for you. So that you just need to provide this information to your web browser. Using Firefox as an example, you’d need to go to Preferences → Advanced → Network → Settings, then select Manual proxy configuration and finally enter localhost in the SOCKS Host field and 8888 as the port number. The simplest way to verify it’s working is to visit whatismyip.org so that you can verify your IP address, it should be the remote one.
Case 2: Securely connect to a remote database
This is a typical case scenario. The remote machine has only SSH opened and there is no direct access to the database. Let’s suppose it’s PostgreSQL running on port 5432 on the remote computer, but the port is not opened to the outside world, only to local connections. So as have SSH access you can ask it to redirect the remote 5432 port into any port of your local machine, like 5433:
ssh -L 5433:localhost:5432 johndoe@remote_computer
Now you can start psql, pgAdmin or your favorite client and use localhost as the host and 5433 as the port in the connection details.
As for Oracle the concept is the same and just the port numbers change:
ssh -L 1522:localhost:1521 johndoe@remote_computer
Case 3: Expose my local ERP into a remote network
Let’s suppose that I have Openbravo ERP beautifully running in my local machine, it includes some nice new changes we’ve been working on. I would like to show it to Mike and Sandra, but they are located in a remote network. I am in a hotel, there is no way I can ask the IT staff of the hotel to open a port for my users to access the ERP in my computer. SSH comes to the rescue again: basically you can perform the opposite operation of Case 2, and forward your local Web Server port into any port of a remote machine:
ssh -R :9999:localhost:80 johndoe@remote_computer
So now I can ask Mike and Sandra to enter http://local_ip_of_remote_computer:9999 and bingo, they can access my ERP installation.
Important note: for this feature to work the server’s SSH configuration (sshd_config) must have the GatewayPorts option set to yes.
Case 4: Securely connect to a remote database available only in the LAN
Now let’s suppose I have SSH access to remote_computer, but not to remote_computer-2, which is is in the same LAN as the first one. And I want to access the database in remote_computer-2 using my graphical SQL client. There are multiple ways of solving this situation, by using variants of Case 1 or Case 2. We’ll do it extending the first case. Firstly, open the SSH connection and establish the local proxy server:
ssh -D 8888 johndoe@remote_computer
Now we want to tell our PostgreSQL client to use this proxy. But usually they don’t support this feature. So here proxychains comes to the rescue. This is a tool that allows you to make any program use the Internet connection through that proxy. Once it is installed, it requires a minimal configuration in $HOME/.proxychains/proxychains.conf, only required the first time you use it:
DynamicChain tcp_read_time_out 15000 tcp_connect_time_out 10000 [ProxyList] socks5 127.0.0.1 8888
From now on you can prepend the proxychains command to your program and it will go to the Internet using the proxy server connection. So for example in our case we would go a terminal and run:
proxychains psql -d openbravo -U tad -h localhost -p 5433
As you can see SSH opens a new world of possibilities for you. Invest some time playing with it, you won’t regret.
Some final words for Windows users: don’t worry, this is not valid for UNIX based systems only. If you run Windows in your computer you can use PuTTY to achieve exactly the same results.
UPDATE (2010/04/26): adding the GatewayPorts requirement and the corrected ssh command based on Asier’s comments.
Tagged: Security, SSH