SSH gateway: how to understand ssh -L when remote comes first

sshssh-tunnel

I understand some ssh forwarding basics, but this SuperUser post seems backwards to me. In other words, with 2 hosts, this…

ssh -L 0.0.0.0:10022:localhost:22 root@A

…seems to allow a connection from localhost to A. But with 3 hosts, this…

ssh -L 0.0.0.0:10022:A:22 root@B

…allows localhost to A though B? Why not localhost to B through A?

The ssh man page seems to describe the 2-hosts option, not the 3-hosts option:

-L [bind_address:]port:host:hostport

Whenever a connection is made to the local port or socket, the
connection is forwarded over the secure channel, and a connection is
made to either host port hostport, or the Unix socket remote_socket,
from the remote machine.

Best Answer

It's not clear to me what your (mis)understanding really is. I guess the confusion might be because of the word "localhost".

Localhost is a relative term. By definition, in context of any machine localhost should refer to this machine exactly. Practically every Linux resolves localhost as IP address 127.0.0.1 (I put IPv6 aside) thanks to a proper entry in /etc/hosts file. 127.0.0.1 should be assigned to a loopback interface.

In the linked answer most occurrences of the word localhost refer to the machine (of three) that is neither host1 nor host2; this is the local machine where commands are invoked. Similarly, when you say "localhost" you probably mean neither A nor B. From now on let's call this local computer the client.

Basically you run this on the client:

ssh -L bind_address:port:host:hostport user@server

There are two computers involved: the client and the server. Certain parts of the command are valid in context of either the client or the server.

ssh -L is the executable with option that the client understands (the server may not have ssh at all).
server is the address of the server from the client's point of view (server may not even be aware it has such-and-such address or name).
user is a username existing on the server (it may not exist on the client).
bind_address and port are respectively the address (interface) and TCP port on which the client's ssh will listen (I don't know if these parameters are even passed to the server at all, the server doesn't need them). In your case 0.0.0.0 means "every available interface".
host and hostport are respectively the address and TCP port to which the server should send packets tunneled from the client. These parameters are for the server; host is resolved on the server. From the client's point of view host may be an invalid address or it may resolve to something completely different – it doesn't matter because the client doesn't resolve it at all; host is just a character string passed to the server, it means nothing more on the client's side.

This means if there's a literal localhost as this host parameter, it is "localhost" from the server's point of view, i.e. the server itself. It doesn't mean "the client".

With this knowledge let's analyze your examples.

ssh -L 0.0.0.0:10022:localhost:22 root@A

This captures everything that enters the TCP port 10022 of the client; captured packets will be recreated on the server A and destined to localhost:22, but localhost on the server means "the loopback interface of the server A itself".

ssh -L 0.0.0.0:10022:A:22 root@B

This captures everything that enters the TCP port 10022 of the client; captured packets will be recreated on the server B and destined to A:22 from there.

Indeed it can be described as "localhost to A though B", where "localhost" means the client.

Related Solutions

How to determine the port allocated on the server for a dynamically bound openssh reverse tunnel

If you set the 'LogLevel' in the sshd_config configuration file to DEBUG1 (or any DEBUG level), then sshd will log the port numbers in /var/log/auth.log.

Do remember, that using a LogLevel of DEBUG or higher could be a privacy risk, since much is logged.

(from /var/log/auth.log, removed a few lines to show relevant information)

Jun 24 06:18:24 radon sshd[9334]: Connection from 192.168.13.10 port 39193
Jun 24 06:18:24 radon sshd[9334]: Accepted publickey for lornix from 192.168.13.10 port 39193 ssh2
Jun 24 06:18:24 radon sshd[9334]: pam_unix(sshd:session): session opened for user lornix by (uid=0)
Jun 24 06:18:24 radon sshd[9334]: User child is on pid 9339
Jun 24 06:18:24 radon sshd[9339]: debug1: Local forwarding listening on 0.0.0.0 port 0.
Jun 24 06:18:24 radon sshd[9339]: debug1: Allocated listen port 39813
Jun 24 06:18:24 radon sshd[9339]: debug1: channel 0: new [port listener]
Jun 24 06:18:24 radon sshd[9339]: debug1: Local forwarding listening on :: port 39813.
Jun 24 06:18:24 radon sshd[9339]: debug1: channel 1: new [port listener]
Jun 24 06:18:27 radon sshd[9339]: Received disconnect from 192.168.13.10: 11: disconnected by user

If you follow it through, you can see where you could parse the connection information, and then the forwarded port (39813 in this case)

I used this command line between two of my machines, I do have ssh-key login set up, so no password prompts or delays

-xenon- lornix:~> ssh -R "*:0:radon:22" -N -T radon
Allocated port 39813 for remote forward to radon:22

-N specifies no command is given, and -T stops allocation of a tty for this connection.

Another way to disseminate the port connection information would be to parse it from the client side and send an email, jabber, text msg, smoke signals or pigeon to carry the port # to whomever needs it.

Networking – How does SSH tunneling work at low level

Your understanding of the process is correct.

The "wrapping" or "tunneling" indeed happens at TCP level: the stream coming over the SSH connection is connected to the socket connection in the LAN, and everything that goes forth and back over this also goes over that.

Best Answer

Related Solutions

How to determine the port allocated on the server for a dynamically bound openssh reverse tunnel

Networking – How does SSH tunneling work at low level

Related Question