SSH – Recording Dynamically Allocated Port Number with Remote Port Forwarding

port-forwardingssh-tunneling

In the SSH documentation, for remote port forwarding, it says:

If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported to the client at run time. When used together with -O forward the allocated port will be printed to the standard output.

How can I get/use this port number?

I can see it printed on stdout, but I would like to record it in a file.

I have a few computers that sit behind NAT firewalls, where they all connect to a central server, and setup a tunnel so I can SSH back to them.

I currently specify my own port number (e.g. 12345) to do this:

ssh -R 12345:localhost:22 1.2.3.4

And that works, as I can connect to 1.2.3.4, and use:

ssh -p 12345 localhost

But I don't want to hard code a port number for each computer, because keeping a record is a pain; and when the connection eventually fails, the re-connection sometimes doesn't work (because the port is still "in use").

Instead, I can use:

ssh -R 0:localhost:22 1.2.3.4

Where it does report:

Allocated port 41191 for remote forward to localhost:22

But how do I record that port number?

I'm assuming I'm missing something obvious on how to access it.

Could I do something in a shell script that can write the port number to a file?

One option, which doesn't work when you have several servers doing this, would be to check the listening ports:

sudo netstat -tpln | grep "127.0.0.1" | grep sshd

While it seems a bit wasteful, I could get the port number first, disconnect, and then use it:

port=`ssh -R 0:localhost:22 1.2.3.4 exit 2>&1 | grep 'Allocated port' | awk '/port/ { print $3 }'`;

ssh 1.2.3.4 record-port.sh "my-name" "${port}";

ssh -NTC -o ConnectTimeout=10 -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes -R "${port}:localhost:22" 1.2.3.4;

Another option, which is probably worse, is to randomly select the port myself, and record it before attempting to use it:

while true; do

  port=$(((RANDOM %= 1000) + 2000));

  ssh 1.2.3.4 record-port.sh "my-name" "${port}";

  ssh -NTC -o ConnectTimeout=10 -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes -R "${port}:localhost:22" 1.2.3.4;

  sleep 3;

done

Best Answer

You connect a master connection first without port forwarding:

ssh -NMS /path/to/socket user@server

/path/to/socket is up to you. A socket will be created there. In a script you want to use -f.

Then you use -S /path/to/socket -O … to control the master connection. E.g. you can check if it still works:

ssh -S /path/to/socket -O check placeholder

placeholder doesn't matter, it's /path/to/socket what identifies the master connection you want to control.

Now you can request port forwarding:

ssh -S /path/to/socket -O forward -R 0:localhost:22 placeholder

The command will tell you the port. It will exit right away, this means you were able to capture the output. Nothing is lost. Repeat the command and it will tell you the same port again instead of forwarding a second port to the same destination. So let's save the output to a variable:

port="$(ssh -S /path/to/socket -O forward -R 0:localhost:22 placeholder)"

And that's it, now you can use the variable.

For completeness, this is how you cancel the forwarding:

ssh -S /path/to/socket -O cancel -R 0:localhost:22 placeholder

although you don't need to cancel explicitly before terminating the master connection. You terminate it like this:

ssh -S /path/to/socket -O exit placeholder

Not all the above commands are necessary in a most basic script. You need these:

ssh -fNMS /path/to/socket user@server
port="$(ssh -S /path/to/socket -O forward -R 0:localhost:22 placeholder)"
   # anything you want, now you know the port
ssh -S /path/to/socket -O exit placeholder

possibly with some logic to handle connection refused etc.

Related Solutions

Shell – Determine dynamically allocated port for OpenSSH RemoteForward

Unfortunately I didn't find your question earlier, but I've just got a really good answer from kamil-maciorowski:

https://unix.stackexchange.com/a/584505/251179

In summary, establish a master connection first, keep that in the background, then issue a second command with -O *ctl_cmd* set to forward to request/setup port forwarding:

ssh -fNMS /path/to/socket user@server

port="$(ssh -S /path/to/socket -O forward -R 0:localhost:22 placeholder)"

This will give you $port on your local machine, and a connection in the background.

You can then use $port locally; or use ssh again to run a command on the remote server, where you can use the same control socket.

As to the flags, these are:

-f = Requests ssh to go to background.
-N = Do not execute a remote command.
-M = Places client into “master” mode, for connection sharing.
-S = Location of a control socket for connection sharing.
-O = Control an active connection multiplexing master process.

In my case I've added a bit more to keep checking the connection:

#!/bin/bash

#--------------------------------------------------
# Setup
#--------------------------------------------------

  set -u;

  tunnel_user="user";
  tunnel_host="1.1.1.1";

  local_port="22";
  local_name="my-name";

  path_key="$HOME/.ssh/tunnel_ed25519";

  path_lock="/tmp/tunnel.${tunnel_host}.pid"
  path_port="/tmp/tunnel.${tunnel_host}.port"
  path_log="/tmp/tunnel.${tunnel_host}.log"
  path_socket="/tmp/tunnel.${tunnel_host}.socket"

#--------------------------------------------------
# Key file
#--------------------------------------------------

  if [ ! -f "${path_key}" ]; then

    ssh-keygen -q -t ed25519 -f "${path_key}" -N "";

    /usr/local/bin/tunnel-client-key.sh
      # Sends the public key to a central server, also run via cron, so it can be added to ~/.ssh/authorized_keys
      # curl -s --form-string "pass=${pass}" --form-string "name=$(local_name)" -F "key=@${path_key}.pub" "https://example.com/key/";

  fi

#--------------------------------------------------
# Lock
#--------------------------------------------------

  if [ -e "${path_lock}" ]; then
    c=$(pgrep -F "${path_lock}" 2>/dev/null | wc -l);
      # MacOS 10.15.4 does not support "-c" to count processes, or the full "--pidfile" flag.
  else
    c=0;
  fi

  if [[ "${c}" -gt 0 ]]; then
    if tty -s; then
      echo "Already running";
    fi;
    exit;
  fi;

  echo "$$" > "${path_lock}";

#--------------------------------------------------
# Port forward
#--------------------------------------------------

  retry=0;

  while true; do

    #--------------------------------------------------
    # Log cleanup
    #--------------------------------------------------

      if [ ! -f "${path_log}" ]; then
        touch "${path_log}";
      fi

      tail -n 30 "${path_log}" > "${path_log}.tmp";

      mv "${path_log}.tmp" "${path_log}";

    #--------------------------------------------------
    # Exit old sockets
    #--------------------------------------------------

      if [ -S "${path_socket}" ]; then

        echo "$(date) : Exit" >> "${path_log}";

        ssh -S "${path_socket}" -O exit placeholder;

      fi

    #--------------------------------------------------
    # Lost lock
    #--------------------------------------------------

      if [ ! -e "${path_lock}" ] || ! grep -q "$$" "${path_lock}"; then

        echo "$(date) : Lost Lock" >> "${path_log}";

        exit;

      fi

    #--------------------------------------------------
    # Master connection
    #--------------------------------------------------

      echo "$(date) : Connect ${retry}" >> "${path_log}";

      ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes -fNTMS "${path_socket}" -i "${path_key}" "${tunnel_user}@${tunnel_host}" >> "${path_log}" 2>&1;

    #--------------------------------------------------
    # Setup and keep checking the port forwarding
    #--------------------------------------------------

      old_port=0;

      while ssh -S "${path_socket}" -O check placeholder 2>/dev/null; do

        new_port=$(ssh -S "${path_socket}" -O forward -R "0:localhost:${local_port}" placeholder 2>&1);

        if [[ "${new_port}" -gt 0 ]]; then

          retry=0;

          if [[ "${new_port}" -ne "${old_port}" ]]; then

            ssh -i "${path_key}" "${tunnel_user}@${tunnel_host}" "tunnel.port.sh '${new_port}' '${local_name}'" >> "${path_log}" 2>&1;
              # Tell remote server what the port is, and local_name.
              # Don't use socket, it used "-N"; if done, a lost connection keeps sshd running on the remote host, even with ClientAliveInterval/ClientAliveCountMax.

            echo "$(date) : ${new_port}" >> "${path_log}";

            echo "${new_port}" > "${path_port}";

            old_port="${new_port}";

            sleep 1;

          else

            sleep 300; # Looks good, check again in 5 minutes.

          fi

        else # Not a valid port number (0, empty string, number followed by an error message, etc?)

          ssh -S "${path_socket}" -O exit placeholder 2>/dev/null;

        fi

      done

    #--------------------------------------------------
    # Cleanup
    #--------------------------------------------------

      if [ ! -f "${path_port}" ]; then
        rm "${path_port}";
      fi

      echo "$(date) : Disconnected" >> "${path_log}";

    #--------------------------------------------------
    # Delay before next re-try
    #--------------------------------------------------

      retry=$((retry+1));

      if [[ $retry -gt 10 ]]; then
        sleep 180; # Too many connection failures, try again in 3 minutes
      else
        sleep 5;
      fi

  done

Ssh – What does port forwarding mean in “SSH port forwarding”

1 - general case

Suppose you have two server in a company network.

From local server "L1" you have access to a remote server "R1" via ssh on port 22.

The server R1 host a web service, but firewall/NAT/whatever block direct access to port 80.
"R1" can't access "L1" directly due to NAT issue.

from L1 you connect using (same user on both host)

ssh -L 10080:localhost:80 -R 10022:localhost:22 R1

now,

-L 10080:localhost:80 local browsing on 10080 will be forward to distant host (R1), localhost (e.g. distant 127.0.0.1) on port 80, thus you could browse distant host (R1), while blocked by firewall/NAT.
-R 10022:localhost:22 remote use of port 10022 will be forwarded to localhost (L1) port 22, you can initiate scp/ssh from remote to localhost. (using scp -P 10022 file localhost: (note upper -P ) )

This is actually a command line I use from an Ubuntu (14.04) laptop to go to production server (I can firefox to localhost:10080 and use scp from server to localhost:10022 to bring back file )

now your IP are

192.168.1.1 L1
172.17.17.1 R1

you use

ssh -L 10080:172.17.17.3:80 -R 10022:192.168.1.5:22 \
     -L 192.168.1.9:8888:172.17.17.9:9999 R1

now

distant access to port 10022 (any IP) will be forwarded to local 192.168.1.5 ssh/scp.
local access to port 10080 (any IP) will be forwarded to distant host 172.17.17.3 port 80.
local access to port 8888 from 192.168.1.9 will be forwarded to port 9999 on 172.17.17.9 (192.168.1.9 is a local address in L1, using alias mecanism, this is not a firewall rule).

those setting can be used on putty/bitwise client

Ask Ubuntu question

what about

 -R 8000:localhost:80

this read as

-R remote
8000 port 8000 (remote port 8000 ... )
localhost (remote port 8000 goest to localhost .. )
80 ( remote port 8000 goes to localhost port 80 )