Florz
/
ssh-port-forwarding
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
how to use plain openssh to do remote port forwarding
5 Commits 1 Branch 0 Tags 42 KiB
Go to file
Florz d7cd5dc5a2 add sshd_config lines 2021-02-18 21:27:00 +01:00
LICENSE Initial commit 2021-02-18 20:07:07 +01:00
README.md add sshd_config lines 2021-02-18 21:27:00 +01:00

README.md

ssh-port-forwarding

(use plain openssh to do remote port forwarding)

There are many good reasons to do secure port forwarding through ssh. For example if you own two servers in different datacenters and you want to connect to a single service which is less restricted when accessed locally (e.g. port 25 for SMTP) or you want to forward a service from a system behind a firewall (e.g. a web service on your home Server).
Traditionally you would use autossh to manage permanent ssh connections. However through many hours of testing this has prooven unreliable in many ways. When connecting multiple times to the same server autossh by default uses the same ports for monitoring, which leads to the termination of at least one connection. There also were inexplicable cases when sshd remained running on the server, while the client was actually disconnected and could not restore the connection due to the broken process on the server.
Luckily opennsh made autossh redundant because it already offers built-in monitoring. No additional monitoring ports are necessary anymore. However, there are quite a few options that you should know about in order to improve security and reliability of such a setup. This is the motivation behind this tutorial.

Disclaimer

When you follow this guide, you can make otherwise protected services accessible to the public Internet (when using ssh -R). This might be an attack vector into your protected network.
When you don't set restrictions properly, an attacker might gain access to your server, either via direct shell access or through forwarding the port of your unprotected service (e.g. a database on localhost).

Server configuration

/etc/ssh/sshd_config

Add or change the following lines:

GatewayPorts clientspecified
ClientAliveInterval 5
ClientAliveCountMax 3

This allows any user to forward his local ports to an unprivileged public port on the server (ssh -R). You have to restrict this late on through the permitlisten variable in the authorized_keys file. The other two variables specify how often the server should send keep alive messages and how many missed messages from the client it will tolerate. The same has to be set on the client side, but there it can be done as a parameter.