This page explains how to set up secure port forwarding through indirect ssh connections.

== Scenario ==

Let's suppose we connect by ssh from ''clienthost'' to ''hophost'', and from there on to ''targethost'', where we want to run a VNC server as securely as possible - which means that it only accepts connections from 127.0.0.1 (localhost), not over the network. Let's assume the VNC server uses display :2 and hence listens on port 5902.

To connect a client through a secure tunnel, two ssh port forwardings have to be set up:

{{attachment:hop.gif}}

While we could use port 5902 everywhere in this example (provided that it's available on ''hophost''), for clarity we're using port 5911 on the client and port 65432 on the hop host.

It doesn't matter whether the second ssh connection is established automatically (like on a gateway system not allowing actual logins) or manually. We will now see how to add both required port forwards ''after'' the ssh connections have been established.

== Step by step (Linux) ==

=== Step 1: establish the ssh connections ===

Connect as usual, but with a modified escape character:

{{{
[clienthost] ~ % ssh -o EscapeChar='^' hophost
}}}

If not executed automatically, now connect to the target system:

{{{
[hophost] ~ % ssh targethost
}}}

We can now "escape" both ssh connections independently and add the port forwards: in the first connection we use our ''^'' escape character, and the standard ''~'' escape works on the second connection.

=== Step 2: start the VNC server and determine the target port ===

{{{
[targethost] ~ % vncserver -localhost

New 'targethost.domain.de:2 (user)' desktop is targethost.domain.de:2

Starting applications specified in ~user/.vnc/xstartup
Log file is ~user/.vnc/targethost.domain.de:2.log
}}}

The vncserver script could have chosen a different display number. In this case, modify the port number accordingly (from 5902 to 5900+display) when following the examples.
=== Step 3: set up the port forward from hop to target host ===

In the terminal window,

 1. hit [Enter]
 2. hit the escape character key [~]
 3. hit [C]

This will give you a prompt allowing you to add the port forward. Only a single command can be entered; ''?'' shows a list of the available commands.

{{{
[targethost] ~ % ssh>
}}}

To add the port forward, enter the following command and hit [Enter] twice:

{{{
[targethost] ~ % ssh> -L65432:localhost:5902
Forwarding port.

[targethost] ~ %
}}}

This is just the same option one could have given to the ssh command as well. Now any connection to port 65432 on ''hophost'' will effectively connect to port 5902 on ''targethost''.

The choice of port number is arbitrary, within the constraint that non-root users can only use ports > 1023 and that only 64k port numbers exist. If you get the error message ''channel_setup_fwd_listener: cannot listen to port: 65432'', this port is already in use and you have to try another one. There should be plenty of free ports; try numbers above 60000 (but below 65534).

=== Step 4: set up the port forward from client to hop host ===

The procedure is the same as in the previous step, but now we use the nonstandard escape character we specified for this connection:

 1. hit [Enter]
 2. hit [^]
 3. hit [C]
 4. specify the required forward:

{{{
[targethost] ~ % ssh> -L5911:localhost:65432
Forwarding port.

[targethost] ~ %
}}}

Again, port 5911 could be in use on the client host. In this case, you have to try different ports in the 5901-... range, and later point the VNC client to the corresponding display.

=== Step 5: start the VNC viewer on the client ===

Simply run the command `vncviewer localhost:11`. You should be prompted for your VNC password and get access to the server session you started on ''targethost''.

== If you want to connect to a different system from the end of the tunnel ==

Just modify step 3 above.
For example, to access an http server on ''webserver'' that is accessible from ''targethost'' but not from ''clienthost'' and ''hophost'', replace `localhost:5902` by `webserver:80`.

== Step by step (Windows) ==

=== Configure PuTTY ===

PuTTY is the preferred ssh client on the Windows platform. This scenario (see above) happens automatically when connecting to Zeuthen via warp: `ssh warp.zeuthen.desy.de`. To connect a client through both of the secure tunnels, two ssh port forwardings have to be set up.

{{attachment:putty1.jpg||width=400px}}

{{attachment:putty2.jpg||width=400px}}

Press '''Add''' before opening the connection.

Then open the ssh session and enter your DESY password!

=== Start VNC server ===

Start the VNC server on the workgroup server:

{{{
[wgs03] ~ > vncserver -geometry 1250x1000 -depth 24 -localhost -once
}}}

You will get:

{{{
New 'host.domain.de:2 (user)' desktop is host.domain.de:2

Starting applications specified in ~user/.vnc/xstartup
Log file is ~user/.vnc/host.domain.de:2.log
}}}

Please note the number after the colon: in this case the display number is '''2'''.

=== Port forwarding ===

Now it is possible to connect to the VNC port on the workgroup server through the port forwarding set up when creating the session, by connecting the remote port of the first tunnel with the local port of the second tunnel.

In the terminal window,

 1. hit [Enter]
 2. hit the escape character key [~]
 3. hit [C]

You will get an ssh prompt:

{{{
[wgs03] ~ % ssh>
}}}

To add the port forward, enter the following command and hit [Enter] twice. Modify the port number accordingly (5900+display number):

{{{
[wgs03] ~ % ssh> -L65432:localhost:5902
Forwarding port.

[wgs03] ~ %
}}}

=== Start VNC viewer ===

For Windows you can use the "UltraVNC Client" provided by DSM (!NetInstall) or the "Real VNC Viewer" (freeware).

{{attachment:vnc.jpg||width=400px}}

{{attachment:vnc2.jpg||width=400px}}

Enter your VNC password! This password must have been set on Linux beforehand with the command '''vncpasswd'''.

=== Stop the VNC server ===

 * close the VNC viewer
 * in the ssh terminal window, kill the server for your display (here :2):
{{{
[wgs03] ~ > vncserver -kill :2
}}}
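The two forwards of steps 3 and 4 of the Linux procedure, given up front as ordinary `-L` options instead of being added through the escape prompt, as an added example that is not part of the original page: it reads the display number from the vncserver output of step 2, derives the ports, binds the listeners to 127.0.0.1 explicitly, and recognises the ''cannot listen to port'' error. The host names and the ports 5911/65432 are the page's examples; the vncserver output below is a constructed copy of the page's.

```python
import re
import shlex

# Constructed copy of the vncserver output shown in step 2 (not captured from a real host).
VNCSERVER_OUTPUT = """\
New 'targethost.domain.de:2 (user)' desktop is targethost.domain.de:2
Starting applications specified in ~user/.vnc/xstartup
Log file is ~user/.vnc/targethost.domain.de:2.log
"""
# ssh's complaint, quoted on the page, when the chosen listening port is already taken.
PORT_IN_USE = re.compile(r"channel_setup_fwd_listener: cannot listen to port: (\d+)")

def vnc_display(output: str) -> int:
    """Display number N from the 'desktop is host:N' line of vncserver's output."""
    match = re.search(r"desktop is \S+:(\d+)", output)
    if match is None:
        raise ValueError("no 'desktop is host:N' line in vncserver output")
    return int(match.group(1))

def vnc_port(display: int) -> int:
    """VNC listens on 5900 + display (display :2 -> port 5902)."""
    return 5900 + display

def forward_spec(listen_port: int, target_host: str, target_port: int) -> str:
    """-L argument. Binding 127.0.0.1 explicitly keeps the listener off the network
    even if GatewayPorts were enabled in the ssh configuration."""
    if not 1023 < listen_port < 65536:
        raise ValueError(f"port {listen_port}: unprivileged users may only bind 1024-65535")
    return f"127.0.0.1:{listen_port}:{target_host}:{target_port}"

def tunnel_commands(display, client_port=5911, hop_port=65432, hop="hophost", target="targethost"):
    """The forwards of step 4 (outer, typed on clienthost) and step 3 (inner, typed on
    hophost) as ordinary -L options. ExitOnForwardFailure turns a taken port into a
    failed connection instead of a session that silently has no tunnel."""
    outer = ["ssh", "-o", "ExitOnForwardFailure=yes",
             "-L", forward_spec(client_port, "localhost", hop_port), hop]
    inner = ["ssh", "-o", "ExitOnForwardFailure=yes",
             "-L", forward_spec(hop_port, "localhost", vnc_port(display)), target]
    return shlex.join(outer), shlex.join(inner)

def viewer_display(client_port: int) -> str:
    """vncviewer argument for the client-side listener (5911 -> localhost:11)."""
    return f"localhost:{client_port - 5900}"

def port_in_use(ssh_stderr: str):
    """Port from the 'cannot listen to port' error, or None if the forward was set up."""
    match = PORT_IN_USE.search(ssh_stderr)
    return int(match.group(1)) if match else None
```

The outer command is typed on ''clienthost'' and the inner one on ''hophost''; with both in place, `vncviewer localhost:11` works exactly as in step 5.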