What does the L option of SSH do?
To make VNC secure, I am supposed to use this
ssh -L 5901:127.0.0.1:5901 user@example.com
from the client. Use 5901 if the server display is 1; use 5900 for display 0. This command was taken from a tutorial.
The description of the option is
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be
forwarded to the given host and port on the remote side. This
works by allocating a socket to listen to port on the local side,
optionally bound to the specified bind_address. Whenever a
connection is made to this port, the connection is forwarded over
the secure channel, and a connection is made to host port
hostport from the remote machine. Port forwardings can also be
specified in the configuration file. IPv6 addresses can be
specified with an alternative syntax:
[bind_address/]port/host/hostport or by enclosing the address in
square brackets. Only the superuser can forward privileged
ports. By default, the local port is bound in accordance with
the GatewayPorts setting. However, an explicit bind_address may
be used to bind the connection to a specific address. The
bind_address of “localhost” indicates that the listening port be
bound for local use only, while an empty address or ‘*’ indicates
that the port should be available from all interfaces.
The ssh_config files description includes this
GatewayPorts
Specifies whether remote hosts are allowed to connect to local
forwarded ports. By default, ssh(1) binds local port forwardings
to the loopback address. This prevents other remote hosts from
connecting to forwarded ports. GatewayPorts can be used to spec-
ify that ssh should bind local port forwardings to the wildcard
address, thus allowing remote hosts to connect to forwarded
ports. The argument must be ``yes'' or ``no''. The default is
``no''.
Please explain this command or diagram it.
ssh vnc localhost
asked Feb 9 '17 at 14:46
H2ONaClH2ONaCl
3,346204885
add a comment |
To make VNC secure, I am supposed to use this
ssh -L 5901:127.0.0.1:5901 user@example.com
from the client. Use 5901 if the server display is 1; use 5900 for display 0. This command was taken from a tutorial.
The description of the option is
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be
forwarded to the given host and port on the remote side. This
works by allocating a socket to listen to port on the local side,
optionally bound to the specified bind_address. Whenever a
connection is made to this port, the connection is forwarded over
the secure channel, and a connection is made to host port
hostport from the remote machine. Port forwardings can also be
specified in the configuration file. IPv6 addresses can be
specified with an alternative syntax:
[bind_address/]port/host/hostport or by enclosing the address in
square brackets. Only the superuser can forward privileged
ports. By default, the local port is bound in accordance with
the GatewayPorts setting. However, an explicit bind_address may
be used to bind the connection to a specific address. The
bind_address of “localhost” indicates that the listening port be
bound for local use only, while an empty address or ‘*’ indicates
that the port should be available from all interfaces.
The ssh_config files description includes this
GatewayPorts
Specifies whether remote hosts are allowed to connect to local
forwarded ports. By default, ssh(1) binds local port forwardings
to the loopback address. This prevents other remote hosts from
connecting to forwarded ports. GatewayPorts can be used to spec-
ify that ssh should bind local port forwardings to the wildcard
address, thus allowing remote hosts to connect to forwarded
ports. The argument must be ``yes'' or ``no''. The default is
``no''.
Please explain this command or diagram it.
ssh vnc localhost
asked Feb 9 '17 at 14:46
H2ONaClH2ONaCl
3,346204885
add a comment |
To make VNC secure, I am supposed to use this
ssh -L 5901:127.0.0.1:5901 user@example.com
from the client. Use 5901 if the server display is 1; use 5900 for display 0. This command was taken from a tutorial.
The description of the option is
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be
forwarded to the given host and port on the remote side. This
works by allocating a socket to listen to port on the local side,
optionally bound to the specified bind_address. Whenever a
connection is made to this port, the connection is forwarded over
the secure channel, and a connection is made to host port
hostport from the remote machine. Port forwardings can also be
specified in the configuration file. IPv6 addresses can be
specified with an alternative syntax:
[bind_address/]port/host/hostport or by enclosing the address in
square brackets. Only the superuser can forward privileged
ports. By default, the local port is bound in accordance with
the GatewayPorts setting. However, an explicit bind_address may
be used to bind the connection to a specific address. The
bind_address of “localhost” indicates that the listening port be
bound for local use only, while an empty address or ‘*’ indicates
that the port should be available from all interfaces.
The ssh_config files description includes this
GatewayPorts
Specifies whether remote hosts are allowed to connect to local
forwarded ports. By default, ssh(1) binds local port forwardings
to the loopback address. This prevents other remote hosts from
connecting to forwarded ports. GatewayPorts can be used to spec-
ify that ssh should bind local port forwardings to the wildcard
address, thus allowing remote hosts to connect to forwarded
ports. The argument must be ``yes'' or ``no''. The default is
``no''.
Please explain this command or diagram it.
ssh vnc localhost
asked Feb 9 '17 at 14:46
H2ONaClH2ONaCl
3,346204885
To make VNC secure, I am supposed to use this
ssh -L 5901:127.0.0.1:5901 user@example.com
from the client. Use 5901 if the server display is 1; use 5900 for display 0. This command was taken from a tutorial.
The description of the option is
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be
forwarded to the given host and port on the remote side. This
works by allocating a socket to listen to port on the local side,
optionally bound to the specified bind_address. Whenever a
connection is made to this port, the connection is forwarded over
the secure channel, and a connection is made to host port
hostport from the remote machine. Port forwardings can also be
specified in the configuration file. IPv6 addresses can be
specified with an alternative syntax:
[bind_address/]port/host/hostport or by enclosing the address in
square brackets. Only the superuser can forward privileged
ports. By default, the local port is bound in accordance with
the GatewayPorts setting. However, an explicit bind_address may
be used to bind the connection to a specific address. The
bind_address of “localhost” indicates that the listening port be
bound for local use only, while an empty address or ‘*’ indicates
that the port should be available from all interfaces.
The ssh_config files description includes this
GatewayPorts
Specifies whether remote hosts are allowed to connect to local
forwarded ports. By default, ssh(1) binds local port forwardings
to the loopback address. This prevents other remote hosts from
connecting to forwarded ports. GatewayPorts can be used to spec-
ify that ssh should bind local port forwardings to the wildcard
address, thus allowing remote hosts to connect to forwarded
ports. The argument must be ``yes'' or ``no''. The default is
``no''.
Please explain this command or diagram it.
ssh vnc localhost
ssh vnc localhost
asked Feb 9 '17 at 14:46
H2ONaClH2ONaCl
3,346204885
asked Feb 9 '17 at 14:46
H2ONaClH2ONaCl
3,346204885
edited Feb 9 '17 at 15:18
H2ONaCl
asked Feb 9 '17 at 14:46
H2ONaClH2ONaCl
3,346204885
asked Feb 9 '17 at 14:46
H2ONaClH2ONaCl
3,346204885
asked Feb 9 '17 at 14:46
H2ONaClH2ONaCl
3,346204885
3,346204885
add a comment |
add a comment |
4 Answers
4
active
oldest
votes
This is simply a way to apply well-tested security to the insecure VNC protocol. SSH is widely used, it has well-tested encryption protocols, and it supports a variety of authentication protocols. VNC is just widely used, and not as much as SSH.
The L option of SSH forwards traffic from the local system to the remote system, under SSH's protection. So, where VNC isn't secure or flexible enough by itself, by forwarding VNC traffic over SSH, you get the full power of SSH for protecting it.
By forwarding your localhost's port to the remote host, you ensure that none of your unencrypted VNC traffic is leaked on the local (or remote, for that matter) networks.
To intercept any of this, an attacker will have to break SSH, or have root access to the systems involved, in which case you have already lost.
answered Feb 9 '17 at 14:57
murumuru
1
I know that. The first 4 words of the question are: "to make VNC secure". How about explaining the '[number:]number:localhost:number' thing.
– H2ONaCl
Feb 9 '17 at 15:30
@H2ONaCl that's explained in the manual. What part of that do you not understand?
– muru
Feb 9 '17 at 15:30
May be the manual needs a diagram.
– H2ONaCl
Feb 9 '17 at 15:32
@H2ONaCl dirk-loss.de/ssh-port-forwarding.htm
– muru
Feb 9 '17 at 15:34
Note to self: at the link SSHD does not mean solid state hybrid drive. It probably means SSH daemon.
– H2ONaCl
Feb 9 '17 at 15:52
|
show 2 more comments
Basically this makes the port 5902 on example.com accessible as it was running on your local machine
ssh -L 5901:127.0.0.1:5902 user@example.com
After running this command you can access what is running on example.com:5902 on your local machine 127.0.0.1:5901
user@example.com - user/server you are connecting to
5902 - the target port you want forward
5901 - the port number the target port should be reachable on
edited Feb 9 '17 at 15:56
muru
1
answered Feb 9 '17 at 15:53
D-unitD-unit
16415
So this is not a mistake? You want to illustrate with port 5902 rather than 5901 in both places?
– H2ONaCl
Feb 9 '17 at 16:07
I changed it to two different ports to better explain it. In this scenarie you bind the port 5902 on example.com to be reachable on 127.0.0.1:5901. They can be the same port (often they are)
– D-unit
Feb 9 '17 at 16:09
What does 127.0.0.1 mean? Localhost of the client or localhost of the server?
– H2ONaCl
Feb 9 '17 at 16:24
add a comment |
SSH normally provides a remote shell accessible securely at a local terminal. The command with the -L option appears to offer the secure tunnel capability to ports at the two ends.
Suppose the command is
ssh -L 5901:127.0.0.1:5901 user@remoteIP
In the above option there are two instances of 5901.
In the above option the first instance of 5901 determines the configuration on the machine that is the LOCAL HOST, which is not to say "localhost". The LOCAL HOST is the machine executing the ssh command. In the above option the remainder of the string, 127.0.0.1:5901, determines the configuration on the machine that is the REMOTE HOST at remoteIP.
An application on the REMOTE HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is explicit so only an application on the same machine will be allowed to access the tunnel.
An application on the LOCAL HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is by default. If GatewayPorts is 'yes' then a * can be specified in the option to mean any host (with any IP) may access the secure tunnel. The form of the command would then be
ssh -L *:5901:127.0.0.1:5901 user@remoteIP
An illustration with 4 hosts:
App Host A <---> Host Running `ssh` <---> Host At `remoteIP` <---> App Host B
App Host A could be on the same machine as the Host Running ssh.
App Host B could be on the same machine as the Host at remoteIP.
Addendum: Note that this command makes it appear that port 5901 is being used but in fact the tunnel is the substitute for port 5901 on both ends. Thus you can disable port 5901. In fact if no others are needed you can disable all ports except the one being used by ssh which is by convention 22.
answered Feb 9 '17 at 19:46
H2ONaClH2ONaCl
3,346204885
This is the answer that explained all to me. Well, and this link. But I think your addendum is wrong. You actually need your port 5901 on your Client for this to work.
– John Red
Dec 5 '17 at 8:50
add a comment |
I find this confusing because of the use of "localhost" in many examples.
LocalPort:RemoteHost:RemotePort user@IntermediateHost
LocalPort: This is a local port that SSH opens on the machine that you run the ssh command. You will typically setup your client machine to connect to localhost:5901 - on your client machine.
RemoteHost: This is the target machine, to which a connection is attempted - from the IntermediateHost machine. I.e. it is relative to the RemoteHost. When you use "localhost" here, it means "IntermediateHost".
RemotePort: This is the target port on the target machine
IntermediateHost: This is the machine listening (by default, on SSH port 22) that the ssh command connects to. It is this machine that attempts to connect to RemoteHost:RemoteHost.
In the oft-quoted example of secure VNC / SSH tunnel:
ssh -L 5901:localhost:5900 myuser@IntermediateHost
The "localhost" here is relative to IntermediateHost, i.e. it IS IntermediateHost.
Local port 5901 is opened, so you can configure your local VNC client to connect to port 5901 on the local machine. Confusingly this is referred to as: "localhost:5901".
In the parameter, "localhost:5900" is the target to which the IntermediateHost connects: therefore it connects to itself.
Hence the ssh server running on IntermediateHost is instructed to send all traffic to "localhost:5900" - i.e. to itself. The traffic comes from what is sent to port 5901 on the local client machine.
Hope this helps
answered Jan 12 at 13:12
Malcolm BoekhoffMalcolm Boekhoff
1213
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f881605%2fwhat-does-the-l-option-of-ssh-do%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
This is simply a way to apply well-tested security to the insecure VNC protocol. SSH is widely used, it has well-tested encryption protocols, and it supports a variety of authentication protocols. VNC is just widely used, and not as much as SSH.
The L option of SSH forwards traffic from the local system to the remote system, under SSH's protection. So, where VNC isn't secure or flexible enough by itself, by forwarding VNC traffic over SSH, you get the full power of SSH for protecting it.
By forwarding your localhost's port to the remote host, you ensure that none of your unencrypted VNC traffic is leaked on the local (or remote, for that matter) networks.
To intercept any of this, an attacker will have to break SSH, or have root access to the systems involved, in which case you have already lost.
answered Feb 9 '17 at 14:57
murumuru
1
I know that. The first 4 words of the question are: "to make VNC secure". How about explaining the '[number:]number:localhost:number' thing.
– H2ONaCl
Feb 9 '17 at 15:30
@H2ONaCl that's explained in the manual. What part of that do you not understand?
– muru
Feb 9 '17 at 15:30
May be the manual needs a diagram.
– H2ONaCl
Feb 9 '17 at 15:32
@H2ONaCl dirk-loss.de/ssh-port-forwarding.htm
– muru
Feb 9 '17 at 15:34
Note to self: at the link SSHD does not mean solid state hybrid drive. It probably means SSH daemon.
– H2ONaCl
Feb 9 '17 at 15:52
|
show 2 more comments
This is simply a way to apply well-tested security to the insecure VNC protocol. SSH is widely used, it has well-tested encryption protocols, and it supports a variety of authentication protocols. VNC is just widely used, and not as much as SSH.
The L option of SSH forwards traffic from the local system to the remote system, under SSH's protection. So, where VNC isn't secure or flexible enough by itself, by forwarding VNC traffic over SSH, you get the full power of SSH for protecting it.
By forwarding your localhost's port to the remote host, you ensure that none of your unencrypted VNC traffic is leaked on the local (or remote, for that matter) networks.
To intercept any of this, an attacker will have to break SSH, or have root access to the systems involved, in which case you have already lost.
answered Feb 9 '17 at 14:57
murumuru
1
I know that. The first 4 words of the question are: "to make VNC secure". How about explaining the '[number:]number:localhost:number' thing.
– H2ONaCl
Feb 9 '17 at 15:30
@H2ONaCl that's explained in the manual. What part of that do you not understand?
– muru
Feb 9 '17 at 15:30
May be the manual needs a diagram.
– H2ONaCl
Feb 9 '17 at 15:32
@H2ONaCl dirk-loss.de/ssh-port-forwarding.htm
– muru
Feb 9 '17 at 15:34
Note to self: at the link SSHD does not mean solid state hybrid drive. It probably means SSH daemon.
– H2ONaCl
Feb 9 '17 at 15:52
|
show 2 more comments
This is simply a way to apply well-tested security to the insecure VNC protocol. SSH is widely used, it has well-tested encryption protocols, and it supports a variety of authentication protocols. VNC is just widely used, and not as much as SSH.
The L option of SSH forwards traffic from the local system to the remote system, under SSH's protection. So, where VNC isn't secure or flexible enough by itself, by forwarding VNC traffic over SSH, you get the full power of SSH for protecting it.
By forwarding your localhost's port to the remote host, you ensure that none of your unencrypted VNC traffic is leaked on the local (or remote, for that matter) networks.
To intercept any of this, an attacker will have to break SSH, or have root access to the systems involved, in which case you have already lost.
answered Feb 9 '17 at 14:57
murumuru
1
This is simply a way to apply well-tested security to the insecure VNC protocol. SSH is widely used, it has well-tested encryption protocols, and it supports a variety of authentication protocols. VNC is just widely used, and not as much as SSH.
The L option of SSH forwards traffic from the local system to the remote system, under SSH's protection. So, where VNC isn't secure or flexible enough by itself, by forwarding VNC traffic over SSH, you get the full power of SSH for protecting it.
By forwarding your localhost's port to the remote host, you ensure that none of your unencrypted VNC traffic is leaked on the local (or remote, for that matter) networks.
To intercept any of this, an attacker will have to break SSH, or have root access to the systems involved, in which case you have already lost.
answered Feb 9 '17 at 14:57
murumuru
1
answered Feb 9 '17 at 14:57
murumuru
1
answered Feb 9 '17 at 14:57
murumuru
1
answered Feb 9 '17 at 14:57
murumuru
1
1
I know that. The first 4 words of the question are: "to make VNC secure". How about explaining the '[number:]number:localhost:number' thing.
– H2ONaCl
Feb 9 '17 at 15:30
@H2ONaCl that's explained in the manual. What part of that do you not understand?
– muru
Feb 9 '17 at 15:30
May be the manual needs a diagram.
– H2ONaCl
Feb 9 '17 at 15:32
@H2ONaCl dirk-loss.de/ssh-port-forwarding.htm
– muru
Feb 9 '17 at 15:34
Note to self: at the link SSHD does not mean solid state hybrid drive. It probably means SSH daemon.
– H2ONaCl
Feb 9 '17 at 15:52
|
show 2 more comments
I know that. The first 4 words of the question are: "to make VNC secure". How about explaining the '[number:]number:localhost:number' thing.
– H2ONaCl
Feb 9 '17 at 15:30
@H2ONaCl that's explained in the manual. What part of that do you not understand?
– muru
Feb 9 '17 at 15:30
May be the manual needs a diagram.
– H2ONaCl
Feb 9 '17 at 15:32
@H2ONaCl dirk-loss.de/ssh-port-forwarding.htm
– muru
Feb 9 '17 at 15:34
Note to self: at the link SSHD does not mean solid state hybrid drive. It probably means SSH daemon.
– H2ONaCl
Feb 9 '17 at 15:52
I know that. The first 4 words of the question are: "to make VNC secure". How about explaining the '[number:]number:localhost:number' thing.
– H2ONaCl
Feb 9 '17 at 15:30
I know that. The first 4 words of the question are: "to make VNC secure". How about explaining the '[number:]number:localhost:number' thing.
– H2ONaCl
Feb 9 '17 at 15:30
@H2ONaCl that's explained in the manual. What part of that do you not understand?
– muru
Feb 9 '17 at 15:30
@H2ONaCl that's explained in the manual. What part of that do you not understand?
– muru
Feb 9 '17 at 15:30
May be the manual needs a diagram.
– H2ONaCl
Feb 9 '17 at 15:32
May be the manual needs a diagram.
– H2ONaCl
Feb 9 '17 at 15:32
@H2ONaCl dirk-loss.de/ssh-port-forwarding.htm
– muru
Feb 9 '17 at 15:34
@H2ONaCl dirk-loss.de/ssh-port-forwarding.htm
– muru
Feb 9 '17 at 15:34
Note to self: at the link SSHD does not mean solid state hybrid drive. It probably means SSH daemon.
– H2ONaCl
Feb 9 '17 at 15:52
Note to self: at the link SSHD does not mean solid state hybrid drive. It probably means SSH daemon.
– H2ONaCl
Feb 9 '17 at 15:52
|
show 2 more comments
Basically this makes the port 5902 on example.com accessible as it was running on your local machine
ssh -L 5901:127.0.0.1:5902 user@example.com
After running this command you can access what is running on example.com:5902 on your local machine 127.0.0.1:5901
user@example.com - user/server you are connecting to
5902 - the target port you want forward
5901 - the port number the target port should be reachable on
edited Feb 9 '17 at 15:56
muru
1
answered Feb 9 '17 at 15:53
D-unitD-unit
16415
So this is not a mistake? You want to illustrate with port 5902 rather than 5901 in both places?
– H2ONaCl
Feb 9 '17 at 16:07
I changed it to two different ports to better explain it. In this scenarie you bind the port 5902 on example.com to be reachable on 127.0.0.1:5901. They can be the same port (often they are)
– D-unit
Feb 9 '17 at 16:09
What does 127.0.0.1 mean? Localhost of the client or localhost of the server?
– H2ONaCl
Feb 9 '17 at 16:24
add a comment |
Basically this makes the port 5902 on example.com accessible as it was running on your local machine
ssh -L 5901:127.0.0.1:5902 user@example.com
After running this command you can access what is running on example.com:5902 on your local machine 127.0.0.1:5901
user@example.com - user/server you are connecting to
5902 - the target port you want forward
5901 - the port number the target port should be reachable on
edited Feb 9 '17 at 15:56
muru
1
answered Feb 9 '17 at 15:53
D-unitD-unit
16415
So this is not a mistake? You want to illustrate with port 5902 rather than 5901 in both places?
– H2ONaCl
Feb 9 '17 at 16:07
I changed it to two different ports to better explain it. In this scenarie you bind the port 5902 on example.com to be reachable on 127.0.0.1:5901. They can be the same port (often they are)
– D-unit
Feb 9 '17 at 16:09
What does 127.0.0.1 mean? Localhost of the client or localhost of the server?
– H2ONaCl
Feb 9 '17 at 16:24
add a comment |
Basically this makes the port 5902 on example.com accessible as it was running on your local machine
ssh -L 5901:127.0.0.1:5902 user@example.com
After running this command you can access what is running on example.com:5902 on your local machine 127.0.0.1:5901
user@example.com - user/server you are connecting to
5902 - the target port you want forward
5901 - the port number the target port should be reachable on
edited Feb 9 '17 at 15:56
muru
1
answered Feb 9 '17 at 15:53
D-unitD-unit
16415
Basically this makes the port 5902 on example.com accessible as it was running on your local machine
ssh -L 5901:127.0.0.1:5902 user@example.com
After running this command you can access what is running on example.com:5902 on your local machine 127.0.0.1:5901
user@example.com - user/server you are connecting to
5902 - the target port you want forward
5901 - the port number the target port should be reachable on
edited Feb 9 '17 at 15:56
muru
1
answered Feb 9 '17 at 15:53
D-unitD-unit
16415
edited Feb 9 '17 at 15:56
muru
1
edited Feb 9 '17 at 15:56
muru
1
edited Feb 9 '17 at 15:56
muru
1
1
answered Feb 9 '17 at 15:53
D-unitD-unit
16415
answered Feb 9 '17 at 15:53
D-unitD-unit
16415
answered Feb 9 '17 at 15:53
D-unitD-unit
16415
16415
So this is not a mistake? You want to illustrate with port 5902 rather than 5901 in both places?
– H2ONaCl
Feb 9 '17 at 16:07
I changed it to two different ports to better explain it. In this scenarie you bind the port 5902 on example.com to be reachable on 127.0.0.1:5901. They can be the same port (often they are)
– D-unit
Feb 9 '17 at 16:09
What does 127.0.0.1 mean? Localhost of the client or localhost of the server?
– H2ONaCl
Feb 9 '17 at 16:24
add a comment |
So this is not a mistake? You want to illustrate with port 5902 rather than 5901 in both places?
– H2ONaCl
Feb 9 '17 at 16:07
I changed it to two different ports to better explain it. In this scenarie you bind the port 5902 on example.com to be reachable on 127.0.0.1:5901. They can be the same port (often they are)
– D-unit
Feb 9 '17 at 16:09
What does 127.0.0.1 mean? Localhost of the client or localhost of the server?
– H2ONaCl
Feb 9 '17 at 16:24
So this is not a mistake? You want to illustrate with port 5902 rather than 5901 in both places?
– H2ONaCl
Feb 9 '17 at 16:07
So this is not a mistake? You want to illustrate with port 5902 rather than 5901 in both places?
– H2ONaCl
Feb 9 '17 at 16:07
I changed it to two different ports to better explain it. In this scenarie you bind the port 5902 on example.com to be reachable on 127.0.0.1:5901. They can be the same port (often they are)
– D-unit
Feb 9 '17 at 16:09
I changed it to two different ports to better explain it. In this scenarie you bind the port 5902 on example.com to be reachable on 127.0.0.1:5901. They can be the same port (often they are)
– D-unit
Feb 9 '17 at 16:09
What does 127.0.0.1 mean? Localhost of the client or localhost of the server?
– H2ONaCl
Feb 9 '17 at 16:24
What does 127.0.0.1 mean? Localhost of the client or localhost of the server?
– H2ONaCl
Feb 9 '17 at 16:24
add a comment |
SSH normally provides a remote shell accessible securely at a local terminal. The command with the -L option appears to offer the secure tunnel capability to ports at the two ends.
Suppose the command is
ssh -L 5901:127.0.0.1:5901 user@remoteIP
In the above option there are two instances of 5901.
In the above option the first instance of 5901 determines the configuration on the machine that is the LOCAL HOST, which is not to say "localhost". The LOCAL HOST is the machine executing the ssh command. In the above option the remainder of the string, 127.0.0.1:5901, determines the configuration on the machine that is the REMOTE HOST at remoteIP.
An application on the REMOTE HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is explicit so only an application on the same machine will be allowed to access the tunnel.
An application on the LOCAL HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is by default. If GatewayPorts is 'yes' then a * can be specified in the option to mean any host (with any IP) may access the secure tunnel. The form of the command would then be
ssh -L *:5901:127.0.0.1:5901 user@remoteIP
An illustration with 4 hosts:
App Host A <---> Host Running `ssh` <---> Host At `remoteIP` <---> App Host B
App Host A could be on the same machine as the Host Running ssh.
App Host B could be on the same machine as the Host at remoteIP.
Addendum: Note that this command makes it appear that port 5901 is being used but in fact the tunnel is the substitute for port 5901 on both ends. Thus you can disable port 5901. In fact if no others are needed you can disable all ports except the one being used by ssh which is by convention 22.
answered Feb 9 '17 at 19:46
H2ONaClH2ONaCl
3,346204885
This is the answer that explained all to me. Well, and this link. But I think your addendum is wrong. You actually need your port 5901 on your Client for this to work.
– John Red
Dec 5 '17 at 8:50
add a comment |
SSH normally provides a remote shell accessible securely at a local terminal. The command with the -L option appears to offer the secure tunnel capability to ports at the two ends.
Suppose the command is
ssh -L 5901:127.0.0.1:5901 user@remoteIP
In the above option there are two instances of 5901.
In the above option the first instance of 5901 determines the configuration on the machine that is the LOCAL HOST, which is not to say "localhost". The LOCAL HOST is the machine executing the ssh command. In the above option the remainder of the string, 127.0.0.1:5901, determines the configuration on the machine that is the REMOTE HOST at remoteIP.
An application on the REMOTE HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is explicit so only an application on the same machine will be allowed to access the tunnel.
An application on the LOCAL HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is by default. If GatewayPorts is 'yes' then a * can be specified in the option to mean any host (with any IP) may access the secure tunnel. The form of the command would then be
ssh -L *:5901:127.0.0.1:5901 user@remoteIP
An illustration with 4 hosts:
App Host A <---> Host Running `ssh` <---> Host At `remoteIP` <---> App Host B
App Host A could be on the same machine as the Host Running ssh.
App Host B could be on the same machine as the Host at remoteIP.
Addendum: Note that this command makes it appear that port 5901 is being used but in fact the tunnel is the substitute for port 5901 on both ends. Thus you can disable port 5901. In fact if no others are needed you can disable all ports except the one being used by ssh which is by convention 22.
answered Feb 9 '17 at 19:46
H2ONaClH2ONaCl
3,346204885
This is the answer that explained all to me. Well, and this link. But I think your addendum is wrong. You actually need your port 5901 on your Client for this to work.
– John Red
Dec 5 '17 at 8:50
add a comment |
SSH normally provides a remote shell accessible securely at a local terminal. The command with the -L option appears to offer the secure tunnel capability to ports at the two ends.
Suppose the command is
ssh -L 5901:127.0.0.1:5901 user@remoteIP
In the above option there are two instances of 5901.
In the above option the first instance of 5901 determines the configuration on the machine that is the LOCAL HOST, which is not to say "localhost". The LOCAL HOST is the machine executing the ssh command. In the above option the remainder of the string, 127.0.0.1:5901, determines the configuration on the machine that is the REMOTE HOST at remoteIP.
An application on the REMOTE HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is explicit so only an application on the same machine will be allowed to access the tunnel.
An application on the LOCAL HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is by default. If GatewayPorts is 'yes' then a * can be specified in the option to mean any host (with any IP) may access the secure tunnel. The form of the command would then be
ssh -L *:5901:127.0.0.1:5901 user@remoteIP
An illustration with 4 hosts:
App Host A <---> Host Running `ssh` <---> Host At `remoteIP` <---> App Host B
App Host A could be on the same machine as the Host Running ssh.
App Host B could be on the same machine as the Host at remoteIP.
Addendum: Note that this command makes it appear that port 5901 is being used but in fact the tunnel is the substitute for port 5901 on both ends. Thus you can disable port 5901. In fact if no others are needed you can disable all ports except the one being used by ssh which is by convention 22.
answered Feb 9 '17 at 19:46
H2ONaClH2ONaCl
3,346204885
SSH normally provides a remote shell accessible securely at a local terminal. The command with the -L option appears to offer the secure tunnel capability to ports at the two ends.
Suppose the command is
ssh -L 5901:127.0.0.1:5901 user@remoteIP
In the above option there are two instances of 5901.
In the above option the first instance of 5901 determines the configuration on the machine that is the LOCAL HOST, which is not to say "localhost". The LOCAL HOST is the machine executing the ssh command. In the above option the remainder of the string, 127.0.0.1:5901, determines the configuration on the machine that is the REMOTE HOST at remoteIP.
An application on the REMOTE HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is explicit so only an application on the same machine will be allowed to access the tunnel.
An application on the LOCAL HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is by default. If GatewayPorts is 'yes' then a * can be specified in the option to mean any host (with any IP) may access the secure tunnel. The form of the command would then be
ssh -L *:5901:127.0.0.1:5901 user@remoteIP
An illustration with 4 hosts:
App Host A <---> Host Running `ssh` <---> Host At `remoteIP` <---> App Host B
App Host A could be on the same machine as the Host Running ssh.
App Host B could be on the same machine as the Host at remoteIP.
Addendum: Note that this command makes it appear that port 5901 is being used but in fact the tunnel is the substitute for port 5901 on both ends. Thus you can disable port 5901. In fact if no others are needed you can disable all ports except the one being used by ssh which is by convention 22.
answered Feb 9 '17 at 19:46
H2ONaClH2ONaCl
3,346204885
edited Mar 10 '17 at 5:42
answered Feb 9 '17 at 19:46
H2ONaClH2ONaCl
3,346204885
answered Feb 9 '17 at 19:46
H2ONaClH2ONaCl
3,346204885
answered Feb 9 '17 at 19:46
H2ONaClH2ONaCl
3,346204885
3,346204885
This is the answer that explained all to me. Well, and this link. But I think your addendum is wrong. You actually need your port 5901 on your Client for this to work.
– John Red
Dec 5 '17 at 8:50
add a comment |
This is the answer that explained all to me. Well, and this link. But I think your addendum is wrong. You actually need your port 5901 on your Client for this to work.
– John Red
Dec 5 '17 at 8:50
This is the answer that explained all to me. Well, and this link. But I think your addendum is wrong. You actually need your port 5901 on your Client for this to work.
– John Red
Dec 5 '17 at 8:50
This is the answer that explained all to me. Well, and this link. But I think your addendum is wrong. You actually need your port 5901 on your Client for this to work.
– John Red
Dec 5 '17 at 8:50
add a comment |
I find this confusing because of the use of "localhost" in many examples.
LocalPort:RemoteHost:RemotePort user@IntermediateHost
LocalPort: This is a local port that SSH opens on the machine that you run the ssh command. You will typically setup your client machine to connect to localhost:5901 - on your client machine.
RemoteHost: This is the target machine, to which a connection is attempted - from the IntermediateHost machine. I.e. it is relative to the RemoteHost. When you use "localhost" here, it means "IntermediateHost".
RemotePort: This is the target port on the target machine
IntermediateHost: This is the machine listening (by default, on SSH port 22) that the ssh command connects to. It is this machine that attempts to connect to RemoteHost:RemoteHost.
In the oft-quoted example of secure VNC / SSH tunnel:
ssh -L 5901:localhost:5900 myuser@IntermediateHost
The "localhost" here is relative to IntermediateHost, i.e. it IS IntermediateHost.
Local port 5901 is opened, so you can configure your local VNC client to connect to port 5901 on the local machine. Confusingly this is referred to as: "localhost:5901".
In the parameter, "localhost:5900" is the target to which the IntermediateHost connects: therefore it connects to itself.
Hence the ssh server running on IntermediateHost is instructed to send all traffic to "localhost:5900" - i.e. to itself. The traffic comes from what is sent to port 5901 on the local client machine.
Hope this helps
answered Jan 12 at 13:12
Malcolm BoekhoffMalcolm Boekhoff
1213
add a comment |
I find this confusing because of the use of "localhost" in many examples.
LocalPort:RemoteHost:RemotePort user@IntermediateHost
LocalPort: This is a local port that SSH opens on the machine that you run the ssh command. You will typically setup your client machine to connect to localhost:5901 - on your client machine.
RemoteHost: This is the target machine, to which a connection is attempted - from the IntermediateHost machine. I.e. it is relative to the RemoteHost. When you use "localhost" here, it means "IntermediateHost".
RemotePort: This is the target port on the target machine
IntermediateHost: This is the machine listening (by default, on SSH port 22) that the ssh command connects to. It is this machine that attempts to connect to RemoteHost:RemoteHost.
In the oft-quoted example of secure VNC / SSH tunnel:
ssh -L 5901:localhost:5900 myuser@IntermediateHost
The "localhost" here is relative to IntermediateHost, i.e. it IS IntermediateHost.
Local port 5901 is opened, so you can configure your local VNC client to connect to port 5901 on the local machine. Confusingly this is referred to as: "localhost:5901".
In the parameter, "localhost:5900" is the target to which the IntermediateHost connects: therefore it connects to itself.
Hence the ssh server running on IntermediateHost is instructed to send all traffic to "localhost:5900" - i.e. to itself. The traffic comes from what is sent to port 5901 on the local client machine.
Hope this helps
answered Jan 12 at 13:12
Malcolm BoekhoffMalcolm Boekhoff
1213
add a comment |
I find this confusing because of the use of "localhost" in many examples.
LocalPort:RemoteHost:RemotePort user@IntermediateHost
LocalPort: This is a local port that SSH opens on the machine that you run the ssh command. You will typically setup your client machine to connect to localhost:5901 - on your client machine.
RemoteHost: This is the target machine, to which a connection is attempted - from the IntermediateHost machine. I.e. it is relative to the RemoteHost. When you use "localhost" here, it means "IntermediateHost".
RemotePort: This is the target port on the target machine
IntermediateHost: This is the machine listening (by default, on SSH port 22) that the ssh command connects to. It is this machine that attempts to connect to RemoteHost:RemoteHost.
In the oft-quoted example of secure VNC / SSH tunnel:
ssh -L 5901:localhost:5900 myuser@IntermediateHost
The "localhost" here is relative to IntermediateHost, i.e. it IS IntermediateHost.
Local port 5901 is opened, so you can configure your local VNC client to connect to port 5901 on the local machine. Confusingly this is referred to as: "localhost:5901".
In the parameter, "localhost:5900" is the target to which the IntermediateHost connects: therefore it connects to itself.
Hence the ssh server running on IntermediateHost is instructed to send all traffic to "localhost:5900" - i.e. to itself. The traffic comes from what is sent to port 5901 on the local client machine.
Hope this helps
answered Jan 12 at 13:12
Malcolm BoekhoffMalcolm Boekhoff
1213
I find this confusing because of the use of "localhost" in many examples.
LocalPort:RemoteHost:RemotePort user@IntermediateHost
LocalPort: This is a local port that SSH opens on the machine that you run the ssh command. You will typically setup your client machine to connect to localhost:5901 - on your client machine.
RemoteHost: This is the target machine, to which a connection is attempted - from the IntermediateHost machine. I.e. it is relative to the RemoteHost. When you use "localhost" here, it means "IntermediateHost".
RemotePort: This is the target port on the target machine
IntermediateHost: This is the machine listening (by default, on SSH port 22) that the ssh command connects to. It is this machine that attempts to connect to RemoteHost:RemoteHost.
In the oft-quoted example of secure VNC / SSH tunnel:
ssh -L 5901:localhost:5900 myuser@IntermediateHost
The "localhost" here is relative to IntermediateHost, i.e. it IS IntermediateHost.
Local port 5901 is opened, so you can configure your local VNC client to connect to port 5901 on the local machine. Confusingly this is referred to as: "localhost:5901".
In the parameter, "localhost:5900" is the target to which the IntermediateHost connects: therefore it connects to itself.
Hence the ssh server running on IntermediateHost is instructed to send all traffic to "localhost:5900" - i.e. to itself. The traffic comes from what is sent to port 5901 on the local client machine.
Hope this helps
answered Jan 12 at 13:12
Malcolm BoekhoffMalcolm Boekhoff
1213
answered Jan 12 at 13:12
Malcolm BoekhoffMalcolm Boekhoff
1213
answered Jan 12 at 13:12
Malcolm BoekhoffMalcolm Boekhoff
1213
answered Jan 12 at 13:12
Malcolm BoekhoffMalcolm Boekhoff
1213
1213
add a comment |
add a comment |
Thanks for contributing an answer to Ask Ubuntu!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f881605%2fwhat-does-the-l-option-of-ssh-do%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
