What does the L option of SSH do?












3















To make VNC secure, I am supposed to use this



ssh -L 5901:127.0.0.1:5901 user@example.com


from the client. Use 5901 if the server display is 1; use 5900 for display 0. This command was taken from a tutorial.



The description of the option is



-L [bind_address:]port:host:hostport

Specifies that the given port on the local (client) host is to be
forwarded to the given host and port on the remote side. This
works by allocating a socket to listen to port on the local side,
optionally bound to the specified bind_address. Whenever a
connection is made to this port, the connection is forwarded over
the secure channel, and a connection is made to host port
hostport from the remote machine. Port forwardings can also be
specified in the configuration file. IPv6 addresses can be
specified with an alternative syntax:
[bind_address/]port/host/hostport or by enclosing the address in
square brackets. Only the superuser can forward privileged
ports. By default, the local port is bound in accordance with
the GatewayPorts setting. However, an explicit bind_address may
be used to bind the connection to a specific address. The
bind_address of “localhost” indicates that the listening port be
bound for local use only, while an empty address or ‘*’ indicates
that the port should be available from all interfaces.


The ssh_config files description includes this



GatewayPorts
Specifies whether remote hosts are allowed to connect to local
forwarded ports. By default, ssh(1) binds local port forwardings
to the loopback address. This prevents other remote hosts from
connecting to forwarded ports. GatewayPorts can be used to spec-
ify that ssh should bind local port forwardings to the wildcard
address, thus allowing remote hosts to connect to forwarded
ports. The argument must be ``yes'' or ``no''. The default is
``no''.


Please explain this command or diagram it.










share|improve this question





























    3















    To make VNC secure, I am supposed to use this



    ssh -L 5901:127.0.0.1:5901 user@example.com


    from the client. Use 5901 if the server display is 1; use 5900 for display 0. This command was taken from a tutorial.



    The description of the option is



    -L [bind_address:]port:host:hostport

    Specifies that the given port on the local (client) host is to be
    forwarded to the given host and port on the remote side. This
    works by allocating a socket to listen to port on the local side,
    optionally bound to the specified bind_address. Whenever a
    connection is made to this port, the connection is forwarded over
    the secure channel, and a connection is made to host port
    hostport from the remote machine. Port forwardings can also be
    specified in the configuration file. IPv6 addresses can be
    specified with an alternative syntax:
    [bind_address/]port/host/hostport or by enclosing the address in
    square brackets. Only the superuser can forward privileged
    ports. By default, the local port is bound in accordance with
    the GatewayPorts setting. However, an explicit bind_address may
    be used to bind the connection to a specific address. The
    bind_address of “localhost” indicates that the listening port be
    bound for local use only, while an empty address or ‘*’ indicates
    that the port should be available from all interfaces.


    The ssh_config files description includes this



    GatewayPorts
    Specifies whether remote hosts are allowed to connect to local
    forwarded ports. By default, ssh(1) binds local port forwardings
    to the loopback address. This prevents other remote hosts from
    connecting to forwarded ports. GatewayPorts can be used to spec-
    ify that ssh should bind local port forwardings to the wildcard
    address, thus allowing remote hosts to connect to forwarded
    ports. The argument must be ``yes'' or ``no''. The default is
    ``no''.


    Please explain this command or diagram it.










    share|improve this question



























      3












      3








      3


      2






      To make VNC secure, I am supposed to use this



      ssh -L 5901:127.0.0.1:5901 user@example.com


      from the client. Use 5901 if the server display is 1; use 5900 for display 0. This command was taken from a tutorial.



      The description of the option is



      -L [bind_address:]port:host:hostport

      Specifies that the given port on the local (client) host is to be
      forwarded to the given host and port on the remote side. This
      works by allocating a socket to listen to port on the local side,
      optionally bound to the specified bind_address. Whenever a
      connection is made to this port, the connection is forwarded over
      the secure channel, and a connection is made to host port
      hostport from the remote machine. Port forwardings can also be
      specified in the configuration file. IPv6 addresses can be
      specified with an alternative syntax:
      [bind_address/]port/host/hostport or by enclosing the address in
      square brackets. Only the superuser can forward privileged
      ports. By default, the local port is bound in accordance with
      the GatewayPorts setting. However, an explicit bind_address may
      be used to bind the connection to a specific address. The
      bind_address of “localhost” indicates that the listening port be
      bound for local use only, while an empty address or ‘*’ indicates
      that the port should be available from all interfaces.


      The ssh_config files description includes this



      GatewayPorts
      Specifies whether remote hosts are allowed to connect to local
      forwarded ports. By default, ssh(1) binds local port forwardings
      to the loopback address. This prevents other remote hosts from
      connecting to forwarded ports. GatewayPorts can be used to spec-
      ify that ssh should bind local port forwardings to the wildcard
      address, thus allowing remote hosts to connect to forwarded
      ports. The argument must be ``yes'' or ``no''. The default is
      ``no''.


      Please explain this command or diagram it.










      share|improve this question
















      To make VNC secure, I am supposed to use this



      ssh -L 5901:127.0.0.1:5901 user@example.com


      from the client. Use 5901 if the server display is 1; use 5900 for display 0. This command was taken from a tutorial.



      The description of the option is



      -L [bind_address:]port:host:hostport

      Specifies that the given port on the local (client) host is to be
      forwarded to the given host and port on the remote side. This
      works by allocating a socket to listen to port on the local side,
      optionally bound to the specified bind_address. Whenever a
      connection is made to this port, the connection is forwarded over
      the secure channel, and a connection is made to host port
      hostport from the remote machine. Port forwardings can also be
      specified in the configuration file. IPv6 addresses can be
      specified with an alternative syntax:
      [bind_address/]port/host/hostport or by enclosing the address in
      square brackets. Only the superuser can forward privileged
      ports. By default, the local port is bound in accordance with
      the GatewayPorts setting. However, an explicit bind_address may
      be used to bind the connection to a specific address. The
      bind_address of “localhost” indicates that the listening port be
      bound for local use only, while an empty address or ‘*’ indicates
      that the port should be available from all interfaces.


      The ssh_config files description includes this



      GatewayPorts
      Specifies whether remote hosts are allowed to connect to local
      forwarded ports. By default, ssh(1) binds local port forwardings
      to the loopback address. This prevents other remote hosts from
      connecting to forwarded ports. GatewayPorts can be used to spec-
      ify that ssh should bind local port forwardings to the wildcard
      address, thus allowing remote hosts to connect to forwarded
      ports. The argument must be ``yes'' or ``no''. The default is
      ``no''.


      Please explain this command or diagram it.







      ssh vnc localhost






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Feb 9 '17 at 15:18







      H2ONaCl

















      asked Feb 9 '17 at 14:46









      H2ONaClH2ONaCl

      3,346204885




      3,346204885






















          4 Answers
          4






          active

          oldest

          votes


















          1














          This is simply a way to apply well-tested security to the insecure VNC protocol. SSH is widely used, it has well-tested encryption protocols, and it supports a variety of authentication protocols. VNC is just widely used, and not as much as SSH.



          The L option of SSH forwards traffic from the local system to the remote system, under SSH's protection. So, where VNC isn't secure or flexible enough by itself, by forwarding VNC traffic over SSH, you get the full power of SSH for protecting it.



          By forwarding your localhost's port to the remote host, you ensure that none of your unencrypted VNC traffic is leaked on the local (or remote, for that matter) networks.
          To intercept any of this, an attacker will have to break SSH, or have root access to the systems involved, in which case you have already lost.






          share|improve this answer
























          • I know that. The first 4 words of the question are: "to make VNC secure". How about explaining the '[number:]number:localhost:number' thing.

            – H2ONaCl
            Feb 9 '17 at 15:30











          • @H2ONaCl that's explained in the manual. What part of that do you not understand?

            – muru
            Feb 9 '17 at 15:30











          • May be the manual needs a diagram.

            – H2ONaCl
            Feb 9 '17 at 15:32











          • @H2ONaCl dirk-loss.de/ssh-port-forwarding.htm

            – muru
            Feb 9 '17 at 15:34











          • Note to self: at the link SSHD does not mean solid state hybrid drive. It probably means SSH daemon.

            – H2ONaCl
            Feb 9 '17 at 15:52



















          1














          Basically this makes the port 5902 on example.com accessible as it was running on your local machine



          ssh -L 5901:127.0.0.1:5902 user@example.com


          After running this command you can access what is running on example.com:5902 on your local machine 127.0.0.1:5901



          user@example.com - user/server you are connecting to



          5902 - the target port you want forward



          5901 - the port number the target port should be reachable on






          share|improve this answer


























          • So this is not a mistake? You want to illustrate with port 5902 rather than 5901 in both places?

            – H2ONaCl
            Feb 9 '17 at 16:07











          • I changed it to two different ports to better explain it. In this scenarie you bind the port 5902 on example.com to be reachable on 127.0.0.1:5901. They can be the same port (often they are)

            – D-unit
            Feb 9 '17 at 16:09











          • What does 127.0.0.1 mean? Localhost of the client or localhost of the server?

            – H2ONaCl
            Feb 9 '17 at 16:24



















          1














          SSH normally provides a remote shell accessible securely at a local terminal. The command with the -L option appears to offer the secure tunnel capability to ports at the two ends.



          Suppose the command is



          ssh -L 5901:127.0.0.1:5901 user@remoteIP



          In the above option there are two instances of 5901.



          In the above option the first instance of 5901 determines the configuration on the machine that is the LOCAL HOST, which is not to say "localhost". The LOCAL HOST is the machine executing the ssh command. In the above option the remainder of the string, 127.0.0.1:5901, determines the configuration on the machine that is the REMOTE HOST at remoteIP.



          An application on the REMOTE HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is explicit so only an application on the same machine will be allowed to access the tunnel.



          An application on the LOCAL HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is by default. If GatewayPorts is 'yes' then a * can be specified in the option to mean any host (with any IP) may access the secure tunnel. The form of the command would then be



          ssh -L *:5901:127.0.0.1:5901 user@remoteIP



          An illustration with 4 hosts:



          App Host A <---> Host Running `ssh` <---> Host At `remoteIP` <---> App Host B


          App Host A could be on the same machine as the Host Running ssh.



          App Host B could be on the same machine as the Host at remoteIP.



          Addendum: Note that this command makes it appear that port 5901 is being used but in fact the tunnel is the substitute for port 5901 on both ends. Thus you can disable port 5901. In fact if no others are needed you can disable all ports except the one being used by ssh which is by convention 22.






          share|improve this answer


























          • This is the answer that explained all to me. Well, and this link. But I think your addendum is wrong. You actually need your port 5901 on your Client for this to work.

            – John Red
            Dec 5 '17 at 8:50



















          0














          I find this confusing because of the use of "localhost" in many examples.



          LocalPort:RemoteHost:RemotePort user@IntermediateHost



          LocalPort: This is a local port that SSH opens on the machine that you run the ssh command. You will typically setup your client machine to connect to localhost:5901 - on your client machine.



          RemoteHost: This is the target machine, to which a connection is attempted - from the IntermediateHost machine. I.e. it is relative to the RemoteHost. When you use "localhost" here, it means "IntermediateHost".



          RemotePort: This is the target port on the target machine



          IntermediateHost: This is the machine listening (by default, on SSH port 22) that the ssh command connects to. It is this machine that attempts to connect to RemoteHost:RemoteHost.



          In the oft-quoted example of secure VNC / SSH tunnel:



          ssh -L 5901:localhost:5900 myuser@IntermediateHost


          The "localhost" here is relative to IntermediateHost, i.e. it IS IntermediateHost.



          Local port 5901 is opened, so you can configure your local VNC client to connect to port 5901 on the local machine. Confusingly this is referred to as: "localhost:5901".



          In the parameter, "localhost:5900" is the target to which the IntermediateHost connects: therefore it connects to itself.



          Hence the ssh server running on IntermediateHost is instructed to send all traffic to "localhost:5900" - i.e. to itself. The traffic comes from what is sent to port 5901 on the local client machine.



          Hope this helps






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "89"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f881605%2fwhat-does-the-l-option-of-ssh-do%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            4 Answers
            4






            active

            oldest

            votes








            4 Answers
            4






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            1














            This is simply a way to apply well-tested security to the insecure VNC protocol. SSH is widely used, it has well-tested encryption protocols, and it supports a variety of authentication protocols. VNC is just widely used, and not as much as SSH.



            The L option of SSH forwards traffic from the local system to the remote system, under SSH's protection. So, where VNC isn't secure or flexible enough by itself, by forwarding VNC traffic over SSH, you get the full power of SSH for protecting it.



            By forwarding your localhost's port to the remote host, you ensure that none of your unencrypted VNC traffic is leaked on the local (or remote, for that matter) networks.
            To intercept any of this, an attacker will have to break SSH, or have root access to the systems involved, in which case you have already lost.






            share|improve this answer
























            • I know that. The first 4 words of the question are: "to make VNC secure". How about explaining the '[number:]number:localhost:number' thing.

              – H2ONaCl
              Feb 9 '17 at 15:30











            • @H2ONaCl that's explained in the manual. What part of that do you not understand?

              – muru
              Feb 9 '17 at 15:30











            • May be the manual needs a diagram.

              – H2ONaCl
              Feb 9 '17 at 15:32











            • @H2ONaCl dirk-loss.de/ssh-port-forwarding.htm

              – muru
              Feb 9 '17 at 15:34











            • Note to self: at the link SSHD does not mean solid state hybrid drive. It probably means SSH daemon.

              – H2ONaCl
              Feb 9 '17 at 15:52
















            1














            This is simply a way to apply well-tested security to the insecure VNC protocol. SSH is widely used, it has well-tested encryption protocols, and it supports a variety of authentication protocols. VNC is just widely used, and not as much as SSH.



            The L option of SSH forwards traffic from the local system to the remote system, under SSH's protection. So, where VNC isn't secure or flexible enough by itself, by forwarding VNC traffic over SSH, you get the full power of SSH for protecting it.



            By forwarding your localhost's port to the remote host, you ensure that none of your unencrypted VNC traffic is leaked on the local (or remote, for that matter) networks.
            To intercept any of this, an attacker will have to break SSH, or have root access to the systems involved, in which case you have already lost.






            share|improve this answer
























            • I know that. The first 4 words of the question are: "to make VNC secure". How about explaining the '[number:]number:localhost:number' thing.

              – H2ONaCl
              Feb 9 '17 at 15:30











            • @H2ONaCl that's explained in the manual. What part of that do you not understand?

              – muru
              Feb 9 '17 at 15:30











            • May be the manual needs a diagram.

              – H2ONaCl
              Feb 9 '17 at 15:32











            • @H2ONaCl dirk-loss.de/ssh-port-forwarding.htm

              – muru
              Feb 9 '17 at 15:34











            • Note to self: at the link SSHD does not mean solid state hybrid drive. It probably means SSH daemon.

              – H2ONaCl
              Feb 9 '17 at 15:52














            1












            1








            1







            This is simply a way to apply well-tested security to the insecure VNC protocol. SSH is widely used, it has well-tested encryption protocols, and it supports a variety of authentication protocols. VNC is just widely used, and not as much as SSH.



            The L option of SSH forwards traffic from the local system to the remote system, under SSH's protection. So, where VNC isn't secure or flexible enough by itself, by forwarding VNC traffic over SSH, you get the full power of SSH for protecting it.



            By forwarding your localhost's port to the remote host, you ensure that none of your unencrypted VNC traffic is leaked on the local (or remote, for that matter) networks.
            To intercept any of this, an attacker will have to break SSH, or have root access to the systems involved, in which case you have already lost.






            share|improve this answer













            This is simply a way to apply well-tested security to the insecure VNC protocol. SSH is widely used, it has well-tested encryption protocols, and it supports a variety of authentication protocols. VNC is just widely used, and not as much as SSH.



            The L option of SSH forwards traffic from the local system to the remote system, under SSH's protection. So, where VNC isn't secure or flexible enough by itself, by forwarding VNC traffic over SSH, you get the full power of SSH for protecting it.



            By forwarding your localhost's port to the remote host, you ensure that none of your unencrypted VNC traffic is leaked on the local (or remote, for that matter) networks.
            To intercept any of this, an attacker will have to break SSH, or have root access to the systems involved, in which case you have already lost.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Feb 9 '17 at 14:57









            murumuru

            1




            1













            • I know that. The first 4 words of the question are: "to make VNC secure". How about explaining the '[number:]number:localhost:number' thing.

              – H2ONaCl
              Feb 9 '17 at 15:30











            • @H2ONaCl that's explained in the manual. What part of that do you not understand?

              – muru
              Feb 9 '17 at 15:30











            • May be the manual needs a diagram.

              – H2ONaCl
              Feb 9 '17 at 15:32











            • @H2ONaCl dirk-loss.de/ssh-port-forwarding.htm

              – muru
              Feb 9 '17 at 15:34











            • Note to self: at the link SSHD does not mean solid state hybrid drive. It probably means SSH daemon.

              – H2ONaCl
              Feb 9 '17 at 15:52



















            • I know that. The first 4 words of the question are: "to make VNC secure". How about explaining the '[number:]number:localhost:number' thing.

              – H2ONaCl
              Feb 9 '17 at 15:30











            • @H2ONaCl that's explained in the manual. What part of that do you not understand?

              – muru
              Feb 9 '17 at 15:30











            • May be the manual needs a diagram.

              – H2ONaCl
              Feb 9 '17 at 15:32











            • @H2ONaCl dirk-loss.de/ssh-port-forwarding.htm

              – muru
              Feb 9 '17 at 15:34











            • Note to self: at the link SSHD does not mean solid state hybrid drive. It probably means SSH daemon.

              – H2ONaCl
              Feb 9 '17 at 15:52

















            I know that. The first 4 words of the question are: "to make VNC secure". How about explaining the '[number:]number:localhost:number' thing.

            – H2ONaCl
            Feb 9 '17 at 15:30





            I know that. The first 4 words of the question are: "to make VNC secure". How about explaining the '[number:]number:localhost:number' thing.

            – H2ONaCl
            Feb 9 '17 at 15:30













            @H2ONaCl that's explained in the manual. What part of that do you not understand?

            – muru
            Feb 9 '17 at 15:30





            @H2ONaCl that's explained in the manual. What part of that do you not understand?

            – muru
            Feb 9 '17 at 15:30













            May be the manual needs a diagram.

            – H2ONaCl
            Feb 9 '17 at 15:32





            May be the manual needs a diagram.

            – H2ONaCl
            Feb 9 '17 at 15:32













            @H2ONaCl dirk-loss.de/ssh-port-forwarding.htm

            – muru
            Feb 9 '17 at 15:34





            @H2ONaCl dirk-loss.de/ssh-port-forwarding.htm

            – muru
            Feb 9 '17 at 15:34













            Note to self: at the link SSHD does not mean solid state hybrid drive. It probably means SSH daemon.

            – H2ONaCl
            Feb 9 '17 at 15:52





            Note to self: at the link SSHD does not mean solid state hybrid drive. It probably means SSH daemon.

            – H2ONaCl
            Feb 9 '17 at 15:52













            1














            Basically this makes the port 5902 on example.com accessible as it was running on your local machine



            ssh -L 5901:127.0.0.1:5902 user@example.com


            After running this command you can access what is running on example.com:5902 on your local machine 127.0.0.1:5901



            user@example.com - user/server you are connecting to



            5902 - the target port you want forward



            5901 - the port number the target port should be reachable on






            share|improve this answer


























            • So this is not a mistake? You want to illustrate with port 5902 rather than 5901 in both places?

              – H2ONaCl
              Feb 9 '17 at 16:07











            • I changed it to two different ports to better explain it. In this scenarie you bind the port 5902 on example.com to be reachable on 127.0.0.1:5901. They can be the same port (often they are)

              – D-unit
              Feb 9 '17 at 16:09











            • What does 127.0.0.1 mean? Localhost of the client or localhost of the server?

              – H2ONaCl
              Feb 9 '17 at 16:24
















            1














            Basically this makes the port 5902 on example.com accessible as it was running on your local machine



            ssh -L 5901:127.0.0.1:5902 user@example.com


            After running this command you can access what is running on example.com:5902 on your local machine 127.0.0.1:5901



            user@example.com - user/server you are connecting to



            5902 - the target port you want forward



            5901 - the port number the target port should be reachable on






            share|improve this answer


























            • So this is not a mistake? You want to illustrate with port 5902 rather than 5901 in both places?

              – H2ONaCl
              Feb 9 '17 at 16:07











            • I changed it to two different ports to better explain it. In this scenarie you bind the port 5902 on example.com to be reachable on 127.0.0.1:5901. They can be the same port (often they are)

              – D-unit
              Feb 9 '17 at 16:09











            • What does 127.0.0.1 mean? Localhost of the client or localhost of the server?

              – H2ONaCl
              Feb 9 '17 at 16:24














            1












            1








            1







            Basically this makes the port 5902 on example.com accessible as it was running on your local machine



            ssh -L 5901:127.0.0.1:5902 user@example.com


            After running this command you can access what is running on example.com:5902 on your local machine 127.0.0.1:5901



            user@example.com - user/server you are connecting to



            5902 - the target port you want forward



            5901 - the port number the target port should be reachable on






            share|improve this answer















            Basically this makes the port 5902 on example.com accessible as it was running on your local machine



            ssh -L 5901:127.0.0.1:5902 user@example.com


            After running this command you can access what is running on example.com:5902 on your local machine 127.0.0.1:5901



            user@example.com - user/server you are connecting to



            5902 - the target port you want forward



            5901 - the port number the target port should be reachable on







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Feb 9 '17 at 15:56









            muru

            1




            1










            answered Feb 9 '17 at 15:53









            D-unitD-unit

            16415




            16415













            • So this is not a mistake? You want to illustrate with port 5902 rather than 5901 in both places?

              – H2ONaCl
              Feb 9 '17 at 16:07











            • I changed it to two different ports to better explain it. In this scenarie you bind the port 5902 on example.com to be reachable on 127.0.0.1:5901. They can be the same port (often they are)

              – D-unit
              Feb 9 '17 at 16:09











            • What does 127.0.0.1 mean? Localhost of the client or localhost of the server?

              – H2ONaCl
              Feb 9 '17 at 16:24



















            • So this is not a mistake? You want to illustrate with port 5902 rather than 5901 in both places?

              – H2ONaCl
              Feb 9 '17 at 16:07











            • I changed it to two different ports to better explain it. In this scenarie you bind the port 5902 on example.com to be reachable on 127.0.0.1:5901. They can be the same port (often they are)

              – D-unit
              Feb 9 '17 at 16:09











            • What does 127.0.0.1 mean? Localhost of the client or localhost of the server?

              – H2ONaCl
              Feb 9 '17 at 16:24

















            So this is not a mistake? You want to illustrate with port 5902 rather than 5901 in both places?

            – H2ONaCl
            Feb 9 '17 at 16:07





            So this is not a mistake? You want to illustrate with port 5902 rather than 5901 in both places?

            – H2ONaCl
            Feb 9 '17 at 16:07













            I changed it to two different ports to better explain it. In this scenarie you bind the port 5902 on example.com to be reachable on 127.0.0.1:5901. They can be the same port (often they are)

            – D-unit
            Feb 9 '17 at 16:09





            I changed it to two different ports to better explain it. In this scenarie you bind the port 5902 on example.com to be reachable on 127.0.0.1:5901. They can be the same port (often they are)

            – D-unit
            Feb 9 '17 at 16:09













            What does 127.0.0.1 mean? Localhost of the client or localhost of the server?

            – H2ONaCl
            Feb 9 '17 at 16:24





            What does 127.0.0.1 mean? Localhost of the client or localhost of the server?

            – H2ONaCl
            Feb 9 '17 at 16:24











            1














            SSH normally provides a remote shell accessible securely at a local terminal. The command with the -L option appears to offer the secure tunnel capability to ports at the two ends.



            Suppose the command is



            ssh -L 5901:127.0.0.1:5901 user@remoteIP



            In the above option there are two instances of 5901.



            In the above option the first instance of 5901 determines the configuration on the machine that is the LOCAL HOST, which is not to say "localhost". The LOCAL HOST is the machine executing the ssh command. In the above option the remainder of the string, 127.0.0.1:5901, determines the configuration on the machine that is the REMOTE HOST at remoteIP.



            An application on the REMOTE HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is explicit so only an application on the same machine will be allowed to access the tunnel.



            An application on the LOCAL HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is by default. If GatewayPorts is 'yes' then a * can be specified in the option to mean any host (with any IP) may access the secure tunnel. The form of the command would then be



            ssh -L *:5901:127.0.0.1:5901 user@remoteIP



            An illustration with 4 hosts:



            App Host A <---> Host Running `ssh` <---> Host At `remoteIP` <---> App Host B


            App Host A could be on the same machine as the Host Running ssh.



            App Host B could be on the same machine as the Host at remoteIP.



            Addendum: Note that this command makes it appear that port 5901 is being used but in fact the tunnel is the substitute for port 5901 on both ends. Thus you can disable port 5901. In fact if no others are needed you can disable all ports except the one being used by ssh which is by convention 22.






            share|improve this answer


























            • This is the answer that explained all to me. Well, and this link. But I think your addendum is wrong. You actually need your port 5901 on your Client for this to work.

              – John Red
              Dec 5 '17 at 8:50
















            1














            SSH normally provides a remote shell accessible securely at a local terminal. The command with the -L option appears to offer the secure tunnel capability to ports at the two ends.



            Suppose the command is



            ssh -L 5901:127.0.0.1:5901 user@remoteIP



            In the above option there are two instances of 5901.



            In the above option the first instance of 5901 determines the configuration on the machine that is the LOCAL HOST, which is not to say "localhost". The LOCAL HOST is the machine executing the ssh command. In the above option the remainder of the string, 127.0.0.1:5901, determines the configuration on the machine that is the REMOTE HOST at remoteIP.



            An application on the REMOTE HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is explicit so only an application on the same machine will be allowed to access the tunnel.



            An application on the LOCAL HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is by default. If GatewayPorts is 'yes' then a * can be specified in the option to mean any host (with any IP) may access the secure tunnel. The form of the command would then be



            ssh -L *:5901:127.0.0.1:5901 user@remoteIP



            An illustration with 4 hosts:



            App Host A <---> Host Running `ssh` <---> Host At `remoteIP` <---> App Host B


            App Host A could be on the same machine as the Host Running ssh.



            App Host B could be on the same machine as the Host at remoteIP.



            Addendum: Note that this command makes it appear that port 5901 is being used but in fact the tunnel is the substitute for port 5901 on both ends. Thus you can disable port 5901. In fact if no others are needed you can disable all ports except the one being used by ssh which is by convention 22.






            share|improve this answer


























            • This is the answer that explained all to me. Well, and this link. But I think your addendum is wrong. You actually need your port 5901 on your Client for this to work.

              – John Red
              Dec 5 '17 at 8:50














            1












            1








            1







            SSH normally provides a remote shell accessible securely at a local terminal. The command with the -L option appears to offer the secure tunnel capability to ports at the two ends.



            Suppose the command is



            ssh -L 5901:127.0.0.1:5901 user@remoteIP



            In the above option there are two instances of 5901.



            In the above option the first instance of 5901 determines the configuration on the machine that is the LOCAL HOST, which is not to say "localhost". The LOCAL HOST is the machine executing the ssh command. In the above option the remainder of the string, 127.0.0.1:5901, determines the configuration on the machine that is the REMOTE HOST at remoteIP.



            An application on the REMOTE HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is explicit so only an application on the same machine will be allowed to access the tunnel.



            An application on the LOCAL HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is by default. If GatewayPorts is 'yes' then a * can be specified in the option to mean any host (with any IP) may access the secure tunnel. The form of the command would then be



            ssh -L *:5901:127.0.0.1:5901 user@remoteIP



            An illustration with 4 hosts:



            App Host A <---> Host Running `ssh` <---> Host At `remoteIP` <---> App Host B


            App Host A could be on the same machine as the Host Running ssh.



            App Host B could be on the same machine as the Host at remoteIP.



            Addendum: Note that this command makes it appear that port 5901 is being used but in fact the tunnel is the substitute for port 5901 on both ends. Thus you can disable port 5901. In fact if no others are needed you can disable all ports except the one being used by ssh which is by convention 22.






            share|improve this answer















            SSH normally provides a remote shell accessible securely at a local terminal. The command with the -L option appears to offer the secure tunnel capability to ports at the two ends.



            Suppose the command is



            ssh -L 5901:127.0.0.1:5901 user@remoteIP



            In the above option there are two instances of 5901.



            In the above option the first instance of 5901 determines the configuration on the machine that is the LOCAL HOST, which is not to say "localhost". The LOCAL HOST is the machine executing the ssh command. In the above option the remainder of the string, 127.0.0.1:5901, determines the configuration on the machine that is the REMOTE HOST at remoteIP.



            An application on the REMOTE HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is explicit so only an application on the same machine will be allowed to access the tunnel.



            An application on the LOCAL HOST can access the secure tunnel via 127.0.0.1:5901 where the 127.0.0.1 is by default. If GatewayPorts is 'yes' then a * can be specified in the option to mean any host (with any IP) may access the secure tunnel. The form of the command would then be



            ssh -L *:5901:127.0.0.1:5901 user@remoteIP



            An illustration with 4 hosts:



            App Host A <---> Host Running `ssh` <---> Host At `remoteIP` <---> App Host B


            App Host A could be on the same machine as the Host Running ssh.



            App Host B could be on the same machine as the Host at remoteIP.



            Addendum: Note that this command makes it appear that port 5901 is being used but in fact the tunnel is the substitute for port 5901 on both ends. Thus you can disable port 5901. In fact if no others are needed you can disable all ports except the one being used by ssh which is by convention 22.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Mar 10 '17 at 5:42

























            answered Feb 9 '17 at 19:46









            H2ONaClH2ONaCl

            3,346204885




            3,346204885













            • This is the answer that explained all to me. Well, and this link. But I think your addendum is wrong. You actually need your port 5901 on your Client for this to work.

              – John Red
              Dec 5 '17 at 8:50



















            • This is the answer that explained all to me. Well, and this link. But I think your addendum is wrong. You actually need your port 5901 on your Client for this to work.

              – John Red
              Dec 5 '17 at 8:50

















            This is the answer that explained all to me. Well, and this link. But I think your addendum is wrong. You actually need your port 5901 on your Client for this to work.

            – John Red
            Dec 5 '17 at 8:50





            This is the answer that explained all to me. Well, and this link. But I think your addendum is wrong. You actually need your port 5901 on your Client for this to work.

            – John Red
            Dec 5 '17 at 8:50











            0














            I find this confusing because of the use of "localhost" in many examples.



            LocalPort:RemoteHost:RemotePort user@IntermediateHost



            LocalPort: This is a local port that SSH opens on the machine that you run the ssh command. You will typically setup your client machine to connect to localhost:5901 - on your client machine.



            RemoteHost: This is the target machine, to which a connection is attempted - from the IntermediateHost machine. I.e. it is relative to the RemoteHost. When you use "localhost" here, it means "IntermediateHost".



            RemotePort: This is the target port on the target machine



            IntermediateHost: This is the machine listening (by default, on SSH port 22) that the ssh command connects to. It is this machine that attempts to connect to RemoteHost:RemoteHost.



            In the oft-quoted example of secure VNC / SSH tunnel:



            ssh -L 5901:localhost:5900 myuser@IntermediateHost


            The "localhost" here is relative to IntermediateHost, i.e. it IS IntermediateHost.



            Local port 5901 is opened, so you can configure your local VNC client to connect to port 5901 on the local machine. Confusingly this is referred to as: "localhost:5901".



            In the parameter, "localhost:5900" is the target to which the IntermediateHost connects: therefore it connects to itself.



            Hence the ssh server running on IntermediateHost is instructed to send all traffic to "localhost:5900" - i.e. to itself. The traffic comes from what is sent to port 5901 on the local client machine.



            Hope this helps






            share|improve this answer




























              0














              I find this confusing because of the use of "localhost" in many examples.



              LocalPort:RemoteHost:RemotePort user@IntermediateHost



              LocalPort: This is a local port that SSH opens on the machine that you run the ssh command. You will typically setup your client machine to connect to localhost:5901 - on your client machine.



              RemoteHost: This is the target machine, to which a connection is attempted - from the IntermediateHost machine. I.e. it is relative to the RemoteHost. When you use "localhost" here, it means "IntermediateHost".



              RemotePort: This is the target port on the target machine



              IntermediateHost: This is the machine listening (by default, on SSH port 22) that the ssh command connects to. It is this machine that attempts to connect to RemoteHost:RemoteHost.



              In the oft-quoted example of secure VNC / SSH tunnel:



              ssh -L 5901:localhost:5900 myuser@IntermediateHost


              The "localhost" here is relative to IntermediateHost, i.e. it IS IntermediateHost.



              Local port 5901 is opened, so you can configure your local VNC client to connect to port 5901 on the local machine. Confusingly this is referred to as: "localhost:5901".



              In the parameter, "localhost:5900" is the target to which the IntermediateHost connects: therefore it connects to itself.



              Hence the ssh server running on IntermediateHost is instructed to send all traffic to "localhost:5900" - i.e. to itself. The traffic comes from what is sent to port 5901 on the local client machine.



              Hope this helps






              share|improve this answer


























                0












                0








                0







                I find this confusing because of the use of "localhost" in many examples.



                LocalPort:RemoteHost:RemotePort user@IntermediateHost



                LocalPort: This is a local port that SSH opens on the machine that you run the ssh command. You will typically setup your client machine to connect to localhost:5901 - on your client machine.



                RemoteHost: This is the target machine, to which a connection is attempted - from the IntermediateHost machine. I.e. it is relative to the RemoteHost. When you use "localhost" here, it means "IntermediateHost".



                RemotePort: This is the target port on the target machine



                IntermediateHost: This is the machine listening (by default, on SSH port 22) that the ssh command connects to. It is this machine that attempts to connect to RemoteHost:RemoteHost.



                In the oft-quoted example of secure VNC / SSH tunnel:



                ssh -L 5901:localhost:5900 myuser@IntermediateHost


                The "localhost" here is relative to IntermediateHost, i.e. it IS IntermediateHost.



                Local port 5901 is opened, so you can configure your local VNC client to connect to port 5901 on the local machine. Confusingly this is referred to as: "localhost:5901".



                In the parameter, "localhost:5900" is the target to which the IntermediateHost connects: therefore it connects to itself.



                Hence the ssh server running on IntermediateHost is instructed to send all traffic to "localhost:5900" - i.e. to itself. The traffic comes from what is sent to port 5901 on the local client machine.



                Hope this helps






                share|improve this answer













                I find this confusing because of the use of "localhost" in many examples.



                LocalPort:RemoteHost:RemotePort user@IntermediateHost



                LocalPort: This is a local port that SSH opens on the machine that you run the ssh command. You will typically setup your client machine to connect to localhost:5901 - on your client machine.



                RemoteHost: This is the target machine, to which a connection is attempted - from the IntermediateHost machine. I.e. it is relative to the RemoteHost. When you use "localhost" here, it means "IntermediateHost".



                RemotePort: This is the target port on the target machine



                IntermediateHost: This is the machine listening (by default, on SSH port 22) that the ssh command connects to. It is this machine that attempts to connect to RemoteHost:RemoteHost.



                In the oft-quoted example of secure VNC / SSH tunnel:



                ssh -L 5901:localhost:5900 myuser@IntermediateHost


                The "localhost" here is relative to IntermediateHost, i.e. it IS IntermediateHost.



                Local port 5901 is opened, so you can configure your local VNC client to connect to port 5901 on the local machine. Confusingly this is referred to as: "localhost:5901".



                In the parameter, "localhost:5900" is the target to which the IntermediateHost connects: therefore it connects to itself.



                Hence the ssh server running on IntermediateHost is instructed to send all traffic to "localhost:5900" - i.e. to itself. The traffic comes from what is sent to port 5901 on the local client machine.



                Hope this helps







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Jan 12 at 13:12









                Malcolm BoekhoffMalcolm Boekhoff

                1213




                1213






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Ask Ubuntu!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f881605%2fwhat-does-the-l-option-of-ssh-do%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    mysqli_query(): Empty query in /home/lucindabrummitt/public_html/blog/wp-includes/wp-db.php on line 1924

                    How to change which sound is reproduced for terminal bell?

                    Can I use Tabulator js library in my java Spring + Thymeleaf project?