- jmc@cvs.openbsd.org 2006/01/12 14:44:12

[ssh.1] split sections on tcp and x11 forwarding into two sections. add an example in the tcp section, based on sth i wrote for ssh faq; help + ok: djm markus dtucker
author: Damien Miller <djm@mindrot.org> 2006-01-14 10:09:13 +1100
committer: Damien Miller <djm@mindrot.org> 2006-01-14 10:09:13 +1100
commit: f31771810cf89a3e687112e71264be266012b2de (patch)
tree: 33cd75a414230d895223e00cee68bf28c2fc7ecc /ssh.1
parent: 7e76e1f101cf672df9ca1822f2a04cb4289df519 (diff)
1 files changed, 62 insertions, 7 deletions
diff --git a/ssh.1 b/ssh.1
index 0ebe177f5..c15cfc319 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.245 2006/01/06 13:29:10 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.246 2006/01/12 14:44:12 jmc Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -893,7 +893,67 @@ option.
 Request rekeying of the connection
 (only useful for SSH protocol version 2 and if the peer supports it).
 .El
-.Sh X11 AND TCP FORWARDING
+.Sh TCP FORWARDING
+Forwarding of arbitrary TCP connections over the secure channel can
+be specified either on the command line or in a configuration file.
+One possible application of TCP forwarding is a secure connection to a
+mail server; another is going through firewalls.
+.Pp
+In the example below, we look at encrypting communication between
+an IRC client and server, even though the IRC server does not directly
+support encrypted communications.
+This works as follows:
+the user connects to the remote host using
+.Nm ,
+specifying a port to be used to forward connections
+to the remote server.
+After that it is possible to start the service which is to be encrypted
+on the client machine,
+connecting to the same local port,
+and
+.Nm
+will encrypt and forward the connection.
+.Pp
+The following example tunnels an IRC session from client machine
+.Dq 127.0.0.1
+(localhost)
+to remote server
+.Dq server.example.com :
+.Bd -literal -offset 4n
+$ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
+$ irc -c '#users' -p 1234 pinky 127.0.0.1
+.Ed
+.Pp
+This tunnels a connection to IRC server
+.Dq server.example.com ,
+joining channel
+.Dq #users ,
+nickname
+.Dq pinky ,
+using port 1234.
+It doesn't matter which port is used,
+as long as it's greater than 1023
+(remember, only root can open sockets on privileged ports)
+and doesn't conflict with any ports already in use.
+The connection is forwarded to port 6667 on the remote server,
+since that's the standard port for IRC services.
+.Pp
+The
+.Fl f
+option backgrounds
+.Nm
+and the remote command
+.Dq sleep 10
+is specified to allow an amount of time
+(10 seconds, in the example)
+to start the service which is to be tunnelled.
+If no connections are made within the time specified,
+.Nm
+will exit.
+Once opened,
+a SSH connection will remain active
+until all actively forwarded connections have closed.
+.Sh X11 FORWARDING
 If the
 .Cm ForwardX11
 variable is set to
@@ -948,11 +1008,6 @@ and
 options above) and
 the user is using an authentication agent, the connection to the agent
 is automatically forwarded to the remote side.
-.Pp
-Forwarding of arbitrary TCP/IP connections over the secure channel can
-be specified either on the command line or in a configuration file.
-One possible application of TCP/IP forwarding is a secure connection to an
-electronic purse; another is going through firewalls.
 .Sh ENVIRONMENT
 .Nm
 will normally set the following environment variables:
author	Damien Miller <djm@mindrot.org>	2006-01-14 10:09:13 +1100
committer	Damien Miller <djm@mindrot.org>	2006-01-14 10:09:13 +1100
commit	f31771810cf89a3e687112e71264be266012b2de (patch)
tree	33cd75a414230d895223e00cee68bf28c2fc7ecc /ssh.1
parent	7e76e1f101cf672df9ca1822f2a04cb4289df519 (diff)

diff --git a/ssh.1 b/ssh.1 index 0ebe177f5..c15cfc319 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.245 2006/01/06 13:29:10 jmc Exp $	37	.\" $OpenBSD: ssh.1,v 1.246 2006/01/12 14:44:12 jmc Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
@@ -893,7 +893,67 @@ option.
893	Request rekeying of the connection	893	Request rekeying of the connection
894	(only useful for SSH protocol version 2 and if the peer supports it).	894	(only useful for SSH protocol version 2 and if the peer supports it).
895	.El	895	.El
896	.Sh X11 AND TCP FORWARDING	896	.Sh TCP FORWARDING
		897	Forwarding of arbitrary TCP connections over the secure channel can
		898	be specified either on the command line or in a configuration file.
		899	One possible application of TCP forwarding is a secure connection to a
		900	mail server; another is going through firewalls.
		901	.Pp
		902	In the example below, we look at encrypting communication between
		903	an IRC client and server, even though the IRC server does not directly
		904	support encrypted communications.
		905	This works as follows:
		906	the user connects to the remote host using
		907	.Nm ,
		908	specifying a port to be used to forward connections
		909	to the remote server.
		910	After that it is possible to start the service which is to be encrypted
		911	on the client machine,
		912	connecting to the same local port,
		913	and
		914	.Nm
		915	will encrypt and forward the connection.
		916	.Pp
		917	The following example tunnels an IRC session from client machine
		918	.Dq 127.0.0.1
		919	(localhost)
		920	to remote server
		921	.Dq server.example.com :
		922	.Bd -literal -offset 4n
		923	$ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
		924	$ irc -c '#users' -p 1234 pinky 127.0.0.1
		925	.Ed
		926	.Pp
		927	This tunnels a connection to IRC server
		928	.Dq server.example.com ,
		929	joining channel
		930	.Dq #users ,
		931	nickname
		932	.Dq pinky ,
		933	using port 1234.
		934	It doesn't matter which port is used,
		935	as long as it's greater than 1023
		936	(remember, only root can open sockets on privileged ports)
		937	and doesn't conflict with any ports already in use.
		938	The connection is forwarded to port 6667 on the remote server,
		939	since that's the standard port for IRC services.
		940	.Pp
		941	The
		942	.Fl f
		943	option backgrounds
		944	.Nm
		945	and the remote command
		946	.Dq sleep 10
		947	is specified to allow an amount of time
		948	(10 seconds, in the example)
		949	to start the service which is to be tunnelled.
		950	If no connections are made within the time specified,
		951	.Nm
		952	will exit.
		953	Once opened,
		954	a SSH connection will remain active
		955	until all actively forwarded connections have closed.
		956	.Sh X11 FORWARDING
897	If the	957	If the
898	.Cm ForwardX11	958	.Cm ForwardX11
899	variable is set to	959	variable is set to
@@ -948,11 +1008,6 @@ and
948	options above) and	1008	options above) and
949	the user is using an authentication agent, the connection to the agent	1009	the user is using an authentication agent, the connection to the agent
950	is automatically forwarded to the remote side.	1010	is automatically forwarded to the remote side.
951	.Pp
952	Forwarding of arbitrary TCP/IP connections over the secure channel can
953	be specified either on the command line or in a configuration file.
954	One possible application of TCP/IP forwarding is a secure connection to an
955	electronic purse; another is going through firewalls.
956	.Sh ENVIRONMENT	1011	.Sh ENVIRONMENT
957	.Nm	1012	.Nm
958	will normally set the following environment variables:	1013	will normally set the following environment variables: