author jmc@openbsd.org <jmc@openbsd.org> 2019-03-16 19:14:21 +0000
committer Damien Miller <djm@mindrot.org> 2019-03-26 10:20:22 +1100
commit 1b1332b5bb975d759a50b37f0e8bc8cfb07a0bb0 (patch)
tree 24c47f2157f92eddafe53d5cd4c161e15d268255 /ssh.1
parent 2aee9a49f668092ac5c9d34e904ef7a9722e541d (diff)
upstream: benno helped me clean up the tcp forwarding section;
OpenBSD-Commit-ID: d4bec27edefde636fb632b7f0b7c656b9c7b7f08
Diffstat (limited to 'ssh.1')
-rw-r--r-- ssh.1 50
1 files changed, 18 insertions, 32 deletions
diff --git a/ssh.1 b/ssh.1
index 41937c61a..9480eba8d 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35.\" 35.\"
36.\" $OpenBSD: ssh.1,v 1.401 2019/03/05 16:17:12 naddy Exp $ 36.\" $OpenBSD: ssh.1,v 1.402 2019/03/16 19:14:21 jmc Exp $
37.Dd $Mdocdate: March 5 2019 $ 37.Dd $Mdocdate: March 16 2019 $
38.Dt SSH 1 38.Dt SSH 1
39.Os 39.Os
40.Sh NAME 40.Sh NAME
@@ -1090,49 +1090,35 @@ Increase the verbosity
1090when errors are being written to stderr. 1090when errors are being written to stderr.
1091.El 1091.El
1092.Sh TCP FORWARDING 1092.Sh TCP FORWARDING
1093Forwarding of arbitrary TCP connections over the secure channel can 1093Forwarding of arbitrary TCP connections over a secure channel
1094be specified either on the command line or in a configuration file. 1094can be specified either on the command line or in a configuration file.
1095One possible application of TCP forwarding is a secure connection to a 1095One possible application of TCP forwarding is a secure connection to a
1096mail server; another is going through firewalls. 1096mail server; another is going through firewalls.
1097.Pp 1097.Pp
1098In the example below, we look at encrypting communication between 1098In the example below, we look at encrypting communication for an IRC client,
1099an IRC client and server, even though the IRC server does not directly 1099even though the IRC server it connects to does not directly
1100support encrypted communications. 1100support encrypted communication.
1101This works as follows: 1101This works as follows:
1102the user connects to the remote host using 1102the user connects to the remote host using
1103.Nm , 1103.Nm ,
1104specifying a port to be used to forward connections 1104specifying the ports to be used to forward the connection.
1105to the remote server. 1105After that it is possible to start the program locally,
1106After that it is possible to start the service which is to be encrypted
1107on the client machine,
1108connecting to the same local port,
1109and 1106and
1110.Nm 1107.Nm
1111will encrypt and forward the connection. 1108will encrypt and forward the connection to the remote server.
1112.Pp 1109.Pp
1113The following example tunnels an IRC session from client machine 1110The following example tunnels an IRC session from the client
1114.Dq 127.0.0.1 1111to an IRC server at
1115(localhost)
1116to remote server
1117.Dq server.example.com :
1118.Bd -literal -offset 4n
1119$ ssh -f -L 1234:localhost:6667 server.example.com sleep 10
1120$ irc -c '#users' -p 1234 pinky 127.0.0.1
1121.Ed
1122.Pp
1123This tunnels a connection to IRC server
1124.Dq server.example.com , 1112.Dq server.example.com ,
1125joining channel 1113joining channel
1126.Dq #users , 1114.Dq #users ,
1127nickname 1115nickname
1128.Dq pinky , 1116.Dq pinky ,
1129using port 1234. 1117using the standard IRC port, 6667:
1130It doesn't matter which port is used, 1118.Bd -literal -offset 4n
1131as long as it's greater than 1023 1119$ ssh -f -L 6667:localhost:6667 server.example.com sleep 10
1132(remember, only root can open sockets on privileged ports) 1120$ irc -c '#users' pinky IRC/127.0.0.1
1133and doesn't conflict with any ports already in use. 1121.Ed
1134The connection is forwarded to port 6667 on the remote server,
1135since that's the standard port for IRC services.
1136.Pp 1122.Pp
1137The 1123The
1138.Fl f 1124.Fl f
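Review bot: The rewritten walkthrough no longer says that the client program has to connect to the local forwarded port, nor which side each 6667 in `-L 6667:localhost:6667` refers to. The removed lines covered both ("connecting to the same local port" and "The connection is forwarded to port 6667 on the remote server"), and with the local port changed from 1234 to 6667 the two numbers in the example can no longer be told apart. Consider keeping one sentence after the `.Ed` stating that the first 6667 is the local listening port and that the destination is port 6667 on the remote server. The new `irc` line also introduces the `IRC/127.0.0.1` argument form without explanation, and the hunk drops the guidance that any unused local port greater than 1023 will do, which a non-root reader still needs when 6667 is already in use locally.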
@@ -1142,7 +1128,7 @@ and the remote command
1142.Dq sleep 10 1128.Dq sleep 10
1143is specified to allow an amount of time 1129is specified to allow an amount of time
1144(10 seconds, in the example) 1130(10 seconds, in the example)
1145to start the service which is to be tunnelled. 1131to start the program which is going to use the tunnel.
1146If no connections are made within the time specified, 1132If no connections are made within the time specified,
1147.Nm 1133.Nm
1148will exit. 1134will exit.