author | jmc@openbsd.org <jmc@openbsd.org> | 2019-03-16 19:14:21 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-03-26 10:20:22 +1100 |
commit | 1b1332b5bb975d759a50b37f0e8bc8cfb07a0bb0 (patch) | |
tree | 24c47f2157f92eddafe53d5cd4c161e15d268255 /ssh.1 | |
parent | 2aee9a49f668092ac5c9d34e904ef7a9722e541d (diff) |
upstream: benno helped me clean up the tcp forwarding section;
OpenBSD-Commit-ID: d4bec27edefde636fb632b7f0b7c656b9c7b7f08
Diffstat (limited to 'ssh.1')
-rw-r--r-- | ssh.1 | 50 |
1 files changed, 18 insertions, 32 deletions
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: ssh.1,v 1.401 2019/03/05 16:17:12 naddy Exp $ | 36 | .\" $OpenBSD: ssh.1,v 1.402 2019/03/16 19:14:21 jmc Exp $ |
37 | .Dd $Mdocdate: March 5 2019 $ | 37 | .Dd $Mdocdate: March 16 2019 $ |
38 | .Dt SSH 1 | 38 | .Dt SSH 1 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -1090,49 +1090,35 @@ Increase the verbosity | |||
1090 | when errors are being written to stderr. | 1090 | when errors are being written to stderr. |
1091 | .El | 1091 | .El |
1092 | .Sh TCP FORWARDING | 1092 | .Sh TCP FORWARDING |
1093 | Forwarding of arbitrary TCP connections over the secure channel can | 1093 | Forwarding of arbitrary TCP connections over a secure channel |
1094 | be specified either on the command line or in a configuration file. | 1094 | can be specified either on the command line or in a configuration file. |
1095 | One possible application of TCP forwarding is a secure connection to a | 1095 | One possible application of TCP forwarding is a secure connection to a |
1096 | mail server; another is going through firewalls. | 1096 | mail server; another is going through firewalls. |
1097 | .Pp | 1097 | .Pp |
1098 | In the example below, we look at encrypting communication between | 1098 | In the example below, we look at encrypting communication for an IRC client, |
1099 | an IRC client and server, even though the IRC server does not directly | 1099 | even though the IRC server it connects to does not directly |
1100 | support encrypted communications. | 1100 | support encrypted communication. |
1101 | This works as follows: | 1101 | This works as follows: |
1102 | the user connects to the remote host using | 1102 | the user connects to the remote host using |
1103 | .Nm , | 1103 | .Nm , |
1104 | specifying a port to be used to forward connections | 1104 | specifying the ports to be used to forward the connection. |
1105 | to the remote server. | 1105 | After that it is possible to start the program locally, |
1106 | After that it is possible to start the service which is to be encrypted | ||
1107 | on the client machine, | ||
1108 | connecting to the same local port, | ||
1109 | and | 1106 | and |
1110 | .Nm | 1107 | .Nm |
1111 | will encrypt and forward the connection. | 1108 | will encrypt and forward the connection to the remote server. |
1112 | .Pp | 1109 | .Pp |
1113 | The following example tunnels an IRC session from client machine | 1110 | The following example tunnels an IRC session from the client |
1114 | .Dq 127.0.0.1 | 1111 | to an IRC server at |
1115 | (localhost) | ||
1116 | to remote server | ||
1117 | .Dq server.example.com : | ||
1118 | .Bd -literal -offset 4n | ||
1119 | $ ssh -f -L 1234:localhost:6667 server.example.com sleep 10 | ||
1120 | $ irc -c '#users' -p 1234 pinky 127.0.0.1 | ||
1121 | .Ed | ||
1122 | .Pp | ||
1123 | This tunnels a connection to IRC server | ||
1124 | .Dq server.example.com , | 1112 | .Dq server.example.com , |
1125 | joining channel | 1113 | joining channel |
1126 | .Dq #users , | 1114 | .Dq #users , |
1127 | nickname | 1115 | nickname |
1128 | .Dq pinky , | 1116 | .Dq pinky , |
1129 | using port 1234. | 1117 | using the standard IRC port, 6667: |
1130 | It doesn't matter which port is used, | 1118 | .Bd -literal -offset 4n |
1131 | as long as it's greater than 1023 | 1119 | $ ssh -f -L 6667:localhost:6667 server.example.com sleep 10 |
1132 | (remember, only root can open sockets on privileged ports) | 1120 | $ irc -c '#users' pinky IRC/127.0.0.1 |
1133 | and doesn't conflict with any ports already in use. | 1121 | .Ed |
1134 | The connection is forwarded to port 6667 on the remote server, | ||
1135 | since that's the standard port for IRC services. | ||
1136 | .Pp | 1122 | .Pp |
1137 | The | 1123 | The |
1138 | .Fl f | 1124 | .Fl f |
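Review bot: The rewritten example at new lines 1117-1120 uses "-L 6667:localhost:6667", and the paragraph removed at old lines 1130-1135 was the only text explaining that the first number is a freely chosen local listening port, that it has to be above 1023 unless you are root, and that it must not conflict with a port already in use. With both numbers identical the reader can no longer tell which port is the local end and which is the remote end, and a failed local bind on 6667 goes unexplained. Suggest keeping one sentence after the .Ed stating that the first port is the local listening port and may be any free unprivileged port, while the second is the port on the remote server. The phrase "specifying the ports to be used to forward the connection" at new line 1104 would likewise be clearer if it named them as the local and the remote port.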
@@ -1142,7 +1128,7 @@ and the remote command | |||
1142 | .Dq sleep 10 | 1128 | .Dq sleep 10 |
1143 | is specified to allow an amount of time | 1129 | is specified to allow an amount of time |
1144 | (10 seconds, in the example) | 1130 | (10 seconds, in the example) |
1145 | to start the service which is to be tunnelled. | 1131 | to start the program which is going to use the tunnel. |
1146 | If no connections are made within the time specified, | 1132 | If no connections are made within the time specified, |
1147 | .Nm | 1133 | .Nm |
1148 | will exit. | 1134 | will exit. |
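Review bot: At new line 1131, "the program which is going to use the tunnel" does not say where that program runs, while new line 1105 says "start the program locally". Suggest matching the two, for example "to start the local program which is going to use the tunnel", so the reader does not take it to mean something started on the remote host alongside "sleep 10".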