SSH Tunnels

So far in this series of posts on ssh on macOS:

  • SSH Tunnels (this post)

Please consider supporting Scripting OS X by buying one of my books!

We have learned so far that ssh is a really useful and flexible protocol. It can be used to connect securely to a remote shell, or to transfer files securely.

Rather than providing the shell itself, ssh provides a secure way to transmit data to and from the remote shell. In a similar way, ssh can be used to provide access to other remote services as well.

SSH Tunnels with Two Computers


Access to important services is usually blocked behind a firewall or router. Since ssh, when set up correctly, is quite secure, you can usually get access to a server with ssh even when other protocols are blocked. (Though some administrators move ssh access to a different port than the default 22.)

You can use ssh port forwarding or ‘tunneling' to gain access to other services through ssh.

Imagine you want to use Screen Sharing to connect to a remote Mac (remote.example.com). Screen Sharing on macOS uses the VNC port 5900 to connect to a remote Mac. Since VNC itself is inherently insecure (macOS Screen Sharing adds a few things on top of it to make it more secure), this port is blocked by many firewalls.

However, I do have ssh access to remote.example.com. So, how do I tell both systems to ‘tunnel' the screen sharing traffic through ssh?

(When you test this, remember to enable either ‘Screen Sharing' or ‘Remote Management' (i.e. Apple Remote Desktop) access in the ‘Sharing' pane in System Preferences on the remote Mac.)

The tunnel starts on my local machine and ends on remote.example.com at port 5900 (where the screen sharing service is listening on the remote Mac.)

The starting point also needs a port number, and I can basically choose freely. Port numbers below 1024 are privileged and require root privileges to bind, and the range above 49151 is what the system hands out for its own outgoing (ephemeral) connections, so a port there may already be taken. In between there are also many numbers that are conventionally used by certain services (such as 5900 for VNC/Screen Sharing) and may already be in use. I will choose 5901 for the local port.

To connect the local port 5901 to port 5900 on the remote Mac use the following command:

(You can just try this with a second Mac or virtual machine in your network, even without a firewall.)

The syntax of this command is less than obvious. Let's break it into pieces:

The -N option tells ssh that we do not want to invoke a remote shell or run a remote command.

The -L option creates a local port forwarding setup. Its argument has three or four parts, separated by colons :. The first pair (localhost:5901) is the tunnel start point on my machine. The second pair (localhost:5900) is the remote end point of the tunnel.

The second localhost is resolved on the remote host, so this means port 5900 on the remote host.

The last parameter states the remote host, to connect to, remote.example.com.

This command tells ssh to connect to remote.example.com and establish a tunnel that transfers traffic from port 5901 on my computer to port 5900 on the remote computer.

Since the origin of my tunnel is usually on my local computer, the first localhost can be omitted, so you only see the origin port. (Without an explicit bind address ssh listens on the loopback interface only, so other computers on your network cannot use your tunnel; you would have to give an address or the -g option for that, which also means everyone who can reach your Mac gets access to the remote service.)
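To make the two halves of the -L argument concrete, here is the forwarding job in plain sockets. This is an added example, not code from the original post, and ssh is not involved: the forwarder listens on a local port and relays every accepted connection to a target address, which is exactly what the -L option asks the ssh client to do (ssh additionally encrypts the hop to the server). The "remote service" is a constructed echo server on an ephemeral loopback port standing in for the Screen Sharing daemon on the far Mac; the port numbers are chosen by the OS rather than fixed at 5901/5900. The same mechanism is behind the POP3 and SMTP tunnels in the second half of this page.

```python
"""What `ssh -N -L 5901:localhost:5900 remote.example.com` does, in plain sockets.

Added example, not code from the original post. ssh is not involved: the
forwarder listens on a local port and relays every accepted connection to
a target address, which is the job the -L option hands to the ssh client.
The "remote service" is a constructed echo server on an ephemeral loopback
port standing in for the Screen Sharing daemon on the far Mac.
"""
import socket
import threading

ANY_FREE_PORT = 0  # ask the OS for an unused port instead of guessing 5901


def _relay(src, dst):
    """Copy bytes src -> dst until EOF, then signal EOF to dst's peer."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, target):
    """One tunnel user: dial the endpoint, then relay in both directions."""
    # The endpoint is resolved here, on the forwarder, which is why the
    # second 'localhost' in -L 5901:localhost:5900 means the *remote* Mac.
    upstream = socket.create_connection(target)
    back = threading.Thread(target=_relay, args=(upstream, client), daemon=True)
    back.start()
    _relay(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_forwarder(bind_host, bind_port, target):
    """Listen on (bind_host, bind_port), forward to target; return bound port.

    127.0.0.1 is ssh's default bind address: only this machine can enter
    the tunnel. Binding 0.0.0.0 (what ssh -g does) would expose the remote
    service to everyone who can reach this host.
    """
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, bind_port))
    srv.listen(5)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_handle, args=(conn, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_echo_service():
    """Constructed stand-in for the service at the far end (VNC on 5900)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", ANY_FREE_PORT))
    srv.listen(5)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_relay, args=(conn, conn), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def through_tunnel(payload):
    """Send payload into the tunnel entrance and return what comes back."""
    remote_port = start_echo_service()
    local_port = start_forwarder("127.0.0.1", ANY_FREE_PORT, ("127.0.0.1", remote_port))
    received = b""
    with socket.create_connection(("127.0.0.1", local_port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            received += chunk
    return received


if __name__ == "__main__":
    print(through_tunnel(b"RFB 003.008\n"))  # a VNC version banner, as sample input
```

The point to take from the code is where names are resolved: `create_connection(target)` runs on the forwarder, so with ssh the second host:port of the -L argument is looked up and dialed by the ssh server, not by your Mac.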

When you execute the command nothing visible will happen. You will not even get a new prompt, because the ssh process keeps running until you cancel it with ctrl-C. Don't cancel it yet, however, since it needs to run to provide the tunnel. (If the local port is already taken, ssh only prints a warning and stays connected without a working tunnel; add -o ExitOnForwardFailure=yes to make it exit instead.)

So, when you open the Screen Sharing application (from /System/Library/CoreServices/Applications/) and connect to localhost:5901 all traffic will be forwarded by ssh to port 5900 on the remote Mac.

You can also use the open command to connect with Screen Sharing:

You should be able to connect with Screen Sharing, even when port 5900 is blocked by a firewall.

When you are done with the Screen Sharing session, you can end the ssh tunnel process in Terminal with ctrl-C.


You can also use ssh port forwarding to use the remote host as a gateway or ‘jump host' to a third computer. Imagine you want to use Screen Sharing to connect to secundus.example.com behind a firewall and you only have an ssh connection to primus.example.com available. You can tell primus to point the endpoint of an ssh tunnel at secundus with:

Note: secundus.example.com or whatever host or IP address you enter there will be resolved on the remote host. So you can use NAT IP addresses or .local host names here, even if they do not make sense in the network your work Mac is in. (They do have to make sense on the remote host, though, otherwise you will get an error.)

In the following examples the local IP address 192.168.1.200 or the Bonjour hostname Secundus.local will be resolved on the remote host, even if they don't work on my local computer:

Either way, you can then point Screen Sharing at localhost:5902 and it will connect through primus to Screen Sharing on secundus.

Keep in mind that, while the connection from the start point (on your Mac) to the host primus is secured by ssh, the connection from primus to secundus is not: on that leg the traffic is plain VNC, protected only by whatever Screen Sharing itself adds, and visible to anyone on primus's network.

Stumbling over HTTP hosts

In general you can use ssh port forwarding (or tunnels) for any service. Some services however, may introduce extra pitfalls.

For example, I wanted to use ssh port forwarding to gain access to my home router's web interface. I can use ‘Back to My Mac' to ssh into one of the iMacs at home, and thought it should be easy to connect to the router with an ssh tunnel:

This seemed to work, but whenever I tried to point a browser to localhost:8080 it couldn't connect to the web page. The problem here is not the ssh tunnel but the web server on the router. As part of the HTTP request, the browser sends the host name it was asked for in the Host header. This allows web servers to host different pages for different domains (virtual hosting). With this request, the browser told the router it wanted the web page for localhost and the router replied with 'I don't serve pages for that host'… (Your router might behave differently.)

With curl I could convince the router to serve me the page with:


However, since navigating the web interface of the router with curl is out of the question I had to find a different solution.
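The following added example (not code from the original post) reproduces the pitfall offline. A constructed HTTP server plays the router: it serves its page only when the Host header names it, the way the author's router behaved; the client shows what a browser sends when pointed at localhost:8080 and what curl sends with an explicit Host header. The router name router.example.home is an assumption, and the port is chosen by the OS.

```python
"""Why a forwarded web UI may refuse a browser pointed at localhost:8080.

Added example, not from the original post. A constructed HTTP server plays
the router: it only serves requests whose Host header names it, the way the
author's router behaved. The name router.example.home is an assumption.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ROUTER_NAME = "router.example.home"  # assumed name the router answers to


class RouterHandler(BaseHTTPRequestHandler):
    """Serves one page, but only for its own virtual host."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host != ROUTER_NAME:
            # 421 Misdirected Request: "I don't serve pages for that host"
            self.send_response(421)
            self.end_headers()
            self.wfile.write(b"unknown host\n")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"router admin page\n")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_router():
    """Bind the fake router on 127.0.0.1:0 and return the chosen port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), RouterHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def fetch(port, host_header):
    """GET / on 127.0.0.1:port (the tunnel entrance) with an explicit Host header."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def demo():
    """Return the status codes a browser and a Host-aware curl would see."""
    port = start_router()
    # What a browser sends when you type http://localhost:8080/
    browser_status = fetch(port, f"localhost:{port}")[0]
    # What curl -H "Host: router.example.home" sends through the same tunnel
    curl_status = fetch(port, ROUTER_NAME)[0]
    return browser_status, curl_status


if __name__ == "__main__":
    print(demo())
```

The curl workaround from the post corresponds to `curl -H "Host: router.example.home" http://localhost:8080/`: the connection still goes to the tunnel entrance on your Mac, but the Host header carries the name the router expects.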

Tunnel All the Things!

What if I could send all traffic through the iMac at home?

With the command

I can create a tunnel from my computer to the remote Mac, with ssh listening on local port 9001 as a SOCKS proxy; connections made through that proxy leave from the remote Mac. Then I can set the SOCKS proxy to localhost:9001 in the Proxies tab of the Network pane in System Preferences. You probably want to create a new network location for this setup. Then network traffic from every application that honors the system proxy settings will be routed through the ssh connection to my Mac at home, where it can connect to the router. (Applications that ignore the system proxy settings, and anything that is not TCP, still go out the normal way.)

This can also serve as a makeshift VPN for proxy-aware applications.

However it is somewhat painful to set up and maintain, so if you start using this more frequently, you probably need to look into a proper VPN solution (some routers, ironically, provide one…).

Summary

  • you can bypass firewalls and other network blocks by tunneling traffic for any service through an ssh tunnel
  • the command describes which local port to connect to which port on the remote host
  • you can even tell the remote host to connect the end point to a third computer, behind the firewall
  • you can also create a SOCKS proxy with ssh to tunnel all traffic

Previous Post: Transferring Files with ssh

From OS X Scientific Computing



  • 3 SSH: the basics
  • 4 How to set up passwordless logins
  • 5 Connecting securely with ssh tunnels
    • 5.1 Example One: Tunneling to a proxy server for web browsing
    • 5.2 Example Two: Tunneling to a remote mail server

Telnet and FTP?

Never, ever, use telnet. Ever. Or ftp. These programs send your password through the aether as clear text, opening you to exploits by all kinds of nefarious evildoers. Instead, learn to use ssh, scp, and sftp.

Fugu: A nice, free, GUI for sftp

I'm generally a command-line person, but this free little application provides a nice intuitive and visually pleasing GUI interface that also permits integrated editing of remote files and so forth. Here's a screen shot grabbed from their website:

SSH: the basics

How to log in remotely to another machine using ssh

If you want to log in remotely to your account on another machine, simply issue the command

If you want to display X-windows programs on your machine that are run remotely, then include the -X or -Y flags:


Try -X first, as it is more secure: it enables untrusted X11 forwarding, so the remote programs run under the X11 SECURITY extension and cannot read from or inject input into your other windows. If there are problems, try the -Y option instead, which grants the remote programs full (trusted) access to your display.

How to avoid interrupted connections

My DSL service provider seems to delight in causing my ssh connections to hang up. This irks me. I finally discovered a very simple solution. Create a file called ~/.ssh/config and put into it the following three lines:

Problem solved (at least for me).

How to set up passwordless logins


Generate a key pair on the computer you want to log in from (the public key is what gets copied; the private key stays where it is):

Copy the public key to the computer you want to log in to.

Log into the remote computer

and append that public key to the appropriate file in your remote account's .ssh directory:

If the .ssh directory does not exist, you must first issue the command

and if the file ~/.ssh/authorized_keys does not yet exist, replace the above cat command with

(but do this only if ~/.ssh/authorized_keys does not yet exist, or it will clobber the file rather than append to the bottom of it.)


With the 10.9 update, I found that I had to copy authorized_keys2 to authorized_keys.

Test it.

It should now be set up for passwordless secure login.
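The remote-side half of the procedure above (create .ssh, append the key without clobbering the file) as an added example, not code from the wiki. It adds the checks sshd actually enforces: ~/.ssh must be 0700 and authorized_keys 0600 (with StrictModes, the default, sshd ignores a file that group or others can write to), the key must be a single valid public-key line, and a key that is already present is not appended twice. DEMO_KEY is constructed for the demonstration and is not a real key; `demo` works in a throwaway directory instead of your real home.

```python
"""Append a public key to ~/.ssh/authorized_keys without clobbering it.

Added example, not from the wiki. DEMO_KEY is constructed: a syntactically
valid ed25519 public-key line whose 32 key bytes are all zero.
"""
import base64
import os
import stat
import tempfile
from pathlib import Path

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed for the demo: wire format is len+"ssh-ed25519", len+32 key bytes.
DEMO_KEY = "ssh-ed25519 " + base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode() + " demo@laptop"


def validate_pubkey(line):
    """Return the key line stripped of surrounding whitespace, or raise ValueError."""
    line = line.strip()
    if "\n" in line or "\r" in line:
        raise ValueError("a public key is exactly one line")
    parts = line.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)   # raises on a pasting typo
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("key type field does not match the encoded blob")
    return line


def install_pubkey(pubkey_line, home):
    """Add the key under home/.ssh; return True if appended, False if already there."""
    key = validate_pubkey(pubkey_line)
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)               # mkdir's mode is masked by umask
    auth = ssh_dir / "authorized_keys"
    text = auth.read_text() if auth.exists() else ""
    blob = key.split()[1]
    if any(blob in entry.split() for entry in text.splitlines()):
        return False                        # same key already present
    with auth.open("a") as f:               # 'a' appends; '>' would clobber
        if text and not text.endswith("\n"):
            f.write("\n")
        f.write(key + "\n")
    os.chmod(auth, 0o600)
    return True


def permission_problems(home):
    """List what sshd would object to about home/.ssh and authorized_keys."""
    problems = []
    ssh_dir = Path(home) / ".ssh"
    auth = ssh_dir / "authorized_keys"
    for path, allowed in ((ssh_dir, 0o700), (auth, 0o600)):
        if not path.exists():
            problems.append(f"{path.name} missing")
        elif stat.S_IMODE(path.stat().st_mode) & ~allowed:
            problems.append(f"{path.name} is too permissive")
    return problems


def demo():
    """Run the procedure twice in a temp dir; return (added, added_again, problems)."""
    home = tempfile.mkdtemp()
    first = install_pubkey(DEMO_KEY, home)
    second = install_pubkey(DEMO_KEY, home)
    return first, second, permission_problems(home)


if __name__ == "__main__":
    print(demo())
```

Run `permission_problems` against your real home after a manual install: a group-writable ~/.ssh is the usual reason a freshly copied key is silently ignored and ssh keeps asking for a password.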

Connecting securely with ssh tunnels

The idea of how to establish and use ssh tunnels, and why you might want to do this, is best illustrated with some examples. I have chosen two examples that you might very well want to put to use: Using a web proxy to access restricted websites (like scientific literature your library has a subscription to), and connecting to a mail server from anywhere, even if your local service provider tries to prevent this (DSL home service providers, hotel internet, etc).

Example One: Tunneling to a proxy server for web browsing

  • Problem: I want to read restricted-access journals from home, but I only have access from work.
  • Solution: Configure Firefox or SeaMonkey to use your work computer as a proxy.


For example, I can access most scientific journals on-line from machines that have recognized IP addresses (i.e., are affiliated with our university, whose library has paid for on-line access). If I am at home or on the road, I cannot do this easily unless I use a proxy server. Fortunately, this is fairly easy to do.

Establish the SSH tunnel connection

The syntax for establishing tunnel connections is as follows:

Choose a port, 8080, or any unused port above 1023 (the ones below are reserved for root). The -N flag says to establish the connection but not to open a login shell, and the -D flag says to use dynamic port forwarding, with ssh acting as a SOCKS server on that local port.
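What actually crosses the local port 8080 (or the 9001 of the "Tunnel All the Things!" section above) is the SOCKS5 protocol. The following added example, not code from either original page, encodes the client side of a SOCKS5 CONNECT (RFC 1928) and parses it the way the proxy side does, so you can see what ssh -D receives. The interesting detail is the address type: with ATYP 0x03 the host name itself travels to the proxy and is resolved there, on the ssh server, so no DNS lookup leaks onto the local network; an IP literal means the client already resolved the name locally. The host names and ports used in `exchange` are constructed for the demonstration.

```python
"""The SOCKS5 exchange a browser performs against `ssh -N -D 8080 host`.

Added example, not from either original page. ssh's -D proxy offers only
the "no authentication" method, which is what the greeting asks for.
"""
import ipaddress
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def client_greeting():
    """VER, NMETHODS, METHODS: offer only 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def connect_request(host, port):
    """Build a CONNECT request; names go as ATYP 0x03 so the proxy resolves them."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_request(data):
    """Proxy side: decode VER CMD RSV ATYP DST.ADDR DST.PORT; return (host, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("bad request length")
    return host, struct.unpack("!H", rest)[0]


def server_reply(success, bound=("0.0.0.0", 0)):
    """VER REP RSV ATYP BND.ADDR BND.PORT; REP 0x00 = succeeded, 0x05 = refused."""
    rep = 0x00 if success else 0x05
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + socket.inet_aton(bound[0]) + struct.pack("!H", bound[1]))


def reply_succeeded(data):
    """True if the proxy accepted the CONNECT; bytes after this are the tunnel."""
    return len(data) >= 2 and data[0] == SOCKS_VERSION and data[1] == 0x00


def exchange(host, port):
    """The four messages of a successful CONNECT, as (sender, bytes) pairs."""
    return [
        ("client", client_greeting()),
        ("proxy", bytes([SOCKS_VERSION, NO_AUTH])),  # method selected: no auth
        ("client", connect_request(host, port)),
        ("proxy", server_reply(True)),
    ]


if __name__ == "__main__":
    for sender, msg in exchange("router.example.home", 80):
        print(sender, msg.hex())
```

Whether the browser sends a name or an address is a browser setting: in Firefox it is "Proxy DNS when using SOCKS v5" (network.proxy.socks_remote_dns). Leave it enabled, otherwise every site you visit is first looked up through the local network's DNS, which is the part of the traffic the proxy was supposed to hide.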


Configure FireFox or SeaMonkey Preferences to use a proxy

On Mac OS X, I use Safari as my primary web browser, but I keep several on hand. Because of this, I can dedicate Firefox as my proxy web browser. If Firefox is your primary web browser, other browsers in the Mozilla family, such as SeaMonkey, have this capability as well.

  • In Firefox.app, go to Preferences > General and hit the 'Connection Settings' button on the lower right side of the panel. A second panel will be revealed. Enter what is shown here:

Then click the 'OK' button.

Thanks very much to James Davis and Adam Smith of UCSC SOE for the tip.

  • With SeaMonkey, go to Preferences > Advanced > Proxies > Manual Proxy Configuration > Advanced and you will get essentially the same configuration pane as pictured above. (SeaMonkey also has a nice free WYSIWYG HTML editor, called Composer.)



Example Two: Tunneling to a remote mail server

  • Problem: I want access to my email securely from any connection point in the world.
  • Solution: Configure smtp and pop or imap SSH tunnels.


Apple's Mail program logs onto a mail server computer every time it checks your mail, and every time it sends your mail. Depending on your mail server, it might send your password over the internet in clear text, as our POP3 server does. This is something worth avoiding, especially if you are on the road or using a commercial internet service provider. To get around this problem, you can create a 'tunnel' using ssh. Essentially, you can trick the mail program into using a pre-established ssh connection instead of using the insecure connection, thereby avoiding having to send your password in clear text. In fact, if you have enabled passwordless login, you can avoid dealing with passwords altogether. As side benefits, the connection seems to be established faster, and you can send mail from anywhere that allows you to make an ssh connection to the mail-server computer. (Many locations and DSL providers forbid you to make an smtp connection to your own mail server to avoid spamming issues and to try to force you to use theirs.)

Establish the SSH tunnel connection

The syntax for establishing tunnel connections is as follows:

That is pretty much all there is to establishing the required tunnels for POP3 mail, but a bit of explanation is in order. If you would normally log into the computer that is your email host with a command of the form

then just subtitute what you would actually type for this to the right of the -N option flag in the above two tunnel commands. (These are the same names you put in the email program for POP3 mail server and smtp server, respectively.) The ports (110 and 25) are the (insecure) ports used for POP3 and smtp mail. (If you are using the ssl secure ports, there is no need to be doing this). Again, these are the same as you used for configuring mail. The -N flag says to establish the connection but not to make it a login shell. Don't change ``localhost.' The other two ports (1110 and 2525) are arbitrary choices. You can pick any (unused) port (although the ones below 1024 are reserved for root). The -L flag tells ssh to do port forwarding (i.e., to establish the tunnel, treating the local port 1110 as if it were the remote port 110). The (optional) -C flag is for compression. This is handy on a lower-speed connection, but might actually slow stuff down on a high-speed connection.

How to get the Mail.app program to use the tunnels

To get Mail.app to use your ssh tunnels, you have to reconfigure its settings.

  1. First, establish the above tunnels.
  2. Then open Mail.app and under Preferences, go to Accounts and open the Account Information tab. Where it says Incoming Mail Server, you should enter 127.0.0.1 and where it says Outgoing Mail Server (SMTP), you should change the Server Settings by clicking the button, and add in 127.0.0.1 and port 2525 (or whatever port number corresponds to what you chose for the second tunnel command) and make these the default settings. This is illustrated in the following two screen shots below:
  3. Then go to Advanced tab, click on it to reveal the new pane, and enter the port 1110 (or whatever you picked for the first tunnel). You should now be set to collect and send your mail via ssh tunnels. If the tunnels become interrupted, you will have to re-establish them.

SSH Tunnel Manager

I find that it is easy to start and maintain the tunnels using a simple free gui application called SSH Tunnel Manager. This saves you typing and remembering the above commands. Should you require permanent, always-on tunnels, it might be better to run a launchd item to do this.

Retrieved from 'http://scottlab.ucsc.edu/xtal/wiki/index.php/SSH_and_Tunneling'



