SFTP, SSH & SSH Tunneling


Question


I would like to understand the concept of SSH tunneling in detail as I am learning a few things around this topic. I have gone through some details in public forums but still have a few questions.

  1. An SFTP service is running on a remote server and I have been given credentials to connect to it. I am using a GUI like WinSCP to connect to the remote server. What's the role of SSH tunneling here?
  2. The remote SFTP server admin asked me to generate an RSA public key from my machine, and it has been added to the remote server. Now I can directly connect to the server from an SSH terminal without a password. What's the role of SSH tunneling here?
  3. Is tunneling implicit, or does it need to be invoked explicitly under certain circumstances?

Please clarify.

Solution

SSH tunneling, SSH console sessions and SFTP sessions are functionally unrelated things. They can be used simultaneously during a single session, but usually that is not the case, so do not try to find any relation or role of tunneling in an ssh/sftp session.

It does not make sense to mix ssh tunneling with multiple ssh/sftp sessions. Basically you would use a dedicated ssh session for tunneling and extra sessions for console and transfers.

What the heck is SSH tunneling?

Quite often both parties (you and the server) reside in different networks, where arbitrary network connections between such networks are impossible.

For example, the server can see on its network workstation nodes and service nodes which are not visible to the outside network due to NAT.

The same is valid for the user who initiates the connection to the remote server: you (the ssh client) can see your local resources (workstation nodes and server nodes) but can't see nodes on the network of the remote server.

Here comes ssh tunneling.

An SSH tunnel is NOT a tool to assist ssh-related things like remote console ssh sessions and secure file transfers, but quite the other way around: it is the ssh protocol that assists you with building a transport to tunnel generic TCP connections, the same way a TCP proxy works. Once such a pipe is built and in action, it does not know what is being transferred via such a pipe/tunnel.

Its concept is similar to a TCP proxy.

A TCP proxy runs on a single node, so it serves both as the acceptor of connections and as the initiator of outgoing connections.

In the case of SSH tunneling, this TCP proxy concept is split in two halves: one of the nodes (participating in the ssh session) performs the role of listener (acceptor of connections) and the second node performs the role of proxy (i.e. initiates outgoing connections).

When you establish the SSH session to the remote server you can configure two types of tunnels, which are active while your ssh connection is active. Multiple ssh clients use a notation like

  • R [IP1 :] PORT1 : IP2 : PORT2
  • L [IP1 :] PORT1 : IP2 : PORT2

The most confusing/hard part to understand in this ssh tunneling thing is these L and R markers/switches (or whatever).

Those letters L and R can confuse beginners quite a lot, because there are actually 6 (!!!) parties in this game (each with its own point of view of what is local and what is remote):

  1. you
  2. ssh server
  3. your neighbors who want to expose their ports to anyone who sees the server
  4. your neighbors who want to connect to any service the server sees
  5. anyone who sees the server and wants to connect to any service your neighbor provides (opposite side/socket of case #3)
  6. any service in the local network of the server which wants to be exposed to your LAN (opposite side/socket of case #4)

In terms of the ssh client these tunnel types are:

  • "R" tunnel (server listens) - YOU expose network services from your LOCAL LAN to the remote LAN (you instruct the sshd server to start listening on ports at the remote side and route all incoming connections)
  • "L" tunnel (you listen) - the server exposes resources of its REMOTE LAN to your LAN (your ssh client starts listening on ports on your workstation; your neighbors can access remote server network services by connecting to the ports of your workstation; the server makes outgoing connections to local services on behalf of your ssh client)

So SSH tunneling is about providing access to a service which is typically inaccessible due to network restrictions or limitations.

And here is a simple counter-intuitive rule to remember while creating tunnels:

  • to open access to Remote service you use -L switch

and

  • to open access to Local service you use -R switch

examples of "R" tunnels:

Jack is your coworker (backend developer) and he develops server-side code at his workstation with IP address 10.12.13.14. You are the team lead (or sysadmin) who organizes working conditions. You are sitting in the same office as Jack and want to expose his web server to the outside world through the remote server. So you connect to the ssh server with the following command:

ssh me@server1 -g -R 80:ip-address-of-jack-workstation:80

in such a case anyone on the Internet can access Jack's current version of the website by visiting http://server1/

Suppose there are many IoT Linux devices (like Raspberry Pi) in the world sitting in multiple home networks and thus not accessible from outside. They could connect to the home server and expose their own port 22 to the server, for the admin to be able to connect to all those devices. So RPi devices could connect to the server in such a way:

RPi device #1

ssh rpi1@server -R 10122:localhost:22

RPi device #2

ssh rpi1@server -R 10222:localhost:22

RPi device #3

ssh rpi1@server -R 10322:localhost:22

and the sysadmin, while being at the server, could connect to any of them:

ssh localhost -p 10122 # to connect to the first device
ssh localhost -p 10222 # to connect to the second device
ssh localhost -p 10322 # to connect to the third device

the admin on the remote premises blocked outgoing ssh connections and you want the production server to contact bitbucket through your connection...

#TODO: add example

Typical pitfalls in ssh tunneling:

mapping a remote service to a local privileged port

ssh me@server -L 123:hidden-smtp-server:25 # fails
#bind fails due to privileged ports
#we try to use sudo ssh to allow the ssh client to bind to the local privileged port

sudo ssh me@server -L 123:hidden-smtp-server:25 # fails
#this usually results in rejected public keys because ssh looks for the key in /root/.ssh/id_rsa
#so you need to coerce ssh into using your key while running under the root account

sudo ssh me@server -i /home/me/.ssh/id_rsa -L 123:hidden-smtp-server:25

exposing some service from the local network to anyone through the public server:

the typical command would be

ssh me@server -R 8888:my-home-server:80
#quite often no one can connect to server:8888 because sshd binds to localhost.
#To make it work you need to edit the /etc/ssh/sshd_config file to enable GatewayPorts (the line in the file needs to be GatewayPorts yes).

my tunnel works great on my computer for me only, but I would like my coworkers to access my tunnel as well

the typical working command you start with would be

ssh me@server  -L 1234:hidden-smtp-server:25
#by default ssh binds to loopback (127.0.0.1) and that is the reason why no one else can use such a tunnel.
#you need to use the switch -g and probably manually specify the bind interface:
ssh me@server  -g -L 0.0.0.0:1234:hidden-smtp-server:25
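Added example (editor's code, not part of the original question or answer): a small Python model of the listener/initiator split the answer describes. It collapses both halves of an `ssh -L [bind:]port:host:hostport` forward into one process, the acceptor that ssh runs on your workstation and the initiator that sshd runs on the server, with the encrypted ssh hop between them left out. What it demonstrates is the bind-address behaviour behind the last pitfall above: the default listener sits on 127.0.0.1, and only the `0.0.0.0`/`-g` variant is reachable from other hosts. The fake SMTP service standing in for `hidden-smtp-server`, its banner, the `LocalForward` class and `try_bind` are this example's own constructions, not ssh's.

```python
import socket
import threading

# Constructed stand-in banner for "hidden-smtp-server"; no real mail server is involved.
SMTP_BANNER = b"220 hidden-smtp-server ESMTP ready\r\n"


def start_fake_smtp():
    """Stand-in for the hidden service: send the banner to each client, then hang up.
    Bound to loopback only, like a host that is unreachable from outside its LAN."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            with conn:
                conn.sendall(SMTP_BANNER)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()  # (host, port) the forward will connect to


def relay(src, dst):
    """Copy bytes one way until EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForward:
    """Both halves of `ssh -L [bind:]port:host:hostport` in one process: the acceptor
    (ssh client on your workstation) and the initiator (sshd on the server side)."""

    def __init__(self, target_host, target_port, bind_addr="127.0.0.1", port=0):
        self.target = (target_host, target_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # "127.0.0.1" mirrors ssh's default; "0.0.0.0" is what -g or an explicit
        # 0.0.0.0: prefix gives you. port=0 lets the OS pick a free port.
        self.listener.bind((bind_addr, port))
        self.listener.listen(5)
        self.bind_addr, self.port = self.listener.getsockname()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        # Initiator half: open the hidden service on the client's behalf, relay both ways.
        try:
            upstream = socket.create_connection(self.target, timeout=5)
        except OSError:
            client.close()
            return
        threading.Thread(target=relay, args=(client, upstream), daemon=True).start()
        relay(upstream, client)
        for s in (client, upstream):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()

    def close(self):
        self.listener.close()


def read_banner_through(port, host="127.0.0.1"):
    """Act as the neighbour: connect to the forward's port, return what the hidden service sent."""
    chunks = []
    with socket.create_connection((host, port), timeout=5) as c:
        while True:
            data = c.recv(1024)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode()


def try_bind(port, bind_addr="127.0.0.1"):
    """The privileged-port pitfall: binding below 1024 as a normal user fails with EACCES."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((bind_addr, port))
        return "bound"
    except PermissionError:
        return "permission denied (privileged port: needs root or CAP_NET_BIND_SERVICE)"
    except OSError as e:
        return f"failed: {e.strerror}"
    finally:
        s.close()


if __name__ == "__main__":
    hidden = start_fake_smtp()
    for bind in ("127.0.0.1", "0.0.0.0"):  # ssh default, then the -g / 0.0.0.0: variant
        fw = LocalForward(*hidden, bind_addr=bind)
        print(f"listening on {fw.bind_addr}:{fw.port} ->", read_banner_through(fw.port).strip())
        fw.close()
    print("bind to port 123:", try_bind(123))
```

Run it directly to see both forwards relay the banner and the result of binding port 123 under your own uid. Two caveats a practitioner should keep in mind when moving from this model to a real `-L 0.0.0.0:...` or `-g` forward: whether other hosts actually reach the wildcard-bound listener still depends on the workstation's firewall, and once they can, the hidden service is reachable by anyone who can reach your workstation, with no authentication added by ssh on that leg, so treat a `0.0.0.0`-bound forward as you would any open listener.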
