130

I have to set up a tunnel between two hosts.

For this I use ssh in this way:

ssh -L MY_LOCAL_PORT:FOREIGN_ADDRESS:FOREIGN_PORT MYUSER@SSH_SERVER

after that, I log in to my SSH_SERVER.

How can I avoid this feature?! I have only to set up a tunnel. I don't have to login into my SSH_SERVER...

I've tried the -N option, but it kept my shell busy.

Jeff Schaller
  • 67,283
  • 35
  • 116
  • 255
Bau Miao
  • 1,523
  • SSH -N -L xx:xx:xx user@server & <-- have you tried that before ? – Lawrence Nov 12 '13 at 07:45
  • Hey, you have right. I've tried on another host and the -N option works. So I've discovered that the problem is on my ssh client (I don't know why, and I will search the reason). Thanks a lot! – Bau Miao Nov 12 '13 at 09:41
  • 2
    man ssh shows how: ssh -f -L 1234:localhost:6667 server.example.com sleep 10 && irc -c '#users' -p 1234 pinky 127.0.0.1 
     The -f option backgrounds ssh and the remote command ``sleep 10'' is specified to allow an amount of time (10 seconds, in the example) to start the service which is to be tunnelled.  If no connections are made
 within the time specified, ssh will exit.
    – lionello Jun 05 '17 at 07:02

3 Answers3

134

As said in other posts, if you don't want a prompt on the remote host, you must use the -N option of SSH. But this just keeps SSH running without having a prompt, and the shell busy.

You just need to put the SSH'ing as a background task with the & sign :

ssh -N -L 8080:ww.xx.yy.zz:80 user@server &

This will launch the ssh tunnelling in the background. But some messages may appear, especially when you try to connect to a non-listening port (if you server apache is not launched). To avoid these messages to spawn in your shell while doing other stuff, you may redirect STDOUT/STDERR to the big void : 

ssh -N -L 8080:ww.xx.yy.zz:80 user@server >/dev/null 2>&1 &

Have fun with SSH.

Adrien M.
  • 3,566
124

-f -N is what you are looking for:

ssh -f -N -L MY_LOCAL_PORT:FOREIGN_ADDRESS:FOREIGN_PORT MYUSER@SSH_SERVER

From the ssh man page:

-f Requests ssh to go to background just before command execution. This is useful if ssh is going to ask for passwords or passphrases, but the user wants it in the background. This implies -n.

-N Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).

-n Redirects stdin from /dev/null (actually, prevents reading from stdin). This must be used when ssh is run in the background.

AdminBee
  • 22,803
neu242
  • 1,738
  • 8
    Once the tunnel is set up, how do you close it with this method? – magnetik Dec 07 '15 at 08:02
  • @magnetik Find the process with ps and kill it – neu242 Dec 08 '15 at 08:45
  • 25
    @magnetik and @neu242 the better is to use "master socket" ssh -N -f -M -S /tmp/file-sock -L port:server:port_to user@... so you can kill the connexion later with ssh -S /tmp/file -o exit user@.... (or kill). That way, no need to ps. You can tell to automatically create that file in ~/.ssh/config. – Metal3d Dec 14 '15 at 13:47
  • 3
    I mean "control socket" and not "master socket" – Metal3d Dec 14 '15 at 13:56
  • 18
    It should be ssh -S /tmp/file-sock -O exit, not -o https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing#Setting_Up_Multiplexing – fetsh Apr 01 '16 at 15:08
  • 1
    This should be the accepted answer. – Jaap Versteegh Apr 16 '22 at 08:49
  • Or do nothing in foreground:ssh -L MY_LOCAL_PORT:FOREIGN_ADDRESS:FOREIGN_PORT MYUSER@SSH_SERVER tail -f /dev/null – David Lakatos May 09 '23 at 09:27
4

This is my experience of using ssh for connecting a computer without static ip address from a remote computer.This is required to manage projects in server (serving in LAN) with no static ip to use

Requirement for setup and demo:

  • Linux in with an ssh server with static IP ( call it boss.com )
  • Linux in with an ssh/web server with no static IP. (call it target)
  • Linux / Android phone with JuiceSSH

Ensure the following is in /etc/ssh/sshd_config:
GatewayPorts yes

Run following in target computer to use boss.com:1008 as web address for target

ssh -R 1008:127.0.0.1:80 root@boss.com

Now you can excess target web server as boot.com:1008 from any device (try with browser from your mobile device)

Run following in target computer to connect target computer via ssh(at 2048 port)

ssh -R 1008:127.0.0.1:2048 root@boss.com

Now you can excess target computer with following command

ssh root@boss.com:1008

Or use JuiceSSH from android phone to test

Accessing server with root password is not good idea.

Create user mytunnel in boss.com
replace root with mytunnel in above examples

Lastly do following to ensure that mytunnel user can do only tunneling work via boss.com

  • in /etc/passwd in boss.com, replace shell of mytunnel from /bin/bash to /bin/false

  • add -f -N in above commands
    ssh -f -N -R 1008:127.0.0.1:80 root@boss.com
    ssh -f -N -R 1008:127.0.0.1:2048 root@boss.com

  • Now, user mytunnel can use only ssh-tunnel functionality from server

Garo
  • 2,059
  • 11
  • 16
ShaileshKumarMPatel
  • 49
  • 3