jpabloae.blog

Release Engineering at Openbravo

SSH: a Swiss knife for system integrators

Give me a place to stand on, and I will move the Earth.

This is a legend ascribed to the famous Archimedes, genius of antiquity. When he understood the basic principles behind the lever he felt its power and he started seeing them in a different way. His paradigm changed.

In a similar way SSH is a tool that can completely change the way you work, for good. Let me show you why you, as a system integrator, should be interested in its wonders. And I can assure you that if you get familiar with the basic principles behind it you’ll be able to perform tasks you would never possibly imagine.

Case 1: Browsing through a remote computer

There are multiple situations where browsing through a remote computer is interesting:

  • IP address restrictions: a customer has restricted access so that I can only access a remote machine from my network at work. I am at home and I really need to access this server.
  • Content filtering: I am located in a network or a country that restricts my Internet connection. And I really need to access some pages which are key to do my job.
  • Remote LAN access: I have access to a remote computer. But I would like to access the ERP or database of another computer in the same local network.

So this is the magic that makes this possible:

ssh -D 8888 johndoe@remote_computer

This basically turns the remote computer into a SOCKS proxy server just for you, so you only need to point your web browser at it. Using Firefox as an example, go to Preferences → Advanced → Network → Settings, select Manual proxy configuration and enter localhost in the SOCKS Host field and 8888 as the port number. The simplest way to verify it is working is to visit whatismyip.org and check the IP address it reports: it should be the remote computer’s.

[Figures: Firefox Preferences, Advanced section; Firefox proxy settings]

Case 2: Securely connect to a remote database

This is a typical scenario: the remote machine only has SSH open and there is no direct access to the database. Let’s suppose it is PostgreSQL running on port 5432 on the remote computer, but that port is not open to the outside world, only to local connections. Since you have SSH access, you can ask SSH to redirect the remote port 5432 to any port on your local machine, such as 5433:

ssh -L 5433:localhost:5432 johndoe@remote_computer

Now you can start psql, pgAdmin or your favorite client and use localhost as the host and 5433 as the port in the connection details.

[Figure: pgAdmin3 through an SSH tunnel]

For Oracle the concept is the same; only the port numbers change:

ssh -L 1522:localhost:1521 johndoe@remote_computer

Case 3: Expose my local ERP into a remote network

Let’s suppose I have Openbravo ERP running beautifully on my local machine, including some nice new changes we’ve been working on. I would like to show it to Mike and Sandra, but they are located in a remote network. I am in a hotel, and there is no way I can ask the hotel’s IT staff to open a port so my users can reach the ERP on my computer. SSH comes to the rescue again: you can perform the opposite operation of Case 2 and forward your local web server port to any port of a remote machine:

ssh -R :9999:localhost:80 johndoe@remote_computer

So now I can ask Mike and Sandra to open http://local_ip_of_remote_computer:9999 and bingo, they can access my ERP installation.

Important note: for this feature to work, the server’s SSH configuration (sshd_config) must have the GatewayPorts option set to yes.
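To see in advance whether a -R forward like the one above will be reachable from the remote LAN or only from the server’s loopback interface, here is an added example (not from the original post) that reads an sshd_config and combines the effective GatewayPorts value with the bind address given in the -R spec. It assumes plain sshd_config semantics (first GatewayPorts line wins, “#GatewayPorts no” is only the commented default, directives inside Match blocks are skipped) and IPv4/hostname bind addresses without [ipv6] brackets.

```shell
#!/bin/sh
# Added example, not from the original post. Predicts the scope of an
# "ssh -R" forward from the server's GatewayPorts setting (Case 3).

# Read an sshd_config on stdin and print the effective GatewayPorts
# value: yes | no | clientspecified. Assumes the first uncommented
# keyword wins and that Match blocks (conditional) are ignored.
gateway_ports_setting() {
    awk '
        tolower($1) == "match" { in_match = 1 }   # conditional section starts
        in_match { next }
        tolower($1) == "gatewayports" && !found { val = tolower($2); found = 1 }
        END { print (found ? val : "no") }        # sshd default is "no"
    '
}

# Given the GatewayPorts value and an -R spec such as ":9999:localhost:80",
# print "lan" if other machines can reach the forwarded port, else "loopback".
remote_forward_scope() {
    setting=$1 spec=$2 bind="(absent)"
    case "$spec" in
        *:*:*:*) bind=${spec%%:*} ;;   # bind_address:port:host:hostport form
    esac
    case "$setting" in
        yes) echo lan ;;               # server forces the wildcard address
        clientspecified)
            case "$bind" in
                ""|"*"|0.0.0.0|::) echo lan ;;   # client asked for all interfaces
                *) echo loopback ;;              # absent or explicit loopback-ish
            esac ;;
        *) echo loopback ;;            # "no" (default): localhost only
    esac
}

# Demo on a constructed sshd_config that still carries the stock commented
# default; the GatewayPorts inside the Match block must not count.
demo() {
    setting=$(gateway_ports_setting <<'EOF'
#GatewayPorts no
Port 22
Match User guest
  GatewayPorts yes
EOF
    )
    echo "GatewayPorts=$setting -> -R :9999:localhost:80 is $(remote_forward_scope "$setting" :9999:localhost:80)"
}

demo
```

Run it against the real file with `gateway_ports_setting < /etc/ssh/sshd_config` on the server; a result of `loopback` is exactly the situation Asier describes in the comments below, and `yes` is what the note above requires.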

Case 4: Securely connect to a remote database available only in the LAN

Now let’s suppose I have SSH access to remote_computer but not to remote_computer-2, which is in the same LAN as the first one, and I want to access the database on remote_computer-2 using my graphical SQL client. There are multiple ways of solving this, using variants of Case 1 or Case 2. We’ll do it by extending the first case. First, open the SSH connection and establish the local proxy server:

ssh -D 8888 johndoe@remote_computer

Now we want to tell our PostgreSQL client to use this proxy, but such clients usually don’t support this feature. So here proxychains comes to the rescue: it is a tool that makes any program use the network through that proxy. Once it is installed, it requires a minimal configuration in $HOME/.proxychains/proxychains.conf, which you only need to write the first time you use it:

DynamicChain
tcp_read_time_out 15000
tcp_connect_time_out 10000

[ProxyList]
socks5 127.0.0.1 8888

From now on you can prepend the proxychains command to your program and it will reach the network through the proxy server connection. So for example in our case we would go to a terminal and run:

proxychains pgadmin3

or

proxychains psql -d openbravo -U tad -h remote_computer-2 -p 5432

Conclusions

As you can see, SSH opens a new world of possibilities for you. Invest some time playing with it; you won’t regret it.

Some final words for Windows users: don’t worry, this is not valid only for UNIX-based systems. If you run Windows on your computer you can use PuTTY to achieve exactly the same results.

UPDATE (2010/04/26): adding the GatewayPorts requirement and the corrected ssh command based on Asier’s comments.


Written by jpabloae

27/02/2010 at 12:37

Posted in openbravo


5 Responses


  1. Hi,

    Speaking about Case 3, which btw is a very useful tip, I would like to point out some extra steps that need to be done in order to make it work.

    1.- Edit /etc/ssh/sshd_config and uncomment the line #GatewayPorts no , writing GatewayPorts yes

    2.- Instead of ssh -R 9999:localhost:80 johndoe@remote_computer , execute ssh -R :9999:localhost:80 johndoe@remote_computer

    Use it!

    Cheers

    Asier

    26/04/2010 at 11:38

  2. Hi Asier. You are right about both points. I overlooked those details, so I’ll update the post to include them.

    Thank you!

    jpabloae

    26/04/2010 at 12:27

  3. Thank you so much for Case 4: Securely connect to a remote database available only in the LAN, I’ve been looking for that all over

    jakup

    08/12/2010 at 01:19

  4. Hi,

    Thanks for the guide. On my install, Windows 7 with VMware Player, I followed all the steps with the default settings, and Openbravo works well. Now I am trying to install iReport. I followed the instructions on http://wiki.openbravo.com/wiki/How_to_create_a_Report as outlined in Case 2, but I am having trouble establishing the ssh tunnel. Test options:
    $ ssh -L 5433:192.168.157.131:5432 username@computer_name (connection to host computer_name port 22: connection denied)
    $ ssh -L 5433:192.168.157.131:5432 username@192.168.157.131 (permission denied (publickey))

    Suggestion?

    hh

    04/01/2012 at 02:31

    • Hi. The “permission denied (publickey)” message means that the server doesn’t know about your public key. Have a look at this wiki document for more information.

      Juan Pablo

      jpabloae

      09/01/2012 at 15:23


Comments are closed.
