SSH tunneling, also known as SSH port forwarding, provides a secure method for client applications to communicate with remote servers. By encrypting traffic, SSH tunnels ensure data protection during transmission. This article explores the significance of SSH tunneling, its advantages, how it works, and its various use cases.
What is an SSH Tunnel?
An SSH tunnel (also known as SSH port forwarding) is a method by which client applications can securely communicate with remote servers. The SSH client and server together establish the tunnel and encrypt every byte that passes through it, protecting the data while it is in transit. When you use an SSH tunnel to reach a remote service, anyone who intercepted the traffic along the way would see only ciphertext.
Why Do You Need SSH Tunneling?
SSH tunneling is a method used to connect a client application on a local machine to services on remote machines. However, there are other ways to accomplish the same goal. Many services that you might wish to connect to on remote servers, such as a database, can have ports open externally to accept connections directly from the internet. You can also limit these kinds of connections to devices that exist on your private network, or on a virtual private network (VPN). This kind of perimeter-based security, which automatically rejected external connections and gave at least some implicit trust to on-premises connections, was a very common security practice prior to the popularization of cloud computing.
Benefits of SSH Tunneling
If many applications allow for remote connections over the internet, why are SSH tunnels ever necessary? There are several key advantages to SSH tunneling.
- SSH tunneling (or port forwarding) bypasses the problem of some services not having native encryption for remote connections. If the connection is not secure between the client and server, your traffic is vulnerable to interception and potentially manipulation. SSH tunnels are always encrypted in a standardized way, thus mitigating this concern.
- SSH tunnels also solve the security problem of having to expose ports for those services to the internet. A previously common solution to this vulnerability was the use of physical perimeters or VPNs, but with the evolving landscape of remote work and cloud infrastructure, that is less of a viable option. Rather than accept one or more ports being open to connections from anywhere, you use SSH tunneling to ensure that the traffic securely reaches the server, which then forwards it along to the correct destination.
How Do SSH Tunnels Work?
SSH tunneling is a fairly straightforward process. On the server in question, the remote service (for example, a database) listens on a local port, but does not open ports for that service to the internet.
Your SSH client connects to the SSH service on the remote server and establishes a secure tunnel. You will need to configure your SSH client to forward traffic from a local port of your choice to the remote port you want to reach (for example, port 3306 for MySQL). If you are using the command line only, specify the forward in this format:
`ssh -L <YOUR_LOCAL_PORT>:<YOUR_SERVER_IP>:<YOUR_REMOTE_PORT> <YOUR_USER>@<YOUR_SERVER>`
For example: `ssh -L 8000:127.0.0.1:3306 exampleuser@exampleserver`
At that point, when you use your local application (such as a database client, or the command line) to connect to the remote service, you start the connection using your chosen local port for that application (for example, `localhost:8000`), and traffic sent to that port is forwarded over the SSH tunnel to the specified port (`3306`) that is open on the server. Note that the address in the middle of the `-L` argument is interpreted from the server's side of the tunnel, so the server's own loopback address refers to the service listening locally on the server, not on your machine.
SSH reverse tunneling produces the same effect in the opposite direction. To open a listening port on the remote machine and forward its traffic back over the SSH tunnel to a port reachable from the client, replace the `-L` flag with a `-R` flag. Applied to the example above, this would forward traffic arriving at the server's local port 8000 to the client's port 3306, via the SSH tunnel.
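As an added example (not code from the StrongDM article), the following POSIX shell script assembles the `-L` and `-R` command lines described above with the options a defender would want: `-N` so no remote shell is opened for a session whose only job is the forward, `ExitOnForwardFailure=yes` so a port collision is an error rather than a silent no-op, and an explicit loopback bind address so the forwarded port is not reachable from other hosts. It also checks a constructed `ss -ltn` listing to confirm that a forwarded listener is bound only to loopback. `exampleuser@exampleserver`, the port numbers and the `ss` sample are constructed for illustration, and the function names are my own, not part of ssh.

```shell
#!/bin/sh
# Added example, not from the article: build hardened ssh port-forward
# commands and verify a forwarded listener is bound to loopback only.
# Hostnames, user names, ports and the ss sample below are constructed.

# Validate a TCP port number: digits only, in the range 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command line for a local (-L) or reverse (-R) forward.
#   $1 = L or R, $2 = listen port, $3 = target host, $4 = target port,
#   $5 = user@server
# For -L the listener is on the client and the target is reached from the
# server; for -R the listener is on the server and the target is reached
# from the client. The explicit 127.0.0.1 bind address keeps the listener
# off non-loopback interfaces (for -R this still requires the server's
# default GatewayPorts setting).
tunnel_cmd() {
  mode=$1; lport=$2; thost=$3; tport=$4; dest=$5
  case "$mode" in
    L|R) ;;
    *) echo "mode must be L or R" >&2; return 2 ;;
  esac
  valid_port "$lport" || { echo "bad listen port: $lport" >&2; return 2; }
  valid_port "$tport" || { echo "bad target port: $tport" >&2; return 2; }
  printf 'ssh -N -o ExitOnForwardFailure=yes -%s 127.0.0.1:%s:%s:%s %s\n' \
    "$mode" "$lport" "$thost" "$tport" "$dest"
}

# Read `ss -ltn` style output on stdin. Return 0 if every listener on the
# given port is bound to 127.0.0.1 or [::1]; return 1 if the port is not
# listening at all or any listener is bound to a wildcard/other address.
listener_is_loopback_only() {
  awk -v p="$1" '
    NR > 1 {
      addr = $4                      # Local Address:Port column
      n = split(addr, parts, ":")
      if (parts[n] != p) next        # not our port
      host = substr(addr, 1, length(addr) - length(p) - 1)
      found = 1
      if (host != "127.0.0.1" && host != "[::1]") bad = 1
    }
    END { exit (found && !bad) ? 0 : 1 }'
}

# Constructed ss -ltn listing: port 8000 is loopback-only (v4 and v6),
# port 8080 is exposed on all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8000      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    [::1]:8000          [::]:*'

# Run the loopback check against the constructed sample for one port.
check_sample() {
  printf '%s\n' "$SAMPLE_SS" | listener_is_loopback_only "$1"
}

# Usage demo: the two command lines from the article's example, then the check.
tunnel_cmd L 8000 127.0.0.1 3306 exampleuser@exampleserver
tunnel_cmd R 8000 127.0.0.1 3306 exampleuser@exampleserver
if check_sample 8000; then echo "port 8000: loopback only"; else echo "port 8000: EXPOSED"; fi
if check_sample 8080; then echo "port 8080: loopback only"; else echo "port 8080: EXPOSED"; fi
```

The loopback check is worth running after the tunnel is up because `-g` on the client (or `GatewayPorts yes` in the server's `sshd_config` for `-R`) turns the forwarded port into a listener on every interface, which quietly re-exposes the very service the tunnel was meant to keep off the network.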
SSH Tunneling Use Cases
There are a variety of applications for SSH tunneling. Secure access to databases is one of the primary use cases in the DevOps world. Exposing critical databases to the internet directly increases risk, so SSH tunnels are used. Another common use case is internally hosted web applications or other software. This can be a way to offer web applications (or really any server-client application) that you need to host for a variety of users to connect to, but do not wish to be available to the public, or even the entirety of an organization.
How to Set up SSH Tunneling with StrongDM
StrongDM provides a single platform with which to manage access to your organization’s resources in a secure and highly auditable fashion. As such, StrongDM provides the ability to manage direct access to resources as a cornerstone of the service. However, the ability to set up local port forwarding through StrongDM is also available, to provide maximum flexibility.
In order to forward client ports to ports on your configured resource, you must have enabled port forwarding as an organization, and toggled it on when configuring the resource in question. Then, the user may employ the same `-L` flag and syntax when using `sdm` at the command line that they would when using `ssh` without StrongDM, in the format `sdm ssh [Server Name] -L [Local Port to Forward]:[Target Address]:[Target Port]`. See the documentation on local port forwarding for more details.
SSH tunnels are extremely useful when interacting with services that require higher security for traffic coming from outside a secure perimeter, without requiring a VPN or exposing them directly to the internet. But they don't solve every access problem facing an organization. Individual credentials must still be managed, or else shared credentials end up being handed out insecurely. SSH tunnels provide secure access, but at the cost of decreased visibility and auditability. StrongDM can boost your ease of access management, lower your security risks, and increase the amount of auditable interactions in your network. And if you still need local port forwarding, StrongDM has that covered as well.
StrongDM improves workflow and simplifies administration. If you’re ready to step away from the hassles of traditional SSH key management to more modern ways of authenticating, securing, and tracking access, give StrongDM a try. You’ll only need five minutes to connect to your first database or server.
About the Author
Jeff Smith, Lead Technical Writer, has led projects and teams working on documentation in access and security for more than six years. Learning these technologies and helping other people do the same is his passion. Jeff contributes occasionally to various technical blogs and publications and sometimes writes on non-software topics such as productivity, project management, and tech news. To contact Jeff, visit him on LinkedIn.