SSH tunnel hell
Tuesday, January 31 2012
Today I was finally granted access to a web server whose security system seemed nearly military-grade. My IP address had to be on a white list, and I had to provide my computer's public key (the first time I've ever had to do that). Initially I didn't even know where my computer kept its encryption keys; it's not like the programs that use these (Filezilla, Putty, or Kitty) make it obvious.
Once I got a working connection, I fretted about what would happen when my IP address inevitably changed. Verizon DSL is not a particularly reliable form of broadband internet, and whenever the connection drops, the IP address changes. It's rare to go a whole 24 hours without that address changing at least once. This wouldn't be a problem when working with some people, but my contact, the guy who types my IP address into the white list, is not especially fast at getting back to me. I worried that my address would change and then I'd be down for another week.
So I did some research about perhaps setting up an "SSH tunnel" (something I didn't even know existed until today). An SSH tunnel allows you to use a third computer as an intermediary in establishing a connection to a second computer. The best description I found of this was on a page called Transparent Multi-hop SSH. Following their example code, I set up an intermediary computer on a Linux Virtual Private Server to which I have access. This VPS had the advantage of having a fixed IP address, which, if it could serve as an intermediary, would obviate the need to keep updating my address in a white list.
I was able to make multi-hop ("tunnel") connections from the command line, but I was having difficulty getting my drag-and-drop SFTP clients to form multi-hop connections. Filezilla didn't seem to support this at all, at least not without the assistance of Putty (I use a version called Kitty). But Putty has its own problems; supposedly you can set up an SSH tunnel, but there's no way to save the settings you give it, so you end up having to type in the same boring data over and over, that is, if it works at all. But I couldn't get it to work; Putty might be a great program, but its documentation is terrible. Their description of the process could have really used a diagram. What is Server A? What is Server B? Argh!
In the end I was able to get drag-and-drop SFTP working, but not until after hours of experimenting with three or four different client programs and plenty of aggravated moans. The client that finally allowed me to do this was WinSCP. But getting that working was easy. It turned out that it wasn't enough to create a "Tunnel" under the "Connection" settings; you also had to tell it to "Allow agent forwarding."
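For readers who want the command-line version of this arrangement, here is the same multi-hop setup expressed in OpenSSH's client config (~/.ssh/config). This is an added example, not code from the post or from the Transparent Multi-hop SSH page; the host aliases, user names, addresses and key path are placeholders. It assumes an OpenSSH client with ProxyJump (7.3 or later); the commented ProxyCommand line is the older equivalent.

```sshconfig
# Added example (not from the post). Names and addresses are placeholders.
# "jump" is the VPS with the fixed, whitelisted IP address; "webserver" is
# the target that only accepts connections from that address and only
# with a public key.

Host jump
    HostName 203.0.113.10          # placeholder: the VPS's fixed address
    User vpsuser
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

Host webserver
    HostName 198.51.100.20         # placeholder: the whitelisted web server
    User webuser
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    # OpenSSH 7.3+: open the connection through "jump"; the web server
    # sees the VPS's address, so only that address needs whitelisting.
    ProxyJump jump
    # Older clients: the same hop with a forwarded TCP channel.
    # ProxyCommand ssh -W %h:%p jump
    # Agent forwarding is not needed for the hop itself: the client
    # authenticates to webserver end to end through the channel, so the
    # private key never leaves this machine.
    ForwardAgent no
```

With this in place, `ssh webserver` and `sftp webserver` connect in one step, and `ssh -G webserver` prints the effective options so you can confirm the proxy setting took. Keep ForwardAgent off unless a particular client or workflow needs it (as WinSCP apparently did here): while an agent is forwarded, anyone with root on the intermediary host can use your key for the life of the session, so it is worth enabling only for hosts you trust.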