Configuring SSH Tunnels in Oracle Linux

1
0
Send lab feedback

Configure SSH Tunnels Using Oracle Linux

Introduction

SSH is the default standard for making secure connections or file transfers over an untrusted network. SSH tunneling or SSH port forwarding allows for the encapsulation of specific TCP data traffic during transit without the fear of it being eavesdropped or intercepted. This approach even allows for adding network security to legacy applications that do not natively support encryption.

Objectives

In this tutorial, you will learn how to:

  • Create a dynamic port forwarding tunnel
  • Establish a local port forwarding tunnel

Prerequisites

  • Minimum of two Oracle Linux systems

  • Each system should have Oracle Linux installed and configured with:

    • A non-root user account with sudo access
    • Key-based SSH, also known as password-less SSH, between the hosts
    • Access to the Internet

This tutorial uses the Cockpit web-based application to test the SSH tunnel, available by default on Oracle Linux cloud images. You can also use VNC services or other web applications and services just as easily.

Deploy Oracle Linux

Note: If running in your own tenancy, read the linux-virt-labs GitHub project README.md and complete the prerequisites before deploying the lab environment.

  1. Open a terminal on the Luna Desktop.

  2. Clone the linux-virt-labs GitHub project.

    git clone https://github.com/oracle-devrel/linux-virt-labs.git

  3. Change into the working directory.

    cd linux-virt-labs/ol

  4. Install the required collections.

    ansible-galaxy collection install -r requirements.yml

  5. Update the Oracle Linux instance configuration.

    cat << EOF | tee instances.yml > /dev/null
compute_instances:
  1:
    instance_name: "ol-node-01"
    type: "server"
  2:
    instance_name: "ol-node-02"
    type: "server"
passwordless_ssh: true
EOF

  6. Deploy the lab environment.

    ansible-playbook create_instance.yml -e localhost_python_interpreter="/usr/bin/python3.6" -e "@instances.yml"

    The free lab environment requires the extra variable local_python_interpreter, which sets ansible_python_interpreter for plays running on localhost. This variable is needed because the environment installs the RPM package for the Oracle Cloud Infrastructure SDK for Python, located under the python3.6 modules.

    The default deployment shape uses the AMD CPU and Oracle Linux 8. To use an Intel CPU or Oracle Linux 9, add -e instance_shape="VM.Standard3.Flex" or -e os_version="9" to the deployment command.

    Important: Wait for the playbook to run successfully and reach the pause task. At this stage of the playbook, the installation of Oracle Linux is complete, and the instances are ready. Take note of the previous play, which prints the public and private IP addresses of the nodes it deploys and any other deployment information needed while running the lab.

Configure SSH Dynamic Port Forwarding

Dynamic port forwarding enables communications across various ports by making SSH behave as a SOCKS proxy server.

Note: Unless instructed otherwise, you must run all the commands in this section from your SSH client desktop.

  1. Open a terminal and connect via SSH to the ol-node-01 instance.

    ssh oracle@<ip_address_of_instance>

  2. Use cURL to obtain the public IP address.

    curl -w '\n' ifconfig.me

    Notice that the returned IP address matches the public IP address of ol-node-01.

  3. Connect via SSH using the -D option to the ol-node-02 instance.

    ssh -CNfq -D 8080 oracle@<ip_address_of_instance>

    Where:

    • -D: specifies a local ''dynamic'' application-level port forwarding listening on port 8080
    • -f: requests ssh to run in the background
    • -N: does not run a remote command
    • -q: is quiet mode and suppresses most warning and diagnostic messages

    Approve the fingerprint. The dynamic tunnel runs in the background and returns us to the bash prompt on ol-node-01.

    For more details, check out the manual page man ssh.

  4. Use cURL again, but specify the --socks5 option.

    Notice that you are on the ol-node-01 instance.

    This option tells cURL to use a SOCKS proxy on the localhost at port 8080, which matches what you specified when creating the SSH dynamic tunnel connection.

    curl -w '\n' --socks5 localhost:8080 ifconfig.me

    The output now should display the public IP address of the ol-node-02 instance. This output happens because the cURL request travels through the SSH tunnel and then out to the internet to retrieve the IP address.

  5. Use cURL with proxy environment variables.

    By using the dynamic port forwarding service, you can redirect or forward TCP traffic from one system to another over a secure connection. This service functions as a rudimentary VPN. Thus, you can configure a local web browser to use the SOCKS proxy for forwarded browsing. Or, as an alternative, you can configure SOCKS proxy settings by defining a variable as follows and then retesting.

    export {http,https,ftp}_proxy="socks5://localhost:8080"
curl -w '\n' ifconfig.me

Configure SSH Local Port Forwarding

Local port forwarding over SSH maps a local port on the client system to a remote port on the server system. This configuration enables you to access services on the remote system that are otherwise inaccessible because the services might be running behind a firewall or not listening on a public network interface.

Cockpit is a good example of such a service. Typically, if you want to run the Cockpit web console for a system connected to the Internet, you would expose the service on a public-facing network, which is not advisable.

For this tutorial, we have the following configuration on the remote ol-node-01 instance:

  • the Cockpit packages preinstalled
  • an enabled firewalld service with the Cockpit port closed

  1. Start the Cockpit service on ol-node-01.

    sudo systemctl enable --now cockpit.socket

  2. Close the SSH connection to ol-node-01.

    exit

  3. Open a new browser and enter the URL https://<ip_address_of_instance>:9090 to open the Cockpit dashboard.

    The <ip_address_of_instance> is the public IP address of the ol-node-01 instance.

    The connection fails.

  4. Switch to the previous open terminal.

  5. Connect via SSH using the -L option to the ol-node-01 instance.

    ssh -fq -L 9090:localhost:9090 oracle@<ip_address> sleep 1800

    Where:

    • -L: specifies the local port 9090 on the client gets forwarded to the remote host and port 9090
    • -f: requests ssh to run in the background
    • -q: is quiet mode and suppresses most warning and diagnostic messages
    • sleep <n>: specifies a waiting period in seconds that the tunnel waits for a connection before the tunnel automatically closes

  6. Switch to the browser and enter the URL https://localhost:9090 to connect to the Cockpit service through the SSH tunnel.

    Note: Most browsers display a security risk warning when accessing a site using a self-signed certificate. Approve the security warning based on the browser used. For Chrome, click the Advanced button and then the Proceed to localhost (unsafe) link.

    The Cockpit login screen should appear for the ol-node-01 instance.

  7. Log in to Cockpit using oracle for the username and password.

    The Cockpit Overview page displays, and you can securely manage the instance using a browser, even though we did not expose the service on any public-facing network.

Next Steps

This tutorial shows how to create and use SSH tunnels with Oracle Linux. These tunnels also help users access these applications without opening additional ports on your Oracle Linux firewall. For further topics and training, see the Related Links section below.

SSR