ssh -L syntax question

ssh -L syntax question

by grandsatrap

What is the difference between ssh -L 2000:localhost:5900 frank@server.me.org and
ssh -L 2000:server.me.org:5900 frank@server.me.org ?

Re: ssh -L syntax question

by Coleman Kane

grandsatrap wrote:
> What is the difference between ssh -L 2000:localhost:5900 frank@...
>  
This one will forward local connections to port 2000, by connecting them
to 127.0.0.1:5900 from server.me.org
> and
> ssh -L 2000:server.me.org:5900 frank@... ?
>  
This one will forward local connections to port 2000, by connecting to
the IP address that "server.me.org" resolves to, at port 5900 from
server.me.org.

I am not sure, but I think that the lookup is done from server.me.org,
rather than your "local" machine. It will probably look in /etc/hosts
first, and then ask via DNS.

The distinction here is important, as 127.0.0.1 is (almost) always
assigned to the lo0 interface, whereas the IP returned from resolving
"server.me.org" will most likely be assigned to the same network
interface that you are connecting on. So, for instance, you could set
your VNC server to only listen for incoming connections on port
127.0.0.1, for a more "secure" approach using ssh in this fashion.
Otherwise, you have to make sure that your firewall blocks incoming on
port 5900.

--
Coleman

Re: ssh -L syntax question

by Frank S. Bernhardt

Well, for starters

> What is the difference between ssh -L 2000:localhost:5900 frank@...
> and
> ssh -L 2000:server.me.org:5900 frank@... ?

localhost is 127.0.0.1 and server.me.org is a different ip address.

I'm not sure what you're trying to figure out here.

Re: ssh -L syntax question

by Gerardo H. Fisanotti

It depends on how the host at server.me.org resolves the name
"server.me.org" and whether the service listening on port 5900 listens on
every interface or only on the loopback interface.
Basically, if the remote host can resolve "server.me.org" as one of its
own interfaces and the service on port 5900 listens on every interface,
there would be no difference among your two examples.

Best regards,


Gerardo H. Fisanotti
DvSHyS - Div. Soporte de Hardware y Software de Base
gfisanotti@...

grandsatrap wrote:

>
> What is the difference between ssh -L 2000:localhost:5900
> frank@...
> and
> ssh -L 2000:server.me.org:5900 frank@... ?


Re: ssh -L syntax question

by Greg Wooledge

On Thu, Mar 13, 2008 at 02:29:16PM -0700, grandsatrap wrote:
> What is the difference between ssh -L 2000:localhost:5900 frank@...
> and
> ssh -L 2000:server.me.org:5900 frank@... ?

In the first one, the sshd on server.me.org will make connections to
localhost:5900.  Assuming IPv4, this will make connections to 127.0.0.1
port 5900.

In the second one, the sshd on server.me.org makes connections to
server.me.org:5900.  If we suppose the IP address of server.me.org
is 192.168.1.5, this means sshd will make connections to 192.168.1.5
port 5900.

This matters if the service running on port 5900 is bound only to a
single interface (e.g. the loopback interface, 127.0.0.1) instead of
all interfaces.  If the service is only listening on loopback, then
the first one will reach it, but the second one will not.

It may also affect the source IP address seen by the service, which
could matter if you filter connections by source IP, or log the source
IPs, etc.
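The following is an added example, not part of this thread and not OpenSSH code: a small Python model of how the `host` field of `-L [bind_address:]port:host:hostport` is handled, covering both commands from the question and the two points raised above (Coleman's advice to bind VNC to 127.0.0.1, and Greg's note on reachability and the source address the service sees). The remote host's interfaces, hosts table and listening sockets are constructed sample data so it runs offline; the rules it encodes are the ones the replies describe: sshd on server.me.org resolves `host`, and a listener bound only to loopback is reached through `localhost` but not through the server's own name. The source-address rule is a simplification for a host connecting to itself.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class RemoteHost:
    """Constructed view of server.me.org as seen by its own sshd."""
    interfaces: dict      # interface name -> address, e.g. {'lo0': '127.0.0.1'}
    hosts_table: dict     # merged /etc/hosts entries and DNS answers, name -> address
    listeners: set        # (bind address, port); '0.0.0.0' means every interface

    def resolve(self, host):
        """Resolve the `host` field of -L the way sshd on this host would."""
        try:
            return str(ipaddress.ip_address(host))   # literal IP: no lookup at all
        except ValueError:
            return self.hosts_table[host]            # hosts file first, then DNS

    def accepts(self, addr, port):
        """True if some socket on this host would accept a connection to addr:port."""
        return ('0.0.0.0', port) in self.listeners or (addr, port) in self.listeners

    def source_address_for(self, dest):
        """Address the service sees when this host connects to `dest` itself.
        Simplified: loopback stays loopback, one of our own interface addresses
        is used as its own source, anything else leaves via the first
        non-loopback interface."""
        if ipaddress.ip_address(dest).is_loopback:
            return '127.0.0.1'
        if dest in self.interfaces.values():
            return dest
        return next(a for a in self.interfaces.values()
                    if not ipaddress.ip_address(a).is_loopback)


def parse_forward(spec):
    """Parse the -L argument: [bind_address:]port:host:hostport.
    Without bind_address, and with the default GatewayPorts setting, ssh binds
    the listening side to loopback."""
    parts = spec.split(':')
    if len(parts) == 3:
        bind = '127.0.0.1'
        port, host, hostport = parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f'bad -L spec: {spec!r}')
    return {'bind': bind, 'port': int(port), 'host': host, 'hostport': int(hostport)}


def trace_forward(spec, remote):
    """Describe what a connection to the local listener becomes on `remote`."""
    fwd = parse_forward(spec)
    dest = remote.resolve(fwd['host'])
    return {
        'local_listener': f"{fwd['bind']}:{fwd['port']}",
        'remote_target': f"{dest}:{fwd['hostport']}",
        'reachable': remote.accepts(dest, fwd['hostport']),
        'source_seen_by_service': remote.source_address_for(dest),
    }


# Constructed sample: VNC on server.me.org is bound to loopback only, as the
# thread recommends; sshd itself listens on every interface.
SERVER_LOOPBACK_VNC = RemoteHost(
    interfaces={'lo0': '127.0.0.1', 'eth0': '192.168.1.5'},
    hosts_table={'localhost': '127.0.0.1', 'server.me.org': '192.168.1.5'},
    listeners={('127.0.0.1', 5900), ('0.0.0.0', 22)},
)

# Same constructed host, but with VNC listening on every interface.
SERVER_OPEN_VNC = RemoteHost(
    interfaces=SERVER_LOOPBACK_VNC.interfaces,
    hosts_table=SERVER_LOOPBACK_VNC.hosts_table,
    listeners={('0.0.0.0', 5900), ('0.0.0.0', 22)},
)

if __name__ == '__main__':
    for remote, label in ((SERVER_LOOPBACK_VNC, 'VNC bound to 127.0.0.1'),
                          (SERVER_OPEN_VNC, 'VNC bound to 0.0.0.0')):
        print(f'--- {label}')
        for spec in ('2000:localhost:5900', '2000:server.me.org:5900'):
            print(f'-L {spec:26} -> {trace_forward(spec, remote)}')
```

Running it prints, for each of the two server configurations, where each `-L` spec ends up on the remote side, whether the connection would be accepted, and which source address the service would log. With VNC bound to loopback only the `localhost` form reaches it; with VNC on every interface both forms work but the service sees 127.0.0.1 in one case and 192.168.1.5 in the other, which is exactly what matters for source-IP filtering or log review.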