Oracle Cloud Infrastructure Documentation
Try Free Tier

Remote Access Using SSH

Use SSH connections to securely access remote resources, networks, and applications.

Remotely Access Services and Networks Using SSH

SSH port forwarding, also known as SSH tunneling, securely transports data over an encrypted SSH connection between a local and a remote system. After an SSH tunnel is established, the SSH client listens on a specified local port and forwards any traffic arriving at that port through the connection to the corresponding remote port.

By encrypting data in transit, SSH port forwarding ensures that sensitive information is secure and inaccessible, allows for secure access to remote services and networks without direct exposure to the internet, and bypasses firewalls and network restrictions.

The three main types of SSH port forwarding are:

You can use port forwarding to access a service that's not exposed to the public network interface. You might set up a local port forward to access a service (such as a database) on a remote server. The database on the server isn't exposed to the public network interface, but you could create a tunnel from a local machine to the internal database server port. You can then connect to localhost and all traffic would get forwarded across the SSH tunnel to the remote database.

You can use reverse port forwarding to give someone outside the local network access to an internal service. For example, you might want to show a fellow developer a web application that you have developed on the local machine. Because the machine doesn't have a public IP, the other developer can't access the application over the internet. However, if you have access to a remote SSH server, you can set up reverse port forwarding to provide the developer access.

Configure Port Forwarding on Server

To configure SSH port forwarding, edit the /etc/ssh/sshd_config file on the server. At a minimum verify the following parameters:

  • AllowTCPForwarding

    Allows TCP port forwarding. When omitted, the default is yes which enables single TCP port forwards and SOCKS proxying

  • AllowStreamLocalForwarding

    Allows forwarding of UNIX domain sockets. When omitted, the default is yes.

Local Port Forwarding

Local port forwarding over SSH maps a local port on the client system to a remote port on the server system. This configuration enables you to access services on the remote system that are otherwise inaccessible because the services might be running behind a firewall or might not be listening on a public network interface.

To create a direct TCP forward tunnel, use the ssh -L option:

ssh -L <bind_address>:<port>:<destination>:<destination_port> <user>@<remote_ssh_server>
  • bind_address

    Optional and assigns a local interface to listen for connections. If omitted, ssh only binds on the loopback interfaces. To bind on all interfaces, you can use “0.0.0.0” or “::”.

  • port

    The local port number. You can use any port number greater than 1024.

  • destination

    The IP or hostname of the destination machine. If the destination is on the remote server itself, you can use localhost.

  • destination_port

    Port on the destination machine.

  • user@remote_ssh_server

    The remote SSH user and server IP address.

For example:

ssh -L <8080>:localhost:<8888> <user>@<129.145.0.164>

This would open an SSH connection to the remote server at 192.168.1.20 and open a tunnel to the localhost port 8888.

Dynamic Port Forwarding

Use dynamic port forwarding to have the SSH client listen on a specified binding port and act as a SOCKS proxy server. You don't need to specify a destination host as all incoming connections on the specified port forward through the tunnel to a dynamic port on the destination machine.

To create a dynamic port forward, use the ssh -D option.

ssh -D <bind_address>:<port> <user>@<remote_ssh_server>

Reverse Port Forwarding

A reverse tunnel forwards any connection received on the remote SSH server to the local client network.

To create a reverse port forward, use the ssh -R option.

  • For local port reverse forwarding:
    ssh -R <bind_address>:<port>:<destination>:<destination_port> <user>@<remote_ssh_server>
  • For dynamic port reverse forwarding:
    ssh -R <bind_address>:<port> <user>@<remote_ssh_server>

Remotely Access X11-based Applications Using SSH

X11 forwarding lets you use an SSH connection to launch a graphical X11-based application on a remote Oracle Linux system and use it from a local system. The remote system doesn't need to have an X11 server or graphical desktop environment running, but the local system must have an X11-compatible service running.

Enable X11 forwarding on the remote server

  1. Enable X11Forwarding in the /etc/ssh/sshd_config file.

    If X11Forwarding is omitted from /etc/ssh/sshd_config, the default is no. To enable X11 forwarding, add an entry that sets the value for this parameter to yes.

    X11Forwarding yes
  2. Install the X11 packages:
    dnf install xorg-x11-xauth xorg-x11-fonts-\* xorg-x11-utils dbus-x11
    If you have never run a graphical application on the remote server, the first time that you connect to the remote server using X11 forwarding, a warning message is displayed: 
    /usr/bin/xauth: file /home/user/.Xauthority does not exist

    You can ignore this warning as the .Xauthority file is automatically created.

  3. Restart the sshd service for the change to take effect:
    sudo systemctl restart sshd.service

Launch an application remotely using X11 forwarding

  1. Log into the remote server using SSH:
    ssh -X <user>@<server1.example.com>

The authenticity of host 'remote-server (192.168.122.120)' can't be established.
ECDSA key fingerprint is SHA256:uYwFlgtP/2YABMHKv5BtN7nHK9SHRL4hdYxAPJVK/kY.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
  2. Enter yes.
    Warning: Permanently added 'remote-server' (ECDSA) to the list of known hosts.
  3. Launch a graphical application on the remote server which displays on your local system. For example, to run a graphical text editor like gedit, enter:
    gedit &
    Adding the & (ampersand) at the end runs the application in the background, freeing up the terminal for other commands.

Was this article helpful?