# Open SSH Tunnel On Demand

## lieut_data

To access the newsgroups at my university, I launch a script that creates an SSH tunnel, forwarding the appropriate ports, after which I'm able to use Thunderbird to graphically interact with the NG.

Is there a means that I could have this tunnel created on-demand, when Thunderbird tries to connect either to the server directly, or to the local port (presumably triggering some script...)

----------

## Genone

Had the same issue in the past, I simply used a wrapper script that first created the tunnel, then launched my MUA. I could think of two ways to eventually implement it in the way you imagine:

a) some iptables magic with a userspace callback (no clue if that's really possible or how to do it though)

b) write a daemon that listens on the local port (permanently) and creates the tunnel on a connection attempt (quite a bit of work probably, though maybe xinetd could help a bit)

----------

## nubla

Hi lieut_data,

I have set up an ssh tunnel with cert-based authentication from my machine to a proxy on my Debian vserver. I had written a small init-script for this, which uses the ssh command:

```
ssh -f -N -L port-on-local:127.0.0.1:port-on-server user-on-remotebox@xxx.xxx.xxx.xxx
```

When I read your post, I tried to set up an on-demand solution, because it gives many more possibilities for usage. It works now, but I haven't tested it over a long time, so maybe the following mini-howto can be improved.

First set up the cert-based authentication, as the user who should connect to the remotebox (don't use root, for security reasons):

```
$ ssh-keygen -t dsa

$ ssh-copy-id -i ~/.ssh/id_dsa.pub user-on-remotebox@remotebox
```

Now ssh to your remotebox, install netcat on it, and change the file /home/user-on-remotebox/.ssh/authorized_keys from

```
ssh-dss blah...
```

to

```
command="netcat localhost [wished-port-on-remotebox]",no-port-forwarding ssh-dss blah...
```

Return to your local machine and add to /etc/services eg.:

```
# Local services

my-tunnel    63000/tcp
```

Then create the appropriate file under /etc/xinetd.d:

```
vim /etc/xinetd.d/my-tunnel
```

```
# default: on
# description: SSH on demand tunnel
service my-tunnel
{
     socket_type         = stream
     wait                = no
     user                = [your-local-cert-user]
     server              = /usr/bin/ssh
     server_args         = -q -T [user-on-remotebox]@[remotebox]
     disable             = no
     bind                = 127.0.0.1
     only_from           = 127.0.0.1
}
```

Replace the bracketed items with your data, and do an /etc/init.d/xinetd restart.

I had to use "only_from = 127.0.0.1", but I don't know why it does not work without it. Furthermore, the system seems to distinguish between 127.0.0.1 and localhost; I always use 127.0.0.1. So if you set everything up with localhost, use localhost:port to point to the tunnel, otherwise use 127.0.0.1:port.

I use the tunnel to "merge" the two loopback interfaces on one port. You want to reach a news-server from your remote machine, so you have to tune the above a bit for your needs. I used these two links and mixed them a bit:

http://kb.gnuher.de/various/HOWTO%20-%20SSH-Tunnel%20on%20demand.txt -> exactly your problem, but in German

http://www.debian-administration.org/articles/487 -> smtp example with 3 different ways.

Hope that helped you.

One problem still exists. I use the tunnel for surfing from untrusted networks, but the tunnel is started for every connection. Because there is a small delay when connecting via ssh to my vserver, there is always a small delay before loading a site. Is there a possibility to define something like a connection-lifetime in xinetd (5 or 10 minutes, for example)?

----------
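The security-relevant step in nubla's howto is the authorized_keys change on the remotebox: the forced netcat command plus no-port-forwarding means the key used by xinetd can only ever reach the one local port, even if the laptop holding the private key is lost. The script below is an added example (not from the thread or from any of the linked howtos) that audits an authorized_keys file for keys that are missing those restrictions and emits the locked-down form for a given target port. It assumes only POSIX sh and awk; the key material and file contents are constructed sample data, and the option names (command=, no-port-forwarding, no-X11-forwarding, no-agent-forwarding, no-pty, restrict) are standard OpenSSH authorized_keys options.

```shell
#!/bin/sh
# Added example (not from the thread): audit an authorized_keys file on the
# remote box for keys that are not locked down the way nubla's howto does it,
# and emit the locked-down form for a given target port.
# Assumes a POSIX sh with awk; key material and file contents are constructed.

KEY_TYPE_RE='^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp[0-9]+)$'

# restrict_key PORT  (reads key lines on stdin, writes restricted lines on stdout)
# Strips any options already present and prepends a forced netcat command plus
# the no-* options, so the key can only reach localhost:PORT on the remote box.
restrict_key() {
    awk -v port="$1" -v re="$KEY_TYPE_RE" '
        /^#/ || NF == 0 { print; next }
        {
            for (i = 1; i <= NF; i++) if ($i ~ re) break
            if (i > NF) { print; next }   # not a key line we understand: pass through
            out = "command=\"netcat localhost " port "\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"
            for (j = i; j <= NF; j++) out = out " " $j
            print out
        }'
}

# audit_keys FILE
# Prints one line per key that has no forced command, or that still allows
# port forwarding (neither no-port-forwarding nor restrict). Returns 1 if any
# such key was found, 0 if every key is locked down.
audit_keys() {
    awk -v re="$KEY_TYPE_RE" '
        /^#/ || NF == 0 { next }
        {
            for (i = 1; i <= NF; i++) if ($i ~ re) break
            if (i > NF) next
            opts = ""
            for (j = 1; j < i; j++) opts = opts " " $j      # everything before the key type
            comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
            if (opts !~ /command=/) { print "NO-FORCED-COMMAND " comment; bad++ }
            else if (opts !~ /no-port-forwarding|restrict/) { print "FORWARDING-ALLOWED " comment; bad++ }
        }
        END { if (bad + 0 > 0) exit 1; exit 0 }' "$1"
}

# Constructed sample standing in for /home/user-on-remotebox/.ssh/authorized_keys:
# one plain key, one key restricted as in the howto, one with a forced command
# but forwarding still allowed (the client could add -L and reach other ports).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample file
ssh-dss AAAAB3NzaC1kc3dummy== plain-key@laptop
command="netcat localhost 119",no-port-forwarding ssh-dss AAAAB3NzaC1kc3dummy== news-tunnel@laptop
command="netcat localhost 8080" ssh-rsa AAAAB3NzaC1yc2dummy== proxy-tunnel@laptop
EOF

audit_keys "$SAMPLE" || echo "some keys need restricting"
# Same file with every key pinned to the news port, then re-audited
restrict_key 119 < "$SAMPLE" > "$SAMPLE.fixed"
audit_keys "$SAMPLE.fixed" && echo "all keys restricted"
rm -f "$SAMPLE" "$SAMPLE.fixed"
```

Run it on the real file with `audit_keys ~/.ssh/authorized_keys` on the remotebox. The audit treats a forced command without no-port-forwarding as a finding because the client side of the xinetd setup runs plain `ssh -q -T`, so nothing legitimate needs forwarding through that key, and leaving it enabled lets whoever holds the key request arbitrary -L forwards despite the forced command. On OpenSSH 7.2 or newer the single `restrict` option switches off forwarding, pty, agent and X11 at once and is accepted by the audit as equivalent.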

