Home / server / Questions / 457295
Accepted
aef
Asked: 2012-12-12 19:13:52 +0800 CST

Removing port forwardings programmatically on a ControlMaster SSH session

  • 772

Quite a while ago I got an answer telling me how to add a port-forwarding on a running SSH ControlMaster process. To know that helps a lot, but I'm still missing a way to remove such a port forwarding after I don't need that anymore.

As far as I know, you can do that through the internal command key sequence on normal connections, this seems to be disabled for ControlMaster clients. Even if that would be possible I would need a solution which I can automatize with scripts, which is surely not so easy this way.

Is there a way to do it? And is it easily automatizable?

security

1 Answers

  1. Best Answer

    As my previous answer notes, the ssh man page explains the -O ctl_cmd in detail, where ctl_cmd is one of check, forward, cancel, or exit.

    -O ctl_cmd
        Control an active connection multiplexing master process.  When the -O option is
        specified, the ctl_cmd argument is interpreted and passed to the master process.
        Valid commands are: “check” (check that the master process is running), “forward”
        (request forwardings without command execution), “exit” (request the master to
        exit), and “stop” (request the master to stop accepting further multiplexing
        requests).

    You can use the ctl_cmd's to accomplish the automation you want for your scripts. You'll need to first create a ControlMaster socket with the -S like and ssh to the remotehost like this:

    ssh -v -M -S/tmp/controlmaster-remotehost remotehost

    and then from your local machine you can forward and cancel ports as you like. You can forward multiple ports with one command:

    ssh -O forward -S/tmp/controlmaster-remotehost -L5555:localhost:22 -L3333:localhost:22 remotehost

    and/or handle them one at a time:

    ssh -O cancel  -S/tmp/controlmaster-remotehost -L5555:localhost:22 remotehost
ssh -O cancel  -S/tmp/controlmaster-remotehost -L3333:localhost:22 remotehost

    I created a gist with a side-by-side session showing the ssh -O ctl_cmd in action; with port forward/cancel from localhost on the left side, and the output of ssh connected to remotehost on the right side:

    https://gist.github.com/raw/4265549/999d90b8f85190a41eed00e4d60d5d22da6c67b9/ssh-controlmaster-side-by-side.log

    These commands are only available as of OpenSSH 6.0:

     * ssh(1): support for cancelling local and remote port forwards via the
   multiplex socket. Use ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host"
   to request the cancellation of the specified forwardings
 * support cancellation of local/dynamic forwardings from ~C commandline

    If you have an earlier version you'll need to upgrade. If you're on Mac OS X you can install macports and then upgrade using: sudo port install openssh which will install it into /opt/local/bin.

    • 6