How to define a ssh tunnel using dynamic folder script

Hello,


I wrote a dynamic folder script to create SSH TerminalConnections. This works very well. But I need SSH tunnels for some of the connections. I read the RoyalJSON documentation but did not find properties regarding SSH tunnels.

Does anyone know how to define such ones?


Thanks in advance,

Helge


Best Answer

Hi Helge,


you can already do this by setting RoyalDocument properties directly. This is one level below rJSON and requires knowledge of our document format. See this article for more details.


In this specific case, you'd want to use the "SSHForwardedPorts" property.

Here's an example rJSON which configures a single SSH connection with two tunnels:


{ "Objects": [{
  "Type": "TerminalConnection",
  "TerminalConnectionType": "SSH",
  "Name": "Tunnel Test",
  "ComputerName": "localhost",
  "Properties": {
    "SSHForwardedPorts": "L1234=targethost:22,4R4321=anothertargethost:321"
  }
}]}


The format of the "SSHForwardedPorts" property is a comma separated list of tunnel configurations.


The first character of the tunnel configuration can be either "4" or "6" if you want to explicitly specify the IP protocol to use. You can also choose to omit it, like in the example's first tunnel configuration. In this case the IP protocol will be set to "Auto".


The next character specifies the forwarding mode, which can be either "L" (for Local), "R" (for Remote) or "D" (for Dynamic).


The next portion of the configuration is the source port.


For local and remote port forwardings, you then specify the target host and port using "=targethost:targetport".


Hope that helps!


cheers,

felix
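A validator for the "SSHForwardedPorts" format described in the answer above, added here as an example; it is not part of the original posts and not Royal's own code. It implements only the grammar the answer describes, so a dynamic folder script's output can be checked and its tunnels listed for review. Rejecting a target on "D" entries, rejecting targets that contain a colon, and all function names are assumptions.

```python
import json
import re

# Grammar as described in the answer: [4|6] (L|R|D) sourceport [=targethost:targetport]
_TUNNEL = re.compile(
    r"^(?P<ip>[46])?(?P<mode>[LRD])(?P<src>\d{1,5})"
    r"(?:=(?P<host>[^:=,\s]+):(?P<port>\d{1,5}))?$")
_IP = {"4": "IPv4", "6": "IPv6", None: "Auto"}
_MODES = {"L": "Local", "R": "Remote", "D": "Dynamic"}

def _port(text):
    value = int(text)
    if not 1 <= value <= 65535:
        raise ValueError(f"port out of range: {text}")
    return value

def parse_forwarded_ports(spec):
    """Parse an SSHForwardedPorts string; raise ValueError on a bad entry."""
    tunnels = []
    for entry in spec.split(","):
        m = _TUNNEL.match(entry.strip())
        if not m:
            raise ValueError(f"malformed tunnel configuration: {entry!r}")
        has_target = m["host"] is not None
        # Assumption: Local/Remote require a target, Dynamic takes none.
        if (m["mode"] == "D") == has_target:
            raise ValueError(f"unexpected or missing target: {entry!r}")
        tunnels.append({
            "ip_protocol": _IP[m["ip"]],
            "mode": _MODES[m["mode"]],
            "source_port": _port(m["src"]),
            "target_host": m["host"],
            "target_port": _port(m["port"]) if has_target else None,
        })
    return tunnels

def audit_rjson(document):
    """Return (connection name, tunnel) pairs for objects setting SSHForwardedPorts."""
    findings = []
    for obj in json.loads(document).get("Objects", []):
        spec = obj.get("Properties", {}).get("SSHForwardedPorts")
        if spec:
            findings += [(obj.get("Name"), t) for t in parse_forwarded_ports(spec)]
    return findings

# Sample input: the rJSON from the answer, condensed onto fewer lines.
SAMPLE = """{ "Objects": [{ "Type": "TerminalConnection", "TerminalConnectionType": "SSH",
  "Name": "Tunnel Test", "ComputerName": "localhost", "Properties": {
  "SSHForwardedPorts": "L1234=targethost:22,4R4321=anothertargethost:321" } }]}"""
```

Calling audit_rjson(SAMPLE) yields one entry per tunnel, which makes Remote and Dynamic forwards easy to pick out when reviewing generated connections.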


Hi Helge,


here's a short example which creates a Secure Gateway object and an SSH connection. The Secure Gateway is assigned to the connection.


{
  "Objects": [
    {
      "Name": "My Tunnel",
      "Type": "SecureGateway",
      "ComputerName": "10.0.0.1",
      "Username": "root",
      "Password": "pass123",
      "ID": "MyTunnel"
    },
    {
      "Name": "My Connection",
      "Type": "TerminalConnection",
      "TerminalConnectionType": "SSH",
      "ComputerName": "10.1.0.1",
      "Username": "user",
      "Password": "pass321",
      "SecureGatewayID": "MyTunnel"
    }
  ]
}


Hope that helps!


cheers,

felix

Hello Felix,


I think there is a misunderstanding. I don't want to create an SSH connection over a secure proxy but I want to configure a tunnel in an SSH connection.




Oh, yeah I guess I misunderstood that.


May I ask why you want to define an SSH tunnel manually? Do you need to use the tunnel outside of Royal TSX or do you intend to use something other than local port forwarding?

I ask because in most cases using a Secure Gateway object is the better and easier choice.


cheers,

felix

I have 2 use cases:

  1. Do a local port forwarding to access databases with pgAdmin and some other 3rd party tool. I don't think that this can be achieved with a SecureGateway object.
  2. Access some website through the ssh tunnel. This can be achieved with a SecureGateway and a WebConnection object. I tested this out but it does not work as expected. Here is my setup:

 

{
  "Objects": [
    {
      "Name": "My Tunnel",
      "Type": "SecureGateway",
      "ComputerName": "proprietary.company.ssh.gateway",
      "SecureGatewayCredentialID": "Cred01",
      "CustomField1": "hostname",
      "ID": "MyTunnel"
    },
    {
      "Name": "My Connection",
      "Type": "WebConnection",
      "URL": "http://localhost:8080/",
      "CustomField1": "hostname",
      "SecureGatewayUsage": "Always",
      "SecureGatewayID": "MyTunnel"
    }
  ]
}

And here is the credential specification (somewhat special, with username and key):

 

{
  "Username": "user@2nduser@$Target.CustomField1$",
  "KeyFileContent": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,6**********5\n\n**************************************\n-----END RSA PRIVATE KEY-----\n",
  "KeyFilePassphrase": "********"
}

But if I start the web connection it asks me for the credential of the SecureGateway and then I have to specify the username and password (which can be used instead of the private key but needs a hardware token). So this is not a feasible solution, but it would work with a simple local port forwarding on the TerminalConnection.


This is the reason why I'm searching for some way to configure it with RoyalJson ....

Today in the morning I saw the new TSX 5 Beta version and found the problem with the credentials was fixed. Really great work guys!


Now ... just waiting for the "tunnel" property ;o)


Hello Felix,


sorry for my late reply but I was busy the last weeks. Your solution works perfectly for me. I'm now using a combination of Secure Gateway and Web Sites for connecting to our application's administrative console and SSH tunnels for the databases. The one thing which would be nice to have is some standalone SSH tunnel management but I'm not sure how this can fit into the Royal TSX application concept.


Regards,

Helge

Hey Helge,


I'm glad my solution works for you!

Regarding standalone tunnels: This is something we've already been thinking of, but since we had only a couple of feature requests by users we haven't yet implemented something like this.

I'd suggest you create a new feature request in our ideas forum so that we can better track this idea and other users can chime in on the discussion.


cheers,

felix

