How to Use SSH Remote Port Forwarding to Set Up Secure Tunnels

(This is part two in a series of posts on ssh.)

SSH tunneling can be a bit mind-bending at first, but it's simple once you get used to it. Assume that you're trying to ssh between two sites that do not allow incoming ssh. Maybe your IT department at work is unenlightened and doesn't run an ssh gateway, and your ISP has brain-dead configuration rules that block incoming ssh or make it difficult.

What you need to get around this is a server "in the cloud" that permits ssh logins. This could be a hosting server that you pay for, or even a friend with an enlightened ISP who will give you a login account.

On your work PC, use ssh to log in to the "cloud" server. With the "-R" argument, you tell ssh to listen on a TCP port on the cloud server. Any connection coming in to that port will be forwarded back through the ssh connection to the TCP port you specify. For example, on mymachine.work.com, ssh -R 4022:localhost:22 me@cloud.example.com tells ssh to listen on cloud's port 4022. Incoming connections to that port on cloud are forwarded to port 22 (ssh) on mymachine (the "localhost" in that argument is resolved on mymachine, the end that ran ssh, not on cloud).

By default, ssh will only listen on port 4022 on cloud's localhost interface, so the forwarded port is not reachable from the rest of the Internet. To log in to work, you therefore first log in to cloud, and then use ssh -p 4022 myworklogin@localhost to log in to work.
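As an added example (not from the original post), here is a small POSIX shell helper that checks a -R forward spec and produces the tunnel command in a form that fails loudly when the server port is taken and notices a dead connection; the function names are my own, and the hosts are the post's examples.

```sh
#!/bin/sh
# Added example, not from the original post: builds the post's "ssh -R" command
# in a checked form. Function names are my own; hosts are the post's examples.

# parse_remote_forward SPEC -> prints "bind_addr port host hostport"
# SPEC is [bind_address:]port:host:hostport, exactly as ssh -R takes it.
# With no bind address ssh listens on the server's loopback only, which is the
# default the post describes and the one you normally want. (Bracketed IPv6
# bind addresses are not handled here.)
parse_remote_forward() {
    spec=$1
    colons=$(printf '%s' "$spec" | tr -cd ':' | wc -c | tr -d ' ')
    case $colons in
        2) bind=localhost; rest=$spec ;;
        3) bind=${spec%%:*}; rest=${spec#*:} ;;
        *) echo "bad forward spec: $spec" >&2; return 1 ;;
    esac
    port=${rest%%:*}; rest=${rest#*:}
    host=${rest%%:*}; hostport=${rest#*:}
    for p in "$port" "$hostport"; do
        case $p in
            ''|*[!0-9]*) echo "port not numeric: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    printf '%s %s %s %s\n' "$bind" "$port" "$host" "$hostport"
}

# build_tunnel_cmd SPEC USER@SERVER -> the command to run on the work PC.
#  -N                          no remote shell; the session only carries the tunnel
#  -o ExitOnForwardFailure=yes fail loudly if the server port is already taken,
#                              rather than leaving a session with no tunnel
#  -o ServerAlive*             notice a dead connection and exit, so a loop or
#                              supervisor can bring the tunnel back
build_tunnel_cmd() {
    parsed=$(parse_remote_forward "$1") || return 1
    set -- $parsed "$2"
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:%s:%s:%s %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# On the cloud server, "ss -ltn" (or "netstat -ltn") should then show port 4022
# bound to 127.0.0.1 only; if it shows 0.0.0.0 or *, the forward is exposed.
build_tunnel_cmd 4022:localhost:22 me@cloud.example.com
```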

We'll work around this limitation in the next post in this series.

Posted on 2009-12-01 by brian in ssh.