-D option to the ssh client command.
-D [bind_address:]port
Specifies a local “dynamic” application-level port forwarding.
This works by allocating a socket to listen to port on the local
side, optionally bound to the specified bind_address. Whenever a
connection is made to this port, the connection is forwarded over
the secure channel, and the application protocol is then used to
determine where to connect to from the remote machine. Currently
the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
as a SOCKS server. Only root can forward privileged ports.
Dynamic port forwardings can also be specified in the configura-
tion file.
IPv6 addresses can be specified by enclosing the address in
square brackets. Only the superuser can forward privileged
ports. By default, the local port is bound in accordance with
the GatewayPorts setting. However, an explicit bind_address may
be used to bind the connection to a specific address. The
bind_address of “localhost” indicates that the listening port be
bound for local use only, while an empty address or ‘*’ indicates
that the port should be available from all interfaces.E.g., if I wished to create a SOCKS proxy server at the SSH server end from an SSH client using the registered port commonly used as the listening port for a SOCKS proxy, i.e., TCP port 1080, I could use the command below, assuming that I have a jdoe account on the SSH server at example.com.
$ ssh -D 1080 jdoe@example.com
I could then configure browsers on the system where I issued the SSH command to connect to example.com to use a SOCKS proxy on the localhost address, 127.0.0.1. You don't need to install any SOCKS proxy software on the remote server end; the SSH client command causes the SSH server to create a SOCKS proxy server for use during the SSH session.
If I wanted to use some other port, rather than the standard port of 1080,
I could put that port number after the -D.
The command above will give me an interactive login session on the remote
SSH server. I.e., after I enter the password to log into the remote SSH server,
I will see a shell prompt. But suppose I only need to establish the
SSH connection for port forwarding or to set up the SOCKS proxy connection
and would rather not have an interactive login session. In the case where
I wish to use a SOCKS proxy, but have a noninteractive SSH connection, I
can also specify the -N option.
-N Do not execute a remote command. This is useful for just for-
warding ports (protocol version 2 only).E.g., I could use a command similar to the one below:
$ ssh -D 1080 -N jdoe@example.com Password:
After I supplied the password for the account at the password prompt, I would not see any other response from the remote system, which might lead you to believe that the connection wasn't established, but at this point you should be able to configure browsers to use the the SOCKS proxy connection successfully.
But, if you wished to be returned to the shell prompt on the client system,
i.e., the one from which you issued the command, then you can also include the
-f option.
-f Requests ssh to go to background just before command execution.
This is useful if ssh is going to ask for passwords or
passphrases, but the user wants it in the background. This
implies -n. The recommended way to start X11 programs at a
remote site is with something like ssh -f host xterm.
If the ExitOnForwardFailure configuration option is set to “yes”,
then a client started with -f will wait for all remote port for-
wards to be successfully established before placing itself in the
background.E.g., I could use a command similar to the one below:
$ ssh -D 1080 -fN jdoe@example.com Password: $
The -f and -N options can be separated or
combined. e.g. -fN. By including the -f option,
I can continue working at the shell prompt on the local system from which
I entered the command with the SSH connection that established the SOCKS
proxy connection continuing to run in the background.
You can see other options supported by the SSH command by viewing the ssh man page.