2018/01/03

Create a tunnel-only connection to an SSH server using graphical PuTTY on Windows

Sometimes you don't need a shell on a server, but you do need to connect to a service that is not exposed on the internet, for any number of reasons, from security to ease of use.

In this case, you can use a server which has a working ssh service as a bastion host and reach the service through an SSH tunnel.

In this way you create a connection between the client host and the service host through the ssh connection. The data is also encrypted with the ssh session key, so even if the service doesn't use an encrypted channel, your data is protected from eavesdropping between your client and the bastion host (the hop from the bastion to the service host is only as protected as the network it crosses).

This is standard ssh behaviour, but unfortunately it can be rather awkward to set up if your client machine runs Windows.

First, you need a moderately recent version of PuTTY; you can get it here: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html. Open it and you will get a configuration dialog.

  • In the first screen you are in the “Session” section, where you insert your bastion host name and ssh port (22 by default). You can define a session different from the default one; remember to save it after you have done all the configuration, otherwise your session will lose the settings you change after saving!
  • Then go to the Connection|Data section and insert the Auto-login username. This is convenient if you have a dedicated user for your tunnel connection, because it saves you from entering the username every time.
  • Then go to the Connection|SSH section and select “Don't start a shell or command at all” under Protocol options. Here, if you need it, you can also tick “Enable compression”, useful if your target service moves a lot of uncompressed streaming data, but it's totally optional and can hurt performance with some services.
  • Then configure the actual tunnel in Connection|SSH|Tunnels. The Source port is the port that will listen on your client's localhost interface, and which you contact to reach the final service. The Destination is a host:port pair that is resolved and connected from the bastion host, so if the bastion host and the service host are the same machine and the service is an http server, you can insert localhost:80 as destination. Otherwise insert the private ip address of the service host and the destination port. Press “Add” so the forwarding appears in the list.
NB: in the particular case of http, you must verify that the service host is not serving name-based Virtual Hosts (as httpd can), otherwise there could be problems because the service is contacted with the wrong host name. There are workarounds, for instance editing the client's hosts file.

  • Remember to save the session: even if you decided earlier to only use the Default Settings session, you have to go back to the Session section, select the session (or type a new name) and choose “Save”.
  • Then you can open the session (either by selecting it and clicking Open or by double-clicking it). PuTTY will ask you for the password (if you set an Auto-login username; otherwise it will ask for the user first) and then drop you to a black terminal with nothing more in it.
  • Finally, point your client (such as a web browser for http, a database client for a database, or a game) to localhost and the port you chose as source port.
If everything went well, you should have your service ready to use!
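The same tunnel-only session can be scripted with plink.exe, the command-line client that ships with PuTTY. The following is an added PowerShell example, not part of the original post: the bastion name, user, ports and virtual host name are assumed placeholders. Beyond the GUI steps above, it waits for the local listener to actually come up and refuses unknown host keys instead of accepting them silently.

```powershell
# Added example, not code from the original post: the tunnel-only session
# built with plink.exe (PuTTY's command-line client) so it can be scripted.
# All host names, the user and the ports below are assumed values.
$Bastion   = 'bastion.example.com'  # assumed bastion host name
$SshPort   = 22
$User      = 'tunneluser'           # assumed dedicated tunnel user
$LocalPort = 8080                   # "Source port" in the Tunnels panel
$Dest      = 'localhost:80'         # "Destination", resolved on the bastion
$VHost     = 'www.example.com'      # assumed virtual host name of the http service

# -N     : no shell or command, same as "Don't start a shell or command at all"
# -L     : local forward, <source port>:<destination host>:<destination port>
# -batch : never prompt; an unknown or changed host key makes plink abort
#          instead of being accepted blindly, so open the session once
#          interactively (or in PuTTY) to cache the key before scripting it.
$plinkArgs = @('-ssh', '-P', $SshPort, '-l', $User, '-N', '-batch',
               '-L', "${LocalPort}:${Dest}", $Bastion)

$tunnel = Start-Process -FilePath 'plink.exe' -ArgumentList $plinkArgs `
                        -NoNewWindow -PassThru

# Wait for the local listener instead of assuming it is up.
$ready = $false
foreach ($i in 1..10) {
    Start-Sleep -Seconds 1
    if ($tunnel.HasExited) {
        throw "plink exited early (bad credentials or uncached host key?)"
    }
    if (Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue) {
        $ready = $true
        break
    }
}
if (-not $ready) {
    Stop-Process -Id $tunnel.Id
    throw "no listener on localhost:$LocalPort after 10 s"
}

# Use the tunnel. For a name-based virtual host, sending the expected Host
# header is an alternative to editing the client's hosts file.
# (curl.exe ships with Windows 10 1803 and later.)
& curl.exe -sS -H "Host: $VHost" "http://localhost:$LocalPort/" | Select-Object -First 5

# Close the tunnel when done.
Stop-Process -Id $tunnel.Id
```

The -batch flag is what makes this safe to run unattended: on the first connection, or after the bastion's host key changes, plink stops with an error rather than caching a key nobody has checked, and the script reports it instead of hanging. The Host header trick only helps for http; for other protocols the hosts file workaround from the note above still applies.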

TODO: make screenshots of all Putty configurations.