ssh-tunnelSSH tunneling, port forwarding, and remote access patterns. Use when setting up local/remote/dynamic port forwards, configuring jump hosts, managing SSH keys, multiplexing connections, transferring files with scp/rsync, or debugging SSH connection issues.
Install via ClawdBot CLI:
clawdbot install gitgoodordietrying/ssh-tunnelRequires:
SSH tunneling, port forwarding, and secure remote access. Covers local/remote/dynamic forwards, jump hosts, ProxyCommand, multiplexing, key management, and connection debugging.
# Forward local port 5432 to remote's localhost:5432
# Use case: access a remote PostgreSQL database as if it were local
ssh -L 5432:localhost:5432 user@remote-server
# Then connect locally:
psql -h localhost -p 5432 -U dbuser mydb
# Forward to a different host accessible from the remote
# Remote server can reach db.internal:5432, but you can't
ssh -L 5432:db.internal:5432 user@remote-server
# Forward multiple ports
ssh -L 5432:db.internal:5432 -L 6379:redis.internal:6379 user@remote-server
# Run in background (no shell)
ssh -fNL 5432:db.internal:5432 user@remote-server
# -f = background after auth
# -N = no remote command
# -L = local forward# Make your local port 3000 accessible on the remote server's port 8080
ssh -R 8080:localhost:3000 user@remote-server
# On the remote: curl http://localhost:8080 → hits your local :3000
# Expose to all interfaces on the remote (not just localhost)
# Requires GatewayPorts yes in remote sshd_config
ssh -R 0.0.0.0:8080:localhost:3000 user@remote-server
# Background mode
ssh -fNR 8080:localhost:3000 user@remote-server# Create a SOCKS5 proxy on local port 1080
ssh -D 1080 user@remote-server
# Route browser traffic through the tunnel
# Configure browser proxy: SOCKS5, localhost:1080
# Use with curl
curl --socks5-hostname localhost:1080 https://example.com
# Background mode
ssh -fND 1080 user@remote-server# Connect through a bastion host
ssh -J bastion-user@bastion.example.com target-user@internal-server
# Chain multiple jumps
ssh -J bastion1,bastion2 target-user@internal-server
# With port forward through bastion
ssh -J bastion-user@bastion -L 5432:db.internal:5432 target-user@app-server# Equivalent to ProxyJump but works on older OpenSSH
ssh -o ProxyCommand="ssh -W %h:%p bastion-user@bastion" target-user@internal-server# ~/.ssh/config
# Bastion host
Host bastion
HostName bastion.example.com
User bastion-user
IdentityFile ~/.ssh/bastion_key
# Internal servers (automatically use bastion)
Host app-server
HostName 10.0.1.50
User deploy
ProxyJump bastion
Host db-server
HostName 10.0.2.30
User admin
ProxyJump bastion
LocalForward 5432 localhost:5432
# Now just: ssh app-server
# Or: ssh db-server (auto-forwards port 5432)# ~/.ssh/config
# Global defaults
Host *
ServerAliveInterval 60
ServerAliveCountMax 3
AddKeysToAgent yes
IdentitiesOnly yes
# Named hosts
Host prod
HostName 203.0.113.50
User deploy
IdentityFile ~/.ssh/prod_ed25519
Port 2222
Host staging
HostName staging.example.com
User deploy
IdentityFile ~/.ssh/staging_ed25519
# Wildcard patterns
Host *.dev.example.com
User developer
IdentityFile ~/.ssh/dev_key
StrictHostKeyChecking no
UserKnownHostsFile /dev/null# ~/.ssh/config
Host *
ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h-%p
ControlPersist 600
# First connection opens socket, subsequent connections reuse it
# Much faster for repeated ssh/scp/rsync to same host# Create socket directory
mkdir -p ~/.ssh/sockets
# Manually manage control socket
ssh -O check prod # Check if connection is alive
ssh -O stop prod # Close the master connection
ssh -O exit prod # Close immediately# Ed25519 (recommended — fast, secure, short keys)
ssh-keygen -t ed25519 -C "user@machine" -f ~/.ssh/mykey_ed25519
# RSA 4096 (wider compatibility)
ssh-keygen -t rsa -b 4096 -C "user@machine" -f ~/.ssh/mykey_rsa
# Generate without passphrase (for automation only)
ssh-keygen -t ed25519 -N "" -f ~/.ssh/deploy_key# Copy public key to remote server
ssh-copy-id -i ~/.ssh/mykey_ed25519.pub user@remote-server
# Manual (if ssh-copy-id unavailable)
cat ~/.ssh/mykey_ed25519.pub | ssh user@remote-server "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"# Start agent (usually auto-started)
eval "$(ssh-agent -s)"
# Add key to agent
ssh-add ~/.ssh/mykey_ed25519
# Add with expiry (key removed after timeout)
ssh-add -t 3600 ~/.ssh/mykey_ed25519
# List loaded keys
ssh-add -l
# Remove all keys
ssh-add -D
# Agent forwarding (use your local keys on remote hosts)
ssh -A user@remote-server
# On remote: ssh git@github.com → uses your local key
# SECURITY: only forward to trusted hosts# SSH is strict about permissions. Fix common issues:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519 # Private key
chmod 644 ~/.ssh/id_ed25519.pub # Public key
chmod 600 ~/.ssh/config
chmod 600 ~/.ssh/authorized_keys# Copy file to remote
scp file.txt user@remote:/path/to/destination/
# Copy from remote
scp user@remote:/path/to/file.txt ./local/
# Copy directory recursively
scp -r ./local-dir user@remote:/path/to/
# Through jump host
scp -o ProxyJump=bastion file.txt user@internal:/path/
# With specific key and port
scp -i ~/.ssh/mykey -P 2222 file.txt user@remote:/path/# Sync directory (only changed files)
rsync -avz ./local-dir/ user@remote:/path/to/remote-dir/
# Dry run (preview changes)
rsync -avzn ./local-dir/ user@remote:/path/to/remote-dir/
# Delete files on remote that don't exist locally
rsync -avz --delete ./local-dir/ user@remote:/path/to/remote-dir/
# Exclude patterns
rsync -avz --exclude='node_modules' --exclude='.git' ./project/ user@remote:/deploy/
# With specific SSH options
rsync -avz -e "ssh -i ~/.ssh/deploy_key -p 2222" ./dist/ user@remote:/var/www/
# Resume interrupted transfer
rsync -avz --partial --progress large-file.tar.gz user@remote:/path/
# Through jump host
rsync -avz -e "ssh -J bastion" ./files/ user@internal:/path/# Increasing verbosity levels
ssh -v user@remote # Basic debug
ssh -vv user@remote # More detail
ssh -vvv user@remote # Maximum detail
# Common issues visible in verbose output:
# "Connection refused" → SSH server not running or wrong port
# "Connection timed out" → Firewall blocking, wrong IP
# "Permission denied (publickey)" → Key not accepted
# "Host key verification failed" → Server fingerprint changed# Check if SSH port is open
nc -zv remote-host 22
# or
ssh -o ConnectTimeout=5 -o BatchMode=yes user@remote echo ok
# Check which key the server accepts
ssh -o PreferredAuthentications=publickey -v user@remote 2>&1 | grep "Offering\|Accepted"
# Test config without connecting
ssh -G remote-host # Print effective config for this host# "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED"
# Server was reinstalled / IP reassigned
ssh-keygen -R remote-host # Remove old fingerprint
ssh user@remote-host # Accept new fingerprint
# "Too many authentication failures"
# SSH agent is offering too many keys
ssh -o IdentitiesOnly=yes -i ~/.ssh/specific_key user@remote
# "Connection closed by remote host"
# Often: MaxSessions or MaxStartups limit on server
# Or: fail2ban banned your IP
# Tunnel keeps dying
# Add keepalive in config or command line:
ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=5 user@remote
# Permission denied despite correct key
# Check remote: /var/log/auth.log or /var/log/secure
# Common: wrong permissions on ~/.ssh or authorized_keys# If SSH session hangs (frozen terminal):
# Type these characters in sequence:
~. # Disconnect
~? # Show escape commands
~# # List forwarded connections
~& # Background SSH (when waiting for tunnel to close)
# The ~ must be the first character on a new line (press Enter first)~/.ssh/config for everything. Named hosts with stored settings are faster and less error-prone than typing long commands.ControlMaster) makes repeated connections instant. Enable it globally.rsync is almost always better than scp for anything beyond a single file. It handles interruptions, only transfers changes, and supports compression.-A) is convenient but a security risk on untrusted servers. The remote host can use your agent to authenticate as you. Prefer ProxyJump instead.ServerAliveInterval 60 in config prevents most "broken pipe" disconnections.~/.ssh/config organized with comments. Future-you will appreciate it.~. escape sequence is the only way to kill a stuck SSH session without closing the terminal.Generated Mar 1, 2026
Developers working from home need to access a PostgreSQL database behind a corporate firewall. Using local port forwarding, they can securely tunnel database traffic through an SSH server, allowing them to connect as if the database were local. This ensures data security while enabling remote productivity without exposing the database directly to the internet.
A web developer creates a local application on port 3000 and needs to share it with a remote client for feedback. By setting up a remote port forward, the developer makes the local server accessible on the client's remote machine via a specific port. This eliminates the need for complex deployment or public hosting during development phases.
Employees traveling or working remotely require secure internet access to bypass network restrictions or protect sensitive data. By establishing a dynamic port forward, they create a SOCKS5 proxy that routes all browser traffic through a trusted corporate server. This provides encrypted browsing and access to internal resources without compromising security.
System administrators need to access internal servers located in private subnets, such as application or database servers, through a bastion host. Using ProxyJump or ProxyCommand in SSH configs, they can securely chain connections without exposing internal systems. This simplifies access management and enhances security in cloud or on-premise environments.
Organizations need to regularly back up files from local servers to remote storage using secure protocols like scp or rsync. By leveraging SSH key management and agent forwarding, automated scripts can transfer data without manual password entry. This ensures reliable, encrypted backups for compliance and disaster recovery purposes.
Offer a subscription-based service that provides managed SSH tunneling solutions for businesses needing secure remote access. This includes setup, monitoring, and support for port forwarding, jump hosts, and key management. Revenue is generated through monthly or annual fees based on the number of users or servers managed.
Provide consulting services to help organizations implement and optimize SSH tunneling configurations, such as setting up secure bastion hosts or debugging connection issues. Offer training workshops on advanced SSH usage, key management, and security best practices. Revenue comes from hourly consulting rates and fixed-price training packages.
Develop and sell plugins or integrations that embed SSH tunneling capabilities into popular IDEs, CI/CD platforms, or cloud management tools. This enables developers to seamlessly access remote resources without manual configuration. Revenue is generated through one-time purchases or subscription models for enterprise features.
💬 Integration Tip
Integrate SSH tunneling with existing infrastructure by automating configurations in version-controlled SSH config files and using tools like Ansible for deployment. Ensure security by regularly rotating keys and monitoring connection logs.
Automatically update Clawdbot and all installed skills once daily. Runs via cron, checks for updates, applies them, and messages the user with a summary of what changed.
Full desktop computer use for headless Linux servers. Xvfb + XFCE virtual desktop with xdotool automation. 17 actions (click, type, scroll, screenshot, drag,...
Essential Docker commands and workflows for container management, image operations, and debugging.
Tool discovery and shell one-liner reference for sysadmin, DevOps, and security tasks. AUTO-CONSULT this skill when the user is: troubleshooting network issues, debugging processes, analyzing logs, working with SSL/TLS, managing DNS, testing HTTP endpoints, auditing security, working with containers, writing shell scripts, or asks 'what tool should I use for X'. Source: github.com/trimstray/the-book-of-secret-knowledge
Deploy applications and manage projects with complete CLI reference. Commands for deployments, projects, domains, environment variables, and live documentation access.
Monitor topics of interest and proactively alert when important developments occur. Use when user wants automated monitoring of specific subjects (e.g., product releases, price changes, news topics, technology updates). Supports scheduled web searches, AI-powered importance scoring, smart alerts vs weekly digests, and memory-aware contextual summaries.