see here for what this is all about.

in windows (if you don't have some unixy toolkit), get putty and you can use plink with the same syntax. putty itself (the gui) is probably easier unless you're scripting.

cheat sheet

remote text app

ssh -t games.example.com nethack

remote X11

ssh -Y windlock.example.com firefox &

local port forward

home:~$ ssh -L 5900:localhost:5900 -N -f example.com
home:~$ ssh -L 5901:192.168.0.101:5900 -N -f gate.example.com

remote port forward

work:~$ ssh -R 2022:localhost:22 -N -f home.null
work:~$ ssh -R 8080:docs.internal.work.com:80 -N -f home.null

dynamic port forward (socks5 proxy)

laptop:~$ ssh -D 1080 -N -f desktop.home.null

explanations

remote text app

ssh normally runs your shell on the other end, but you can put any app after the ssh command to run that instead. -t forces pseudo tty allocation, meaning it can act like a "smart" terminal (like vt102) for fancy text apps (like with ncurses). you don't need the -t if you only want some output on standard out.

this is good for top, text editors, email clients (elm, pine, mutt etc) and so on. it's usually easier to just ssh in and run them from the shell, but this can be paired with keys that are tied to a given command (the command= option in authorized_keys).

remote X11 app

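same as above, but for GUI apps. -Y means trusted X11. -X was just for X11 but with security extensions that don't really work with most apps. trusted means the remote app is not restricted by those extensions and gets full access to your local display, so only use -Y with hosts you trust.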

local port forward

forward a local port (on localhost) to some port on the remote host over ssh. only good for tcp, but that tcp stream will be encrypted between your machine and the ssh server.

-N means don't run a remote command (so leave it out if you also want a shell) and -f just makes ssh run in the background (after whatever you do to convince the server to let you in) so you get your shell back and don't have to worry about it.


ssh -L 8080:localhost:80 -N -f gate.example.com
        ^      ^      ^
        |      |      |
        |      |       -- and to this port on that host
        |      |     
        |       -- goes to this host (from the destination's perspective)
        |
         -- starts at this port on localhost

so port 8080 on your machine goes to gate.example.com, and from there to localhost, which to gate.example.com is itself. so it's really a tunnel from the local port 8080 to port 80 on gate.example.com.

to use this tunnel (assuming it's a web server on port 80 you want to encrypt your connection to) you would use http://localhost:8080/ in your browser to see what's on http://gate.example.com:80/ (or, since 80 is the default, what's on http://gate.example.com/).

if there's some other web server behind gate.example.com you want to reach, just change the destination of the tunnel (not of the ssh connection).


ssh -L 8080:internalweb:80 -N -f gate.example.com

here's a way to vnc to your workstation and your laptop at work.


ssh -L 5900:myworkstation:5900 -N -f gate.example.com
vncviewer localhost:0
ssh -L 5901:mylaptop:5900 -N -f gate.example.com
vncviewer localhost:1

vnc uses host:display for multiple sessions. the port is 5900 + display, which defaults to 0, so the default port is 5900. both the workstation and laptop would have the vnc server running on 5900, so to get to your laptop while you have another window on the workstation, you forward your 5901 to the laptop's 5900, and vnc sees this as display :1.

remote port forward

port forward from remote to local. just like -L except in reverse. think of this as if someone did -L from the other side. great to help someone else behind a firewall that they can't control (college, work etc). the classic example: your work doesn't have a path for ssh to get into your box remotely, and your home has a port forwarded by your own firewall.


work:~$ ssh -R 2022:localhost:22 home
home:~$ ssh localhost -p 2022

and, since you'll want to see your work's internal web server,


work:~$ ssh -R 8080:internalweb:80 home
home:~$ lynx http://localhost:8080/
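
an added example (not from the original page): a small shell function that reads a -L or -R spec the way the diagram above does, and says which end listens, which end makes the final connection, and whether the listener is loopback-only or reachable from the network. explain_forward is a made-up name, it assumes ssh binds to localhost when no bind address is given (the default with GatewayPorts off), and it doesn't handle ipv6 literals.

```shell
#!/bin/sh
# added example, not from the original page: decode an ssh -L / -R spec
# of the form [bind_address:]port:host:hostport (ipv6 literals not handled)

explain_forward() {
    mode=$1 spec=$2
    old_ifs=$IFS; IFS=:; set -f        # split on ':' and keep a '*' bind literal
    set -- $spec
    set +f; IFS=$old_ifs
    case $# in
        3) bind=localhost; port=$1; host=$2; hostport=$3 ;;  # assumed default: GatewayPorts off
        4) bind=${1:-"*"}; port=$2; host=$3; hostport=$4 ;;  # empty bind means all interfaces
        *) echo "bad spec: $spec" >&2; return 1 ;;
    esac
    for p in "$port" "$hostport"; do
        case $p in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    [ -n "$host" ] || { echo "bad spec: $spec" >&2; return 1; }
    case $mode in
        L) listener=client; dialer=server ;;   # -L: you listen, the ssh server dials host:hostport
        R) listener=server; dialer=client ;;   # -R: the ssh server listens, your side dials
        *) echo "mode must be L or R" >&2; return 1 ;;
    esac
    case $bind in
        localhost|127.*) exposure=loopback ;;
        *) exposure=network ;;                 # anyone who can reach the listener can use the tunnel
    esac
    echo "listen=$listener:$bind:$port connect_from=$dialer target=$host:$hostport exposure=$exposure"
}

# the specs from the cheat sheet, plus one constructed wildcard bind
explain_forward L 8080:localhost:80
explain_forward L 5901:192.168.0.101:5900
explain_forward R 2022:localhost:22
explain_forward L '*:8080:internalweb:80'
```

the last line shows what to watch for: a wildcard or non-loopback bind address turns your private tunnel into a port other machines can connect to.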

dynamic port forwarding

dynamic port forwarding acts as a socks5 proxy, great for encrypting lots of different traffic at once, but the apps themselves need to be socks aware. use localhost as the proxy. note that DNS uses udp which is not covered by socks5 so if you're doing this to hide where you're going, the dns requests will probably give it away. if you want to hide where you're going, set up an http proxy somewhere and use a local forward or use tor.

this is still good to make those wifi networks not so easily sniffable, so others at the coffee shop won't spy on your aim conversations, and an easy way to get out from restrictive firewalls.

full tunneling

beginning with openssh 4.3 you can make a full tunnel (layer 2) with tun/tap support (aka probably the easiest vpn to set up). the flag is -w. have fun.

other stuff