89

I used `ssh -L 10002:192.168.0.30:10002 192.168.1.135` to establish port forwarding but now I need to remove it.

How do I do this?

Regexident
user16654
  • We often realize the port is still being forwarded when we fire up a new ssh session running the same command again and get a `Warning: remote port forwarding failed for listen port` message. – GabLeRoux Jan 08 '16 at 22:38

5 Answers

88

If you are using Linux you can kill the process by:

ps aux | grep ssh

and then use

kill <id>

to kill the process.

If the kill command is not successful you can try

kill -9 <id>
Martin
zpon
  • 44
    No. No. No. Please, please, please do *not* use `kill -9` until after you've tried just `kill`. Many processes will have signal handlers which will clean up their use of resources, cleanly close connections and other pre-shutdown tasks. If you kill with -9, the process dies immediately without doing the cleanup. Killing without -9 *will* work most of the time. – Doug Harris Dec 23 '09 at 18:44
  • 29
    `kill -9` without reason is like using a shotgun to kill a mosquito. :) – Darren Hall Dec 23 '09 at 21:24
  • 4
    I usually do a one liner `pgrep ssh | xargs kill`. Don't use `-9` for nothing indeed – GabLeRoux Jan 08 '16 at 22:35
  • 4
    @GabLeRoux That assumes you only have a single `ssh` command, or that all the `ssh` commands you are running are fine to kill. This is hardly a good general assumption. – tripleee Apr 14 '16 at 09:11
  • I agree, knowing exactly what you're doing is way better :) When you use port forwarding at the same time, a good way to find out which pid it is is to run `netstat -peanut`, last column will be `PID/Program name`, `grep` the port you are looking for and you'll be way closer to the solution – GabLeRoux Apr 14 '16 at 12:44
  • @tripleee, but in what case a regular user that made a port tunnel, will have more ssh processes that might not be safe to kill? – Avamander Oct 23 '16 at 09:08
  • 3
    @Avamander I connect to multiple `ssh` instances on multiple remote servers all the time, some of them without my direct active involvement. For example, Emacs Tramp mode opens an `ssh` connection behind the scenes when I visit a remote buffer. Some people use userspace filesystems which do something similar. It's not at all uncommon. In fact, I would assume single user, single `ssh` instance to be a minority fringe use case. If it works for you, good for you, but it's not good general advice. – tripleee Oct 23 '16 at 09:16
  • To complement @GabLeRoux, it is better to use `pgrep -f 'the exact command that you want to kill' | xargs kill` – onlycparra Jun 14 '21 at 07:48
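
An added example, not from any of the posters above: the comments on this answer converge on identifying the one `ssh` process that owns the forwarded port and sending it a plain `kill` before anything stronger. The function names and the sample listing below are constructed for illustration, and `ss -Hltnp` (Linux, iproute2) is assumed to be available on the live system.

```shell
#!/bin/sh
# Added example: the function names and the sample listing are constructed.

# Constructed sample of `ss -Hltnp` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:10002 0.0.0.0:* users:(("ssh",pid=4242,fd=5))
LISTEN 0 128 [::1]:10002 [::]:* users:(("ssh",pid=4242,fd=4))
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("ssh",pid=5151,fd=5))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=900,fd=6))'

# Print the PID(s) of ssh processes listening on local port $1.
# Reads `ss -Hltnp` lines on stdin; listeners that are not ssh are ignored.
forward_pids() {
    awk -v port="$1" '
    {
        n = split($4, a, ":")              # $4 = local addr:port; last piece is the port
        if (a[n] != port) next
        if ($0 !~ /\(\("ssh",pid=[0-9]+/) next
        s = $0
        sub(/.*\(\("ssh",pid=/, "", s)     # drop everything up to the PID
        sub(/[^0-9].*/, "", s)             # drop everything after it
        if (!(s in seen)) { seen[s] = 1; print s }
    }'
}

# Send SIGTERM to PID $1 and wait up to $2 seconds (default 5) for it to exit.
# Returns 0 if it exited on SIGTERM, 1 if it could not be signalled,
# 2 if SIGKILL was needed after the grace period.
stop_gracefully() {
    pid=$1
    wait_s=${2:-5}
    kill -TERM "$pid" 2>/dev/null || return 1
    while [ "$wait_s" -gt 0 ]; do
        kill -0 "$pid" 2>/dev/null || return 0
        sleep 1
        wait_s=$((wait_s - 1))
    done
    kill -0 "$pid" 2>/dev/null || return 0
    kill -KILL "$pid" 2>/dev/null
    return 2
}

# Typical use on a live system:
#   for p in $(ss -Hltnp | forward_pids 10002); do stop_gracefully "$p"; done
```

Without root, `ss -p` only shows process details for your own processes, which is enough for a tunnel you started yourself.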
63

When using ssh multiplexing, killing the ssh process is often undesirable (it kills all open connections with that host), and you cannot easily access the escape because "escape not available to multiplexed sessions".

The right way is then to run the analogue of the forwarding command that you want to cancel, but adding `-O cancel`. For instance:

ssh -O cancel -L 10002:192.168.0.30:10002 192.168.1.135

This will disable this port forwarding without terminating the session.
Again, this will only work if ssh multiplexing is in use for the connection to 192.168.1.135.

yurenchen
a3nm
30

How to cancel a forwarded port in an already running SSH session:

  1. Press ~+C (tilde + capital C)
  2. Type -KL 10002 (or whatever port number)
  3. Press Enter

You should see this:

ssh> -KL 10002
Canceled forwarding.
cambunctious
  • Sorry for the necro, but I came across your answer when trying to do exactly this. I'm forwarding a port with `ssh -N -L 9200:[address]:443` but when I run `ssh -KL 9200` I get "Unknown port forwarding". I can't find anything about this in that context online, do you know if I'm making a stupid mistake? – Bipolarbear54 Jul 07 '22 at 14:15
  • 1
    Just in case, if the shortcut `~C` does not work, try launching `cat` on the remote shell and, while it's running, type the shortcut. Related: https://superuser.com/a/1192862/570332 (*SSH escape key ("~") only works when connection is stuck?*...) – Artfaith Apr 21 '23 at 14:56
18

You can enter an interactive console by typing ~C (capital "C"). This lets you dynamically add and remove port forwardings (among a few other things).

This sequence has to come right after a carriage return/newline. So in doubt, just type Enter~C (in sequence).

If you don't see the characters appear on the console, you're doing it right :)

You should now see an ssh> prompt.

To remove the port, simply enter -KL 10002 followed by Enter (where 10002 is your forwarded port).

The inverse - adding a new forward - can be done like this (from start to finish):

Enter~C

ssh> -L 10002:192.168.0.30:10002

Enter

exhuma
  • 2
    This is the right answer if you're _not_ multiplexing connections. If you are, you'll be bounced with `~C escape not available to multiplexed sessions`. If that's the case, see a3nm's excellent answer. – Alan De Smet Jul 16 '18 at 21:20
13

You could use the "escape-key" (usually ~) followed by C to get a cli to your connection. You can from there remove tunnels without taking down your connection.

Jimmy Hedman
  • 1
    I'd like to know the specifics of this. I know you can _add_ tunnels after you've SSH'd in, but have yet to find out how to take one down. – carestad Nov 24 '14 at 22:40
  • 11
    When you are in CLI mode you could do `help`. `-KL` is the opposite of `-L`, `-KR` is the opposite of `-R` and `-KD` is the opposite of `-D`. Doing "escape-key" (~) followed by # shows your tunnels. – Jimmy Hedman Nov 28 '14 at 11:02
  • 1
    @JimmyHedman you might want to edit your answer additionally to adding a comment. It makes everything more readable. And sometimes comments are hidden (in case there are too many). – exhuma Feb 19 '16 at 15:51