Re: What is The SSH?

From: Mr. Smith (backup_at_yahoo.com)
Date: 03/17/05


Date: Thu, 17 Mar 2005 09:38:42 -0500

Building and Using SSH Tunnels
@ HOW-TO -> Networking Oct 09 2004, 00:07 (UTC+0)
mirrorshades writes:

Overview
What is an SSH tunnel?
An SSH tunnel is a secure pathway (TCP connection) between two nodes on a
network. All network traffic sent through the tunnel is encrypted between
those two nodes -- any packets intercepted along the way are unintelligible
to anyone who does not possess the appropriate key for decryption.
Practically speaking, an SSH tunnel takes all traffic sent to a designated
TCP port on your computer (one end of the tunnel), encrypts it, and sends it
to the remote computer (the other end of the tunnel). The remote computer
then decrypts the traffic and forwards it, in the clear again, to a
specified host and port, either itself or another machine.
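To make the mechanics concrete, here is a loopback forwarder in Python that does the same relaying as the two ends of an `ssh -L` tunnel, with the SSH hop between them left out. It is an added example, not code from the article: the echo service that stands in for the target is constructed for the demo, and the ports are chosen at run time.

```python
"""Loopback TCP forwarder showing what `ssh -L` does, minus the encryption.

Added example, not code from the original article. One process plays the
CLIENT end (listen on myport, bound to 127.0.0.1 only) and the SERVER end
(connect to target:target_port and relay bytes both ways). The echo service
standing in for the TARGET is constructed for the demo; a real tunnel carries
the bytes between client and server inside SSH.
"""
import socket
import threading

LOOPBACK = "127.0.0.1"


def _pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_echo_target(host=LOOPBACK):
    """Constructed TARGET service on an ephemeral port: echoes what it receives.
    Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_forwarder(myport, target_address, target_port, bind_address=LOOPBACK):
    """The tunnel endpoint: listen on bind_address:myport, relay to the target.

    Equivalent to `ssh -L myport:target_address:target_port server` with the
    SSH hop removed. bind_address stays loopback by default, as in OpenSSH; a
    0.0.0.0 bind (the effect of -g) would let other hosts use the tunnel.
    myport=0 picks a free port. Returns (listening socket, port).
    """
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lst.bind((bind_address, myport))
    lst.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = lst.accept()
            except OSError:
                return  # tunnel torn down
            try:
                # The SERVER side of a real tunnel makes this connect in the
                # clear, which is why server-to-target traffic is exposed.
                upstream = socket.create_connection((target_address, target_port), timeout=5)
                upstream.settimeout(None)
            except OSError:
                client.close()  # ssh reports "connect failed" and drops the client
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lst, lst.getsockname()[1]


def send_through_tunnel(myport, payload):
    """What the application does: talk to localhost:myport, never to the target."""
    with socket.create_connection((LOOPBACK, myport), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        received = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                return received
            received += chunk


if __name__ == "__main__":
    target, target_port = start_echo_target()
    tunnel, myport = start_forwarder(0, LOOPBACK, target_port)
    print(f"tunnel listening on {LOOPBACK}:{myport} -> {LOOPBACK}:{target_port}")
    print(send_through_tunnel(myport, b"RFB 003.008\n"))  # VNC-style greeting, echoed back
    tunnel.close()
    target.close()
```

The application never learns the target's address; it only sees localhost:myport. Note that the forwarder's listening socket is bound to 127.0.0.1 and that the relay to the target is an ordinary cleartext TCP connection, the two points the rest of this article keeps coming back to.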

Why do I need an SSH tunnel?
The answer to this is largely up to you. Here are some examples of how an
SSH tunnel can be put to good use:

* You are on one side of a restrictive firewall or router that does not
allow network connections of the type you need. If SSH is allowed through
the router, you can use a tunnel to get through the router and use the
network service on the other side.
* You wish to send information using protocols such as SMTP or Telnet, which
pass data (including usernames and passwords) over the network in plain
text.
* You believe that Big Brother / the FBI / Interpol / Echelon / the Bavarian
Illuminati are snooping on your network traffic, and you want to stymie
their attempts and laugh in the face of The Man.

What do I need to get started?
This article assumes that you have a basic understanding of what SSH is, and
how to use it to make a connection to a server. If you would like some
practice with SSH, there are several free shell account providers that allow
the use of SSH to connect.
You will need a working SSH client and server installation to build and test
your tunnel. There are links provided at the end of the article to sites
that offer SSH information and downloads if you do not already have client
and/or server programs.

Client? Server? Do they mean the same thing as always?
If you have a casual knowledge of the mechanics of networking, you will
likely understand these terms. For clarification, here are some definitions
that will be used throughout this article:
Client: The client computer is the one that you will be making the SSH
connection and tunnel FROM. Typically, this would be your workstation or
home computer.
Server: The server is the computer that you will be making the SSH
connection and tunnel TO. This could be a computer inside a private network,
or a shell account server on the Internet.
Target: The target is the computer that is designated as the final recipient
of network traffic sent through the tunnel. It may be the same computer as
the server, though it does not have to be.
For learning purposes, you can use the same computer as the client, server,
and target -- the connections will work the same way as they would if they
were different computers.

Procedure
Follow these steps to build and test your tunnel. These steps assume you
are seated in front of the client computer:

1. Make a normal SSH connection to the server first, to verify that
everything is working as it should be.

2. If the server and the target are not the same computer, verify that the
server can access the appropriate port on the target.

3. Configure your SSH client software to enable forwarding -- this is the
key step in building the tunnel. For this, you will need to specify three
pieces of information:

   1. The TCP port on the client computer that will be used as the first
   endpoint of the tunnel. When forwarding is enabled, SSH listens on this
   port for traffic.
   2. The hostname or IP address of the target computer (the final
   destination for traffic sent through the tunnel). This is resolved by
   the server, not by the client; if the server and the target are the same
   computer, you can use 'localhost' or '127.0.0.1'.
   3. The port on the target computer that will receive the traffic passed
   through the tunnel from the client computer to the server.

Client configuration varies depending on the software you are using. PuTTY
is an excellent SSH/Telnet client for Windows -- if you are using PuTTY, you
can set up port forwarding by going to Connection -> SSH -> Tunnels and
entering the local port, remote host, and remote port in the "Port
Forwarding" section. If you are using a command-line SSH client, you can
specify it like this:

$ ssh -L myport:target_address:target_port server

...filling in server, myport, target_address, and target_port
appropriately. (On Unix-like systems you do not need root for this unless
myport is below 1024. Add -N if you want the forwarding without a remote
shell; the ssh process still has to keep running.)

4. Once this initial SSH connection from client to server has been made,
verify that myport is listening on the client computer. Use the netstat
command, and look for ports with the status of LISTEN or LISTENING. If you
see your port in that list, your tunnel is up and running.

5. Configure the application that you will be using to send data through
the tunnel; you will need to make sure that any 'server name' or 'server
address' fields read 'localhost', and that the port information matches
what you specified as myport. For example, if you are using a tunnel to
send email using SMTP, you would want your SMTP server field to read
'localhost' (or 127.0.0.1), and the port to read myport.

6. That's it! You should now be able to use your SSH tunnel. Note that you
must leave your SSH session logged on for as long as you use the tunnel --
close the session when you are done, and the tunnel will be closed as well.

Example
Let's look at the following situation, and go step-by-step through
configuring the SSH tunnel: you are a system administrator for Initech, and
need to set up your home computer to be able to remotely control the
company's domain server (using VNC) when you are out of the office. The
Security Officer does not allow anything into or out of the gateway router
that is insecure -- thus, opening any ports for VNC is not an option. Using
SSH, you can build a tunnel that will pass the VNC connection data between
the domain server and your home computer.

Step 1: Request that the gateway router (route1.example.com) allow incoming
SSH connections from the Internet. These connections should be routed or
forwarded to the computer in your office, depending on the network
configuration.

Step 2: Install VNC on the domain server (192.168.1.100), and run it as a
system service. I prefer the UltraVNC package, but if you are not in a 100%
Windows environment, you will need to use a VNC client/server package for
your particular setting. Make sure that you give VNC a password, and test
the connection to make sure it is running properly. The domain server is now
the TARGET computer, with VNC listening on port 5900.

Step 3: Install an SSH server program on the computer in your office at work
(192.168.1.139). Set it to run as a system service, and be sure to leave the
computer on overnight and on the weekends. This computer is now the SERVER
computer, with SSH listening on port 22.

Step 4: Install an SSH client program on your computer at home. If you have
configured the server to use host-based or public key authentication, be
sure to have your hostname correctly configured and/or a copy of the
private key on the computer. (For extra security, require either host-based
or public key authentication, and disable password authentication for SSH.
Consult the documentation for instructions.) Your home computer is now the
CLIENT computer.

Step 5: Verify you can make an SSH connection from your home computer to the
SSH server. The first connection will show you the server's host key
fingerprint; compare it with the fingerprint recorded on the server itself
before accepting it, because a wrong key accepted here would let whoever is
in the path decrypt everything the tunnel later carries. If the connection
works, you know the router is passing SSH traffic correctly.

Step 6: Build your SSH tunnel. Pick a port for your home computer to listen
on: VNC uses 5900 by default, so you can use 5900 if you like. However, if
you happen to be running a VNC server on your machine, port 5900 will
already be in use. I recommend just adding 1 to the default port number,
just in case. The tunnel information looks like this:

    myport: 5901
    target_address: 192.168.1.100
    target_port: 5900

Or from the command line:

$ ssh -L 5901:192.168.1.100:5900 route1.example.com

(Note: If your office computers have public IP addresses, you should be able
to connect directly to the computer in your office. Because this example
uses non-routable (private) addresses, you will need to use the router
itself as the hostname for the ssh connection, and the router will then
forward the connection on to your machine. If this confuses you, don't
worry -- just pretend that you have your office computer's IP address in the
SSH command instead.)

Step 7: If the SSH connection is made successfully, use the netstat command
to verify that your home computer is listening on port 5901. If so, you're
ready to roll.

Step 8: Run the VNC viewer program on your home computer. For the connection
information, you will need to provide this string: localhost:1 -- VNC
viewers take a display number, and display N is TCP port 5900+N, so this
tells the viewer to make a connection to 'localhost' (your computer) on port
5901 (the endpoint of the SSH tunnel). At this point, you will either be
prompted for the VNC connection password, or receive an error message if
there is a problem.

Step 9: Enter the password. Give it a minute or two, and you should see the
"Please Wait" message as VNC loads the remote desktop. Depending on your
connection speed, you may want to specify colors, compression, and other VNC
particulars that may help the app run faster over a slower connection.
(Note: UltraVNC will attempt to automatically detect the connection speed;
since the target is receiving the connection from the server, the speed it
measures will be that of the link between those two. If your home computer
has a slower connection to the server, you will need to set the lower speed
yourself.)

Step 10: You've done it! The VNC session you are running is sending its data
through the SSH tunnel. Remember to close the VNC connection before you
close the SSH tunnel -- otherwise, the VNC connection will not be signed off
correctly.
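The procedure above (steps 3 to 5) and the Initech example (steps 6 to 8) can be scripted. The Python helpers below are an added example, not part of the original article: they build the OpenSSH command line for the tunnel, refuse a myport that something on the client already owns, do the netstat LISTEN check by connecting to the port, and convert between VNC display numbers and ports so that localhost:1 and 5901 line up. The addresses and the host name are the article's example values; nothing here opens a real SSH connection.

```python
"""Planning and checking a local forward (procedure steps 3 to 5, Initech values).

Added example; not code from the original article. Builds the OpenSSH argv
for `-L`, checks the local port before and after the tunnel is opened, and
maps VNC display numbers to ports. 192.168.1.100 and route1.example.com are
the article's example values; no SSH connection is made here.
"""
import shlex
import socket

LOOPBACK = "127.0.0.1"
VNC_BASE_PORT = 5900


def vnc_display_to_port(display):
    """A VNC viewer string 'host:N' means TCP port 5900 + N; localhost:1 is 5901."""
    if display < 0:
        raise ValueError("display number must be >= 0")
    return VNC_BASE_PORT + display


def vnc_port_to_display(port):
    """Inverse of the above: the display number to type for a given local port."""
    if port < VNC_BASE_PORT:
        raise ValueError("not a VNC display port")
    return port - VNC_BASE_PORT


def local_forward_argv(myport, target_address, target_port, server,
                       bind_address=LOOPBACK, login=None):
    """argv for: ssh -N -L bind:myport:target_address:target_port [login@]server

    -N asks for forwarding only, no remote shell; the ssh process must still
    stay running for as long as the tunnel is in use. The bind address is
    written out explicitly: 127.0.0.1 (OpenSSH's default) keeps the listener
    private to this machine, whereas 0.0.0.0 (what -g gives you) would let any
    host that can reach the client use the tunnel under your SSH login.
    """
    for name, port in (("myport", myport), ("target_port", target_port)):
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"{name} out of range: {port}")
    destination = f"{login}@{server}" if login else server
    forward = f"{bind_address}:{myport}:{target_address}:{target_port}"
    return ["ssh", "-N", "-L", forward, destination]


def local_port_is_free(port, host=LOOPBACK):
    """Step 3 / Keep In Mind: a bind attempt fails if something already owns the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def local_port_is_listening(port, host=LOOPBACK):
    """Steps 4 and 7: the netstat LISTEN check, done by connecting to the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(1.0)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def occupy_local_port(host=LOOPBACK):
    """Constructed stand-in for 'something already running on the client'
    (say, a local VNC server on 5900). Returns (listening socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s, s.getsockname()[1]


def plan_tunnel(myport, target_address, target_port, server, login=None):
    """Return the shell command to run, after checking myport is not taken."""
    if not local_port_is_free(myport):
        raise RuntimeError(f"local port {myport} is already in use; pick another myport")
    return shlex.join(local_forward_argv(myport, target_address, target_port,
                                         server, login=login))


if __name__ == "__main__":
    # The Initech example: home -> route1 (forwarded to the office box) -> domain server VNC
    vnc_port = vnc_display_to_port(0)   # target_port 5900, VNC's default
    myport = vnc_display_to_port(1)     # 5901, one above the default
    print(plan_tunnel(myport, "192.168.1.100", vnc_port, "route1.example.com"))
    print("viewer string: localhost:%d" % vnc_port_to_display(myport))
```

Run `plan_tunnel` before opening the tunnel and `local_port_is_listening` after it; the two together replace eyeballing the netstat output. The argv form is what you would hand to subprocess if you wrap this in a script, and writing 127.0.0.1 into the -L argument makes the bind address visible in `ps` output rather than relying on the default.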

Keep In Mind...

* Anything you want to send through the tunnel must be sent to
localhost:myport. By default the SSH client binds that listening port to
the loopback address only, so other machines cannot reach it; if you
deliberately open it to all interfaces (PuTTY's "Local ports accept
connections from other hosts", or ssh -g), anyone who can reach your
computer can use the tunnel, and with it your SSH login. If you are not
sure how to redirect servers/ports in the application you are using, check
the documentation.

* Make sure the local port you specify for the tunnel does not conflict with
anything already running on the client computer. This is why I specified
port 5901 for the VNC connection, instead of the default 5900.

* Traffic is only encrypted between the CLIENT computer and the SERVER
computer. If the server and the target computer are not the same, the
forwarded traffic from the server to the target WILL NOT BE ENCRYPTED -- it
travels on the server's network as the application's own protocol (plain
VNC, plain SMTP, and so on), so keep the server and the target on a network
you trust. (See Figure 2.)

* If you have followed the above instructions and are still having
difficulty making an SSH connection, check the documentation for the
specific version of SSH you are running. There are small but important
differences in some of the configuration settings between Windows and Linux,
for example.

Resources
This is simply a list of links to specific software and information referred
to in the article:

* OpenSSH: A free SSH client/server package available for several different
operating systems. This is developed by the same crew who do OpenBSD.

* OpenSSH for Windows: This is the Windows port of the OpenSSH package.

* PuTTY: A Windows GUI-based SSH client. For Windows users, this is the best
freeware SSH client out there.

* VNC: Now called RealVNC, this site is a wealth of information for this
useful program.

* UltraVNC: This is a tweaked-out version of VNC that runs only on Windows
platforms. It has many useful additions not found in the standard VNC, such
as file transfer, realtime chat between host and client, and NT
Domain/Active Directory authentication.

* Freeshell.org: This is a very nice free shell provider that I have used
for a couple years now. Be aware that they run NetBSD, and don't consider
Linux to be a viable OS choice. However, YMMV.


