
SSH Tunneling HOW-TO

This information is now unsupported and unmaintained.

Or how to tunnel data securely through SSH

Introduction and Background

SSH is a program for logging into a remote machine over a secure, encrypted communications channel. It is intended as a replacement for the BSD r* suite of programs (rlogin, rsh, rcp, etc.) and can also serve as a secure replacement for the telnet program. In addition, SSH allows you to forward X11 connections and arbitrary TCP/IP ports over the secure communications channel.

Security Concerns of Plaintext Password Protocols

Many application protocols transmit passwords in the clear or in a cleartext-equivalent form. This means that if you use these protocols directly over the network, your passwords can easily be picked up by other users. You might as well have pasted your password in a public place for everyone to see.

Some protocols appear to provide encryption but actually only do encoding. For example, the HTTP web protocol provides a Basic Authorization scheme that appears to send your password in a mangled form. This is not encryption, it is only encoding. Encryption and encoding are not the same thing; the latter process is easily reversed, so encoded text is pretty much cleartext equivalent.

SSH Tunneling

In networking terminology, a tunnel is a network connection used to carry or encapsulate another connection. In this case, SSH tunneling means to set up an SSH connection between two computers and use this SSH connection to carry other application protocols. Even if the application protocols do not encrypt passwords, the passwords are protected because the application connections are encapsulated by SSH, which provides the encryption. The actual mechanics involve the port forwarding feature of SSH.

In port forwarding, you configure your SSH client to forward connections to a local port over the SSH connection, and then onward to a port on a remote server. You'll also reconfigure the application to connect to this local port instead of directly to the remote server.

Port Forwarding Example

(Example diagram) The diagram shows pictorially how news reader software, which does not support encryption, can still connect securely over an SSH tunnel to a remote news server. The user configures his SSH client to forward connections to port 119 on his own computer to the SSH server, and then onward to port 119 on the news server. The news reader software is configured to find the news server at localhost (or possibly using the loopback address 127.0.0.1). When the news reader starts and tries to access the news server on localhost, its traffic actually gets carried over the SSH tunnel to the remote news server. The traffic between the SSH client and SSH server, which might traverse an insecure WAN, is encrypted by the SSH connection. Traffic between the SSH server and the news server is not encrypted, but this may be less of a concern if they are part of a protected network.

What you need to know

To successfully set up port forwarding for any generic TCP service, there are a few things you need to know:

  1. The hostname or IP address of the SSH Server: Your SSH server will need to have a clear path to the actual server operating the service you want to access. Typically this means they should be on the same network without any firewall or router ACLs blocking traffic.

  2. The hostname or IP address of the server and port number of the remote service you want to access: The hostname or IP address should be obvious since you need to know it anyway even without SSH tunneling. The port number is also required even without SSH tunneling, but sometimes there are already defaults which are not known to SSH. If this is the case, you need to figure out the port number.

    Some common default port numbers: HTTP uses port 80, HTTPS uses port 443, MySQL uses port 3306.

  3. Decide on a port number to use on your local end: Often, you can just use the same port number as the above. You must tell your application to connect to "localhost", and optionally specify this port number if it is not a default that the application uses.

If you don't know the port number used by your remote service, you can try checking its documentation or protocol specification. Alternatively, if you are the administrator of the service, you can check your own configuration, or find out through OS-provided tools which ports the service is listening on.

Using OpenSSH

Here is an example using OpenSSH. OpenSSH is for UNIX-based operating systems. The command line for the above example would look like:

$ ssh -L 119:newshost.mydomain.com:119 sshhost.mydomain.com

The port forwarding setup is specified with the -L option. It takes 3 colon-separated parameters:

  1. the local port to listen to
  2. the remote server
  3. the port on the remote server to connect to

You can set up multiple port forwardings by specifying the -L option multiple times. Here is an example that forwards localhost:1110 to pop3host:110 and localhost:3306 to mysqlhost:3306 over an SSH connection to sshhost as user john:

$ ssh -L 1110:pop3host:110 -L 3306:mysqlhost:3306 john@sshhost
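As an added example (not part of the NOC page), the Python helper below parses -L specifications in the form shown above, validates the port numbers, rebuilds the ssh command line, and reports whether the listening port is confined to loopback. It goes beyond the page by also accepting OpenSSH's optional bind_address prefix ([bind_address:]port:host:hostport), and it assumes the sshd default of GatewayPorts=no whenever that prefix is omitted.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# OpenSSH's full form is [bind_address:]port:host:hostport.  The NOC page shows
# only the three-field form; the optional bind_address prefix is real OpenSSH
# syntax but goes beyond the page.  (Bracketed IPv6 hosts are not handled.)
_SPEC = re.compile(r"^(?:(?P<bind>[^:]*):)?(?P<lport>\d+):(?P<host>[^:]+):(?P<rport>\d+)$")


@dataclass(frozen=True)
class Forward:
    bind: Optional[str]   # None = bind_address omitted on the command line
    local_port: int
    host: str
    remote_port: int

    @property
    def loopback_only(self) -> bool:
        """True if the listening port is reachable only from this machine.
        Assumes GatewayPorts=no (sshd default) when bind is omitted; per ssh(1)
        an empty bind_address or '*' exposes the port on all interfaces."""
        if self.bind is None or self.bind == "localhost":
            return True
        if self.bind in ("", "*"):
            return False
        try:
            return ipaddress.ip_address(self.bind).is_loopback
        except ValueError:
            return False  # unresolved hostname: do not assume it is loopback

    def spec(self) -> str:
        prefix = "" if self.bind is None else f"{self.bind}:"
        return f"{prefix}{self.local_port}:{self.host}:{self.remote_port}"


def parse_forward(spec: str) -> Forward:
    """Parse one -L argument, rejecting malformed specs and bad port numbers."""
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"malformed -L spec: {spec!r}")
    lport, rport = int(m["lport"]), int(m["rport"])
    for port in (lport, rport):
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range in {spec!r}")
    return Forward(m["bind"], lport, m["host"], rport)


def build_ssh_command(ssh_host: str, specs: List[str], user: Optional[str] = None) -> List[str]:
    """Return argv for one ssh invocation carrying every forward in `specs`."""
    argv = ["ssh"]
    for fwd in map(parse_forward, specs):
        argv += ["-L", fwd.spec()]
    argv.append(f"{user}@{ssh_host}" if user else ssh_host)
    return argv
```

Checking loopback_only before starting a tunnel catches the case where a forward that should serve only your own applications is instead listening on every interface of your machine.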

Using SSH Secure Shell

This section shows you how to set up tunneling using the Secure Shell client from SSH Communications. This is for Windows users. The configuration is based on the port forwarding example above.

  1. Start the Secure Shell client.
  2. Click on Edit -> Settings.
  3. Under Profile Settings, click on Tunneling.
  4. Click Add.
  5. Type a descriptive name for the Display Name field.
  6. At the Listen Port field, type the port number on the local machine you want to use. This is the port that your applications need to be configured to connect to.
  7. Type the remote server name and port on the remote server in the Destination Host and Destination Port fields respectively.
  8. Click OK.
  9. Click OK.
  10. Select File -> Save Settings.

© Copyright 2001-2012 by National University of Singapore. All Rights Reserved.
Last modified on 6 Jul 2007 by School of Computing Network Team