SSH Tunnels How-to?
The_Spider asks: "I periodically browse the net and check web-mail at work, when I have the opportunity. I was wondering if anyone had a nice walkthrough on how to set up an SSH tunnel. I'm not 100% newbish to Linux but I don't know where to start. (I have a Fedora Core box at home for NAT & DHCP) I'm hoping to combine this for use with portable Firefox. I'm not too worried about security, but I love the notion of taking a portable and encrypted browser with me from place to place. Can Slashdot help?" While this might be a bit FAQ, I figure Slashdot anecdotes on the use of SSH tunnels might be a bit more user-friendly than say, the several task-specific HOWTOs one can find via a Google search. Also, I'm sure that there are a few of you out there who have discovered interesting ways of using SSH tunnels, not covered by said HOWTOs. So, how are you using SSH tunnels, and can you explain them to those who have not yet discovered the value of their use?
PuTTY (Score:2)
Java VNC over SSH (Score:3, Interesting)
Java VNC over SSH [blogspot.com]
Just what you are looking for... (Score:5, Informative)
Enjoy http://www.linuxlogin.com/linux/admin/sshtunnels.
Reading between the lines... (Score:2, Interesting)
I think we can all collectively say: Spider, go RTFM.
(Yes, the man page for ssh covers this in detail.)
-= End of thread =-
Re:Reading between the lines... (Score:2)
Try the HowTo... (Score:4, Informative)
It's nice and short, but covers the basics.
Gotta love SSH tunneling (Score:5, Interesting)
I use an SSH tunnel to forward port 8080 on my desktop machine here at work to port 8080 on my Unix workstation at home that's running an HTTP proxy. I set my Firefox/Mozilla at work to use localhost as its proxy, and I now happily bypass any and all logging and/or site restrictions on my work browsing habits.
I also remote-forward a pseudo-random high port on that remote workstation at home to port 22 on my work desktop machine, giving me the ability to SSH *back in* to work from home, and not monkey with the company's VPN solution that has a client for my home machine that's so buggy it's unreal. That remote SSH call-back also forwards the home machine's IMAP port to the company's Exchange Server so I can read my email over the tunnel, and I port-forward to our network monitoring and backup systems' web interfaces so I can actually do my job.
I guess I can say that my productivity from home would be pretty much zippo if I didn't have SSH tunnels at my disposal.
Re:Gotta love SSH tunneling (Score:5, Informative)
I also run two browser profiles with one being the proxied and one being normal, with different shortcuts to each. I separate the instances so my employer still sees a lot of traffic so they don't get suspicious. The work-related ones get me to lots of vendors sites, googling for solutions, etc.
I use a sh script to start my second one. It looks for an already open port just in case I killed the browser accidentally and don't need to re-establish the tunnel. It re-establishes if it needs to.
You could also proxy your IM messages through these, though I haven't gone to that length yet. Here's my sh script:
#!/bin/sh
# Re-establish the tunnel only if nothing is already listening on 8888
# (e.g. the browser was killed but the ssh session is still up).
if ! netstat -an | grep -q '[.:]8888 .*LISTEN'; then
    # mine: keep the session alive by printing a timestamp every 10 s
    ssh -L 8888:127.0.0.1:8888 myhomemachine \
        "perl -le 'while (1) { print scalar localtime; sleep 10 }'" &
    # friendshomemachine: same tunnel via a friend's box
    # ssh -L 8888:127.0.0.1:8888 friendshomemachine \
    #     "perl -le 'while (1) { print scalar localtime; sleep 10 }'" &
    # variant: blowfish cipher, compression, background, no remote command
    # ssh -c blowfish-cbc -C -f -N -L 8888:127.0.0.1:8888 friendshomemachine &
fi
I've heard blowfish is slower, but it doesn't seem to be when you're just browsing. Feel free to experiment. Others with more knowledge as to what's faster, please let me know.
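An added example (not the poster's script) of the same idea done more robustly: it checks for an existing listener, lets ssh itself fail when the local port is already taken, uses ssh's own keepalive instead of a remote perl loop, binds the listener to loopback, and reconnects in a loop. The host name myhomemachine and port 8888 are placeholders taken from the post above.

```shell
#!/bin/sh
# Added example (not the poster's script): keep a local-forward tunnel up
# and treat "ssh connected but the forward was not bound" as a failure.
# Placeholders taken from the post above: myhomemachine, port 8888.

LOCAL_PORT=${LOCAL_PORT:-8888}
REMOTE=${REMOTE:-myhomemachine}

# port_listening PORT: succeed if something on this host listens on TCP PORT.
# Uses ss where present (current Linux), else netstat (older Linux, BSD, macOS).
# "[.:]PORT " avoids matching 18888 when asked about 8888.
port_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -lnt 2>/dev/null | grep -q "[.:]$1 "
    else
        netstat -an 2>/dev/null | grep -q "[.:]$1 .*LISTEN"
    fi
}

# tunnel_cmd PORT HOST: print the ssh command line for one local forward.
#  -N                        no remote command; the session only carries forwards
#  ExitOnForwardFailure=yes  exit instead of silently connecting without the
#                            tunnel when PORT is already taken locally
#  ServerAliveInterval/CountMax  drop a dead session within ~30 s (replaces the
#                            perl keepalive loop in the post above)
#  127.0.0.1:PORT            bind to loopback so other hosts on the work LAN
#                            cannot use the tunnel
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=10 -o ServerAliveCountMax=3'
    printf ' -L 127.0.0.1:%s:127.0.0.1:%s %s' "$1" "$1" "$2"
}

# run_supervisor: reconnect whenever ssh exits, backing off between attempts.
run_supervisor() {
    while :; do
        if port_listening "$LOCAL_PORT"; then
            sleep 30      # a listener exists: either our ssh or a stale one
            continue      # (ExitOnForwardFailure keeps us from doubling up)
        fi
        echo "$(date) tunnel down, reconnecting" >&2
        eval "$(tunnel_cmd "$LOCAL_PORT" "$REMOTE")"   # blocks until ssh exits
        sleep 10
    done
}

# Only start the loop when invoked as "script run"; sourcing it just defines
# the functions.
if [ "${1:-}" = run ]; then
    run_supervisor
fi
```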
Re:Gotta love SSH tunneling (Score:2)
Re:Gotta love SSH tunneling (Score:2)
http://64.233.167.104/search?q=cache:cbVWVVwUth0J
Re:Gotta love SSH tunneling (Score:1)
Re:Gotta love SSH tunneling (Score:1)
Re:Gotta love SSH tunneling (Score:2, Informative)
There are reasons that the company deploys control mechanisms such as HTTP/SMTP proxies and approved VPN solutions - to protect the corporate infrastructure and information. Yes, you may have SSH access, but that doesn't mean that you should be using that to circumvent the security controls put in place by your employer. Your employer may well be partly to b
Re:Gotta love SSH tunneling (Score:1, Funny)
Re:Gotta love SSH tunneling (Score:3, Insightful)
1) pedantic reliance on security policy
2) Euro spelling of 'unauthorized'
3) excluded middle fallacy invoked to formally document and submit your request
4) ITIL-like flamage about change control procedures
5) assertion that it's wrong de jure, instead of right, de facto
Ok, so now we know it's a troll. What to do?
1) hopefully metamod the positive mods that he received to correct the error
2) offer brief counterargument, demolishi
Re:Gotta love SSH tunneling (Score:2)
Which is why the GP is likely not a troll, but an InfoSec person (coming off like a know-it-all/asshole/troll is sometimes an occupational hazard when wearing that hat) as the usability vs security tradeoff swings all the way to the far right and legitimate users are criminalized for legitimately trying to get work done.
In all fairness, part of the problem is that "good manag
Re:Gotta love SSH tunneling (Score:2)
Re:Gotta love SSH tunneling (Score:4, Funny)
Yes, your employer does know your uid. He's pissed, and he's been logging your activity for some time. He suggests a new shell script:
#!/bin/sh
while (1) {
echo "Get to work, Slacker!";
}
Re:Gotta love SSH tunneling (Score:2, Funny)
#!/bin/sh
while (1) {
echo "Get to work, Slacker!";
}
that's definitely from his manager, since that while statement is completely C and won't run under bash at all!
PHB's cannot script (Score:1)
Re:Gotta love SSH tunneling (Score:1)
Re:Gotta love SSH tunneling (Score:2)
Why not use the built in SOCKS proxy in ssh? Run ssh -N -D 8080 <home-machine> then point your Firefox setup to localhost port 8080 as a SOCKS proxy. Then you can ditch the HTTP proxy on your home machine.
Re:Gotta love SSH tunneling (Score:1)
Because my SSH client doesn't appear to have it:
It's no biggie, my current setup works fine. But I have to admit that's a pretty cool feature. It's probably specific to OpenSSH. We aren't using OpenSSH here and I don't use it at home.
Not really. The company
Re:Gotta love SSH tunneling (Score:1)
Your company is absolutely at risk. You work there, and are apparently writing policies that concern some aspects of security.
I really hope someone in management knows your Slas
Re:Gotta love SSH tunneling (Score:2)
I'm trying to figure out who is most at fault. His employer for not taking IT seriously...him for violating good security practices...or the company they hired to "audit" him who passed him without an existing IT policy.
Re:Gotta love SSH tunneling (Score:2)
Tell you the truth, I actually don't know. I'd wager you're right, we're probably privately held.
All of the above. IT *isn't* taken seriously here, you're right. That will change soon, I can assure you. For lots
Re:Gotta love SSH tunneling (Score:2)
Re:Gotta love SSH tunneling (Score:2)
This sounds very similar to the feedback I got from a friend/ex-coworker who is now a paid security consultant. The way he explained it was (paraphrasing): "While you may have taken steps to mitigate the risk of use of the SSH tunnels as an attack vector, and while that mitigation may even be stronger than what's in place for the VPN/home user/travelling laptop attack vector, the fact that those responsible for securing the enterprise are unaware of the SSH
Re:Gotta love SSH tunneling (Score:2)
I have a reverse ssh tunnel setup from an office computer (also running Gentoo). I use autossh (which I highly recommend) which ensures that the reverse ssh tunnel is always up. Even if my machine is rebooted or
Re:Gotta love SSH tunneling (Score:2)
ssh -L <local port>:<internal address of remote computer to forward to>:<remote port> -p <local reverse tunnel port> localhost cat -
Re:Gotta love SSH tunneling (Score:1, Interesting)
Re:Gotta love SSH tunneling (Score:2)
Work-side
---------
proxy:
Host unix.machine.home
LocalForward 8080:unix.machine.home:8080
LocalForward 5900:windows.machine.home:5900
RemoteForward 127.0.0.1:45678:127.0.0.1:22
The 8080 LocalForward lets me hit the proxy running on unix.machine.home.
The 5900 LocalForward lets me use VNC on to access windows.machine.home.
The 45678 Remo
Re:Gotta love SSH tunneling (Score:1)
Here's one... (Score:3, Informative)
2. Go to Connection -> SSH -> Tunnels
3. Add new forwarded port. Source Port: 1080, Destination: [blank], DYNAMIC (this is important), Auto. Click on Add.
4. In Firefox or any other program that supports a SOCKS proxy, enter host 127.0.0.1 (localhost) with port 1080.
That's it. You'll then be using your SSH connection like a SOCKS proxy.
Re:Here's one... (Score:1)
5. ???
6. Profit!
SOCKS tunnel with Open SSH (Score:2)
ssh -N -f -D 1080 <home-machine>
-D 1080 does the dynamic socks forwarding.
-N says don't run any command on the remote machine
-f says go into the background after asking for password
Works great for Yahoo IM; haven't tested others.
Re:Here's one... (Score:4, Informative)
127.0.0.1:1000 goes to www.google.com:80
127.0.0.1:1001 goes to www.porn.com:80
127.0.0.1:1002 goes to www.slashdot.org:80
what using a SOCKS-mimicking "proxy server" allows you to do is to make it so that the requesting application requests the destination, instead of you setting it up and then pointing your computer at a special address. The requesting socks-aware application is like "Hmm, to get to login.messenger.yahoo.com:3697, I must use this special protocol and send stuff really to a connection at 127.0.0.1:4280. I'll do that."
So it connects to that, PuTTY sends it down the wire to my friend, and my friend's computer sends it to login.messenger.yahoo.com, port 3697.
magically.
Ooh! Where To Begin. (Score:1, Informative)
ssh -CX user@host.your.domain
password:
user@host$ konqueror&
Or do you want to portforward your browsing?
After setting up a proxy server like squid on your home machine...
ssh -L 8080
This Ask Slashdot really should be answered with RTFM or Google!
ISC at sans (Score:2)
SSH tunnels in Windows (and one-liner for *nix) (Score:2, Informative)
This guide also describes how to setup an SSH tunnel in Linux.
SSL Explorer (Score:3, Informative)
Here's mine (Score:4, Informative)
Assuming a Linux machine at each end, here's the script for the machine that initiates the connection:
#!/bin/sh
# Initiator: run pppd with an ssh session as its "serial line".
# The loop reconnects after a drop; lcp-echo-* lets pppd notice a dead link.
while true; do
    pppd nodetach lcp-echo-failure 4 lcp-echo-interval 120 \
        pty 'ssh receiver -T -l user'
    sleep 10
done
Where receiver is the public IP address of your receiving machine and user is the username on that machine. The while loop automatically reconnects if you get disconnected.
Here's the script for the machine that receives the connection:
#!/bin/sh
# Receiver: kill any stale pppd for this link, then start a fresh one on the
# ssh session's stdin/stdout (notty) and wait for the peer to speak (passive).
pids=`ps -e -opid,command | grep "pppd local:remote" | \
      grep -v grep | awk '{print $1}'`
if [ "$pids" != "" ]; then
    echo "Found pre-existing connection. Killing pids: $pids" >> ppp.log
    kill -15 $pids
    sleep 5
fi
pppd local:remote netmask 255.255.255.252 passive \
    notty nodetach
Where local is the local end of your PPP link and remote is the remote end of your PPP link. You'll want to call this script from user's
My setup (Score:2, Informative)
To get the tunnel working, I forget the exact settings in putty but there's a section for tunnels, tell it to create tunnel from local port 8128 to remote machine's port 3128. Then set your browser to use "localhost:8128" as your proxy.
The way to setup a tunnel between two Unix boxes (for me) is ssh -L 8128:192.168.0.1:3128 remote-host.
Rewriting & Encrypted Proxy? (Score:3, Informative)
I'd like to run a web-proxy at home that I can just point my browser to, à la:
https://mycablemodem.cable.net:4567/ [cable.net]
that will then access any website and rewrite any internal links to go back through the proxy itself, so for example:
http://www.yahoo.com/ [yahoo.com] becomes https://mycablemodem.cable.net:4567/http://www.ya
Anyone got a good, robust re-writing proxy tool like that? Preferably with at least some sort of minimal security to prevent joe-random from using it without a login/password.
Re:Rewriting & Encrypted Proxy? (Score:2)
Re:Rewriting & Encrypted Proxy? (Score:2)
Gotta run through the outgoing proxy at site. I'm presuming that an https proxy won't do generic ssh proxying.
Re:Rewriting & Encrypted Proxy? (Score:2)
Re:Rewriting & Encrypted Proxy? (Score:3, Informative)
Re:Rewriting & Encrypted Proxy? (Score:1)
Re:Rewriting & Encrypted Proxy? (Score:1)
> I'm just guessing, but wouldn't ssh tunnels be readily identifiable if a smart network admin wanted to look for them?
No, the port forwarding is done within the encrypted channel. Rather than thinking of ssh as a terminal session protocol that uses encryption, you really should be seeing it as a protocol for creating an encrypted pipe between two arbitrary nodes. This protocol uses the terminal session authentication methods of the destination. The entire contents of an ssh session are hidden using good st
Re:Rewriting & Encrypted Proxy? (Score:1)
No, the port forwarding is done within the encrypted channel.
You said what I said.
I don't want to pin up a session for days or weeks, I want it to look like a normal https session - put it up, do a transfer, tear it down. Leaving it pinned up for long periods with sporadic traffic is bound to draw attention to it.
Once more (Score:2)
Second time I've posted my guide this week.
clicky [the-engine.org].
No tutorial, just usage (Score:2)
Really Good SSH Tunneling Tutorial (Score:4, Informative)
Really good for the beginner - includes information on accessing Samba shares over ssh.
The only way to do work (Score:3, Interesting)
I also have an ssh tunnel established from my work PC to my home connection, and I run pppd over that to create a VPN between my home network and the network at work. I realise that this is probably completely against company policy, but the "official" VPN solution only lets me hit the Exchange server, and doesn't let me actually do any work. Most of the company's "work" involves forwarding emails, so it's probably fine for them.
Unfortunately tcp over tcp is really quite nasty (http://sites.inka.de/sites/bigred/devel/tcp-tcp.
A howto that I found quite helpful is at http://www.tldp.org/HOWTO/ppp-ssh/ [tldp.org]
Anyway.. on to my anecdote (not required reading):
Part of my job involves working on a distributed monitoring system which is deployed in a star topography around the country. All the remote sites send & receive data from one central site (with one redundant central site) using a variety of protocols, like ssh, xmlrpc, dns, telnet, snmp, syslog, etc.
The network was designed by people who were given a set of instructions like "You will use these 2 vendor's systems" and "You must follow these corporate security policies which were written 10 years ago for phone networks", so it's terrible by today's standards (and for an ISP in general).
There are firewalls between all of my boxes, even though all my boxes are on the management lan, and they only allow a very small set of protocols through - not enough to let my software work. That wasn't the worst part. The worst was that the firewalls are also protecting the billing network so have very low tolerances for intrusion detection and flood protection and such. Basically I can only establish 5 connections per second *across the entire network*. This is clearly not enough for a busy monitoring system. So we decided to build a VPN between all of my boxes using ppp on ssh tunnels.
I now have a separate ppp interface from the central server to each of the remote datacenter servers, all on the 10.0.0.0/16 network. ip forwarding is enabled on the central site, so now remote datacenters can talk to each other (also blocked by the firewalls) and I can use all the connections I need to. I'm running quagga ( http://www.quagga.net/ [quagga.net] ) on every remote datacenter and the central servers (along with the redundant one) so I can distribute routes to remote datacenter devices and cope with the death of one of the central servers without major service interruption.
However it really is quite slow. I can only get around 200kb/s over each ppp interface even though the physical links are 100+mbit each. But I really don't need huge bandwidth, just some that isn't firewalled.
This "solution" has been in production for 6 months now, and I'm sure as soon as the corporate security people find out they will shut it down and I'll go back to not being able to do my job.
Re:The only way to do work (Score:2)
Linux Server Hacks (Score:2)
There are some cute tricks in O'reilly's "Linux Server Hacks" [oreilly.com] which, taken together, can leave you with a pretty sweet setup. #52,#53,#66-#71 are all worth checking out.
--MarkusQ
Use PuTTY's 'dynamic' tunneling mode (Score:3, Informative)
Here's how to do it, using the latest PuTTY and Firefox versions:
1. Configure PuTTY. Start PuTTY and put in the address of your host server to connect to on the first screen. In the menu on the left, pick 'Tunnels' from the tree. Under 'Add new forwarded port:' put in 1080 (this is pretty arbitrary, but 1080 is the "official" SOCKS port). Leave 'Destination' blank and choose the 'Dynamic' radio button. Feel free to go back to the 'Session' entry on the menu tree on the left if you wish to save a session so you don't have to do this every time.
2. Configure Firefox. Under Preferences, click the 'Connection Settings' button from the main 'General' options. Click 'Manual Proxy configuration:' and under 'SOCKS Host' put in localhost with port 1080. Click OK and try to surf. You should now be being routed through your Linux host. You can go to whatismyip.com to verify you're being routed through your host's IP address.
(I'm pasting this howto from one I wrote on another site [metafilter.com])
Re:Use PuTTY's 'dynamic' tunneling mode (Score:2)
SSH on port 443 (Score:2, Informative)
Since both SSH and HTTPS use SSL, it is very hard for a corporate firewall to tell the difference, so often you can punch through in this way if your employer does not allow you to SSH out on the normal port.
Of course, by doing so you may be violating your company policies and opening yourself up to being fired - so don't blame me if you are.
Also, if you want to keep the script kiddies from tryi
Re:SSH on port 443 (Score:2, Informative)
Re:SSH on port 443 (Score:2)
It would be trivial for a corporate firewall to distinguish between HTTPS connections and SSH connections on port 443 (SSH connections all start with the identifier "SSH-") but in practice most don't.
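An added example, not from either poster, of the check the reply describes from the firewall's side: the first bytes each peer sends on port 443 tell SSH (an identification string starting "SSH-", RFC 4253) apart from TLS (a record header 0x16 0x03 0x0X). The sample files are constructed, truncated stand-ins for captured streams, not real captures.

```shell
#!/bin/sh
# Added example: classify the first bytes of a port-443 stream as ssh, tls or
# unknown, and pull the SSH software name out of an identification string.
# Works on either direction: an SSH client and server both start with "SSH-",
# and a TLS client and server both start with a handshake record (0x16 0x03 x).

# classify FILE: print ssh, tls or unknown for the first five bytes in FILE.
classify() {
    hex=$(head -c 5 "$1" | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        5353482d*)  echo ssh ;;     # "SSH-"
        16030[0-4]*) echo tls ;;    # record type 22 (handshake), version 3.0-3.4
        *)          echo unknown ;;
    esac
}

# ssh_software FILE: print the software part of "SSH-2.0-<software>" (first line),
# useful for inventorying which implementations are talking on 443.
ssh_software() {
    head -n 1 "$1" | tr -d '\r\n' | cut -d- -f3-
}

# Constructed samples (not real captures): an SSH client banner, the start of a
# TLS ClientHello record (type 22, version 3.1, length 0x0180), and plain HTTP.
SAMPLES=$(mktemp -d)
printf 'SSH-2.0-OpenSSH_9.6\r\n'        > "$SAMPLES/ssh_client"
printf '\026\003\001\001\200\001'        > "$SAMPLES/tls_client"
printf 'GET / HTTP/1.1\r\n'              > "$SAMPLES/plain_http"

# report DIR: one line per sample, as a detection job over a capture directory would emit.
report() {
    for f in "$1"/*; do
        kind=$(classify "$f")
        if [ "$kind" = ssh ]; then
            echo "$(basename "$f"): $kind ($(ssh_software "$f"))"
        else
            echo "$(basename "$f"): $kind"
        fi
    done
}

report "$SAMPLES"
```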
Cygwin and x-forwarding (Score:1)
Re:Cygwin and x-forwarding (Score:1)
I basically do that on the occasions when I need to use firefox from my home machine at work or vice versa (except that it is GNU/Linux on both ends for me). The problem is that this is very very slow (DSL line at home). Some programs like emacs, jpilot, xv, and gaim are slow but usable. Firefox however just hu
How about stunnel? (Score:3, Informative)
autossh for restoring ssh connections (Score:1)
What about DNS lookups? (Score:2)
Most corporations have internal DNS servers, which could certainly log your suspicious requests (or even hijack and re-route) to various nefarious sites. Does Firefox (Mozilla) route the DNS requests through the tunnel as well somehow? I thought SSH could only do TCP forwarding, so I seem to be missing something. Unless somehow the SOCKS proxy is doin
Re:What about DNS lookups? (Score:1)
Re:What about DNS lookups? (Score:2)
Re:What about DNS lookups? (Score:1)
All the HTTP traffic is sent through the proxy, but DNS requests aren't.
One solution is to use pppd over ssh to do a "poor-man's VPN", then set your resolv.conf to use a DNS server over the "VPN" rather than the local one.
This seems indirect, and there may be a better way, but it works.
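An added example (not from the thread) for the SOCKS-over-ssh case rather than the pppd one: Firefox will send the hostname to the SOCKS5 proxy, and so resolve it on the far side, only when network.proxy.socks_remote_dns is true; with the default of false the browser asks the local resolver first, so the names you visit remain visible to the corporate DNS even though the HTTP traffic is encrypted. The pref names are Firefox's own; the file paths and sample values are constructed.

```shell
#!/bin/sh
# Added example: write a Firefox user.js for a SOCKS-over-ssh profile, and check
# an existing user.js for the leaky variant (hostnames resolved locally).

# pref FILE NAME: print the value of user_pref("NAME", value); or nothing if unset.
pref() {
    sed -n "s/^user_pref(\"$2\", *\(.*\));.*/\1/p" "$1" | tr -d '"' | tail -n 1
}

# write_socks_prefs FILE HOST PORT REMOTE_DNS: emit the SOCKS settings.
# type 1 = manual proxy; version 5 is what "ssh -D" speaks; REMOTE_DNS is
# true or false and decides where hostnames get resolved.
write_socks_prefs() {
    cat > "$1" <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "$2");
user_pref("network.proxy.socks_port", $3);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", $4);
EOF
}

# dns_leaks FILE: succeed (exit 0) if this profile would resolve names with the
# local resolver instead of through the tunnel.
dns_leaks() {
    [ "$(pref "$1" network.proxy.type)" = 1 ] || return 0        # no manual proxy
    [ -n "$(pref "$1" network.proxy.socks)" ] || return 0          # no SOCKS host
    [ "$(pref "$1" network.proxy.socks_remote_dns)" = true ] || return 0
    return 1
}

# Constructed sample profiles: the default (leaky) setting beside the fixed one.
PROFILES=$(mktemp -d)
write_socks_prefs "$PROFILES/leaky.js" 127.0.0.1 1080 false
write_socks_prefs "$PROFILES/fixed.js" 127.0.0.1 1080 true

for js in "$PROFILES"/leaky.js "$PROFILES"/fixed.js; do
    if dns_leaks "$js"; then
        echo "$(basename "$js"): DNS resolved locally (names visible to corporate DNS)"
    else
        echo "$(basename "$js"): DNS resolved through the SOCKS5 tunnel"
    fi
done
```

Copy the fixed user.js into the profile directory of the portable Firefox (the profile path is the only site-specific part).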
Also SocksCap (Score:1)
I too have followed the putty-as-socks-proxy route described by others.
For enabling stuff like iTunes, which doesn't know from SOCKS, try SocksCap [nec.com].
Finally, I used to have a filter on my work machine's Outlook that would run a program when a message with a particular subject came in from me--the program would ssh-tunnel back to my home machine thus enabling me to log in to work from home, but also establishing the connection only when I wanted it.
Re:Also SocksCap (Score:2)
seems the only safe way to do it (for VNC anyway) might be to set up a static port forwarding and then use the VNC client to localhost:5900, etc.
small script for dynamic and resilient ssh tunnels (Score:1)
Using this script my tunnel stays up for days in a row and I don't have to do anything when I move my machine from our corporate wired network to my personal wireless home network.
I use this script in combination with privoxy [privoxy.org] to ensure that dns requests are also done over th
You can also run ppp over ssh (Score:2)
All you need are compatible pppd configs on each endpoint box (by this I mean they're set up so that when they talk they authenticate and give IP addresses, etc), and tell pppd to use ssh as the serial link.
The magic line in your pppd configuration (/etc/ppp/peers/) is:
pty "/usr/bin/ssh -e n
What about local proxy firewalls? (Score:1)
How do you set up a secure tunnel from workstation through proxy to remote host and then onward to the outside world?
Re:What about local proxy firewalls? (Score:2)
Key Length (Score:2)
What length ssh keys should I use? 256? 512? 1024? 2048?
At what point is the line between secure, and paranoid crossed? How will key length impact performance?
Re:Key Length (Score:2)
Use any length you want because I promise you that nobody is going to bother trying to crack even 56bit DES key just to read your data.
If you are worried that they will, it's just because you are massively overestimating your own significance.
Honestly, nobody cares. You're just not interesting enough. Sorry to break it to you.
RDP over SSH (Score:2)
Re:RDP over SSH (Score:1)
SSH Tunnel (Score:2)
A few good pieces of software (Score:1)
http://www.bitvise.com/tunnelier.html [bitvise.com]
Also be sure to check out the SwitchProxy extension for Firefox:
http://mozmonkey.com/ [mozmonkey.com]
Re:A few good pieces of software (Score:1)
Okay, how about an actual answer? (Score:2)
Specifically for SSH tunnels (without dealing with SSL), you basically have two choices: Manually authenticated, or pre-shared RSA keys (which you should use even for manually authenticated connections, but I'll leave that to your discretion)...
In the simplest case (manual authentication with no preshared key, and between any platforms for which a build of the standard OpenSSH tools