
SSH Tunnels How-to?

Cliff posted more than 8 years ago | from the what-encryption-worms-build dept.


The_Spider asks: "I periodically browse the net and check web-mail at work, when I have the opportunity. I was wondering if anyone had a nice walkthrough on how to set-up an SSH tunnel. I'm not 100% newbish to Linux but I don't know where to start. (I have a Fedora Core box at home for NAT & DHCP) I'm hoping to combine this for use with portable Firefox. I'm not too worried about security, but I love the notion of taking a portable and encrypted browser with me from place to place. Can Slashdot help?" While this might be a bit FAQ, I figure Slashdot anecdotes on the use of SSH tunnels might be a bit more user-friendly than say, the several task-specific HOWTOs one can find via a Google search. Also, I'm sure that there are a few of you out there who have discovered interesting ways of using SSH tunnels, not covered by said HOWTOs. So, how are you using SSH tunnels, and can you explain them to those who have not yet discovered the value of their use?


98 comments

First, you gotta (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14514089)

go get youself a FRIST PROST!

Then, you can tunnel your FRIST PROST over the internets to get to teh intarweb.

How to.... (-1, Troll)

ForumTroll (900233) | more than 8 years ago | (#14514101)

RTFM ;)

Re:How to.... (1)

electrofreak (744993) | more than 8 years ago | (#14514906)

I second that. That's how I figured them out, and I do in fact find them very useful nearly every day.

I most often use them to tunnel ports from behind a firewall, such as tunneling 5900 for VNC to use VNC from school. Or, even X11 tunneling is very useful.

Really people, rtfm. It's not that hard.

Re:How to.... (1)

americamatrix (658742) | more than 8 years ago | (#14521184)

Use Hamachi. [www.hamachi.cc] It uses AES 256-Bit encryption, over the tunnel. The passwords for everything are hashed and not stored locally. It is a zero-point configuration solution. It passes thru [most] any NAT/Firewall/VPN. It uses the UDP protocol to do so. I use it at work to remote into my computer. Works great. Cheers

PuTTY (1)

Eightyford (893696) | more than 8 years ago | (#14514112)

The PuTTY win32 client documentation can be found here [earth.li] . It has a good intro to SSH as well.

Java VNC over SSH (3, Interesting)

slthytove (771782) | more than 8 years ago | (#14514142)

This doesn't really address the author's original inquiry, but it is (what I would consider) an interesting use of SSH tunnels, in a readable tutorial. I set up something similar to "GoToMyPC" for my Dad, that allows web-based (over JavaVNC) secure remote access to his computers:

Java VNC over SSH [blogspot.com]

Reading between the lines... (2, Interesting)

Anonymous Coward | more than 8 years ago | (#14514158)

Spider is an employer that wants to block SSH tunnel access for his employees, but he has no idea how to pull it off, so he concocted this excuse about wanting to use our beloved Firefox.

I think we can all collectively say: Spider, go RFTM. :-)
(Yes, the man page for ssh covers this in detail.)

-= End of thread =-

Re:Reading between the lines... (1)

sootman (158191) | more than 8 years ago | (#14515327)

Wrong. Spider works for a company that recently installed WebSense and he's sad 'cause he can't surf porn anymore. :-)

Gotta love SSH tunneling (5, Interesting)

The Blue Meanie (223473) | more than 8 years ago | (#14514175)

I *really* hope my employer doesn't recognize my Slashdot ID. :)

I use an SSH tunnel to forward port 8080 on my desktop machine here at work to port 8080 on my Unix workstation at home that's running an HTTP proxy. I set my Firefox/Mozilla at work to use localhost as its proxy, and I now happily bypass any and all logging and/or site restrictions on my work browsing habits.

I also remote-forward a pseudo-random high port on that remote workstation at home to port 22 on my work desktop machine, giving me the ability to SSH *back in* to work from home, and not monkey with the company's VPN solution that has a client for my home machine that's so buggy it's unreal. That remote SSH call-back also forwards the home machine's IMAP port to the company's Exchange Server so I can read my email over the tunnel, and I port-forward to our network monitoring and backup systems' web interfaces so I can actually do my job.

I guess I can say that my productivity from home would be pretty much zippo if I didn't have SSH tunnels at my disposal.

Re:Gotta love SSH tunneling (5, Informative)

fimbulvetr (598306) | more than 8 years ago | (#14514225)

This is exactly what I do, and let me tell you what: It's saved my ass a few times.

I also run two browser profiles with one being the proxied and one being normal, with different shortcuts to each. I separate the instances so my employer still sees a lot of traffic so they don't get suspicious. The work-related ones get me to lots of vendors' sites, googling for solutions, etc.

I use a sh script to start my second one. It looks for an already open port just in case I killed the browser accidentally and don't need to re-establish the tunnel. It re-establishes if it needs to.

You could also proxy your IM messages through these, though I haven't gone to that length yet. Here's my sh script:

#!/bin/sh

# only open the tunnel if nothing is already listening on 8888
STAT=`netstat -an | grep 8888`;
if [ "$STAT" = "" ];
                then

# the quoted perl loop just prints the time every 10 seconds as a keepalive
#friendshomemachine
# ssh -L 8888:127.0.0.1:8888 friendshomemachine "perl -e 'while (1) { print localtime.\"\n\";sleep 10;}'" &
#mine
                ssh -L 8888:127.0.0.1:8888 myhomemachine "perl -e 'while (1) { print localtime.\"\n\";sleep 10;}'" &
#friendshomemachine
# ssh -c blowfish-cbc -C -f -N -L 8888:127.0.0.1:8888 friendshomemachine "perl -e 'while (1) { print localtime.\"\n\";sleep 10;}'" &
#mward
# ssh -c blowfish-cbc -C -f -N -L 8888:127.0.0.1:8888 friendshomemachine "perl -e 'while (1) { print localtime.\"\n\";sleep 10;}'" &

fi

# start the proxied browser profile
/usr/local/firefox/firefox -P encrypted

I've heard blowfish is slower, but it doesn't seem to be when you're just browsing. Feel free to experiment. Others with more knowledge as to what's faster, please let me know.

Re:Gotta love SSH tunneling (1)

Wolfrider (856) | more than 8 years ago | (#14514915)

On the contrary, IIRC blowfish is the *fastest* encryption for SSH; but see my .sig.

Re:Gotta love SSH tunneling (1)

fimbulvetr (598306) | more than 8 years ago | (#14519905)

My fault, I meant to write faster. Thx for the link though.

Re:Gotta love SSH tunneling (1)

negyvenot (582011) | more than 8 years ago | (#14517978)

"while date; do sleep 10; done" does a much less resource intensive job for the keepalive.

Re:Gotta love SSH tunneling (2, Informative)

Anonymous Coward | more than 8 years ago | (#14514493)

If I ever caught you pulling that kind of shit in the company where I work, your ass would be out the door so quick your feet wouldn't touch the ground.

There are reasons that the company deploys control mechanisms such as HTTP/SMTP proxies and approved VPN solutions - to protect the corporate infrastructure and information. Yes, you may have SSH access, but that doesn't mean that you should be using that to circumvent the security controls put in place by your employer. Your employer may well be partly to blame for not having made you read their Information Security Policy documents (and get you to sign up in agreement to an AUP). If their policy does not include coverage for things such as the situation you describe above, your security manager & auditors should be beaten heavily and then replaced.

It's this unauthorised, non-standard, "yeah but I can do it better my way for I am a genius" bullshit which ends up causing so many problems in organisations. Yet another glowing example of why the greatest threat to corporate confidentiality, integrity and availability is usually that lurking within.

If you feel that you would be more productive with a different system configuration, did it not occur to you to formally document your suggestion and present it for review under your organisation's change control procedures? It could mean the difference between collecting your payslip or clearing your desk.

Re:Gotta love SSH tunneling (0)

Anonymous Coward | more than 8 years ago | (#14514736)

I can do it my way because I am a genius.
I should do it my way because otherwise company forces me to use IE.
I will do it my way because I friggen can and there's no company policy against it.

Re:Gotta love SSH tunneling (1, Funny)

Anonymous Coward | more than 8 years ago | (#14517443)

We don't want to work for your kind of company so thats OK

Re:Gotta love SSH tunneling (2, Insightful)

Gothmolly (148874) | more than 8 years ago | (#14524902)

I know you shouldn't feed AC trolls, but I'll bite. First, we identify the troll:
1) pedantic reliance on security policy
2) Euro spelling of 'unauthorized'
3) excluded middle fallacy invoked to formally document and submit your request
4) ITIL-like flamage about change control procedures
5) assertion that it's wrong de jure, instead of right, de facto

Ok, so now we know it's a troll. What to do?
1) hopefully metamod the positive mods that he received to correct the error
2) offer brief counterargument, demolishing the troll, thus:

You're job is to get work done, and act in the best interests of your employer. If you are doing both, no good manager will complain.

Done.

Re:Gotta love SSH tunneling (0)

Anonymous Coward | more than 8 years ago | (#14525454)

Your brief counterargument was poor at best and demonstrates that you have no idea what you're talking about.

"You're job is to get work done, and act in the best interests of your employer. If you are doing both, no good manager will complain."

Well, that is just fine and peachy until you have auditors come in. In the real world, policies, procedures and standards need to be defined, disseminated and understood. Without them, the business heads off in all sorts of different directions, with many individual teams re-inventing the wheel and deploying conflicting architectures and management systems. You end up with horrid code that few can maintain and even fewer understand, compartmentalised network segments providing both internal and public services because of poor patch cable management - the list goes on and on and on...

Have you ever been involved in a SOX review? Do you know that key controls include having documented business processes and providing evidence to show that such processes are actually being done? No, probably not seeing as you fail to grasp the basic concepts behind managing enterprise information systems and keeping them secure. No policies, no processes, no evidence - that's a serious deficiency and publicly reportable (and that includes change controls too). The UK FSA and US SEC also have similar requirements. Even in industries without regulatory issues, there is still a need for policies and change controls - What if you break a customer's application code? What if your unprotected Human Resources server gets compromised and a member of staff sues you for lack of care? With or without regulatory issues such as SOX, HIPAA etc there is still a need for control and approved process.

And in closing - I spelt unauthorised correctly. "Euro spelling" indeed! It's the British form of English, you ignorant fool - The rest of Europe speak languages other than English. You also might want to check your own spelling and grammar before pointing out the deficiencies of others.

Re:Gotta love SSH tunneling (1)

KMitchell (223623) | more than 8 years ago | (#14527156)

You're job is to get work done, and act in the best interests of your employer. If you are doing both, no good manager will complain.


Which is why the GP is likely not a troll, but an InfoSec person (coming off like a know-it-all/asshole/troll is sometimes an occupational hazard when wearing that hat) as the usability vs security tradeoff swings all the way to the far right and legitimate users are criminalized for legitimately trying to get work done.

In all fairness, part of the problem is that "good managers" typically swing to the far left ("just get work done") so there is some provocation for the attitude.

Bottom line is in a perfect world, you could formally document your suggestion and present it for review under your organisation's change control procedures and have something positive happen, but I'd ask the GP to honestly consider what his (gender assumption) reaction would be if a request to use an alternative form of authentication/access control rather than the "approved" VPN solution landed on his desk. I'd expect it would be similar to some of the derisive quotes in the GP's post.

InfoSecurity has been evolving for a while and is struggling with the very difficult challenges of securing data on and access to insecure machines connected to an insecure Internet. All you (as a mere "user") can do is to try and influence policy to try and balance security with your need to actually get work done.

Oh, and I'd agree with the GP's suggestion to read any AUP docs that you're asked to sign, and suggest that you note any amendments that you feel are applicable for you to do your job.

Re:Gotta love SSH tunneling (1)

tigersha (151319) | more than 8 years ago | (#14578854)

I can and do this because I AM the IT staff! So there!!

Re:Gotta love SSH tunneling (3, Funny)

Dausha (546002) | more than 8 years ago | (#14514737)

"I *really* hope my employer doesn't recognize my Slashdot ID."

Yes, your employer does know your uid. He's pissed, and he's been logging your activity for some time. He suggests a new shell script:

#!/bin/sh

while (1) {
echo "Get to work, Slacker!";
}

Re:Gotta love SSH tunneling (2, Funny)

ddstreet (49825) | more than 8 years ago | (#14516743)

your employer...suggests a new shell script:

#!/bin/sh

while (1) {
echo "Get to work, Slacker!";
}

that's definitely from his manager, since that while statement is completely C and won't run under bash at all!

PHB's cannot script (1)

alexborges (313924) | more than 8 years ago | (#14520797)

Obviously, his PHB needs a good sh scripting howto!

Re:Gotta love SSH tunneling (1)

Xeleema (453073) | more than 8 years ago | (#14522343)

[codemonkey@pr0nb0x:/home/bigcheeze]{3}$ ./get_to_work_slacker.sh
./get_to_work_slacker.sh : line 3: syntax error near unexpected token `{'
./get_to_work_slacker.sh: line 3: `while (1) {'
[codemonkey@pr0nb0x:/home/bigcheeze]{4}$
Looks like someone forgot how to code once they caught the promotion I was passed over for...

Re:Gotta love SSH tunneling (1)

Matt Perry (793115) | more than 8 years ago | (#14514741)

I use an SSH tunnel to forward port 8080 on my desktop machine here at work to port 8080 on my Unix workstation at home that's running an HTTP proxy.
Why not use the built-in SOCKS proxy in ssh? Run ssh -N -D 8080 <home-machine> then point your Firefox setup to localhost port 8080 as a SOCKS proxy. Then you can ditch the HTTP proxy on your home machine.
I also remote-forward a pseudo-random high port on that remote workstation at home to port 22 on my work desktop machine, giving me the ability to SSH *back in* to work from home
That's a really bad idea. You're just asking to get fired.

Re:Gotta love SSH tunneling (1)

The Blue Meanie (223473) | more than 8 years ago | (#14514993)

Why not use the built-in SOCKS proxy in ssh? Run ssh -N -D 8080 <home-machine>
Because my SSH client doesn't appear to have it:
$ ssh -N -D 8080 my.home.machine
Usage: ssh [options] host [command]
Options:
... etc etc etc ...
It's no biggie, my current setup works fine. But I have to admit that's a pretty cool feature. It's probably specific to OpenSSH. We aren't using OpenSSH here and I don't use it at home.
That's a really bad idea. You're just asking to get fired.
Not really. The company hasn't had an Information Security Policy since I started. We're in the middle of drafting one right now. Guess who's writing it? Yep, ME. And as for our last audit, I was the one working with the auditors. We passed.

For everyone who thinks I'm putting the company at risk:
1) My machine at home is behind a firewall. A real, separate, dedicated, hardware firewall - not some wanna-be software filter running locally.
2) I know for a fact there are people running Kazaa on their desktop machines here at work. Yes, the new ISP will address that issue.

Re:Gotta love SSH tunneling (1)

SaDan (81097) | more than 8 years ago | (#14515984)

For everyone who thinks I'm putting the company at risk:
1) My machine at home is behind a firewall. A real, separate, dedicated, hardware firewall - not some wanna-be software filter running locally.
2) I know for a fact there are people running Kazaa on their desktop machines here at work. Yes, the new ISP will address that issue.


Your company is absolutely at risk. You work there, and are apparently writing policies that concern some aspects of security.

I really hope someone in management knows your Slashdot ID.

Re:Gotta love SSH tunneling (1)

nharmon (97591) | more than 8 years ago | (#14538600)

My first thought was that I hope my mutual funds don't own any stock in his company. Then I came to the conclusion that he probably doesn't work for a publicly-traded company. If he did, they would not have passed a sarbox audit.

I'm trying to figure out who is most at fault. His employer for not taking IT seriously...him for violating good security practices...or the company they hired to "audit" him who passed him without an existing IT policy.

Re:Gotta love SSH tunneling (1)

The Blue Meanie (223473) | more than 8 years ago | (#14545118)

Then I came to the conclusion that he probably doesn't work for a publicly-traded company.
Tell you the truth, I actually don't know. I'd wager you're right, we're probably privately held.
... who is most at fault. His employer for not taking IT seriously...him for violating good security practices...or the company they hired to "audit" him who passed him without an existing IT policy.
All of the above. IT *isn't* taken seriously here, you're right. That will change soon, I can assure you. For lots of reasons.

As for the audit, I/my division passed, but other divisions didn't fare so well. On the Windows side of the house, where the auditors discovered that the administrator password on a publicly exposed Citrix server was just the company name, and that there was a trust relationship between it and the internal systems... Well, hey, they didn't pass. Imagine that. Oh, and the password on all the external routers was the same. Yay.

I'm genuinely curious, though, and looking for a sane, reasoned response like this one was. Aside from the fact that my SSH usage doesn't use the "company-purchased-and-installed" VPN solution, how is the creation/use of an SSH-encrypted tunnel over the Internet between two identically hardened, identically firewalled UNIX systems a "bad security practice"? The VPN users ride the same public Internet that I do. They have to use the same passwords to authenticate that I do. And most of our VPN user connections originate from unsecured, unfirewalled Windows systems (think laptops/road warriors). What is the magic of a VPN that miraculously makes it perfect and infallible, while SSH is simultaneously security swiss cheese and 100% unacceptable? Is the sole objection to tunnelling the fact that it isn't sanctioned, or is there a genuine, TECHNICAL fallacy here that I'm overlooking? I admit my solution isn't sanctioned. That's a political battle for me to deal with when and if it becomes an issue. What's the technical objection, if there is any? I'm 100% serious - I admit I may be ignorant, so educate me. Oh, and saying "If you don't just KNOW the answer, you shouldn't have anything to do with security, you stupid git!" not only avoids the question, it's flamebait to boot.

Re:Gotta love SSH tunneling (1)

ReluctantBadger (550830) | more than 7 years ago | (#14547376)

... Aside from the fact that my SSH usage doesn't use the "company-purchased-and-installed" VPN solution, how is the creation/use of an SSH-encrypted tunnel over the Internet between two identically hardened, identically firewalled UNIX systems a "bad security practice"?

But the point is, this is from your personal box at home. What if that system gets compromised and an attacker comes in to your corporate network through your box and your ADSL connection's IP? Seriously, if it was me, I would never open myself up to such liability. Yes, users might get their officially assigned work laptops compromised and an attacker piggybacks on the approved VPN into your corporate network from their homes, but they will not be personally liable - any attempt to take civil/criminal action against an employee using the approved & sanctioned equipment would be thrown straight out of court (unless they have been grossly negligent or deliberately malicious).

The VPN users ride the same public Internet that I do. They have to use the same passwords to authenticate that I do. And most of our VPN user connections originate from unsecured, unfirewalled Windows systems (think laptops/road warriors). What is the magic of a VPN that miraculously makes it perfect and infallible, while SSH is simultaneously security swiss cheese and 100% unacceptable? Is the sole objection to tunnelling the fact that it isn't sanctioned, or is there a genuine, TECHNICAL fallacy here that I'm overlooking?

I do not know of any TECHNICAL reasons for not using OpenSSH in the way you describe at this time of writing. I use OpenBSD on most machines and nearly everything gets passed over OpenSSH at some point - I configure it with public key auth & protocol 2 only, no root logins, privsep & maxauthtries enabled and appropriate legal warning banners. My main concern is that you are burrowing through your corporate firewall (and bypassing the management approved remote access solution, regardless of how crap it might be) without permission to your home machine leaving a backdoor into the corp net which you can use whenever you want.

I admit my solution isn't sanctioned. That's a political battle for me to deal with when and if it becomes an issue.

I've got no idea quite how senior you are, but I think it would more a battle for keeping your job rather than some internal pissing match.

Just bear in mind that it can be professionally embarrassing and career hindering if one of your personal systems gets compromised, especially if you are the InfoSec officer in your company. And don't forget, you should lead by example - If you flout the rules then your staff will too and all those months spent writing policies, standards and procedures will have been for naught. You really should conduct a risk analysis so that you fully understand what your exposure is.

I am the OP for this [slashdot.org] and this [slashdot.org] (couldn't be arsed to login before) to put my reply into context.

Re:Gotta love SSH tunneling (1)

nharmon (97591) | more than 7 years ago | (#14550923)

I agree that your SSH tunnel is just as encrypted as the VPN that the others use. I also agree that the unsecured PCs that the VPN users access your company's network with pose a greater security risk. But what you are missing is that the measure of a system's security is in how it responds to misuse. Your SSH tunnel is insecure because misuse of that tunnel would not be easily spotted by others.

Re:Gotta love SSH tunneling (1)

The Blue Meanie (223473) | more than 7 years ago | (#14551216)

First, thank you for a reasoned and sane response.

This sounds very similar to the feedback I got from a friend/ex-coworker who is now a paid security consultant. The way he explained it was (paraphrasing): "While you may have taken steps to mitigate the risk of use of the SSH tunnels as an attack vector, and while that mitigation may even be stronger than what's in place for the VPN/home user/travelling laptop attack vector, the fact that those responsible for securing the enterprise are unaware of the SSH attack vector's existence tends to make it a higher risk factor because it is neither being monitored nor responded to if such an attack occurs."

So it looks like I'll be discussing my requirements with those responsible for the VPN yet again, and seeing if they'll either 1) fix the damn VPN client, or 2) acknowledge/approve my solution. But I remain firmly convinced that I'm far and away the most security-conscious person that works here. Period. Sigh.

Re:Gotta love SSH tunneling (1)

agm (467017) | more than 8 years ago | (#14514843)

I do the same. In my case it's to get around the firewall of a client of mine who changed from a PPTP VPN solution to a proprietary one that I just can't get working on Gentoo from home. They understand that if they want me to work from home (which is 200km away) then I need access to their network.

I have a reverse ssh tunnel setup from an office computer (also running Gentoo). I use autossh (which I highly recommend) which ensures that the reverse ssh tunnel is always up. Even if my machine is rebooted or my dynamic IP changes, the office computer still establishes the remote SSH tunnel (with the help of dyndns).

Through this tunnel I forward port 5900 (VNC) and 3389 (for rdesktop usage). Forwarding additional ports through the tunnel is a simple matter of doing a:

ssh -L :: -L -p localhost cat -

Works very well, is ultra reliable and fast. Also a darn sight more secure (IMO) than the VPN solution. The VPN solution is still only as secure as the usernames and passwords. To hack my reverse ssh you'd have to somehow hack the dyndns entry to point my domain name to your machine, then somehow get my private/public ssh key pair AND know my username and password.

Re:Gotta love SSH tunneling (1)

agm (467017) | more than 8 years ago | (#14514865)

Slashdot didn't convert the "<" tags from the command. it should be:

ssh -L <local port>:<internal address of remote computer to forward to>:<remote port> -p <local reverse tunnel port> localhost cat -

Re:Gotta love SSH tunneling (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14516533)

How would you set up a remote-forward back to your home box so you can ssh back in?

Re:Gotta love SSH tunneling (1)

The Blue Meanie (223473) | more than 8 years ago | (#14525513)

Since this was supposed to be a How-To article, all pissing and moaning about security concerns aside, here's my two configs, obfuscated as is obviously necessary:

Work-side
---------
proxy:
Host unix.machine.home
LocalForward 8080:unix.machine.home:8080
LocalForward 5900:windows.machine.home:5900
RemoteForward 127.0.0.1:45678:127.0.0.1:22

The 8080 LocalForward lets me hit the proxy running on unix.machine.home.
The 5900 LocalForward lets me use VNC to access windows.machine.home.
The 45678 RemoteForward lets me "call back" to the work machine on port 22 (ssh, of course).
LocalForward by default binds to 127.0.0.1. I also specifically use 127.0.0.1 bindings on the RemoteForward to restrict access to the tunnel to people who are already on the system. In a perfect world, that's just me.

Home-side
---------
callback:
Host localhost
Port 45678
LocalForward 1580:backup.server.work:1580
LocalForward 8080:nagios.server.work:80
LocalForward 143:exchange.server.work:143

This "calls back" using the outbound tunnel established from work.
The 1580 LocalForward lets me reach my backup server to operate the tape backup system.
The 8080 LocalForward lets me view my Nagios monitoring system.
The 143 LocalForward lets me get to my Exchange E-Mail (over IMAP).
As mentioned, LocalForward binds to 127.0.0.1 for listening, leaving these tunnels only accessible to people with shell-level access to the machines involved (again, that should just be me).

Clean, effective, and very useful. I can basically be just as productive sitting at home as sitting in front of the workstation at work.

Re:Gotta love SSH tunneling (1)

cellaboy (746571) | more than 8 years ago | (#14517679)

I mainly use SSH at work to establish a connection to my mailserver for Thunderbird and occasionally for some quick admin but I've never properly looked at web browsing. One of my colleagues has though and he gave up because he couldn't forward DNS queries, is this right or is there a workaround ?

Here's one... (3, Informative)

Anonymous Coward | more than 8 years ago | (#14514191)

1. Set up usual SSH session settings in Putty
2. Go to Connection -> SSH -> Tunnels
3. Add new forwarded port. Source Port: 1080, Destination: [blank], DYNAMIC (this is important), Auto. Click on Add.
4. In Firefox or any other program that supports a SOCKS proxy, enter host 127.0.0.1 (localhost) with port 1080.

That's it. You'll then be using your SSH connection like a SOCKS proxy.

Re:Here's one... (1)

Tanmi-Daiow (802793) | more than 8 years ago | (#14515597)

You forgot a step or two:

5. ???
6. Profit!

SOCKS tunnel with Open SSH (1)

Chris Pimlott (16212) | more than 8 years ago | (#14516257)

To do the same with the command line OpenSSH client:

ssh -N -f -D 1080 <user@host>

-D 1080 does the dynamic socks forwarding.
-N says don't run any command on the remote machine
-f says go into the background after asking for password

Works great for Yahoo IM; haven't tested others.

Re:Here's one... (0)

Anonymous Coward | more than 8 years ago | (#14516458)

I'm not much of a networking technie type but I have some idea what a SOCKS proxy does?

What does this accomplish though? All I can see, is that it just makes browsing safe from local computers hacking your connection and from trojans which may have infected your computer from snooping or controlling your browser sessions (though this is not necessarily a bad thing, I'd actually prefer this method).

Is there something else I'm missing on what this accomplishes?

Re:Here's one... (3, Informative)

spectral (158121) | more than 8 years ago | (#14516846)

normal ssh forwards are one-source, one-destination. There are options to allow the entrypoint to the tunnel to come from !localhost, (i.e. I set up an ssh connection from me to my friend, with a tunnel from me to google.com, and now anyone who can connect to me can use that same tunnel to connect to google.com), but normally it really is a one-off thing.

127.0.0.1:1000 goes to www.google.com:80
127.0.0.1:1001 goes to www.porn.com:80
127.0.0.1:1002 goes to www.slashdot.org:80

what using a SOCKS-mimicking "proxy server" allows you to do is to make it so that the requesting application requests the destination, instead of you setting it up and then pointing your computer at a special address. The requesting socks-aware application is like "Hmm, to get to login.messenger.yahoo.com:3697, I must use this special protocol and send stuff really to a connection at 127.0.0.1:4280. I'll do that."

So it connects to that, PuTTY sends it down the wire to my friend, and my friend's computer sends it to login.messenger.yahoo.com, port 3697.

magically. :)

Ooh! Where To Begin. (1, Informative)

Anonymous Coward | more than 8 years ago | (#14514223)

Here's how I do it.

ssh -CX user@host.your.domain
password:
user@host$ konqueror&


Or do you want to portforward your browsing?

After setting up a proxy server like squid on your home machine...

ssh -L 8080:localhost:80 host.your.domain

This Ask Slashdot really should be answered with RTFM or Google!

ISC at sans (1)

QuantumRiff (120817) | more than 8 years ago | (#14514306)

the Internet Security Center at sans.org had an interesting article [sans.org] about getting ready for defcon.. (in order to protect your privacy) While it does not go into very detailed how-to's, it does give a hell of a paranoid BOFH type mindset for defcon. There are some basic guidelines for secure connections using tunneling over SSL in that discussion..

SSH tunnels in Windows (and one-liner for *nix) (2, Informative)

thomasdn (800430) | more than 8 years ago | (#14514332)

Some time ago I wrote a little guide on SSH tunnels with PuTTY [thomasdamgaard.dk] .
This guide also describes how to set up an SSH tunnel in Linux.

SSL Explorer (2, Informative)

beernutz (16190) | more than 8 years ago | (#14514369)

Check out SSL Explorer [sourceforge.net] . It has a windows and linux installer, is easy to use, and is java based, so the client runs pretty much everywhere.

Here's mine (4, Informative)

Dadoo (899435) | more than 8 years ago | (#14514378)

We use this actual script (plus a few things I had to edit out for anonymity's sake).

Assuming a Linux machine at each end, here's the script for the machine that initiates the connection:

        while true; do
                pppd nodetach lcp-echo-failure 4 lcp-echo-interval 120 \
                        pty 'ssh receiver -T -l user'
                sleep 10
        done

Where receiver is the public IP address of your receiving machine and user is the username on that machine. The while loop automatically reconnects if you get disconnected.

Here's the script for the machine that receives the connection:

        pids=`ps -e -opid,command | grep "pppd local:remote" | \
                grep -v grep | awk '{print $1}'`

        if [ "$pids" != "" ]; then
                echo "Found pre-existing connection. Killing pids: $pids" >> ppp.log
                kill -15 $pids
                sleep 5
        fi

        pppd local:remote netmask 255.255.255.252 passive \
                notty nodetach

Where local is the local end of your PPP link and remote is the remote end of your PPP link. You'll want to call this script from user's .profile. Remember, this is a private link, so you'll probably want local and remote to be internal addresses, i.e. 192.168.x.x.

My setup (2, Informative)

Evro (18923) | more than 8 years ago | (#14514382)

Set up squid on your linux box, listening e.g. on port 3128. Verify that this is working by setting your browser to use it.

To get the tunnel working, I forget the exact settings in putty but there's a section for tunnels, tell it to create a tunnel from local port 8128 to remote machine's port 3128. Then set your browser to use "localhost:8128" as your proxy.

The way to set up a tunnel between two Unix boxes (for me) is ssh -L 8128:192.168.0.1:3128 remote-host.

Rewriting & Encrypted Proxy? (2, Informative)

Jherek Carnelian (831679) | more than 8 years ago | (#14514432)

I'm just guessing, but wouldn't ssh tunnels be readily identifiable if a smart network admin wanted to look for them?

I'd like to run to a web-proxy at home that I can just point my browser to ala:

https://mycablemodem.cable.net:4567/ [cable.net]

that will then access any website and rewrite any internal links to go back through the proxy itself, so for example:

http://www.yahoo.com/ [yahoo.com] becomes https://mycablemodem.cable.net:4567/http://www.yahoo.com/ [cable.net]

Anyone got a good, robust re-writing proxy tool like that? Preferably with at least some sort of minimal security to prevent joe-random from using it without a login/password.

Re:Rewriting & Encrypted Proxy? (1)

ceoyoyo (59147) | more than 8 years ago | (#14514585)

Why not just tell SSH to run on port 80 on your home machine? If your sysadmin is looking closely he's still going to wonder what's so good on mycablemodem.cable.net:4569 that you're constantly browsing it anyway.

Re:Rewriting & Encrypted Proxy? (1)

Jherek Carnelian (831679) | more than 8 years ago | (#14514733)

Why not just tell SSH to run on port 80 on your home machine?

Gotta run through the outgoing proxy at site. I'm presuming that an https proxy won't do generic ssh proxying.

Re:Rewriting & Encrypted Proxy? (1)

nocomment (239368) | more than 8 years ago | (#14514892)

Not only that, but the state of a typical browser request doesn't last for 9 weeks. ;)

Re:Rewriting & Encrypted Proxy? (2, Informative)

Daniel Boisvert (143499) | more than 8 years ago | (#14515197)

Running it on port 443 is a better idea, because corporate proxies & things like Microsoft's ISA Server expect to see SSL-encrypted traffic on that port. They often disallow encrypted traffic on port 80.

Re:Rewriting & Encrypted Proxy? (1)

mikek3332002 (912228) | more than 8 years ago | (#14517657)

Try apache and mod_proxy perhaps?

Re:Rewriting & Encrypted Proxy? (1)

Ecks (52930) | more than 8 years ago | (#14528566)

> I'm just guessing, but wouldn't ssh tunnels be readily identifiable if a smart network admin wanted to look for them?

No, the port forwarding is done within the encrypted channel. Rather than thinking of ssh as a terminal session protocol that uses encryption you really should be seeing it as a protocol for creating an encrypted pipe between two arbitrary nodes. This protocol uses the terminal session authentication methods of the destination. The entire contents of an ssh session are hidden using good strong encryption. A terminal session is just one defined use of the encrypted pipe.

Many security admins don't like ssh because of the port forwarding but realize that they have to take some bad, port forwarding, with the good, secure connectivity for external administration with strong encryption.

--Ecks

Re:Rewriting & Encrypted Proxy? (1)

Jherek Carnelian (831679) | more than 7 years ago | (#14551268)

> I'm just guessing, but wouldn't ssh tunnels be readily identifiable if a smart network admin wanted to look for them?

> No, the port forwarding is done within the encrypted channel.

You said what I said.

I don't want to pin up a session for days or weeks, I want it to look like a normal https session - put it up, do a transfer, tear it down. Leaving it pinned up for long periods with sporadic traffic is bound to draw attention to it.

Once more (1)

SocialEngineer (673690) | more than 8 years ago | (#14514433)

Second time I've posted my guide this week.

clicky [the-engine.org] .

No tutorial, just usage (1)

Roadkills-R-Us (122219) | more than 8 years ago | (#14514454)

We're almost all linux at work, but have a handful of Windows systems, including a server. At home, I'm all Linux. I don't want to run VNC at work, because I don't really need all my desktop stuff at home, I just need to monitor a handful of web pages that monitor the network or access web interfaces that control things. So I tunnel several ports locally at home to those web servers. That way at home I just use a URL like "http://localhost:6809/nagios/" to access the nagios server at work running on whatever port it's on.

I also tunnel a port to port 3389 on the Windows server. That way something like "rdesktop localhost:23389" gives me a remote desktop to the server at work so I can maintain that server from home as easily as I do the *nix servers via the command line.

Really Good SSH Tunneling Tutorial (3, Informative)

cyranoVR (518628) | more than 8 years ago | (#14514581)

http://souptonuts.sourceforge.net/sshtips.htm [sourceforge.net]

Really good for the beginner - includes information on accessing Samba shares over ssh.

The only way to do work (3, Interesting)

Fred Nerk (128328) | more than 8 years ago | (#14514654)

I work in a large telco whose security policy is to restrict everything unless explicitly allowed, and the process to get anything allowed is a 3 month long waste of time.

I also have an ssh tunnel established from my work PC to my home connection, and I run pppd over that to create a VPN between my home network and the network at work. I realise that this is probably completely against company policy, but the "official" VPN solution only lets me hit the Exchange server, and doesn't let me actually do any work. Most of the company's "work" involves forwarding emails, so it's probably fine for them.

Unfortunately tcp over tcp is really quite nasty (http://sites.inka.de/sites/bigred/devel/tcp-tcp.html [sites.inka.de] ) but as nothing else but ssh is allowed out of the firewall at work, I don't have a lot of choice.

A howto that I found quite helpful is at http://www.tldp.org/HOWTO/ppp-ssh/ [tldp.org]

Anyway.. on to my anecdote (not required reading):

Part of my job involves working on a distributed monitoring system which is deployed in a star topography around the country. All the remote sites send & receive data from one central site (with one redundant central site) using a variety of protocols, like ssh, xmlrpc, dns, telnet, snmp, syslog, etc.

The network was designed by people who were given a set of instructions like "You will use these 2 vendor's systems" and "You must follow these corporate security policies which were written 10 years ago for phone networks", so it's terrible by today's standards (and for an ISP in general).

There are firewalls between all of my boxes, even though all my boxes are on the management lan, and they only allow a very small set of protocols through - not enough to let my software work. That wasn't the worst part. The worst was that the firewalls are also protecting the billing network so have very low tolerances for intrusion detection and flood protection and such. Basically I can only establish 5 connections per second *across the entire network*. This is clearly not enough for a busy monitoring system. So we decided to build a VPN between all of my boxes using ppp on ssh tunnels.

I now have a separate ppp interface from the central server to each of the remote datacenter servers, all on the 10.0.0.0/16 network. ip forwarding is enabled on the central site, so now remote datacenters can talk to each other (also blocked by the firewalls) and I can use all the connections I need to. I'm running quagga ( http://www.quagga.net/ [quagga.net] ) on every remote datacenter and the central servers (along with the redundant one) so I can distribute routes to remote datacenter devices and cope with the death of one of the central servers without major service interruption.

However it really is quite slow. I can only get around 200kb/s over each ppp interface even though the physical links are 100+mbit each. But I really don't need huge bandwidth, just some that isn't firewalled.

This "solution" has been in production for 6 months now, and I'm sure as soon as the corporate security people find out they will shut it down and I'll go back to not being able to do my job.

Re:The only way to do work (1)

nharmon (97591) | more than 8 years ago | (#14538632)

Your employer only allows things that are formally requested, yet you were able to get them to allow SSH to your home PC?

Linux Server Hacks (1)

MarkusQ (450076) | more than 8 years ago | (#14514662)


There are some cute tricks in O'reilly's "Linux Server Hacks" [oreilly.com] which, taken together, can leave you with a pretty sweet setup. #52,#53,#66-#71 are all worth checking out.

--MarkusQ

Use PuTTY's 'dynamic' tunneling mode (2, Informative)

zsazsa (141679) | more than 8 years ago | (#14514778)

I'm assuming you're on a Windows box. PuTTY's dynamic tunneling mode is the absolute easiest way to tunnel your traffic: it doesn't require setting up a proxy server on the remote system! All you need is an sshd on a server somewhere that allows tunnels. When using dynamic tunneling, PuTTY acts as a local SOCKS proxy. So, just set your browser and other net apps to use a SOCKS proxy on localhost on the port you specify in PuTTY, and you're good to go.

Here's how to do it, using the latest PuTTY and Firefox versions:
1. Configure PuTTY. Start PuTTY and put in the address of your host server to connect to on the first screen. In the menu on the left, pick 'Tunnels' from the tree. Under 'Add new forwarded port:' put in 1080 (this is pretty arbitrary, but 1080 is the "official" SOCKS port). Leave 'Destination' blank and choose the 'Dynamic' radio button. Feel free to go back to the 'Session' entry on the menu tree on the left if you wish to save a session so you don't have to do this every time.

2. Configure Firefox. Under Preferences, click the 'Connection Settings' button from the main 'General' options. Click 'Manual Proxy configuration:' and under 'SOCKS Host' put in localhost with port 1080. Click OK and try to surf. You should now be being routed through your Linux host. You can go to whatismyip.com to verify you're being routed through your host's IP address.

(I'm pasting this howto from one I wrote on another site [metafilter.com] )

Re:Use PuTTY's 'dynamic' tunneling mode (0)

Anonymous Coward | more than 8 years ago | (#14521475)

This works with OpenSSH as well...
From the manual page:

          -D port
                  Specifies a local ``dynamic'' application-level port forwarding.
                  This works by allocating a socket to listen to port on the local
                  side, and whenever a connection is made to this port, the
                  connection is forwarded over the secure channel, and the application
                  protocol is then used to determine where to connect to from the
                  remote machine. Currently the SOCKS4 and SOCKS5 protocols are
                  supported, and ssh will act as a SOCKS server. Only root can
                  forward privileged ports. Dynamic port forwardings can also be
                  specified in the configuration file.

Re:Use PuTTY's 'dynamic' tunneling mode (1)

petermgreen (876956) | more than 8 years ago | (#14523022)

just to let you know openssh has had that feature a LOT longer than putty has (nice feature too).

SSH on port 443 (2, Informative)

Anonymous Coward | more than 8 years ago | (#14514830)

Another trick to get through corporate firewalls is to place your SSH server at home on port 443 - the HTTPS port.

Since both SSH and HTTPS use SSL, it is very hard for a corporate firewall to tell the difference, so often you can punch through in this way if your employer does not allow you to SSH out on the normal port.

Of course, by doing so you may be violating your company policies and opening yourself up to being fired - so don't blame me if you are.

Also, if you want to keep the script kiddies from trying to brute force your SSH server, run it on a non-standard port (to protect it from scripts) and turn OFF password authentication - force the use of a keypair to log in.

That last bit is important, so I will repeat it:

Turn OFF password authentication - force the use of a keypair to log in.

I'd've made that ALL CAPS if the lame filter (err, lameNESS filter) had let me.

Using a non-standard port is no subsitute for actually SECURING the server, but it does play a role in keeping the RiffRaff out - and after what Riff did to Frankie I don't want him in here.

(Posted anon since several people at work read Slashdot.)

Re:SSH on port 443 (2, Informative)

mmogilvi (685746) | more than 8 years ago | (#14516174)

And the easy way to do put ssh on port 443 is to put multiple "Port" lines in your /etc/sshd_config file on your server:
Port 22
Port 443
Then you can still access it on the standard port (22) when it isn't blocked by a firewall.

Re:SSH on port 443 (0)

Anonymous Coward | more than 8 years ago | (#14516378)

(Posted anon since several people at work read Slashdot.)

I still know who you are without the AC. Dammit, boy, get back to work!

Re:SSH on port 443 (1)

Tuck (41529) | more than 8 years ago | (#14543359)

Since both SSH and HTTPS use SSL, it is very hard for a corporate firewall to tell the difference
SSH (the protocol) doesn't use SSL (the protocol). One common SSH implementation (OpenSSH) uses the crypto libraries of one common SSL implementation (OpenSSL).

It would be trivial for a corporate firewall to distinguish between HTTPS connections and SSH connections on port 443 (SSH connections all start with the identifier "SSH-") but in practice most don't.
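The distinction Tuck describes can be checked against the first bytes a client sends. Added example, not code from anyone in the thread: it classifies constructed opening bytes of port-443 streams as SSH (RFC 4253 identification line), TLS (record header plus ClientHello) or plaintext HTTP, the same check a proxy or IDS would apply; the client addresses and banners are constructed.

```python
"""Tell SSH from TLS by the first bytes a client sends on a port.

Added example, not code from the thread.  SSH (RFC 4253) begins with the
plaintext line "SSH-<protoversion>-<softwareversion>"; TLS begins with a
record header (type 0x16, version 0x03 0xNN, 2-byte length) whose first
handshake message is a ClientHello (0x01).  All sample streams are constructed.
"""
import re
import struct

SSH_BANNER = re.compile(rb"^SSH-(\d+\.\d+)-(\S+)")
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|OPTIONS|CONNECT) \S+ HTTP/")
TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01


def classify(first_bytes):
    """Return the protocol the opening bytes of a client stream belong to."""
    m = SSH_BANNER.match(first_bytes)
    if m:
        return {"protocol": "ssh",
                "version": m.group(1).decode("ascii"),
                "software": m.group(2).decode("ascii", "replace")}
    # TLS record layer: content type, major/minor version, record length,
    # then the first handshake message type.
    if (len(first_bytes) >= 6 and first_bytes[0] == TLS_HANDSHAKE
            and first_bytes[1] == 0x03):
        (rec_len,) = struct.unpack("!H", first_bytes[3:5])
        hs = first_bytes[5]
        return {"protocol": "tls",
                "record_version": "3.%d" % first_bytes[2],
                "message": "client_hello" if hs == TLS_CLIENT_HELLO
                else "handshake_0x%02x" % hs,
                "record_len": rec_len}
    if HTTP_REQUEST.match(first_bytes):
        return {"protocol": "http"}
    return {"protocol": "unknown"}


# Constructed samples of what three clients sent first on port 443:
# a TLS ClientHello, an SSH banner, and an unencrypted HTTP request.
SAMPLE_CONNECTIONS = [
    ("10.1.2.3", b"\x16\x03\x01\x00\xc2\x01\x00\x00\xbe\x03\x03" + b"\x00" * 32),
    ("10.1.2.9", b"SSH-2.0-OpenSSH_4.3\r\n"),
    ("10.1.2.12", b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]


def audit(connections):
    """List (client, protocol) for every port-443 stream that is not TLS."""
    flagged = []
    for client, first_bytes in connections:
        proto = classify(first_bytes)["protocol"]
        if proto != "tls":
            flagged.append((client, proto))
    return flagged


if __name__ == "__main__":
    for client, proto in audit(SAMPLE_CONNECTIONS):
        print("%s: %s on 443" % (client, proto))
```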

Cygwin and x-forwarding (1)

tscheez (71929) | more than 8 years ago | (#14515005)

Install cygwin with the X server. log in to your box at home with ssh -X user@host and use the firefox version you have on the box there. you could pretty much work off any box with that setup.

Re:Cygwin and x-forwarding (1)

UtucXul (658400) | more than 8 years ago | (#14521158)

Install cygwin with the X server. log in to your box at home with ssh -X user@host and use the firefox version you have on the box there. you could pretty much work off any box with that setup.
I basically do that on the occasions when I need to use firefox from my home machine at work or vice versa (except that it is GNU/Linux on both ends for me). The problem is that this is very very slow (DSL line at home). Some programs like emacs, jpilot, xv, and gaim are slow but usable. Firefox however just hurts to use.

How about stunnel? (2, Informative)

syntax (2932) | more than 8 years ago | (#14515398)

You might also look into stunnel [stunnel.org] . It acts more like a traditional daemon with conf file, and also has the neat feature of being able to turn any service into its standard ssl equivalent, if that exists, which is useful for things like imap/pop/http.

autossh for restoring ssh connections (1)

thechuckbenz (526254) | more than 8 years ago | (#14516153)

And if you have occasional problems with ssh sessions being interrupted, use autossh (which requires keys to work properly - and that's a good thing).

What about DNS lookups? (1)

Goyuix (698012) | more than 8 years ago | (#14516227)

One question that has always been in the back of my mind, but I have never bothered to actually hook up a packet sniffer and watch, what about DNS queries?

Most corporations have internal DNS servers, that they could certainly log your suspicious requests (or even hijack and re-route) to various nefarious sites. Does Firefox (Mozilla) route the DNS requests through the tunnel as well somehow? I thought SSH could only do TCP forwarding, so I seem to be missing something. Unless somehow the SOCKS proxy is doing the requests on the other end of the tunnel and bringing them back.

Anyone actually sniffed the traffic to see if DNS is still vulnerable to corporate annoyances?

Re:What about DNS lookups? (1)

Mage Powers (607708) | more than 8 years ago | (#14516413)

HTTP proxying requests like GET http://slashdot.org/ [slashdot.org] HTTP/1.1 and DNS *can* be done with TCP requests.

Re:What about DNS lookups? (1)

PGillingwater (72739) | more than 8 years ago | (#14518508)

Oh, you mean this. [freshmeat.net]

DNS happens at the proxy (0)

Anonymous Coward | more than 8 years ago | (#14525918)

If you're using SOCKS, DNS lookups are done by the proxy, not the client.

Re:What about DNS lookups? (1)

isham (91025) | more than 8 years ago | (#14600582)

From the little bit of poking around that I have done - NO!
all the http traffic is sent through the proxy, but DNS requests aren't.

One solution is to use pppd over ssh to do a "poor-man's VPN", then
set your resolv.conf to use a DNS server over the "VPN" rather than
the local one.

This seems indirect, and there may be a better way, but it works.
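The "special protocol" spectral describes earlier in the thread is SOCKS5 (RFC 1928), and the DNS question here comes down to one byte in its CONNECT request. Added example, not code from anyone in the thread: it builds and decodes SOCKS5 CONNECT requests for constructed targets, showing that a client which sends the hostname (ATYP 0x03) leaves the lookup to the far end of the `ssh -D` tunnel, while a client that sends an IP address (ATYP 0x01 or 0x04) has already resolved the name through the local resolver.

```python
"""SOCKS5 CONNECT requests (RFC 1928) as a browser sends them to `ssh -D`.

Added example, not code from the thread.  The address type (ATYP) byte in
the request decides who resolves the hostname: with ATYP 0x03 the name goes
into the tunnel and the SSH remote end resolves it; with ATYP 0x01/0x04 the
client has already done the lookup itself, outside the tunnel.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


def build_connect(host, port, remote_dns=True):
    """Encode a SOCKS5 CONNECT request for host:port.

    With remote_dns=True a hostname is sent verbatim (ATYP 0x03), which is
    what browsers expose as "proxy DNS when using SOCKS v5".  With
    remote_dns=False the caller is expected to have resolved the name
    already; a non-literal host is rejected instead of being looked up here.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        if not remote_dns:
            raise ValueError("resolve %r locally first, or enable remote_dns" % host)
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5")
        body = bytes([ATYP_DOMAIN, len(raw)]) + raw
    else:
        atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
        body = bytes([atyp]) + addr.packed
    # VER, CMD, RSV, then ATYP + DST.ADDR, then DST.PORT in network order.
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def decode_connect(pkt):
    """Decode a CONNECT request and report who resolves the destination.

    Returns {"host", "port", "resolved_by"}; resolved_by is "proxy" when the
    request carries a hostname and "client" when it carries an IP address.
    """
    if len(pkt) < 7 or pkt[0] != SOCKS_VERSION or pkt[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    if pkt[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here")
    atyp = pkt[3]
    if atyp == ATYP_DOMAIN:
        n = pkt[4]
        host, off, who = pkt[5:5 + n].decode("idna"), 5 + n, "proxy"
    elif atyp == ATYP_IPV4:
        host, off, who = str(ipaddress.IPv4Address(pkt[4:8])), 8, "client"
    elif atyp == ATYP_IPV6:
        host, off, who = str(ipaddress.IPv6Address(pkt[4:20])), 20, "client"
    else:
        raise ValueError("unknown ATYP 0x%02x" % atyp)
    if len(pkt) != off + 2:
        raise ValueError("request length does not match address type")
    (port,) = struct.unpack("!H", pkt[off:off + 2])
    return {"host": host, "port": port, "resolved_by": who}


if __name__ == "__main__":
    # Constructed targets: the Yahoo IM login host mentioned in the thread,
    # and a LAN squid address like the one in Evro's example.
    for target in (("login.messenger.yahoo.com", 3697), ("192.168.0.1", 3128)):
        req = build_connect(*target)
        print(req.hex(), decode_connect(req))
```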

Also SocksCap (1)

ljnelson (143073) | more than 8 years ago | (#14516338)

I too have followed the putty-as-socks-proxy route described by others.

For enabling stuff like iTunes, which doesn't know from SOCKS, try SocksCap [nec.com] .

Finally, I used to have a filter on my work machine's Outlook that would run a program when a message with a particular subject came in from me--the program would ssh-tunnel back to my home machine thus enabling me to log in to work from home, but also establishing the connection only when I wanted it.

Re:Also SocksCap (1)

aberson (461047) | more than 8 years ago | (#14519225)

need to watch out for trying to use VNC over sockscap. Whether it's the Java or the Windows client, both seem to open up connections outside of the tunnel - I think I was able to see them using netstat.

seems the only safe way to do it (for VNC anyway) might be to setup a static port forwarding and then use the VNC client to localhost:5900, etc.

Re:Also SocksCap (0)

Anonymous Coward | more than 8 years ago | (#14565961)

Just in case someone's still interested in SocksCap, it's moved to a new URL (I suspect the company was spun off Nec): http://socks.permeo.com/cgi-bin/download.pl [permeo.com]

small script for dynamic and resilient ssh tunnels (1)

chrisvdb (149510) | more than 8 years ago | (#14516977)

Below a small script that makes a dynamic (SOCKS) tunnel that automagically reconnects when your connection goes down for whatever reason... when you re-invoke the script while the tunnel is already up, then it gets killed and re-created.

Using this script my tunnel stays up for days in a row and I don't have to do anything when I move my machine from our corporate wired network to my personal wireless home network.

I use this script in combination with privoxy [privoxy.org] to ensure that dns requests are also done over the tunnel (as most browsers would otherwise leak dns requests).

Finally, the speed of the solution is about 50% of what I have with the proxy off... in my case my server is not the bottleneck, but it seems that connections are less parallelized when using this solution.

Cheers,
Chris.

My homepage [vandenberghe.org] .

---
#!/bin/sh
# Tear down any tunnel that is already up; the [a]utossh pattern keeps grep
# from matching its own command line in the ps output.
if ps aux | grep -q '[a]utossh'; then
                sudo -u me killall autossh
fi
# Load the key into the agent if its fingerprint is not listed yet.
if ! sudo -u me ssh-add -l | grep -q 82:54:1b:9e:47:b6:96:5f:52:e7:a9:fd:18:0a:c2:3b; then
                sudo -u me ssh-add
fi
# -D 10000: local SOCKS listener; -C: compression; -N: no remote command;
# -f: go to the background once the connection is up. autossh restarts it.
sudo -u me autossh -f -D 10000 -CN me@myserver.org

You can also run ppp over ssh (1)

riflemann (190895) | more than 8 years ago | (#14517444)

For the ultimate SSH tunnel (not limited by TCP ports and the like), it's actually possible to run a full PPP session over an SSH tunnel. As ssh can act as a pseudo-tty to the other end, ppp will happily communicate over it.

All you need are compatible pppd configs on each endpoint box (by this I mean they're setup that when they talk they authenticate and give IP addresses, etc), and tell pppd to use ssh as the serial link.

The magic line in your pppd configuration (/etc/ppp/peers/) is:

pty "/usr/bin/ssh -e none -c blowfish -t -X -l REMOTEUSER REMOTEHOST /usr/sbin/pppd passive"

You might want to run this from a terminal or use key based ssh authentication as you may have to deal with entering passwords, but overall it's quite impressive.

No need to screw around with IPSec and other crap - as it runs over ssh, it's encrypted anyway.

I've now got a full IP tunnel back to my home network (suitably protected with iptables), and can run stuff that's normally impossible behind a 'tcp only' work firewall. My SIP clients even connect and I'm able to take and make calls with my home Asterisk box.

Drop me a mail if you want more details. I should probably write a proper howto on this because it's so useful.

What about local proxy firewalls? (1)

Butterspoon (892614) | more than 8 years ago | (#14517660)

Suppose at the work location, you must route through a local proxy like Squid to get anywhere. (So the browser has to be configured to use the proxy to connect to anything and, amongst other things, putty.exe from the Windoze command line won't work.)

How do you set up a secure tunnel from workstation through proxy to remote host and then onward to the outside world?

Re:What about local proxy firewalls? (0)

Anonymous Coward | more than 8 years ago | (#14519506)

google for proxytunnel or connect.c

Re:What about local proxy firewalls? (1)

petermgreen (876956) | more than 8 years ago | (#14523066)

AFAICT the best way is to use the https port (443). It's very hard to get away with disallowing it and very hard to do any meaningful filtering of what flows over it. The vast majority of http proxies seem to allow http connects to this port.

Key Length (1)

ObsessiveMathsFreak (773371) | more than 8 years ago | (#14517947)

I've posted such a story to Slashdot twice with no success, so I'll take this opportunity to beg.

What length ssh keys should I use? 256? 512? 1024? 2048?

At what point is the line between secure, and paranoid crossed? How will key length impact performance?

public key encryption (0)

Anonymous Coward | more than 8 years ago | (#14524887)

Key length doesn't affect performance, since one of the first things the programs do is share a secret key so that they can use symmetrical encryption, which is much faster. As for safety, 512 bits is crackable with a lot of effort. 1024 bits should be safe today, but will be vulnerable in a few years if past hardware performance trends continue.

Re:Key Length (1)

Slashcrap (869349) | more than 8 years ago | (#14537694)

What length ssh keys should I use? 256? 512? 1024? 2048?

Use any length you want because I promise you that nobody is going to bother trying to crack even 56bit DES key just to read your data.

If you are worried that they will, it's just because you are massively overestimating your own significance.

Honestly, nobody cares. You're just not interesting enough. Sorry to break it to you.

RDP over SSH (1)

timbck2 (233967) | more than 8 years ago | (#14518521)

I'm using SSH in a fairly mundane way, but one I haven't seen anyone else mention here. I telecommute, and my ISP (DirecWay, unfortunately the only thing besides dial-up available to me where I live) blocks PPTP VPN. So instead to do remote administration, I run RDP over a PuTTY/SSH tunnel.

Re:RDP over SSH (1)

LeonardsLiver (885268) | more than 8 years ago | (#14523645)

Equally mundane, at work we use SSH to access production servers over the internet. We also use SSH tunnels to transmit EDI files.

SSH Tunnel (1)

aberson (461047) | more than 8 years ago | (#14519123)

http://www.rs4u.com/SSHTunnel/ [rs4u.com] - great ssh tunnel program for a windows client, alternative to having to setup and manually run putty. Sets up a tunnel, socks5 proxy, lives in your systray, totally clean.

A few good pieces of software (1)

michaelas (588213) | more than 8 years ago | (#14519358)

Tunnelier is about the best tunneling program out there:
http://www.bitvise.com/tunnelier.html [bitvise.com]

Also be sure to check out the SwitchProxy extension for Firefox:
http://mozmonkey.com/ [mozmonkey.com]

...Michael...

Re:A few good pieces of software (1)

stanleywinters (753484) | more than 8 years ago | (#14520271)

I'll second the use of Tunnelier. It makes tunneling from windows to linux a snap, gives me a shell, and an SFTP client. It even can let you use your own local FTP client and create a tunnel to a SFTP server.

Okay, how about an actual answer? (1)

pla (258480) | more than 8 years ago | (#14523141)

Since no one else bothered to give you, y'know, an answer, just endless links to tools that might or might not help you...

Specifically for SSH tunnels (without dealing with SSL), you basically have two choices: Manually authenticated, or pre-shared RSA keys (which you should use even for manually authenticated connections, but I'll leave that to your discretion)...

In the simplest case (manual authentication with no preshared key, and between any platforms for which a build of the standard OpenSSH tools exists), you just run:

ssh username@remotehost.foo.com -L localport:destination.bar.com:destinationport

And it works like magic... So for example, "ssh myname@mymailserver.org -L 110:mymailserver.org:110" will let "myname" check his email via a plain vanilla POP connection to localhost, which actually connects to "mymailserver.org" over a nice-n'-secure SSH tunnel. I use exactly that method to securely check my email on a BSD machine to which I have SSH access but no shell account (it has a menu-driven UI).

For pre-shared keys, you just need to run "ssh-keygen" to create two files, "identity" and "identity.pub". It will ask you for a password... If you hit return without typing a password, you'll have a passwordless key pair (suitable for automatic tunnelling - note that as long as you have absolute control of the "identity" file, this still gives you as much or arguably more (since it acts like a password no human would ever guess) security than using a password via an interactive session). You then add the identity.pub file to the authorized_keys file (usually in ".ssh" off your home directory) on any machine you want to connect to, and put the "identity" file on your USB keychain drive or what-have-you. Then, you can tell almost any SSH client to just use your "identity" file to authenticate the connection. Piece of cake.


The biggest difficulty arises if you don't have a standard suite of SSH tools available. For Windows, you have basically two (free) choices (for SSH2) - PuTTY (which doesn't have a sshd, so limits you to client-only) or the CygWin build of the OpenSSH tools. Those both have their shortcomings (I personally consider PuTTY about as friendly as a colonoscopy, and will still take it over anything CygWin).


That leaves just one part of your question unanswered - tunneled web browsing. All of the above works great to establish connections to fixed destinations, but not so well if you want to dynamically specify an endpoint (which unless you just want to keep reloading Slashdot over and over, web browsing will require varying destinations).

Short answer - Make your fixed endpoint go to a proxy server, and tell FireFox to use localhost (and whatever port you pick) as its proxy.