SSH Tunnels How-to? 98

Posted by Cliff
from the what-encryption-worms-build dept.
The_Spider asks: "I periodically browse the net and check web-mail at work, when I have the opportunity. I was wondering if anyone had a nice walkthrough on how to set up an SSH tunnel. I'm not 100% newbish to Linux but I don't know where to start. (I have a Fedora Core box at home for NAT & DHCP) I'm hoping to combine this for use with portable Firefox. I'm not too worried about security, but I love the notion of taking a portable and encrypted browser with me from place to place. Can Slashdot help?" While this might be a bit FAQ, I figure Slashdot anecdotes on the use of SSH tunnels might be a bit more user-friendly than, say, the several task-specific HOWTOs one can find via a Google search. Also, I'm sure that there are a few of you out there who have discovered interesting ways of using SSH tunnels, not covered by said HOWTOs. So, how are you using SSH tunnels, and can you explain them to those who have not yet discovered the value of their use?
  • by linuxkrn (635044) <(moc.nigolxunil) (ta) (nostawg)> on Thursday January 19, 2006 @07:16PM (#14514146)
    Got one of those on my website.

    Enjoy http://www.linuxlogin.com/linux/admin/sshtunnels.php [linuxlogin.com]
  • Try the HowTo... (Score:4, Informative)

    by Anonymous Cumshot (859434) on Thursday January 19, 2006 @07:20PM (#14514174)
    here: http://www.revsys.com/writings/quicktips/ssh-tunnel.html [revsys.com]

    It's nice and short, but covers the basics.

  • Here's one... (Score:3, Informative)

    by Anonymous Coward on Thursday January 19, 2006 @07:23PM (#14514191)
    1. Set up usual SSH session settings in Putty
    2. Go to Connection -> SSH -> Tunnels
    3. Add new forwarded port. Source Port: 1080, Destination: [blank], DYNAMIC (this is important), Auto. Click on Add.
    4. In Firefox or any other program that supports a SOCKS proxy, enter host 127.0.0.1 (localhost) with port 1080.

    That's it. You'll then be using your SSH connection like a SOCKS proxy.
  • Ooh! Where To Begin. (Score:1, Informative)

    by Anonymous Coward on Thursday January 19, 2006 @07:27PM (#14514223)
    Here's how I do it.

    ssh -CX user@host.your.domain
    password:
    user@host$ konqueror&


    Or do you want to portforward your browsing?

    After setting up a proxy server like squid on your home machine...

    ssh -L 8080:localhost:80 host.your.domain

    This Ask Slashdot really should be answered with RTFM or Google!
  • by fimbulvetr (598306) on Thursday January 19, 2006 @07:27PM (#14514225)
    This is exactly what I do, and let me tell you what: It's saved my ass a few times.

    I also run two browser profiles with one being the proxied and one being normal, with different shortcuts to each. I separate the instances so my employer still sees a lot of traffic so they don't get suspicious. The work-related ones get me to lots of vendors sites, googling for solutions, etc.

    I use a sh script to start my second one. It looks for an already open port just in case I killed the browser accidentally and don't need to re-establish the tunnel. It re-establishes if it needs to.

    You could also proxy your IM messages through these, though I haven't gone to that length yet. Here's my sh script:

    #!/bin/sh

    # Open the tunnel only if nothing is already listening on 8888
    # (e.g. the browser died but the ssh session is still up).
    STAT=`netstat -an | grep 8888`
    if [ "$STAT" = "" ]; then
        #mine
        # local 8888 -> port 8888 on myhomemachine; the perl loop just prints a
        # timestamp every 10 s so the session has a remote command and stays busy
        ssh -L 8888:127.0.0.1:8888 myhomemachine \
            'perl -e "while (1) { print scalar(localtime), qq(\n); sleep 10 }"' &
        #friendshomemachine
        # ssh -L 8888:127.0.0.1:8888 friendshomemachine \
        #     'perl -e "while (1) { print scalar(localtime), qq(\n); sleep 10 }"' &
        #friendshomemachine / mward: blowfish cipher, compression, go to the
        # background (-f) with no remote command (-N), so no perl loop is needed
        # ssh -c blowfish-cbc -C -f -N -L 8888:127.0.0.1:8888 friendshomemachine
    fi
    /usr/local/firefox/firefox -P encrypted

    I've heard blowfish is slower, but it doesn't seem to be when you're just browsing. Feel free to experiment. Others with more knowledge as to what's faster, please let me know.
  • by thomasdn (800430) on Thursday January 19, 2006 @07:39PM (#14514332) Homepage Journal
    Some time ago I wrote a little guide on SSH tunnels with PuTTY [thomasdamgaard.dk].
    This guide also describes how to setup an SSH tunnel in Linux.
  • SSL Explorer (Score:3, Informative)

    by beernutz (16190) on Thursday January 19, 2006 @07:45PM (#14514369) Homepage Journal
    Check out SSL Explorer [sourceforge.net]. It has a windows and linux installer, is easy to use, and is java based, so the client runs pretty much everywhere.
  • Here's mine (Score:4, Informative)

    by Dadoo (899435) on Thursday January 19, 2006 @07:45PM (#14514378) Journal
    We use this actual script (plus a few things I had to edit out for anonymity's sake).

    Assuming a Linux machine at each end, here's the script for the machine that initiates the connection:

            while true; do
                    pppd nodetach lcp-echo-failure 4 lcp-echo-interval 120 \
                            pty 'ssh receiver -T -l user'
                    sleep 10
            done

    Where receiver is the public IP address of your receiving machine and user is the username on that machine. The while loop automatically reconnects if you get disconnected.

    Here's the script for the machine that receives the connection:

            pids=`ps -e -opid,command | grep "pppd local:remote" | \
                    grep -v grep | awk '{print $1}'`

            if [ "$pids" != "" ]; then
                    echo "Found pre-existing connection. Killing pids: $pids" >> ppp.log
                    kill -15 $pids
                    sleep 5
            fi

            pppd local:remote netmask 255.255.255.252 passive \
                    notty nodetach

    Where local is the local end of your PPP link and remote is the remote end of your PPP link. You'll want to call this script from user's .profile. Remember, this is a private link, so you'll probably want local and remote to be internal addresses, i.e. 192.168.x.x.
  • My setup (Score:2, Informative)

    by Evro (18923) <evandhoffman@gma ... m minus language> on Thursday January 19, 2006 @07:46PM (#14514382) Homepage Journal
    Setup squid on your linux box, listening e.g. on port 3128. Verify that this is working by setting your browser to use it.

    To get the tunnel working, I forget the exact settings in putty but there's a section for tunnels, tell it to create tunnel from local port 8128 to remote machine's port 3128. Then set your browser to use "localhost:8128" as your proxy.

    The way to setup a tunnel between two Unix boxes (for me) is ssh -L 8128:192.168.0.1:3128 remote-host.
  • by Jherek Carnelian (831679) on Thursday January 19, 2006 @07:53PM (#14514432)
    I'm just guessing, but wouldn't ssh tunnels be readily identifiable if a smart network admin wanted to look for them?

    I'd like to run to a web-proxy at home that I can just point my browser to ala:

    https://mycablemodem.cable.net:4567/ [cable.net]

    that will then access any website and rewrite any internal links to go back through the proxy itself, so for example:

    http://www.yahoo.com/ [yahoo.com] becomes https://mycablemodem.cable.net:4567/http://www.yahoo.com/ [cable.net]

    Anyone got a good, robust re-writing proxy tool like that? Preferably with at least some sort of minimal security to prevent joe-random from using it without a login/password.
  • by Anonymous Coward on Thursday January 19, 2006 @08:05PM (#14514493)
    If I ever caught you pulling that kind of shit in the company where I work, your ass would be out the door so quick your feet wouldn't touch the ground.

    There are reasons that the company deploys control mechanisms such as HTTP/SMTP proxies and approved VPN solutions - to protect the corporate infrastructure and information. Yes, you may have SSH access, but that doesn't mean that you should be using that to circumvent the security controls put in place by your employer. Your employer may well be partly to blame for not having made you read their Information Security Policy documents (and get you to sign up in agreement to an AUP). If their policy does not include coverage for things such as the situation you describe above, your security manager & auditors should be beaten heavily and then replaced.

    It's this unauthorised, non-standard, "yeah but I can do it better my way for I am a genius" bullshit which ends up causing so many problems in organisations. Yet another glowing example of why the greatest threat to corporate confidentiality, integrity and availability is usually that lurking within.

    If you feel that you would be more productive with a different system configuration, did it not occur to you to formally document your suggestion and present it for review under your organisation's change control procedures? It could mean the difference between collecting your payslip and clearing your desk.
  • by cyranoVR (518628) * <cyranoVR@@@gmail...com> on Thursday January 19, 2006 @08:18PM (#14514581) Homepage Journal
    http://souptonuts.sourceforge.net/sshtips.htm [sourceforge.net]

    Really good for the beginner - includes information on accessing Samba shares over ssh.
  • by zsazsa (141679) on Thursday January 19, 2006 @08:51PM (#14514778) Homepage
    I'm assuming you're on a Windows box. PuTTY's dynamic tunneling mode is the absolute easiest way to tunnel your traffic: it doesn't require setting up a proxy server on the remote system! All you need is an sshd on a server somewhere that allows tunnels. When using dynamic tunneling, PuTTY acts as a local SOCKS proxy. So, just set your browser and other net apps to use a SOCKS proxy on localhost on the port you specify in PuTTY, and you're good to go.

    Here's how to do it, using the latest PuTTY and Firefox versions:
    1. Configure PuTTY. Start PuTTY and put in the address of your host server to connect to on the first screen. In the menu on the left, pick 'Tunnels' from the tree. Under 'Add new forwarded port:' put in 1080 (this is pretty arbitrary, but 1080 is the "official" SOCKS port). Leave 'Destination' blank and choose the 'Dynamic' radio button. Feel free to go back to the 'Session' entry on the menu tree on the left if you wish to save a session so you don't have to do this every time.

    2. Configure Firefox. Under Preferences, click the 'Connection Settings' button from the main 'General' options. Click 'Manual Proxy configuration:' and under 'SOCKS Host' put in localhost with port 1080. Click OK and try to surf. You should now be being routed through your Linux host. You can go to whatismyip.com to verify you're being routed through your host's IP address.

    (I'm pasting this howto from one I wrote on another site [metafilter.com])
  • SSH on port 443 (Score:2, Informative)

    by Anonymous Coward on Thursday January 19, 2006 @08:59PM (#14514830)
    Another trick to get through corporate firewalls is to place your SSH server at home on port 443 - the HTTPS port.

    Since both SSH and HTTPS use SSL, it is very hard for a corporate firewall to tell the difference, so often you can punch through in this way if your employer does not allow you to SSH out on the normal port.

    Of course, by doing so you may be violating your company policies and opening yourself up to being fired - so don't blame me if you are.

    Also, if you want to keep the script kiddies from trying to brute force your SSH server, run it on a non-standard port (to protect it from scripts) and turn OFF password authentication - force the use of a keypair to log in.

    That last bit is important, so I will repeat it:

    Turn OFF password authentication - force the use of a keypair to log in.

    I'd've made that ALL CAPS if the lame filter (err, lameNESS filter) had let me.

    Using a non-standard port is no substitute for actually SECURING the server, but it does play a role in keeping the RiffRaff out - and after what Riff did to Frankie I don't want him in here.

    (Posted anon since several people at work read Slashdot.)
  • by Daniel Boisvert (143499) on Thursday January 19, 2006 @09:52PM (#14515197)
    Running it on port 443 is a better idea, because corporate proxies & things like Microsoft's ISA Server expect to see SSL-encrypted traffic on that port. They often disallow encrypted traffic on port 80.
  • How about stunnel? (Score:3, Informative)

    by syntax (2932) on Thursday January 19, 2006 @10:21PM (#14515398) Homepage
    You might also look into stunnel [stunnel.org]. It acts more like a traditional daemon with conf file, and also has the neat feature of being able to turn any service into its standard ssl equivalent, if that exists, which is useful for things like imap/pop/http.
  • Re:SSH on port 443 (Score:2, Informative)

    by mmogilvi (685746) on Friday January 20, 2006 @12:14AM (#14516174) Homepage
    And the easy way to put ssh on port 443 is to put multiple "Port" lines in your /etc/sshd_config file on your server:
    Port 22
    Port 443
    Then you can still access it on the standard port (22) when it isn't blocked by a firewall.
  • Re:Here's one... (Score:4, Informative)

    by spectral (158121) on Friday January 20, 2006 @02:22AM (#14516846)
    normal ssh forwards are one-source, one-destination. There are options to allow the entrypoint to the tunnel to come from !localhost, (i.e. I set up an ssh connection from me to my friend, with a tunnel from me to google.com, and now anyone who can connect to me can use that same tunnel to connect to google.com), but normally it really is a one-off thing.

    127.0.0.1:1000 goes to www.google.com:80
    127.0.0.1:1001 goes to www.porn.com:80
    127.0.0.1:1002 goes to www.slashdot.org:80

    what using a SOCKS-mimicking "proxy server" allows you to do is to make it so that the requesting application requests the destination, instead of you setting it up and then pointing your computer at a special address. The requesting socks-aware application is like "Hmm, to get to login.messenger.yahoo.com:3697, I must use this special protocol and send stuff really to a connection at 127.0.0.1:4280. I'll do that."

    So it connects to that, PuTTY sends it down the wire to my friend, and my friend's computer sends it to login.messenger.yahoo.com, port 3697.

    magically. :)
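    The dynamic (SOCKS) forward that spectral, zsazsa and the PuTTY walkthrough above describe, seen from the application's side, as an added example that is not code from any poster: it builds the SOCKS5 greeting and CONNECT request a SOCKS-aware program sends to the local listener (assumed here to be 127.0.0.1:1080, as in the PuTTY walkthroughs; the destination name and port in the test are spectral's) and decodes the reply that tells the program whether the far end of the SSH session reached the destination.

```python
import socket
import struct

# Assumed local SOCKS5 listener: what "ssh -D 1080" or PuTTY's Dynamic forward opens.
SOCKS_PROXY = ("127.0.0.1", 1080)


def build_greeting():
    """Client hello: SOCKS version 5, one auth method offered, 0x00 = no auth."""
    return bytes([0x05, 0x01, 0x00])


def build_connect(host, port):
    """CONNECT request using ATYP 0x03 (domain name): the far end of the SSH
    session resolves the name, so no DNS lookup for it leaves this machine."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return bytes([0x05, 0x01, 0x00, 0x03, len(name)]) + name + struct.pack("!H", port)


def parse_reply(data):
    """Decode the proxy's reply into (code, bound_addr, bound_port);
    code 0x00 means the SSH server has connected to the destination."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == 0x01:                      # IPv4 address
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == 0x03:                    # domain name
        n = data[4]
        addr, rest = data[5:5 + n].decode(), data[5 + n:]
    elif atyp == 0x04:                    # IPv6 address
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    return code, addr, struct.unpack("!H", rest[:2])[0]


def connect_via_socks(host, port, proxy=SOCKS_PROXY):
    """Run the exchange against a live listener; the returned socket's bytes ride inside SSH."""
    s = socket.create_connection(proxy)
    s.sendall(build_greeting())
    if s.recv(2) != b"\x05\x00":
        s.close()
        raise OSError("proxy did not accept no-auth")
    s.sendall(build_connect(host, port))
    code = parse_reply(s.recv(262))[0]
    if code != 0x00:
        s.close()
        raise OSError("SOCKS CONNECT failed with reply code %d" % code)
    return s
```

    Because the request carries the hostname rather than an IP, name resolution happens at the SSH server, which is why the browser needs no per-site -L forward.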
