
No Forwarding Address - Administration

You probably already know how to use SSH to securely log in to remote hosts over the Web. In this article, take things a little further by using SSH to encrypt connections to other ports as well. Scenarios covered include securing your mail server connection so that your mail password is always protected and creating secure pathways through firewalls for trusted hosts.

  1. Secure Tunnelling with SSH
  2. Kicking The Tyres
  3. Test Drive
  4. Et Tu, Brute?
  5. No Forwarding Address
  6. Any Port In A Storm
  7. Remote Control
  8. In And Out
  9. Log Out
By: icarus, (c) Melonfire
April 02, 2003

Now that you have your two hosts talking to each other over an encrypted connection, the next step is to set up a secure channel between them for non-telnet type activities - for example, setting up a secure tunnel for mail transfer.

In order to do this, you need to use the port forwarding support built into OpenSSH. Port forwarding essentially means that connections made to a port on one host are automatically and transparently forwarded to another port on another host. Since SSH is taking care of the forwarding for you, the connection also gets encrypted - a nice (and very useful) bonus.

The best way to demonstrate how this works is with an example. Let's suppose that I would like to read my mail on "brutus", the network's POP3 mail server, from my personal Linux box, "olympus". Normally, I would configure my mail client to connect to port 110 on "brutus" to retrieve my mail - this would involve sending my username and mail password to "brutus" in cleartext across the network, a technique that we have determined to be unsuitable for purposes of this tutorial.

With port forwarding, I have an alternative. I can have SSH forward a port (say, 9000) on my local host, "olympus", to port 110 on "brutus", and protect all traffic passing between the two (including my mail password) by creating a secure tunnel between the two hosts and ports. Once the tunnel is established, my mail client would no longer connect to port 110 on "brutus" to get my mail; rather, I would configure it to use port 9000 on my local host, "olympus", instead, and SSH would take care of automatically passing the data to port 110 on "brutus" via the tunnel.

Here's how to go about doing this:
[me@olympus] $ /usr/local/ssh/bin/ssh -L 9000:localhost:110 brutus
Translated into English, the above command merely says "listen for connections to port 9000 on this local host, and use the remote host named brutus to forward all those connections to port 110 on the host named localhost".

SSH will now connect and log in to "brutus", and simultaneously begin forwarding port 9000.
[me@olympus] $ /usr/local/ssh/bin/ssh -L 9000:localhost:110 brutus
Last login: Fri Mar 28 10:18:59 2003 from olympus.localdomain.com
[me@brutus] $
You can now verify that the port is indeed being forwarded by switching to another terminal on "olympus" and opening up a telnet connection to port 9000.
[me@olympus] $ telnet localhost 9000
Trying localhost...
Escape character is '^]'.
+OK POP3 brutus v7.64 server ready
As you can see, connections to port 9000 on your local host are being transmitted to port 110 (the POP3 server port) on the host named "brutus". All data transmitted in this session will be encrypted and decrypted by the SSH client on "olympus" and the SSH daemon on "brutus", the two ends of the connection.

Note that this connection remains available for the duration of your SSH session - the moment you log out of "brutus", the port forwarding will also stop.

If this is not what you want, you can add the "-N" command-line argument to tell SSH *not* to execute any command on the remote side once the connection has been established. Background the task, and you'll have port forwarding without a login on the remote host!
[me@olympus] $ /usr/local/ssh/bin/ssh -L 9000:localhost:110 brutus -N &
Note that if you do this, you will need to manually kill the process when you want to stop forwarding the specified ports.

You can also forward more than one port at a time by specifying them all on the same command line:
[me@olympus] $ /usr/local/ssh/bin/ssh -L 9000:localhost:110 -L 9001:localhost:25 brutus
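As an added example (not part of the original article), the script below models what the "-L" argument means, flags a forward that is bound to more than the loopback interface (the default "localhost" bind is what keeps other hosts on your LAN from using your tunnel), and performs the same check the telnet session above does: connect to the local end of the tunnel and confirm that a POP3 server answers. Because no sshd is available offline, a constructed stand-in server plays the part of "brutus" port 110; the hostnames, port 9000 and the banner text are the article's, and the helper names are my own.

```python
"""Added example: inspect an OpenSSH -L forward and verify the tunnel end."""
import socket
import threading


def parse_local_forward(spec):
    """Parse an OpenSSH -L spec of the form [bind_address:]port:host:hostport.
    'host:hostport' is resolved by the remote sshd, so '9000:localhost:110'
    means port 110 on the SSH server itself (brutus), not on the client.
    Bare IPv6 literals are not handled here."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = "localhost", *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError("expected [bind_address:]port:host:hostport")
    return {
        "bind": bind, "port": int(port), "host": host, "hostport": int(hostport),
        # Default bind is loopback; '*' or an empty address listens on every
        # interface, which lets other machines reach the tunnel (see ssh(1)).
        "loopback_only": bind in ("localhost", "127.0.0.1", "::1"),
    }


def read_banner(host, port, timeout=5.0):
    """Connect to the local end of the tunnel and return the greeting line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\r\n") and len(data) < 512:
            chunk = s.recv(128)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").strip()


def tunnel_serves_pop3(host="localhost", port=9000):
    """True if whatever answers on the tunnel's local port greets like POP3."""
    try:
        return read_banner(host, port).startswith("+OK")
    except OSError:  # nothing listening, or the ssh session has ended
        return False


def fake_pop3_once(banner=b"+OK POP3 brutus v7.64 server ready\r\n"):
    """Constructed stand-in for the far end of the tunnel: listens on a free
    loopback port, answers one connection with the banner, then closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

With a real tunnel up, `tunnel_serves_pop3()` with the defaults checks port 9000 on the local host exactly as the telnet test does.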
