Using SSH: Secure Tunnels for the Common Man: Part II
In my last article, I described SSH, tunnels and why you would want to use them. Below, in the second part, we will configure actual tunnels to get some real (encrypted) work done.
Configuring the Tunnel
SSH tunnels work by forwarding a port. For example, you normally access http://www.google.com at port 80, which is the default port for web sites. If your network is insecure or port 80 is blocked, you could forward port 5580 on your local machine to port 80 on google.com. Once this is set up, any connection in your browser to http://localhost:5580 would connect you to http://www.google.com:80 through the SSH tunnel. Anyone monitoring your local network would see only an encrypted SSH connection to Machine S on port 22, which hides both your data and your actual final destination.
To re-cap from last week, in order to set up an SSH tunnel, you will need the following:
- Two machines with SSH installed. Mac OS X comes with SSH, as do most variants of Unix and Linux.
- At least one of them must have ‘Remote Login’ enabled (or, on non-Mac machines, an SSH server configured). On a Mac this is done through the ‘Sharing’ pane under ‘System Preferences’.
- An Internet-reachable Internet Protocol (IP) address for the server machine. Most broadband connections provide a unique IP for your home, though it may change frequently. You can find your global IP under the ‘Network’ section of ‘System Preferences’ if you are directly connected to your cable/DSL modem. If you are connected through a wireless router, you can find your IP in the administration interface for that device. An IP is a unique address for a machine that is accessible from anywhere on the Internet and is of the form w.x.y.z (where w, x, y and z are numbers between 0 and 255).
Before you enable SSH on your Macintosh computer, make sure your password is robust. If SSH is left in its default configuration, your password will be your only line of defense against an intruder. To enable SSH on your Mac, go to the 'Sharing' preferences under your 'System Preferences' and enable the 'Remote Login' feature. Once you click 'Start', the SSH server will listen for incoming connections to your computer. You may configure SSH through the files located at /Users/<yourusername>/.ssh/config and /etc/ssh_config, but this should not be necessary for most situations. If you use a wireless or wired router, then you may need to forward SSH (port 22) to your server Machine S using the router administration interface.
In addition to the IP for your server Machine S, you need the following information:
- The site or IP that serves the service you wish to access (e.g. pop.gmail.com).
- The port on that server for the service (e.g. 80 for HTTP).
- An unused port on your client Machine C.
The tunnel will be set up with a single command in Terminal.app:
ssh -L localport:remoteserver:remoteport -l serverUserName -N serverIPorHost
Here serverUserName is your user name on the server Machine S and serverIPorHost is the IP or host name for Machine S.
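To make the forwarding step concrete, here is an added example (not from the original article) that implements in Python only the local half of what ssh -L does on Machine C: listen on a local port and relay each incoming connection onward to remoteserver:remoteport. The encryption that ssh adds between Machine C and Machine S is deliberately absent, so the relay's onward leg is plaintext; the echo server is a constructed stand-in for the remote service.

```python
import contextlib
import socket
import threading

def relay(src, dst):
    # Copy src -> dst until EOF, then pass the EOF on so the other side sees it.
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def start_forwarder(localport, remoteserver, remoteport):
    # Machine C's half of "ssh -L localport:remoteserver:remoteport": listen on
    # localhost and, for every client, connect onward and relay both directions.
    listener = socket.socket()
    listener.bind(("127.0.0.1", localport))  # port 0 = let the OS pick a free port
    listener.listen(5)
    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return  # listener was closed
            remote = socket.create_connection((remoteserver, remoteport))
            for a, b in ((client, remote), (remote, client)):
                threading.Thread(target=relay, args=(a, b), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return listener  # listener.getsockname() is the bound local address

def start_echo_server():
    # Constructed stand-in for the remote service (e.g. pop.mailserver.com:110):
    # answers one connection by echoing the request back with a prefix.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"ECHO " + conn.recv(4096))
    threading.Thread(target=serve, daemon=True).start()
    return srv

def demo(message=b"hello"):
    # Forward an ephemeral local port to the echo server and send one message through it.
    echo = start_echo_server()
    fwd = start_forwarder(0, *echo.getsockname())
    with socket.create_connection(fwd.getsockname()) as c:
        c.sendall(message)
        reply = c.recv(4096)
    fwd.close()
    echo.close()
    return reply
```

Everything your client sends to the local port comes back through the relay untouched, which is exactly what lets Mail or a browser be pointed at 'localhost' instead of the real server.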
For example, if you would like to secure all of your Google searches, you could run:
ssh -L 1300:google.com:80 -l serverUserName -N serverIPorHost
Keep in mind that forwarding ports under 1024 requires root privileges. Any SSH port forwarding to these ports must be run with the 'sudo' command, which will prompt you for your administrator password.
sudo ssh -L 995:pop.gmail.com:995 -l serverUserName -N serverIPorHost
The above command would forward localhost:995 to the POP email service for GMail. In order to get your GMail in an application like Apple's Mail, you would have to set your POP mail server to be 'localhost'. GMail uses port 995, which is POP email over SSL. Normally POP email is accessed using port 110. So, in order to securely download your POP email from another service, you would forward a local port to port 110 on your mail server.
ssh -L 30110:pop.mailserver.com:110 -l serverUserName -N serverIPorHost
Here pop.mailserver.com is the name of your POP email server. Now, in order to get your email in Apple's Mail, similar to the GMail setting, you would set the POP server as 'localhost' and under the 'Advanced' settings, set the port to 30110. Once this is configured, your email will be downloaded to your computer without being monitored on your local network.
You can similarly secure the email you send using SMTP by forwarding port 25.
ssh -L 3025:pop.mailserver.com:25 -l serverUserName -N serverIPorHost
Of course, the important thing to remember is that this only secures your email between Machine C and Machine S, not between Machine S and the Internet.
Once you are comfortable with the theory behind setting up an SSH tunnel, you can try the GUI application SSH Tunnel Manager to configure and set up multiple tunnels simultaneously. It makes it very easy to manage multiple tunnels.
A final word of caution: Do not assume you have complete privacy or security until you have a deep understanding of what you are doing. For example, if you are tunneling web traffic through SSH, you may still be sending DNS requests unencrypted. This means that even though your web traffic is secure, someone can find out which web sites you have visited if the network is being monitored.