How-To: SSH tunnels for secure network access

Have you ever avoided checking your email over that free wireless access point for fear of someone snarfing your password? Secure, trusted networks aren't always available, so today we'll show you how to use SSH to keep those unencrypted POP3 or IMAP passwords and data safe.
SSH (secure shell) is normally used to allow secure encrypted command line connections to a server. It can also be used to create encrypted network tunnels to transport unencrypted data, such as email sessions. And you don't even have to be a Unix geek to do it. We'll show you how to do it from the command line and then using an easy tool for OS X (if that's your thing).
Secure email services exist, but the majority of web host / email providers don't bother to provide them. Once email leaves your mail server for the recipient's mail server it travels unencrypted by design, so many providers don't see the point in offering secured email services. If begging your provider for secure email fails, you may not be out of luck: if your ISP provides SSH (secure shell) access but only supports unsecured POP3 or IMAP email access, you can still fetch your email securely with SSH.

Here's our example network setup. The laptop is connected to the Internet through an untrusted wireless access point. If we don't own it, we don't trust it. More importantly, we shouldn't trust any of the other wireless network users.
For our how-to, we're assuming that the email and SSH accounts are on a single server. The example email connection uses POP on standard port 110 to retrieve email from the server and SMTP on port 25 to send email to the server.

We'll use SSH to create a pair of secured network tunnels that we can use to send and receive our unencrypted email. You might be able to create just one tunnel for retrieving email, but some providers won't let you send via SMTP unless you recently checked your email from the same machine. To keep them from thinking we're spammers, we'll create tunnels for both connections.
Creating the tunnels

The SSH tunnel will virtually connect port 2110 on our local machine to the POP3 port (110) on the remote server. Remember, for our example the SSH and email server are the same machine.
Here's a breakdown of the command (ssh -N will@fakemachine.org -L 2110/localhost/110):
- ssh - the actual SSH command
- -N - tells SSH we don't want to execute a remote command; we only want the tunnel. Not strictly necessary, but it limits the session to the port forward, which makes it safer.
- will@fakemachine.org - account and SSH host info: user name will at the server fakemachine.org
- -L 2110/localhost/110 - this one creates the tunnel. It tells SSH to forward traffic from port 2110 on the local machine to port 110 on the remote machine. Note that localhost here is evaluated on the SSH server, which in our example is also the mail server.

The second tunnel will virtually connect port 2025 on our local machine to the SMTP port (25) on the remote server.
To simplify things, we can combine the two tunnels into one command. If you haven't set up SSH keys already, you'll be asked for your password every time you create the tunnel. You can easily generate a set of SSH keys if you want to get away from entering your password over and over again. There's a simple SSH key creation guide in Linux Server Hacks.
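As an added example (not part of the original how-to), here is a small POSIX shell script that wraps the combined two-tunnel command from this section, using the colon form of -L and an ssh control socket so the tunnel can be shut down cleanly, and adds the check a careful user would make: that the local ends of the tunnels are listening on the loopback interface only, out of reach of other users on the untrusted access point. The account will@fakemachine.org and the port numbers are the article's; the control-socket path and the use of Linux ss(8) for the check are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: bring both mail tunnels from
# the how-to (local 2110 -> remote POP3 110, local 2025 -> remote SMTP 25) up
# as one background ssh session, tear them down again, and check that the
# local ends listen only on loopback. The control-socket path is an assumption.
SSH_ACCOUNT="${SSH_ACCOUNT:-will@fakemachine.org}"
CTL_SOCK="${CTL_SOCK:-$HOME/.ssh/mailtunnel.ctl}"

# Turn "local:remote" pairs into -L options. The colon form is accepted by
# every OpenSSH release; binding to 127.0.0.1 explicitly documents the intent.
tunnel_args() {
    out=""
    for pair in "$@"; do
        out="$out -L 127.0.0.1:${pair%%:*}:localhost:${pair##*:}"
    done
    printf '%s' "${out# }"
}

# -N: no remote command; -f: background after authentication; -M -S: control
# socket so tunnel_down stops exactly this session instead of "killall ssh";
# ExitOnForwardFailure: fail loudly if a local port is already taken.
tunnel_up() {
    # word splitting of the -L options is intended here
    ssh -N -f -M -S "$CTL_SOCK" -o ExitOnForwardFailure=yes \
        $(tunnel_args 2110:110 2025:25) "$SSH_ACCOUNT"
}
tunnel_down() { ssh -S "$CTL_SOCK" -O exit "$SSH_ACCOUNT"; }

# Read listener addresses ("addr:port", one per line, e.g. column 4 of
# `ss -ltnH`) and fail if a tunnel port is bound to a non-loopback address.
check_loopback_only() {
    bad=0
    while IFS= read -r sock; do
        addr=${sock%:*}; port=${sock##*:}
        case "$port" in
            2110|2025) case "$addr" in
                127.0.0.1|\[::1\]|::1|localhost) ;;
                *) echo "tunnel port $port is exposed on $addr" >&2; bad=1 ;;
            esac ;;
        esac
    done
    return "$bad"
}

case "${1:-}" in
    up)    tunnel_up ;;
    down)  tunnel_down ;;
    check) ss -ltnH | awk '{print $4}' | check_loopback_only ;;  # Linux ss(8)
esac
```

Run it as `sh mailtunnel.sh up`, point the mail client at localhost:2110 and localhost:2025, and `sh mailtunnel.sh check` confirms nothing but your own machine can reach those ports.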
Configuring the email client

In the email client, point both servers at localhost rather than at the mail server: port 2110 for POP3 in place of 110, and port 2025 for SMTP in place of 25. The SSH tunnels will carry the traffic to the normal ports on the server at the other end of the tunnel.
The easy way

OK, so we said you don't have to be a Unix geek to pull this one off. If you use OS X on a Mac, check out SSH Tunnel Manager. It's a free utility built to create SSH tunnels on demand. Download and install it in the usual fashion. Above you can see the setup from our example.

Creating the tunnel on demand is as easy as hitting the friendly looking play button.

Reader Comments (Page 1 of 1)
JJ @ Mar 21st 2006 6:46PM
That was one hell of a long post but very clear.
Serge Baranov @ Mar 21st 2006 7:01PM
This one is the best free application for maintaining SSH tunnels for Windows: http://www.bitvise.com/tunnelier.html .
I've been using it for 2 years to make tunnels from my notebook and home machine to my work (sometimes you can't use VPN).
kerok @ Mar 21st 2006 7:22PM
I have had better luck with AlmostVPN than with SSH Tunnel Manager. Installs as a preference pane and includes a menubar application as well as a Widget to control host connections. Just a satisfied user. Here is their blurb:
AlmostVPN is an ssh tunnel management application with a twist. This is what makes AlmostVPN different:
- it is packaged as a Preference Pane, so you do not have to use yet another application to configure your tunnels
- it employs launchd to control tunnels, so you do not have to have yet another application running while tunneling
- it uses creative network configuration techniques to provide almost VPN-like access to remote services, so you can keep using real IP addresses and port numbers while accessing services on the other side of your tunnels
- it provides a simple way to mount remote volumes via SSH tunnel
- it can import tunnel definitions from the SSH Tunnel Manager and SSHKeychain applications
kerok @ Mar 21st 2006 7:26PM
parser stole my link to AlmostVPN!
found at: http://www.leapingbytes.com/almostvpn (or at your favorite update site)
Patrick Haney @ Mar 21st 2006 7:26PM
There's an article by Douglas Bowman, written a little while back, that goes a little more in depth and also talks about using SSHTM on your Mac.
http://www.stopdesign.com/log/2005/02/07/secure-email.html
Sorry Windows users.
TheChaz @ Mar 21st 2006 8:59PM
Of course, if you have the cash, there's always an ssl vpn. Then you don't even need internet-facing servers and ports, or, for that matter, your own host. You can use any machine with a browser (ex: airport kiosk) to access backend resources.
BLATANT PLUG!!!
http://www.vegabiztech.com/products/sslvpn/product.html
Krandun @ Mar 21st 2006 9:43PM
SSH Windows (Linked from the hackaday article) hasn’t been updated since July of 2004, and it’s using OpenSSH v3.81. OpenSSH is currently at v4.3 from February 2006. I don’t know if this matters to anyone.
If you don’t want the hassle of completely setting up your own Cygwin environment and OpenSSH, you might look at copSSH. It is actively maintained and up to date as of this post.
You can find it from ITeF!x consulting:
http://www.itefix.no/copssh/
One note, I never successfully posted a message to their help forum. Again, I don’t know how important that is to anyone.
I used copSSH on my home computer for a while, but decided that I needed a full Cygwin install. It wasn’t very hard to get it setup by hand, though I did hit a few snags because I didn’t know anything about Cygwin when I started. copSSH will configure everything almost automatically, pulling users from Windows and using their passwords. Key encryption is not hard to set up, though.
I’ve been using the combination of Cygwin, openSSH, Privoxy, and Tor to tunnel all my internet use from an open computer at school to my PC in my apartment for about a month now. It slows the connection down a bit (Especially Tor, of course) but it’s been very stable.
John @ Mar 21st 2006 9:55PM
Why bother making millions of tunnels when you could just as easily use "ssh -D 1080 user@host" and establish a SOCKS connection? Saves a lot of trouble if your client supports proxies. (also applies to putty: "putty -D 1080 user@host")
Matt @ Mar 21st 2006 10:01PM
Or, you could just use VPN. Windows XP includes a relatively easy to set up VPN server, for one.
Network connections, set up an advanced connection, accept incoming connections, (you can skip over the modems), allow virtual private connections. Then just set up "connection to the network at my workplace" using the same wizard.
tom @ Mar 21st 2006 10:07PM
Well, thanks for the indirect link, I guess -- but it's pretty clearly not a hackaday how-to. I wrote it, and hackaday just linked to it.
Harsey @ Mar 21st 2006 10:25PM
Has anyone had any luck doing this with AIM? I can get the tunnel to work great with MSN and Jabber but AOL just eats it. It's quite disappointing really. This is using oscar. Haven't tried the other.. whatsit.. toc? or something.
russ @ Mar 21st 2006 10:51PM
You can also set up OpenSSH on your home PC and access it from work with PuTTY. PuTTY even supports going through an SSL proxy, so this works behind even the most restrictive firewalls: http://www.damn.be/weblog/index.php/2005/09/28/connections-through-firewall-via-ssh-tunnel/
Then, when you want to get really secure, set up public/private key auth:
http://bmonday.com/articles/653.aspx
David Smoot @ Mar 21st 2006 11:25PM
Ok funny you posted this, I just went up the learning curve on this one a few weeks ago on my mac when VPN was driving me nuts. A few pointers I learned for those that care:
AlmostVPN is good, very good. But it has one fatal flaw: It forces you to use hostnames and not IP addresses. Very irritating. Correct me if I am wrong.
To those that say "just use VPN", you miss the point. This is to have secure connections to a remote network that may not provide a VPN server (like your ISP). Also some networks (like my cellular data service) do not provide you with the real IP necessary for VPN.
For windows users, Putty includes the ability to set up tunnels as well.
I use a tool called "sshKeyChain" on my mac that both manages my ssh keys and establishes tunnels in the background for me.
Engadget missed (or skipped for simplicity) a key use for this tool: Accessing a resource on a remote LAN without a world visible IP. Let me give you my example with IP addresses changed to protect the innocent.
My company operates a CVS server that is on the local LAN at the California office. This CVS server has a local IP not visible to the outside world. They also have an ssh server with a world-visible IP. I work in Houston. With an ssh tunnel I can tunnel into the California office LAN and forward port 2401 on localhost to port 2401 on the CVS server. Voila, near-VPN functionality without the hassle of VPN servers and clients.
David
jp @ Mar 21st 2006 11:25PM
Steve Gibson and Leo Laporte talk about this problem extensively on their Security Now podcasts - several weeks dedicated to VPN (and related) solutions.
Also there's a mistake in the diagram - it should read "TEH INTERNETS" not "THE INTERNETS"! :P
Moosejaw @ Mar 22nd 2006 12:23AM
Can you use this for Hotmail and Gmail accounts, and the like?
Matt @ Mar 22nd 2006 3:50AM
Forward your squid proxy to get around all corporate firewalls! (tunnel putty through http, or your corporate http proxy)....
Also you can forward any remote machine on the remote network to a local port....
my tunnelling ability's pwn jo0. /me searches for page where engadget's computer failures stole this from.
Robin @ Mar 22nd 2006 9:20AM
Excellent How to post. It'd be nice to see more of these.
havanahjoe @ Mar 22nd 2006 10:04AM
I've been using this for secure RDP to my home computer for a long time. Works great and it's simple.
ZipperSeven @ Mar 22nd 2006 12:41PM
+1 on Tunnelier... supports reconnect and 'keep-alive', which is one major thing lacking from PuTTY. It's easy to use and has remote desktop forwarding built in.
Currently, I'm tunnelling Firefox 1.5 (with DNS lookup through the proxy), Trillian (for AIM, MSN, etc. etc.), and remote desktop to two machines on the remote-side LAN. I have a Linksys NSLU2 with the UnSlung firmware running 4.3p2 OpenSSH on it... before that I was running OpenSSH for Windows on a Win2K server. Both have been flawless.
A security tip: If you can, change the default port that OpenSSH responds to. If you don't, you'll notice all kinds of nefarious Chinese hackers trying to break in. If you're up to it, you can also move to full private/public key-based authentication.
Keith Berard @ Mar 22nd 2006 3:40PM
I've never tried this on my mac, but I was able to make an IP "vpn" between my linux box in Seattle and my friend's box in Boston using an SSH tunnel.
There were a few prerequisites (pppd, etc) that I don't remember offhand, but after a couple of years, the script still works fine.
For this, you need to create a certificate and add it to your ~/.ssh/authorized_keys so that you won't need a password.
In this example, one internal network was 192.168.1.X and the other was 192.168.9.X. I also replaced my remote server's name with my.host.org, so that will need to be changed as well.
#!/bin/bash
# Start pppd on the remote host over an ssh session with a pseudo-terminal.
# pty-redir prints the name of the local pty device, which our own pppd needs;
# BatchMode makes ssh fail instead of prompting, so key auth must already work.
/usr/bin/pty-redir /usr/bin/ssh -t -e none -o 'BatchMode yes' my.host.org /usr/sbin/pppd 192.168.9.1:192.168.1.1 > /tmp/vpn-device
sleep 5
# Attach the local pppd to the pty that now carries the remote pppd's traffic.
/usr/sbin/pppd "$(cat /tmp/vpn-device)"
sleep 5
# Route the remote 192.168.9.0/24 network over the new ppp link.
/sbin/route add -net 192.168.9.0 gw 192.168.9.1 netmask 255.255.255.0
KrisL @ Mar 22nd 2006 4:30PM
I have a similar page describing how to set up a home proxy server on your Windows machine:
http://www.linquist.net/geek/proxy
Anders Andersen @ Mar 22nd 2006 5:44PM
See my approach using launchd and ssh:
http://aa.cs.uit.no/blog/20050528-email
(aa)
bc @ Mar 24th 2006 1:23PM
I used to use this method until I started using the -D switch for my SSH tunnels, which creates a dynamic port that forwards all traffic. So now I can have Firefox set up to use port 1134 as a SOCKS 5 proxy and all my web traffic goes over a tunnel.
Here's what my command looks like in terminal for OS X.
# killall ssh; ssh -c blowfish -D 1134 user@server.com -Nf
First I kill my previous tunnel since I don't want there to be any issues with ports being bound to previous connections. Then I use the Blowfish algorithm instead. My dynamic port is 1134 so I can send my web/im/mail traffic over this port. -Nf forks the tunnel into the background and doesn't allow you to issue any remote commands. This method may not work for POP3 since I haven't really tried because I am only using webmail these days. In any case, it's a very easy method to encrypt all your other traffic without having to determine remote/local ports.
D @ Apr 2nd 2006 5:31PM
I see you have VNC Home set up as an SSH tunnel. Would you do a tutorial showing how you set that up? Preferably using SSH Tunnel Manager as above and perhaps Chicken of the VNC.
Thanks,
robertw @ Apr 4th 2006 5:35AM
D -- for VNC, you'll want to tunnel port 5900 + VNC display number. The VNC display numbers start at 0, so the default is usually 5900. Run the command:
ssh -N -p 22 <SSH login>@<SSH/VNC server> -L 5900/localhost/5900
Or in SSH Tunnel Manager:
Name: VNC example
Login: <SSH login, e.g. will>
Host: <SSH/VNC server, e.g. fakemachine.org>
Port: 22
Local redirections:
Port: 5900 | LAN Host: localhost | Port: 5900
Then fire up Chicken of the VNC and add a connection:
Host: localhost
Display: 0
Password: <your VNC password>
The article mentions you can redirect traffic via a separate SSH server if the application server (e.g. VNC server, mail server) isn't running SSH. Say you want to VNC to an OS9 or Windows box sitting behind an SSH-enabled gateway, as in: http://sdtcon.sourceforge.net/images/sdt3.png
Run the command:
ssh -N -p 22 <SSH login>@<SSH server> -L 5900/<VNC server>/5900
Or in SSH Tunnel Manager:
Name: VNC via gateway
Login: <SSH login>
Host: <SSH server>
Port: 22
Local redirections:
Port: 5900 | LAN Host: <VNC server> | Port: 5900
Then VNC in as above.
-DC- @ Jun 19th 2006 5:19PM
My favorite HOWTO on this subject:
http://pigtail.net/LRP/printsrv/cygwin-sshd.html
CaRnI @ Aug 16th 2006 8:40PM
I have no idea what you guys are talking about, but I heard you can simulate Xbox Live using a tunneler. Can anyone please show me how to do this... please???
I would appreciate it!!! Thanks....
my email is
carni_026@hotmail.com
JSK @ Mar 4th 2007 6:44PM
I have a tutorial which helps a little more and fills in some blanks that the engadget tutorial did not help with.
http://www.jklinephd.com/vnc_through_ssh/index.html
Jeff
opbarnes @ Nov 2nd 2007 1:21PM
Here is how you can create the tunnel on a Windows client:
Download Putty: http://www.chiark.greenend.org.uk/~sgtatham/putty/
Replace the "-p" with "-P"
Replace "ssh" with "plink"
Replace the "2025/localhost/25" with "2025:localhost:25"