How-To: SSH tunnels for secure network access

Have you ever avoided checking your email over that free wireless access point for fear of someone snarfing your password? Secure, trusted networks aren't always available, so today we'll show you how to use SSH to keep those unencrypted POP3 or IMAP passwords and data safe.

SSH (secure shell) is normally used to allow secure encrypted command line connections to a server. It can also be used to create encrypted network tunnels to transport unencrypted data, such as email sessions. And you don't even have to be a Unix geek to do it. We'll show you how to do it from the command line and then using an easy tool for OS X (if that's your thing).

Secure email services exist, but the majority of web host / email providers don't bother to provide them. When email is in transit from your mail server to the recipients mail server it is not secure by design, so many providers don't see the point in offering secured email services. After begging your provider for secure email fails, you may not be out of luck. If your ISP provides SSH (secure shell) access but only supports unsecured POP3 or IMAP email access, you can securely fetch your email with SSH.

Here's our example network setup. The laptop is connected to the Internet through an untrusted wireless access point. If we don't own it, we don't trust it. More importantly, we shouldn't trust any of the other wireless network users.

For our how-to, we're assuming that the email and SSH accounts are on a single server. The example email connection uses POP on standard port 110 to retrieve email from the server and SMTP on port 25 to send email to the server.

We'll use SSH to create a pair of secured network tunnels that we can use to send and receive our unencrypted email. You might be able to create just one tunnel for retrieving email, but some providers won't let you send via SMTP unless you recently checked your email from the same machine. To keep them from thinking we're spammers, we'll create tunnels for both connections.

Creating the tunnels

The SSH tunnel will virtually connect port 2110 on our local machine to the POP3 port (110) on the remote server. Remember, for our example the SSH and email server are the same machine.

Here's a breakdown of the command:

  • ssh - the actual SSH command

  • -N tells SSH we don't want to execute a remote command. Not terribly necessary, but makes it safer.

  • - account and SSH host info. user name will at server

  • -L 2110/localhost/110 This one creates the tunnel. It tells SSH to forward traffic from port 2110 on the local machine to port 110 on the remote machine.

The second tunnel will virtually connect port 2025 on our local machine to the SMTP port (25) on the remote server.

To simplify things, we can combine the two tunnels into one command. If you haven't set up SSH keys already, you'll be asked for your password every time you create the tunnel. You can easily generate a set of SSH keys if you want to get away from entering your password over and over again. There's a simple SSH key creation guide in Linux Server Hacks

Configuring the email client

To make our email client connect to the server using the new tunnel, we have to make a few changes to our email account settings in our email client. In place of the server name, we now use localhost. Instead of port 110 for POP3 access, we now use 2110.

Instead of port 25 for SMTP access, we now use port 2025. The SSH tunnels will carry the traffic to the normal ports on the server at the other end of the tunnel.

The easy way

OK, so we said you don't have to be a Unix geek to pull this one off. If you use OS X on a Mac, check out SSH Tunnel Manager. It's a free utility built to create SSH tunnels on demand. Download and install it in the usual fashion. Above you can see the setup from our example.

Creating the tunnel on demand is as easy as hitting the friendly looking play button.

Tunnels for all

SSH tunnels aren't just for email. They can be used to transport just about any sort of traffic. If you paid attention, you'd notice that we use them for IRC and VNC as well. Hack-A-Day has a guide for sending all of your web traffic through a tunnel using PuTTY for Windows. For our example, we kept SSH and email services on the same box, but you can also remotely redirect traffic to another machine if email and SSH are on separate servers.