Thursday, December 23, 2004

IT: How to set up SSH tunneling (File Transfer, Email, Windows XP Remote Desktop, X Window).

Client Software:

SSH Secure Shell for Workstations 3.2
PuTTY: http://www.chiark.greenend.org.uk/~sgtatham/putty/


The SSH2 protocol is designed to provide secure network communications. SSH tunneling (SSH port forwarding) is a technique for forwarding insecure TCP traffic through an encrypted SSH tunnel. When you occasionally need to access internal resources behind a firewall, SSH tunneling can serve as a temporary replacement for a VPN.

For example, like other schools and companies, our Ryerson University campus network is protected by a firewall. If you want to access the internal hosts from outside, you have to log on to our PASCAL host over SSH first for authentication. From there, you can use the terminal to establish further connections to the internal hosts. Now imagine that during your vacation you want to use Outlook Express at home to check your email, or download a large file from an internal host. How can you do that? For these cases, SSH tunneling is the solution.

Generally speaking, to access firewall-protected internal resources from outside, you have to log on to an authentication host (let's call it the SSHd server). All further TCP traffic goes through the SSHd server, no matter which internal host you use later on. To use SSH tunneling, we need to set up a tunnel first. The tunnel is established between the local host and the remote SSHd server. Usually the application server in the internal network is not the same machine as the SSHd server; therefore, we also need to specify the destination host and port. Once the tunnel is established (the SSH connection needs to stay active during tunneling), we connect to the local host, and all the TCP traffic is forwarded to the destination host inside the secure SSH channel.


Detailed configuration is described as follows:


1. Download the free SSH Secure Shell file transfer client software from the campus network, and then download PuTTY from the link at the beginning of this article.


2. Start putty.exe and configure SSH port forwarding.


2.1. Choose "Session" from the left panel and configure "Host Name" and "Port". In my case I use "pascal.ee.ryerson.ca" and "22", which is the configuration of my campus's SSHd server. Then type a profile name in "Saved Sessions" and click the "Save" button to save the settings.

2.2. Choose "SSH->Tunnels" and specify a port number for tunneling in "Source port". Any number larger than 5000 should be OK. Next, specify the application server and port number in the "Destination" field. For example, if I want to download a large file from my lab file server, I use "cserv.ee.ryerson.ca:22" as my destination.


2.3. Click the "Add" button to add the above configuration, then go back to the "Session" page and "Save" the settings. Note that all the forwarded ports above are of type "Local".


2.4. Restart PuTTY, load the profile and click "Open" to set up the SSH connection. You will be prompted for your password.


2.5. Keep the above SSH connection alive during tunneling.


3. Start the SSH Secure File Transfer client software and add a new profile.


3.1. Configure Host Name: 127.0.0.1


3.2. Configure your user name.


3.3. Configure the port number. Recall that you chose a local port number for tunneling; type that port number here. It must match the "Source port" in your PuTTY settings.


3.4. Configure Encryption Algorithm: AES, 128. That one works for me.


3.5. Configure MAC Algorithm: HMAC-MD5.


3.6. Compression: use default.


3.7. Terminal answerback: use default.


3.8. Keep default values for all other settings.


4. Use the above settings to connect to the local host. It looks as if you are logging on to the local host over SSH, but you are actually logging on to the destination host inside the remote firewall. Now you can transfer files safely.



Troubleshooting:

1. Port Number: To find out which port numbers are assigned to known services on your local system, you can check this file (Windows XP):
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\SERVICES

2. Port Number: To find out which port numbers might be used by your currently running programs, you can check this link: http://www.chebucto.ns.ca/~rakerman/port-table.html. Note that you can still use some of those port numbers as long as the corresponding applications are not running.


The above settings are for secure file transfer. To set up secure incoming and outgoing email at home, the idea is almost the same. You may need to forward the following port numbers: 25 for outgoing mail (SMTP) and 993 for incoming mail (IMAP over SSL). For example, my department mail server is "imap.ee.ryerson.ca", so local port 25 on my home computer needs to be forwarded to the destination "imap.ee.ryerson.ca:25", and local port 993 should be forwarded to "imap.ee.ryerson.ca:993". After the SSH tunnel is set up, Outlook Express on my local machine needs to be configured to connect to "localhost" to send and retrieve email. Note that during that process the PuTTY SSH connection has to stay alive.


Microsoft Remote Desktop was previously known as Terminal Services. The Remote Desktop Connection client is now a built-in tool in my Windows XP Professional edition; it can be found under "All Programs -> Accessories -> Communications -> Remote Desktop Connection". To log on remotely to my office Windows XP computer (that computer was bought in 2003 and has 2G of memory; I really should make good use of it), SSH tunneling still works. Microsoft Remote Desktop uses port 3389. Since the XP machine already listens on port 3389, we cannot configure PuTTY to listen on and forward port 3389, otherwise there is a conflict. Forwarding another port won't work either, since users are not allowed to log on remotely to 127.0.0.1. This is true if you haven't upgraded to SP2. However, there is a workaround. The trick is to configure PuTTY to listen on the host 127.0.0.2: during configuration, type "127.0.0.2:3389" in the "Source port" field and forward the requests to a destination such as "caspal8:3389". When we use Remote Desktop Connection, we just connect to 127.0.0.2, which is also a local loopback address by default. By doing this, we avoid the port conflict on 127.0.0.1.


Using X over an SSH tunnel is also possible on Windows XP. The first step is to install X Window server software on your Windows XP machine. You can use Exceed or Cygwin, but don't forget that Exceed is not free. I use Cygwin on my Windows XP machine. After finishing the installation of Cygwin, we need to run "startx" to start the X Window server program on the local machine. Next, we have to configure the SSH client software to enable "Tunnel X11 connections". For example, I reconfigure my tunnel to CSERV and enable X11 tunneling. Then I can log on to localhost:5050, which is the tunnel to my "cserv.ee.ryerson.ca". After I log on, I can test whether X11 tunneling works by running the command "printenv DISPLAY". If everything works, I get a response something like "localhost:10.0". To use window-based software on the remote computer, for example the GUI version of Matlab, I can just type "Matlab", and a window pops up on my local machine with the graphical version of Matlab.
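As an added example that is not from this post, the following Python (assumed to be available on the local machine) checks whether each local source endpoint used above (5050 for cserv, 25 and 993 for mail, 127.0.0.2:3389 for Remote Desktop) is still free before it is put into PuTTY, and builds the equivalent -L command line, with -X standing in for the X11 case; the TUNNELS list and the helper names are my own.

```python
"""Added example (not from the post): check that each local forward endpoint
is still free, then build the equivalent command line for OpenSSH or PuTTY's
plink.exe, which accepts the same -L [listen-IP:]port:host:port syntax."""
import socket

# Forwards from this post as (listen_host, listen_port, dest_host, dest_port).
# Host names are the post's; collecting them in one list is constructed here.
TUNNELS = [
    ("127.0.0.1", 5050, "cserv.ee.ryerson.ca", 22),  # file transfer (SFTP)
    ("127.0.0.1", 25, "imap.ee.ryerson.ca", 25),     # outgoing mail (SMTP)
    ("127.0.0.1", 993, "imap.ee.ryerson.ca", 993),   # incoming mail (IMAP/SSL)
    ("127.0.0.2", 3389, "caspal8", 3389),            # Remote Desktop workaround
]
SSHD_SERVER = "pascal.ee.ryerson.ca"


def listen_port_free(host, port):
    """True if this machine can still bind host:port. PuTTY cannot forward a
    source port another program already holds (Remote Desktop on
    127.0.0.1:3389), but 127.0.0.2 is a separate loopback endpoint."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


def conflicting_tunnels(tunnels):
    """Return the forwards whose listen endpoint is already taken."""
    return [t for t in tunnels if not listen_port_free(t[0], t[1])]


def occupy_loopback_port():
    """Listen on an ephemeral 127.0.0.1 port, standing in for a program
    (such as Remote Desktop) that already owns its port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def ssh_args(tunnels, sshd_server, x11=False):
    """One -L per forward. -N keeps the tunnel open without a remote shell;
    -X (X11 forwarding) needs a shell, so the two flags are exclusive here."""
    args = ["ssh", "-X" if x11 else "-N"]
    for listen_host, listen_port, dest_host, dest_port in tunnels:
        args += ["-L", f"{listen_host}:{listen_port}:{dest_host}:{dest_port}"]
    return args + [sshd_server]
```

On the office XP machine, `conflicting_tunnels(TUNNELS)` should report a forward listening on 127.0.0.1:3389 as taken while the 127.0.0.2:3389 entry stays free, which is the conflict the Remote Desktop workaround avoids.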
