You need an SSH tunnel. There are many reasons to use it, if you’re trying to create a tunnel you’ll definitely have in mind (at least) one. I am often confronted with the HTTP proxy which prevents the connection to a lot of stuff, IRC for example. Fortunately, SSH works very well by this proxy, and for good reason, SSH, like HTTPS uses SSL to transport data securely. Most of the proxies do not the difference. Most of the access network are well protected, beginning with those of a company. The closure of some ports not needed is a common thing, and software firewalls can be very restrictive without it there can be nothing.
But it may have to access external resources unfortunately blocked by a router too permissive. In these cases an SSH tunnel is its usefulness. Also, you can use SSH to encrypt its shipments of information in plain text (eg when using SMTP, VNC or rsync. SSL is in effect a secure communication protocol. It is standardized under the name TLS [Read our article of 19/07/2005], but SSL is the most common name. An SSH tunnel is a secure access via TCP connection between two network points. The tunnel allows the encryption of all data it transports. In practice, an SSH tunnel supports all data sent by a specific TCP port of the sending machine, encrypts and sends them to a remote machine. It decrypts the data and makes it accessible to one of these ports, or another machine, and returns the port redesign.
What is a Tunnel :
You want to connect to a remote server (It will take the example of an IRC server), but a proxy is blocking the IRC protocol. You will then create a link, a “tunnel” between you and your SSH server (found in your example) that passes through the proxy. The SSH client will connect to the SSH server of the laboratory itself is accessible from the outside. At the same time it will create an SSH tunnel that will achieve the target required in the configuration or command line on Unix or OSX or in the menus Windows, Proxy lab. It remains only to configure the application (in our case the browser) the Customer (the machine located outside the school) to tell him to go through this tunnel all requests (HTTP) required.
PuTTY is the recommended utility to connect to SSH server. On Windows, PuTTY is available as an executable. If the default installation path does not suit you, you can install it anywhere you if you want to have administrator privileges on the target system or if not install it in your personal space. For Linux systems installed from the standard image of the SAI, the software is pre-installed from the Debian package. It is accessible through the standard menu: Debian / Applications / Network. (Note: Applications / Debian Menu / Applications / Network Gnome). It can develop an agent that stores keys. No one claps when the password once per login session. It is a line utility (run in a command prompt window so) for the ssh connection itself. When PuTTY is installed, you just have to choose between the authentication system to single password or system to exchange public keys. Then by this you can create keys, you can create the file on the machine and tell PuTTY to use the key you just created.
Implementation of PuTTY
It is one of the most famous implementations of SSH is OpenSSH . On Windows, PuTTY is the norm: it combines in a single tool free implementation of Telnet and SSH. PuTTY is designed to simply and quickly set up an SSH tunnel from a Windows machine to a third party machine. Putty is an SSH client for Windows that LPG offers very advanced functionalities, which get the possibility to create tunnels through SSH. The advantage is that you can also pass the filters of the proxy, but also have a fully encrypted connection between your computer and the remote ssh server.
I have always been looking for a SSH client for Windows with various features necessary for me:
- URL hyperlinking (move your mouse over a URL to pressing the left mouse button I want to visit that URL)
- Auto reconnect (if disconnected)
- Support login via RSA keys
- Open up Putty, you come across a fairly extensive configuration window: left, a list sorted into categories and subcategories, right, the options by category.
- By default, it falls on the first category: Session. Fill in the Host Name (or IP address) and possibly the Port field if the SSH server is not listening on port 22 (default).
- Configure Putty to go through the proxy (optional)
- If like me you use SSH tunnels to pass a proxy, you’ll need to configure Putty to go through this proxy. Go in the sub-category of category Proxy Connection.
- Three fields are to inform, Proxy type that matches the type of proxy, for my part, HTTP. Proxy hostname, proxy address, port and the proxy port (usually 8080).
Creating tunnels Putty
See you in class Tunnels subcategory SSH. Two fields are identifiable Source and Destination Port. To understand what to put in these fields, a little explanation is necessary.
There are several Internet protocols to connect to a remote computer: telnet , r-commands ( rlogin , rsh or rcp ), ssh (Secure Shell). While telnet and r-commands are circulating the information unencrypted over the network (see our documentation on the dangers of telnet ), ssh is much safer. Another method uses what is called a public key, that is to say a code that identifies you. If you follow the steps below, you can connect through ssh on a remote machine without having to type a password. SSH has become the standard for interactive session open on the servers and equipment assets. It encrypts connections with a key (symmetric) session, exchanged via asymmetric keys. Attention to security reasons (a glance at the screen of his neighbor is a way of hacking basic but effective) that will not appear on the screen, you have to type blind. If you think you made a mistake in your password, do Ctrl+u and retype the whole. If you typed your password correctly, you will have access to a shell on the remote machine. Otherwise, you will see “Permission denied.” And it will again.
There are different versions of SSH. Depending on the version used on the remote machine, the type of key to generate different. This information is given for example when you first login ssh on this machine (see above ). If you do not remember it, be aware that SSH1 RSA1 keys, SSH2 and DSA keys. To find the version of SSH used on the remote machine, type ssh -v on the remote machine. SSH clients offer the possibilities of creating SSH tunnels. Through a menu or options on the command line (used by the client) can specify the server and port (service) of this server to be the target of the tunnel. Note that this server is generally different from the SSH server on which the client is logged on interactively. The SSH client software will then open the same port on the SSH client machine (it is possible to open a different port, but this is rarely used in practice). When an application connects to this port, open the SSH client The SSH software on the SSH client and SSH server cooperate to ensure that data transmitted on this port reaches the target server of the tunnel, and vice versa, data sent by the server to manage the application connected to the source port tunnel.
The possibilities offered by SSH tunnels are particularly valuable in the project DIODE. Indeed, unless they are declared as recognized server (open) network machine at EPFL are accessible from the outside (Internet) and on port 22 (SSH), 80 and 443 (HTTP ). To access other services using other port than those, a good solution is to connect to an SSH server at EPFL and open an SSH tunnel to the required server on port’s choice.
- In the PuTTY utility, we must create a profile. Alons-y step by step.
- Open PuTTY
- In Saved Sessions, enter ssh
- In Host Name, enter ssh
- In Protocol, select SSH The port should now show 22
- Save now by clicking Save
First SSH connection with PuTTY
In PuTTY, select the session ssh, and click Open. At the first login, a window type will tell you that the key server is not known to your PC. Click Accept and you save on your client. If subsequently, the window reappears, is that the key to the server has changed. This is fishy prevent the administration of the site as the footprint of ssh should be: 5a: 80:3 c: 21:61:5 a: 9d: 2a: 00:6 d: c1: 94:0 a: 5d: c8 99. PuTTY will ask you to authenticate your login. Internally, you use your email account. You are now logged on the server. If you want to use a single password, you simply add the suffix: skey to your login:
Creating keys: PuTTYgen
- Select the tab of SSH2 RSA
- Move the mouse to generate random events.
- The keys are created. We must change the field Key how to put an understandable REMARKS allowing you to recognize the key. Then fill in the Key passphrase and confirmation to initialize the string secret to decrypt and use the key.
- The passphrase is very important. It is she who protects your private key.
- Save your private key in a file. This file must be local to your desktop or notebook. The file name can be explicit because the key is virtually indecipherable without thepassphrase.
- You can save your public key but not an obligation because it is calculated using the private key.
Remove the keys
- To operate the machine ssh will need your public key. You’ll get your public key with the utility PuTTYgen.exe. You need to log in from an internal mail server ssh using youremail account or use a connection to unique password. The copy is complete, you can validate it by entering a carriage return (enter) then the key combination: Ctrl + D
- Log in using the key exchange
- Putty requires that you specify the path to your key:
- Run PuTTY
- Select the session ssh, and click Load
- Select the tab for SSH Auth
- Add the path to your file created from PuTTYgen (/ home / user / mykey.ppk in the example below)
- Back in session and save your session
If you followed point to point this page, you can now connect from outside using your key. To do this:
- Run PuTTY
- Select the session ssh, and then click OPEN load.
- Sign in with your login of your account email
- Putty now ask not your email password but one that can read your public key and you entered during the process of generating your key using PuTTYgen
Advanced use of putty
- Pageant cannot type the passphrase each time you connect SSH. Using it, you enter your passphrase once, and that’s all.
- Run pageant
- It is then placed in the Windows taskbar (bottom right).
- Click the right mouse button above, and select Add Key.
- Select your private key file
- Enter the passphrase
- Your next SSH connections, you will not be asked anything more
- You can check that your key is registered with the pageant using Keys View
- It is possible to direct connections to the ssh encrypted connections such as VNC, HTTP, POP and IMAP based on port numbers and localhost. We will focus, initially, onthe VNC protocol that allows you to access a special session on a UNIX server internal SAI. The operation will be to redirect VNC connections to localhost, then its localconnection to it to access the remote server.
What you will need :
- PC-based Windows (remote workstation, conditionally CLIENT);
- e-mail server (not that important, whether Kerio MailServer, MDaemon, or other conventionally SERVER_POCHTY LAN – well, suppose you have to work with him, but simply because the local mail server in the world not connected);
- gateway (proxy server) in the Internet server running SSH (for example, FreeBSD or Linux, which many organizations are as firewalls, conditionally FIREWALL).
To implement a secure (encrypted) connection from a client to SERVERU_POCHTY protocol POP3 (receive mail, usually port 110). Well, let us have it is not permanent, and sometimes (otherwise must still configure a normal VPN-server). Since By default, traffic on the POP3 protocol is transmitted in clear text, and we extend a very secret password from the mailbox, the e-mail traffic should be encrypted:) What we will encrypt it. Raising a special VPN-server, redirect ports, configure certificates and more – often not an option, because it is difficult even for most system administrators, moreover, as stated just above, we all need for periodic sessions of work, perhaps just for us .
- Take a free ssh client for Windows – Putty – and install it on the client (the default folder C: Program FilesPutty).
- Next, install an encrypted connection between client and firewall to work for the Client with e-mail within the local network would be exactly the same as if he (the client) would be in his office.
- At the client starts the console: Start > Run > cmd
In the console type commands:
cd C: Program FilesPutty
putty.exe-v-ssh -2-P 22-C-l user-pw password-L 8110:192.168.1.10:110
- Here the -v – so-called verbose mode, with extensive commentary, -ssh -2 – to use the ssh protocol version 2, -P 22 – the port open on the firewall to connect to ssh, -C – to use compression, -l user – the user who has the right to enter the ssh server on the firewall, -pw password – password for that user.
- After typing the last command (putty.exe-v-ssh -2-P 22-C-l user-pw password-L 8110:192.168.1.10:110 184.108.40.206) opens a communication session protocol ssh. All the window turned off (do not close!), And set up our e-mail program to receive mail from the address localhost and port 8110 and not 110, which is the default.
- Like all. During the receipt of mail e-mail program will connect to port 8110, which will be forwarded to a remote mail server in the office, with all the traffic connections will beencrypted. End session connection can simply close the session window putty. After that, the local port 8110 will no longer be available.
- In general, ssh and putty, there is so much all the different amenities that are not mentioned.
How to create a dynamic SSH tunnel with PuTTY
I have a Linux server with ssh access and enable SSH tunneling (Ubuntu and most other distributions with openssh-server by default allows).
- Open PuTTY and start:
- Enter your host server as illustrated
- Navigate tab Connection > SSH > Tunnels
- In the Destination field, set Dynamic
- Choose a TCP port that you know to be free on your local machine (number> = 1024 would be fine) and enter the number in the Source port
- Press Add
- Now press Open, connect to your ssh server by specifying username and password and leave the session open
At this point the tunnel is created on the localhost on TCP port you specified source port: Open the program you want to use the tunnel just created and set to use a SOCKS5 proxy with localhost address and port as the source port of your choice. For example, we use Firefox to use the tunnel just created:
- Open Firefox
- Check on What Is My IP Address – Shows Your IP Address what your IP address and write it down
- Go to Tools -> Preferences
- Go to Advanced and then the Network tab, then click Connections and then click Settings
- Click on “Manual proxy configuration” and enter the SOCKS Host field: the IP address of local computer (127.0.0.1) and port as the source port you chose in PuTTY (in my case, 17222)
- Click OK and close all the options you have open
Easy Create of New Session
Run PuTTY and create a new session, let’s call 123_abc . There are several parameters to adjust. First, the Session tab:
- Host Name:
- Port: 22
- Saved Session: 123_abc
In the Connection tab / SSH encryption algorithms indicate in the following order :
- AES (SSH -2 only) and verify that it is version 2 of the protocol that is selected.
- Regardless of the outcome, we have authorized the use of Blowfish and AES only.
The authentication tab Connection / SSH / Auth:
- Optionally select Enable agent forwarding (not useful here)
- If you use an SSH key is the time to indicate this: Private key file for authentication: (Browse and navigate to your private key file.ppk ), see Generating and Managing SSH keys for details.
- In the Connection tab / SSH / X11, check Enable X11 forwarding (useful only for a remote display X windows).
- Finally, in the Connection tab / SSH / Tunnels remit the tunnel:
- Source Port: 10000 (any free port number should be, above 1024 )
- Now Validate the same by clicking on Add.
- Setting the PuTTY is complete, return the Sessions tab and then register by Save:
- By clicking on Open, the connection that you just created starts.
- At next start, simply select the connection you just set (named 123_abc in our example) then click Open.
Putty Browser Configuration
- Click the Tools and then click on Options.
- Click on Connection Settings
- Check the boxes Manual proxy configuration and Use the proxy for all protocols Sami
- Type in HTTP Proxy: 127.0.0.1 and Port: 8080. Give OK and done.
- Click on Tools > Internet Options and then click the tab Connections
- Click on LAN Settings
- Uncheck the box Automatically detect settings
- Then select the Proxy Server and type in Address:127.0.0.1 and Port:8080
- Click on Advanced and check Use the same proxy for all protocols. Click OK.
- Click on Proxies
- Check the boxes for FTP Proxy, Web Proxy (HTTP) and Proxy Secure Web (HTTPS)
- Put in Secure Web Proxy Server 127.0.0.1 and 8080
- You are now connected via the Proxy LAL and you have access to the journals server lines.
Start by choosing the port of your machine with PuTTY will listen for connections (preferably above 1000 or 3000 to avoid conflict) or 127.0.0.1 (loopback address). Then in the submenu Connection / SSH / Tunnels, enter the port selected in the Source Port. Also enter the address of the remote machine and port of the machine you are targeting, separated by a colon (for example, 255.254.253.252:21). Click Add to add the port to the list. The tunnel is configured.
Now click the Open button at the bottom of the interface of PuTTY. Log: interface when you request, enter your username and password. These correspond to your access to the remote machine. Once done, you’re connected. Any transmission of data through the port that you specified on your machine will go through the tunnel to be handled through the port of the remote machine. And if you already have an FTP or email access via SSH on the remote machine, you can now access it via SSH, if you specify the correct port. The remote ports allow you to accurately manage your access protected. Choose the port 80, and you can surf the Web using the remote machine as a proxy. Use port 22, you will work with SSH tools for this machine. The port 110, you may reach the mail server. A you know what you have access to this remote machine. I will use SSH because its characteristic is that it encrypts the connection between the two machines. You will have a tunnel, more importantly, will be encrypted!! It exists and it goes fast, so why go private. SSH clients are fortunate to be this easy on most systems.