Monday, December 20, 2004

Secure Shell Tunneling (On Linux)

SSH tunneling is a bit of knowledge that any security professional should have under their belt. Here I will explain some rudimentary elements to SSH tunneling. The purpose of SSH tunneling is to provide a secure means of transporting data over a non-secure channel. In essence, SSH tunneling is creating a VPN (Virtual Private Network).

SSH tunneling can be used to route any traffic from one computer to another, as long as there is an SSH server on one end and an SSH client on the other end. It is a requirement that there be an account with shell access used to create the tunnel. One common use of SSH tunneling is to secure email transfers when the email server has no secure transport protocol in place. This is a problem at my place of work, which is a large university that does not provide a secure means to check email. In order to prevent my username and password from passing between my machine and the mailserver in the clear, I use SSH tunneling to encrypt all traffic. I will explain how I did this in the following steps:

1. First, setup the SSH tunnel between the local machine and the mailserver for pop3 and smtp transport, note the use of high-end port numbers to allow the tunnels to be established by a non-privileged user:

ssh -L 52110:localhost:110 -L 52025:localhost:25 -l -N mailserver

This command will be answered with a password prompt, which is the password for the SSH account you are using to connect to the mailserver. To verify the tunnels have been established, open another shell and use netstat to see if your machine is now listening on those two ports:

netstat -l --inet

2. Next, configure your mail client to check for mail on localhost:52110 and to send mail on localhost:52025 host/port configurations.

1 comment:

James Stephens said...

Josh,

I've become somewhat numbed to the fact that many organisations run pop3 instead of secure pop3, imap instead of secure imap etc., but I am amazed that you have ssh access to the system actually running the pop3 and smtp services.

James

http://www.sns.ias.edu/~jns/wp/