SSH Tunnelling
The following tutorial was written by Walter Dnes, who has given us permission to copy it. It is mostly Unix oriented, but the same techniques can be used with Windows machines also (see notes below). Walter is on Vex.Net, so you can be sure this works with our system.
Accessing POP/SMTP/NNTP etc, via SSH from another ISP
Software Requirements:
- The destination ISP needs to have an SSH server running on the machine that the enduser wishes to access. It may be possible to get around that requirement by using port-forwarding at the ISP's end. I have no experience running servers, so I can't say for sure.
- The enduser/client requires SSH core and client software that can communicate with the version the destination ISP is using.
- Under Unix/Linux/etc, the enduser/client requires POP/SMTP/NNTP, etc software that can connect at non-standard ports. The standard ports for these services are in the "privileged" range (i.e. 0..1023). Only root can forward these ports over SSH, and running as root for day-to-day stuff "is not a good thing". Windows 9X users effectively run as root anyway, so they may not have to worry about this.
And now a word from your friendly local host...
***LOCALHOST*** ***LOCALHOST*** ***LOCALHOST***
***LOCALHOST*** ***LOCALHOST*** ***LOCALHOST***
***LOCALHOST*** ***LOCALHOST*** ***LOCALHOST***
Now that we have your attention... your POP/SMTP/NNTP/etc software's config files must be changed in two ways...
- The software will log on to localhost (yes, I said ***LOCALHOST***), or 127.0.0.1, not to your ISP's machine. SSH forwarding will then take the connection over an encrypted channel to the destination ISP.
- Use a non-standard port, higher than 1023.
Some examples. RTFM doesn't help very much if the writer doesn't WTFM (Write TFM) very well. My main complaint about man pages is lack of relevant examples. Here are a few. Assume you're userid@example.com (the destination ISP). There's nothing magic about adding 10,000 to the real port number to get the forwarded port. It's simply easier for me to remember. I use SMTP/POP/NNTP as examples here. The algorithm is very generic, and can also be used for encapsulating X-Window sessions, ftp, nfs, http, whatever, over a secure connection. The main limitation is that you must know in advance which port number will be forwarded.
- SMTP (outbound email)
I have the kmail app open in X. It is ready to send out some email. I've configured it to log on to localhost (not example.com) and use port 10025. In an Xterm window, I run a 1-line script that executes the line
ssh -P -f -L 10025:example.com:25 userid@example.com sleep 25
Note that if you do not use RSA authentication or other such goodies, you will have to manually type in your password when prompted by SSH. If this is necessary, the 25-second window doesn't begin until after the SSH connection has been authenticated.
The parameters are...
- -P: do not use local privileged ports (i.e. in the range 0..1023). Only root has permission to do this, and you're not root.
- -f: fork to the background before executing the command at the end.
- -L 10025:example.com:25: forward local port 10025 to port 25 on the machine at example.com.
- userid@example.com: your user and ISP name.
- sleep 25: this command does nothing, and terminates after 25 seconds. SSH will exit once the command finishes AND ALL PORTS FORWARDED OVER THE SSH CONNECTION HAVE BEEN CLOSED.
The last condition is important. The "sleep 25" command opens a 25-second window. If another process establishes a connection over a forwarded port, SSH will stay active until all connections are closed. In this case, I click the "send" button on kmail, and it does its thing, and it can take over 25 seconds if need be. SSH may send a message to the console indicating that it's waiting for forwarded port connections to be closed. This is NOT an error message. It is a status message. Don't let it scare you.
- POP (inbound email)
ssh -P -f -L 10110:example.com:110 userid@example.com sleep 25
mutt
I use mutt for downloading, reading, and composing my email. The two-line script above (the ssh line followed by mutt) opens SSH for 25 seconds and fires up mutt. I have to hit {SHIFT-G} in mutt to start the POP mail download within the 25-second window. Once the download finishes (or after 25 seconds if you have a very short download) SSH will terminate automatically. Note that my muttrc config file includes the two lines...
set pop_host="localhost"
set pop_port=10110
...telling mutt to connect to port 10110 on my local machine. SSH redirects it to the appropriate location.
- NNTP (usenet news)
ssh -P -f -L 10119:example.com:119 userid@example.com sleep 25
slrnpull -d /home/waltdnes/spool/slrnpull -h localhost:10119
I use slrnpull to download usenet news to a spoolfile in my home directory, which I then read with slrn. The 2-line script above (the ssh line followed by the slrnpull line) opens SSH and forwards a connection from slrnpull. Notice again that slrnpull connects to host (-h) ***LOCALHOST*** on port 10119, and SSH does the appropriate forwarding.
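The three scripts above are variations of one procedure: pick a local port above 1023, open a short-lived SSH tunnel with -f and a sleep window, then run a client that connects to localhost. The wrapper below is an added example, not Walter's own script, that puts the parameter rules into a reusable shell function. It assumes a current OpenSSH ssh(1) and bash; the -P flag from the tutorial is left out because current OpenSSH clients reject it (they use an unprivileged source port anyway). It also binds the forwarded port explicitly to 127.0.0.1, which OpenSSH's -L accepts as bind_address:port:host:hostport, so that other machines on your LAN cannot ride your tunnel, and it checks that the local port is actually listening before starting the client. The function names, the MAILTUNNEL_RUN variable and the "remote port + 10000" convention are this example's own choices.

```bash
#!/usr/bin/env bash
# mailtunnel.sh - wrapper around the "ssh -f -L ... sleep N" technique.
# Added example (not the tutorial's script). Assumes OpenSSH ssh(1) and bash.

# Local ports 0..1023 are privileged: only root may bind them, so refuse them.
# Also rejects non-numeric input and anything above 65535.
is_unprivileged_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Tutorial convention: local port = remote port + 10000 (25 -> 10025).
local_port_for() {
    echo $(( $1 + 10000 ))
}

# Build the -L argument as BIND:LOCALPORT:REMOTEHOST:REMOTEPORT.  Binding to
# 127.0.0.1 keeps the forwarded port off your LAN interfaces.  Fails (returns 1,
# prints nothing) when the derived local port is outside 1024..65535.
forward_spec() {
    local remote_host=$1 remote_port=$2 lport
    lport=$(local_port_for "$remote_port")
    is_unprivileged_port "$lport" || return 1
    echo "127.0.0.1:${lport}:${remote_host}:${remote_port}"
}

# Poll until something accepts connections on 127.0.0.1:PORT, using bash's
# /dev/tcp pseudo-device, for up to MAX_TRIES one-second attempts.
# Returns 1 if nothing ever answers (e.g. the tunnel failed to come up).
wait_for_local_port() {
    local port=$1 max_tries=${2:-10} i=0
    while [ "$i" -lt "$max_tries" ]; do
        if (exec 3<>"/dev/tcp/127.0.0.1/${port}") 2>/dev/null; then
            return 0
        fi
        i=$(( i + 1 ))
        sleep 1
    done
    return 1
}

# Usage: open_tunnel_and_run USER@HOST REMOTE_PORT WINDOW_SECONDS CLIENT [ARGS...]
# Opens the tunnel with a sleep window, waits for the local port to listen, then
# runs the client.  As the tutorial explains, ssh outlives the window for as long
# as any forwarded connection is still open.
open_tunnel_and_run() {
    [ $# -ge 4 ] || { echo "usage: open_tunnel_and_run USER@HOST PORT WINDOW CLIENT..." >&2; return 1; }
    local user_host=$1 remote_port=$2 window=$3 spec lport
    shift 3
    spec=$(forward_spec "${user_host#*@}" "$remote_port") \
        || { echo "remote port $remote_port maps to a bad local port" >&2; return 1; }
    lport=${spec#127.0.0.1:}; lport=${lport%%:*}
    ssh -f -L "$spec" "$user_host" "sleep $window" || return 1
    wait_for_local_port "$lport" 5 \
        || { echo "tunnel on 127.0.0.1:$lport never came up" >&2; return 1; }
    "$@"
}

# Guarded entry point so the file can also be sourced for its functions, e.g.
#   MAILTUNNEL_RUN=1 ./mailtunnel.sh userid@example.com 110 25 mutt
if [ "${MAILTUNNEL_RUN:-0}" = 1 ]; then
    open_tunnel_and_run "$@"
fi
```

For the POP example, point mutt at localhost:10110 as in the tutorial and run the script with remote port 110; for NNTP use 119 and pass slrnpull and its arguments as the client. The listening check is cheap insurance: if authentication fails or the remote side refuses the forward, the client would otherwise try to talk to a port nothing is listening on.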
Advantages of this algorithm
- Password or RSA key required. This means that you can allow in remote users as required, without running a wide-open relay. This also allows password-protected HTTP, etc.
- UserID and password are sent over an encrypted connection, rather than in plaintext over the net. Packet sniffers aren't enough to grab the logon sequence. I suppose that the NSA could probably crack it if they felt like it.
- Because everything gets forwarded over the SSH connection (usually port 22), port 25 blocking by an ISP will NOT block outbound SMTP to a remote ISP.
Walter Dnes <waltdnes@waltdnes.org>
For Windows SSH clients that support SSH Tunnelling see the Win32 SSH topic.