From [1]


The Joys of SSH

I’ve been using openSSH (Secure Shell) a lot lately – it’s definitely my Tool Of The Year this year.

Of course, SSH provides a commandline interface to your machine just like telnet, but with certificate-based security. That in itself would be great, but SSH’s ability to do secure tunneling, port and X11 forwarding and secure copying make it a veritable swiss-army-knife in your utility toolkit.

My home network is connected to the net via cable modem. I have a perl script that monitors my external ip address and notifies Zoneedit‘s DNS servers if it changes, providing me with dynamic dns. This allows me to get into my network. I don’t want to provide open access to my network though, so I firewall off everything except one obscure port. On that port I expose the sshd secure shell daemon running on my linux box.

Wherever I am on the net, I can connect to my linux box with ssh (usually with the Windows ssh client, PuTTY) and get a shell prompt. (I keep downloadable copies of PuTTY.exe and vncviewer.exe available to me on my public server for quick access – they’re pretty small downloads with no installation or dependencies).

If I want to connect to any of my home machines via VNC or HTTP or whatever, all I have to do is specify a port on the workstation I’m on and have PuTTY forward that port through the ssh tunnel and out to a port at the other end, either on the terminating linux box, or forwarded to any machine it can reach. I fire up VNC, point it to localhost with the right port number, and PuTTY and sshd take care of the rest.

If I like, I can keep this static PuTTY/sshd tunnel going, and then go to another machine on this remote network, connect to the local port on the PuTTY machine and have it forwarded securely through the tunnel and out to a different remote machine on my home network. The mind boggles.

Say I’m running KDE under Mandrake Linux on my laptop and shelling around on my linux box via ssh – if I run Konqueror, it starts up on the home linux box as a kde program, and throws its X11 display to my laptop across the tunnel. On my laptop, the konqueror window opens, but I’m browsing the home machine remotely!

If I want to connect to my the hosting company that hosts blogchat and send a bunch of files back and forth in a secure manner (as opposed to FTP for instance), I can use SCP (secure copy) or WinSCP, both of which talk to sshd on the remote end to do entirely secure copying between machines.

Tim was consulting at a client a couple of weeks ago and found he couldn’t access some things at nonstandard ports. So, he SSH’d to an intermediate point out on the net where he had permissions, and set up a tunnel via there to the services he wanted to consume.

I have a client whose two computers I can only reach from my home due to a firewall rule. From elsewhere, I ssh to my home, and then from that commandline, ssh into the client. I can actually set up doubly-redirected ports through the mess of tunnels if I want. Powerful stuff.

I was at a client last week where we were inside their network but needing to test their application from the outside to test PIX and RADIUS authentication. I grabbed PuTTY and vncviewer.exe, shelled home and started two vnc sessions, one on my linux box and one on the Win2k box, ran 4 different browser versions and used tcpdump and windump to sniff the traffic – all through the one ssh tunnel.

It’s been a long time since I’ve run across something so indispensable.