Linux & SSH Tunneling: What It Is, How to Do It


Chrome's Secure Shell is a winner.. days of st...

Secure Shell (SSH) access is granted for our GridPRO and GridMAX hosting packages. Let’s look at what it is and why it might be useful. It really is a nifty tool – for port forwarding to get around firewall restrictions and send email remotely via your own server.

We will focus specifically on using SSH methods within a Linux hosting environment – however, I’ll briefly note below how to access Windows clients for similar purposes. Be aware that the latest version of SSH is SSH-2, but SSH protocol is typically referred to simply as SSH regardless of version.

For this article, I looked at several pieces around the web for multiple perspectives on the topic: “What is SSH?” from the University of Pennsylvania, “Secure Shell” from Wikipedia, “X11 definition” from The Linux Information Project (LINFO), “Secure Shell (SSH)” from Tech Target, “Quick-Tip: SSH Tunneling Made Easy” from Revolution Systems, “Accessing the Linux Terminals Remotely with SSH” from the University of Illinois, and “5 Basic Linux SSH Client Commands” from The Geek Stuff.

Below we will get a sense of what SSH is, how to use it, why to use it, and a few basic SSH commands. In other words, this article is all about usability and helping you understand the basics of implementing SSH tunneling for your network. Additionally, we will explore how SSH tunneling can be used to dig your way out of federal prison.

How to dig your way out of prison using SSH #1: A prison break isn’t easy these days, but soon we will all be sent there for tax evasion, provided everyone else is as loosey-goosey with federal forms as I am. That’s why SSH has become so critically important for lifer federal inmates if they ever again want to see the light of day. The prison version of SSH or Secure Shell tunneling is not an IT term. Rather, it refers to wall-digging with a smuggled conch shell that you have hidden away securely in your cell.

SSH – What it Be?

SSH (aka Secure Shell or Secure Socket Shell) is a protocol that encrypts information, similarly to an SSL certificate, allowing data to transfer securely. This data could be shell commands, other network administration, file transfer, etc. The connection is typically between two devices, a server and a client, on an unsecured network. The server runs a program specific to SSH server application, and the client runs one applicable to an SSH client.

Typically SSH is used to access shell accounts on UNIX-like OSs. It is also sometimes used for Windows accounts. It is the successor to Telnet, rsh, and rexec – none of which are cryptographic. Whereas similar methods are susceptible to packet analysis, SSH both protects the data and keeps it from unwanted manipulation.

SSH tunneling also sets itself apart from other ways to remotely log in to a network by encrypting your login credentials so that malicious parties can’t see them as they’re typed. Additionally, SSH establishes X11 connections. Because SSH establishes X11 connections, DISPLAY does not have to refer to remote devices. A few words on X11:

What is X11? X11 is the newest version of the X Window System, also known simply as X. X is the most commonly used management system for GUIs on UNIX and similar OSs. The first version of X by the Massachusetts Institute of Technology (MIT) was the original OS that was completely free of any crucial ties to either hardware or vendor specifications.

By version X10, X had become increasingly popular, but its lack of hardware neutrality effectively hindered its growth – hence the development of X11, which required outside assistance from MIT via the tech firm DEC. DEC provided X11 as free open-source software. According to the Linux Information Project (LINFO), “X … represents one of the first large scale open source software projects, and it set a precedent for the development of Linux, which began just a few years later.”

SSH is just one type of program to login remotely and securely transfer files. SCP is an example of an alternate protocol for conducting the same task.

How to dig your way out of prison using SSH #2: All right, it’s 2 a.m. Grab your shell, and let’s get to work. See that weak point in the wall right behind Roscoe’s bunk? That’s the place. You saw Shawshank Redemption, right? Good, because I didn’t. Apparently digging a tunnel can get you out of prison … makes sense I guess. It’s a little uncomfortable, not for the claustrophobic. As far as that goes, if you want to protect your mind, err on the side of wider and taller. Really make that tunnel spacious. With prison-break SSH tunneling, it’s all about process, not end result. Make it beautiful. Put some pictures of your family on the walls. Get inspired.

Basics on SSH Use: 3 Commands

Per The Geek Stuff, here are 3 basic commands for SSH tunneling.

1.)    Identify the client

You may need to identify the version of SSH client you are using. (Note that Linux standardly includes OpenSSH.) Here’s how you can achieve that:

$ ssh –V

OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003

2.)    Login to your remote host

Use the following command to log in to the remote device:

localhost$ ssh -l jsmith

When you initially log in, you may get an error message stating that the host key is not found. Click Yes to proceed. You can add the host key within the directory .ssh2/hostkeys.

To get a public key’s fingerprint, use this command:

% ssh-keygen -F

Log in again. Now it will only ask for your password. The host key is recognized.

Note that occasionally the host key will not be recognized, and you will receive another error message. This message could be due to malware or just because the software or remote host credentials have been updated. The wisest thing to do is contact the sysadmin to determine why the host key doesn’t work.

3.)    Transfer files between local and remote devices

This process is conducted with a simple one-line command. To copy a file from the remote host over to the local one, use this script:

localhost$scp remotehostcupcakerecipe.txt

To copy from the local one to the remote one, use this:

localhost$scp localhostcupcakerecipe.txt

How to dig your way out of prison using SSH #3: Hey what’s Roscoe doing back there? Roscoe, get out of here. No, Roscoe, make your own tunnel. Two people in one tunnel is too many. Am I trying to escape? Sort of. I also just like digging. I’m a digger by nature. The entire family on my father’s side was badgers. Yeah, my mom’s weird. Yep, badgers dig. You didn’t know that? They love digging. Anyway, so do I. If I do eventually burrow through to open air outside of the prison, it’s going to be a bittersweet moment.

Example: Use of SSH – Port Forwarding When Travelling

The author of the Revolution Systems piece uses SSH tunneling on his Linux/Unix PC to transfer data between his local account and a remote account – specifically for port forwarding to allow email to send through his own server and allow capabilities otherwise not possible in firewalled, excessively tight environments. Let’s look at these two scenarios.

Emailing from Restaurant or Hotel WiFi:

Any e-mails he sends go from his computer to his server, where they are then transmitted to external parties. This route allows not having to change Simple Mail Transfer Protocol (SMTP) servers or use specialized software when operating within firewalled public environments such as WiFi hotspots. Here is how you can use SSH tunneling for that.

1.)    First, you need to use an SSH client such as OpenSSH. Here is the portable version. (Note that for Windows and Mac, you can check out this page for the former and this one for the latter.)

2.)    Within OpenSSH or another similar program, type the following into the command prompt:

ssh -f -L -N

What does all this mean?

  • ssh – Instructs your PC and the server that you’re using secure shell protocol
  • -f – Instructs SSH to retreat to the background
  • – Designates your username and server, specifying the appropriate account/location
  • -L – This designates the local port, host, and remote port, specifying the channel for transmission of data
  • -N – Tells the SSH client not to execute any commands on the server.
  • Bottom Line @ This Point: Your local port 2000 (PC) is now sending everything over to remote port 25 (server). Plus, it is completely encrypted.

3.)    Go into your email settings, and use localhost:2000 as your SMTP server.

4.)    Celebrate. Send a spam email to all your relatives letting them know you’re living in an encrypted wonderland they may never know.

Accessing Restricted Functionalities:

You can also use port forwarding as a workaround when a firewall won’t allow you to communicate in certain ways on the web. The example used on Revolution Systems is inability to use Jabber to interact with Google Talk. The following technique can be used to get around that particular scenario.

1.)    Again, enter OpenSSH or similar.

2.)    Enter the following command:

ssh -f -L home –N

What does all this mean?

  • – the Google Talk server.
  • home – SSH alias for his personal server

3.)    Go into Jabber client settings and configure it to use localhost and port 3000. (The traffic doesn’t send from those, though, but forwarded via the server.)

4.)    Call your mistress and tell her you can do the thing on the thing now.

How to dig your way out of prison using SSH #4: Roscoe, are you with the warden? There are three of us in here now? This is nuts! Why have I created a hookah café within the walls of the prison? Well, that’s a reasonable question, warden. Would you like to use the hookah? I’m not hogging it. It just keeps me calm when Roscoe and the warden find me in my SSH tunnel, and similar situations. Have a seat, warden. You’re making me nervous.

Summary & Conclusion

Those are a few basic techniques for SSH tunneling. You should now know how to log in securely and transfer files between two devices on an unsecured network. Additionally, you should be able to get around some of the firewall restrictions you experience while travelling – via an enhanced ability to use your server’s parameters rather than those of a WiFi network.

Finally, you will be able to enjoy a cup of Turkish coffee and berry-flavored hookah inside the walls of a minimum-security prison. Put that conch shell down, Federal Inmate #38475-99873. It’s time to party.

by Kent Roberts and Richard Norwood