SSH Tips Part One

—Joel Rennich,

Updated 21 June 2002

SSH is an encrypted replacement for telnet with quite a few tricks up its sleeves. With SSH you can securely and easily administer your server, and you can tunnel other services through the encrypted connection, a VPN of sorts, to administer and test them.

You can enable an SSH server on your machine by going to System Preferences and selecting “Allow remote login” on the Sharing pane. This starts an SSH server listening on port 22 and allows incoming SSH connections. If you only want to use the SSH client you don’t need to do anything; the ssh command is already installed.

To create an SSH connection go to the command line.

ssh your.server.com

This will attempt to make an SSH connection using your current username to the server you specify. The first time, you will be prompted to accept the server’s host key. Type “yes” only if the fingerprint shown matches the one you got from the server’s administrator or read off the server’s own console; ssh then saves the key in ~/.ssh/known_hosts and warns you loudly if it ever changes, which means either the server was rebuilt or someone is sitting between you and it. You will then be prompted for a password.

If you want to log in as a different user, use the -l flag.

ssh -l otheruser your.server.com

You can also use the format below:

ssh otheruser@your.server.com

After a successful connection has been made you will have a terminal session that allows you to do everything you could do if you were sitting in front of the server using the Terminal.

Once an SSH server has been set up you can use applications like RBrowser to securely copy and move files on the server without having to use the command line. A very handy capability.

Another incredibly powerful use of SSH is to port-forward services from the server to a client machine. For instance, you want to keep your server as secure as possible but still administer it easily. Being a smart admin, you have blocked all of the server’s ports on your firewall except SSH, port 22. However, this also blocks Server Admin, at least until you port forward with SSH. Go to the command line and create an SSH connection:

ssh -L 10660:127.0.0.1:660 your.server.com

The -L flag is the important piece here. It makes a tunnel from port 10660 on your local machine, through SSH, to port 660 on the server. Note that the 127.0.0.1 in the middle is resolved by the server, not by your machine, so the tunnel lands on the server’s own loopback interface. Also, the listener on your end binds to your loopback address only, so other machines on your LAN cannot ride your tunnel unless you add the -g flag. Now go to Server Admin and use “localhost:10660” for the Address and a valid admin username and password for the server. You now have an encrypted Server Admin connection without needing to open up a hole on your firewall.

In Mac OS X 10.1.5 you can use the same method to carry AppleShare over SSH, a VPN of sorts. For example:

ssh -L 10548:127.0.0.1:548 your.server.com

This command forwards port 548, AppleShare over TCP/IP, on the server to your local port 10548 through SSH. Now open the Finder’s “Connect to Server” dialog box, use afp://127.0.0.1:10548 as the address of the server, and supply your username and password. This will be a little slower than plain AppleShare because everything is encrypted, but it will be very secure.

To get even sneakier, you can use SSH to connect through your server to other devices on your network. For instance, you have a firewall on your network, at the IP address 10.0.1.1, that has a web interface. Since you are a smart and secure system admin you have set up the web interface to be accessible only from the LAN. However, what happens when you are away and need to add a hole to let your boss file share to his desktop machine?

ssh -L 10080:10.0.1.1:80 your.server.com

With this command you are forwarding the HTTP port, 80, on your firewall through your server to port 10080 on your local machine. Now go to your favorite web browser and use either http://localhost:10080 or http://127.0.0.1:10080 and you will reach your firewall’s web interface. Only the leg from your machine to the server is encrypted; the hop from the server to 10.0.1.1 is plain HTTP on your LAN, exactly as it would be if you were sitting at a machine on that LAN. The firewall sees the request coming from your server’s LAN address, so its LAN-only rule is satisfied without opening anything to the outside.

You can combine port forwarding into the same command if you don’t want to type as much. For example:

ssh -L 10080:10.0.1.1:80 -L 10548:127.0.0.1:548 your.server.com

This will set up the same forwards as the two previous examples, but in one command instead of two.

Now, to get really dastardly. First of all: we deny any responsibility for the use of the following information. If it gets you fired because you get caught, that is your problem.

Having said that, here is a great way to get around a firewall that your firm has put into action. For instance: you work at Jane’s Widgets, which has an internal-use-only intranet web portal at intra.janeswidgets.com. You need to use this for your job, but the company’s pointy-haired types that run the server room won’t allow any outside access, even through SSH, except for PPTP Microsoft VPN users. No matter how hard you tell them that PPTP really isn’t all that, the IT department doesn’t budge. Don’t blame them for their ignorance; just be smarter.

SSH has the capacity to handle this situation. Essentially, you are going to do a port forward, as explained above, but in reverse. With -R the remote end of the connection, your home machine, opens the listening port, and anything that connects to it is carried back down the SSH session to your office machine, which then connects on to the real target. So the office machine must be able to reach intra.janeswidgets.com, and your home machine must be running an SSH server (Remote Login in the Sharing pane) that the office machine can reach from the Internet. You know the IP address of your home machine, host233.cableco.com. It changes every so often, since you are on a cable modem, but you wrote the current one down before you left your house this morning. Before you leave work for the 2 o’clock tee time, run this command on your Mac OS X machine at the office:

ssh -l username -R 10680:intra.janeswidgets.com:80 host233.cableco.com sleep 900000

After a relaxing 18 holes, go home and open up your web browser and connect to http://127.0.0.1:10680. You should now have a valid connection to your company’s intranet. This works because the initial connection was started from within the firewall, not outside. The listener on your home machine binds to loopback only by default, so nothing else on the Internet can use it, but any user or program on that machine can; you have built an unauthenticated door into the office network and should treat the home box accordingly. In addition to doing this for web connections, you should be able to get away with anything that works with the -L flag.

If you don’t need to relay through your office machine to another server, but just want to connect to your office machine—for example, over AppleShare (port 548)—you can substitute 127.0.0.1 for intra.janeswidgets.com and 548 for the 80 to get

ssh -l username -R 10548:127.0.0.1:548 host233.cableco.com sleep 900000

Make sure you keep that sleep number high. The sleep is just a remote command that does nothing for that many seconds; the forward lives exactly as long as the SSH session, and the session ends when sleep does, regardless of whether anything is using the tunnel. 900000 seconds is a little over ten days, which comfortably covers getting home; newer ssh clients can use the -N flag instead of a sleep command to hold a session open with no remote command at all. Be aware that if the link drops in the meantime, because your cable modem’s address changed or an idle connection timed out, the forward is gone with it and there is nothing you can do about that from home.
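Two helpers for the reverse-tunnel trick, added here as an example and not part of the original article. keep_reverse_tunnel runs on the office machine in place of the sleep command and re-establishes the forward when the session dies; listener_scope runs on the home machine and reads netstat output to confirm that the -R listener is bound to loopback only (if sshd there has GatewayPorts turned on, the intranet is reachable by the whole Internet). The hostnames and ports are the article’s; the function names, the retry delay, the ServerAlive* and ExitOnForwardFailure options (which need a reasonably recent OpenSSH) and the sample netstat lines are mine, and the samples are constructed rather than captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes OpenSSH with the
# ServerAlive*/ExitOnForwardFailure options and a BSD/macOS or Linux netstat;
# hostnames/ports are the article's, names, delays and samples are mine.

# Office side: hold the -R forward open and rebuild it when the session dies
# (NAT timeouts and cable-modem address changes kill idle TCP sessions, and a
# dead session takes the forward with it).
keep_reverse_tunnel() {
    # usage: keep_reverse_tunnel user@home.host remoteport:target:targetport
    target=$1; spec=$2
    while :; do
        # -N: no remote command, so nothing needs to stand in for "sleep".
        # ServerAliveInterval/CountMax: a dead link is noticed within ~90 seconds.
        # ExitOnForwardFailure: if the home side cannot bind the port, exit and
        # retry later instead of sitting on a session with no forward in it.
        ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
            -o ServerAliveCountMax=3 -R "$spec" "$target"
        echo "tunnel to $target exited with status $?, retrying in 60s" >&2
        sleep 60
    done
}

# Home side: classify the listener on port $1 from "netstat -an" output on stdin.
# Prints "loopback" (only 127.0.0.1/::1), "exposed" (a wildcard or real address,
# which for an -R port means sshd has GatewayPorts on) or "absent".
# Handles BSD/macOS (addr.port) and Linux (addr:port) address formats.
listener_scope() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && /LISTEN/ {
            addr = $4                           # local address column in both formats
            n = split(addr, f, /[.:]/)
            if (f[n] != port) next              # last piece is the port
            sub(/[.:][0-9]+$/, "", addr)        # strip it to get the bind address
            if (addr == "127.0.0.1" || addr == "::1") {
                if (!exposed) state = "loopback"
            } else {
                exposed = 1; state = "exposed"
            }
        }
        END { print (state == "" ? "absent" : state) }'
}

# Constructed sample output (not captured from a real machine) in both formats.
SAMPLE_NETSTAT_MAC='tcp4       0      0  127.0.0.1.10680        *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN'
SAMPLE_NETSTAT_LINUX='tcp        0      0 0.0.0.0:10680           0.0.0.0:*               LISTEN
tcp6       0      0 ::1:10548               :::*                    LISTEN'

# On the real home machine:   netstat -an | listener_scope 10680
# In the office:              keep_reverse_tunnel username@host233.cableco.com 10680:intra.janeswidgets.com:80
```

Run the netstat check once after the first connection comes up; a result of "exposed" means the forward is listening on every interface and should be torn down until the home sshd’s GatewayPorts setting is fixed.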