Problem: Since many programs use services that send clear-text data over the network, it is desirable to find something that can be used to encrypt the network traffic for these services while minimizing any change to end users. SSH provides this functionality with port forwarding.
Port forwarding allows a user to create an encrypted session from a client to a remote server for any TCP-based service by tunneling the service through SSH. Of course, this requires that the user have an account on the remote server and that the OpenSSH daemon is running on the server.
OpenSSH allows you to configure port forwarding from the command line using the -L option as shown below:
$ ssh -L local_port:remote_host:remote_port hostname
The local port can be any port on the local machine that does not already have a listening service. If you wish to utilize a reserved port (below 1024), you must have root privileges on your local machine.
As long as the service you wish to forward through the SSH tunnel uses TCP to communicate, such as HTTP, FTP, POP3 or SMTP, you should be able to use port forwarding to encrypt the service. The following example will demonstrate how to use SSH port forwarding to check your email on a remote UNIX server from a local UNIX machine. This example will use SMTP for sending email and POP3 for retrieving email. These services listen on TCP ports 25 and 110, respectively.
The machine which becomes the terminating point for your port forwarding tunnel does not have to be the machine to which you create an SSH tunnel. For example, you could SSH to server1.example.com and create an SSH port forwarding tunnel to server2.example.com with the following command:
$ ssh -L 25:server2.example.com:25 server1.example.com
This will work as long as server1.example.com can contact server2.example.com.
Make sure you realize that if you do this, your traffic will only be SSH-encrypted from your local machine to server1.example.com; it will be in clear text from server1.example.com to server2.example.com.
We first need to connect to the remote machine server.example.com and set up port forwarding by running the following command:
$ ssh -L 1125:server.example.com:25 -L 1230:server.example.com:110 -l sshuser server.example.com
This command tells OpenSSH to open an SSH session to remote host server.example.com as user sshuser and to set up port forwarding so anything connecting on local port 1125 will be forwarded to remote port 25 and anything connecting on local port 1230 will be forwarded to remote port 110. The local ports could have been any that do not already have a listening service.
If we had wanted to use any of the reserved ports below 1024, we would have had to be root in order to set up the SSH port forwarding. If your mail client cannot be set up to talk on non-standard ports, you may be required to set up port forwarding as root.
If OpenSSH succeeds in making a connection to the remote host, you will be prompted for authentication to the remote host. After successfully authenticating to the remote host, you will be presented with a shell prompt. Port forwarding will be active until this session is closed.
We know we have a shell session opened to the remote host, but how can we verify that port forwarding is active? This can be done using the netstat command. Using the -an options with netstat displays information about all services, including listening services, on the local machine. With this information, we can verify that port forwarding is configured properly.
$ netstat -an | more
(Piping the command through more will prevent the information from scrolling off the screen.) The following information should be displayed:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:1125          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:1230          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          126.96.36.199:1189      ESTABLISHED
The amount of information displayed will vary depending on your operating system, but you should see ports 1125 and 1230 on the local host listening, as shown above.
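The netstat check above is easy to misread by eye, so here is an added example (not part of the original guide) that parses netstat -an output and confirms each forwarded port is listening and bound only to a loopback address. By default OpenSSH binds a -L forward to loopback; a forward that shows up on 0.0.0.0 would let other hosts on your network send mail through your tunnel, so the check reports that as "exposed". The sample output and the EXPECTED_FORWARDS table are constructed to match the example in the text.

```python
import re
from ipaddress import ip_address

# Constructed sample of `netstat -an` output mirroring the listing in the
# text: the two forwarded ports, the sshd listener and the SSH session.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:1125          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:1230          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          126.96.36.199:1189      ESTABLISHED
"""

# Local forwards set up by the ssh -L command in the text:
# local_port -> (remote_host, remote_port)
EXPECTED_FORWARDS = {1125: ("server.example.com", 25),
                     1230: ("server.example.com", 110)}

# Proto Recv-Q Send-Q Local(addr:port) Foreign State
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(\S+)$")


def listening_sockets(netstat_output):
    """Return {port: bind_address} for every TCP socket in LISTEN state."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(3) == "LISTEN":
            listeners[int(m.group(2))] = m.group(1)
    return listeners


def check_forwards(netstat_output, expected=EXPECTED_FORWARDS):
    """Map each expected local port to 'ok', 'missing' or 'exposed'.

    ok      - listening and bound to a loopback address only
    missing - no LISTEN socket on that port (tunnel is not active)
    exposed - bound to a non-loopback/wildcard address, so other hosts
              on the network could use the tunnel
    """
    listeners = listening_sockets(netstat_output)
    result = {}
    for port in expected:
        addr = listeners.get(port)
        if addr is None:
            result[port] = "missing"
        elif addr in ("0.0.0.0", "::", "*") or not ip_address(addr).is_loopback:
            result[port] = "exposed"
        else:
            result[port] = "ok"
    return result
```

Run it against live output with `check_forwards(subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout)` once the ssh session from the text is up.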
One of the most common UNIX mail client programs is Pine. Pine is a command line program maintained by the University of Washington and can be downloaded from http://www.washington.edu/pine. The following are the steps required to configure Pine to exchange mail via an SSH tunnel:
and press Enter. This will tell Pine to use port 1125 on the local host to send email.
and press Enter. Pop3_user is the name of the POP3 user account from which you will be retrieving email. This will tell Pine to use the local host to check for POP3 email. Note: There is no space between the close curly bracket and inbox.