SSH Tunneling Explained for Linux and Windows

Table of Contents

Chapter 1 – Introduction
  Freedom of Privacy
  What is SSH Tunneling?
  When is a SSH Tunnel Appropriate?
  Essential Tools
    1. PuTTY
    2. The Tube
    3. Freecap
  Alternative Tools
    1. Tor
    2. Privoxy
  Customer Connectivity Notes
  Creating a SSH Tunnel
    1. Using “PuTTY”
    2. Using “The Tube”
    3. Using the Linux/Unix Console
  SSH Key Authentication
  Creating a SSH Tunnel Chain
  What is the level of my privacy?
Chapter 2 – Browsing the web
  Why do I need to browse securely?
  Browser configuration guidelines
    1. Internet Explorer
    2. Mozilla
    3. Firefox
    4. Opera
Chapter 3 – Sending E-Mail
  Why do I need to secure my e-mail traffic?
  Setting up an email purpose SSH tunnel
  SSH Secure Shell for workstations configuration
  Client configuration guidelines
    1. Mozilla Mail
    2. Outlook
    3. Outlook Express
    4. Thunderbird
Chapter 4 – Instant Messaging and VoIP
  Why do I need to secure my IM traffic?
  Configuration guidelines
    1. mIRC
    2. Xchat
    3. Yahoo Messenger
    4. MSN Messenger
    5. ICQ
    6. Skype
    7. VoIPBuster
    8. Trilian
    9. Gaim
Chapter 5 – Security Ethics
  Why do we need security ethics?
  Top 10 ways to protect your privacy online

Chapter 1 – Introduction

Freedom of Privacy

In our society, technology often forces us to choose between privacy and freedom. The pervasiveness of computers has resulted in the almost constant surveillance of everyone, with profound implications for our society and our freedoms. Corporations and the police are both using this new trove of surveillance data. We as a society need to understand the technological trends and discuss their implications. If we ignore the problem and leave it to the "market," we'll all find that we have almost no privacy left.

Most people think of surveillance in terms of police procedure: Follow that car, watch that person, listen in on his phone conversations. This kind of surveillance still occurs. But today's surveillance is more like the NSA's model, recently turned against Americans: Eavesdrop on every phone call, listening for certain keywords. It's still surveillance, but it's wholesale surveillance.

Wholesale surveillance is a whole new world. It's not "follow that car," it's "follow every car." The National Security Agency can eavesdrop on every phone call, looking for patterns of communication or keywords that might indicate a conversation between terrorists. Many airports collect the license plates of every car in their parking lots, and can use that database to locate suspicious or abandoned cars. Several cities have stationary or car-mounted license-plate scanners that keep records of every car that passes, and save that data for later analysis.

More and more, we leave a trail of electronic footprints as we go through our daily lives. We used to walk into a bookstore, browse, and buy a book with cash. Now we visit Amazon, and all of our browsing and purchases are recorded. We used to throw a quarter in a toll booth; now EZ Pass records the date and time our car passed through the booth. Data about us are collected when we make a phone call, send an e-mail message, make a purchase with our credit card, or visit a website.

Much has been written about RFID chips and how they can be used to track people. People can also be tracked by their cell phones, their Bluetooth devices, and their WiFi-enabled computers. In some cities, video cameras capture our image hundreds of times a day.

The common thread here is computers. Computers are involved more and more in our transactions, and data are byproducts of these transactions. As computer memory becomes cheaper, more and more of these electronic footprints are being saved. As processing becomes cheaper, more and more of it is being cross-indexed and correlated, and used for secondary purposes.

Information about us has value. It has value to the police, but it also has value to corporations. The Justice Department wants details of Google searches, so they can look for patterns that might help find child pornographers. Google uses that same data so it can deliver context-sensitive advertising messages. The city of Baltimore uses aerial photography to surveil every house, looking for building permit violations. A national lawn-care company uses the same data to better market its services. The phone company keeps detailed call records for billing purposes; the police use them to catch bad guys.

In the dot-com bust, the customer database was often the only salable asset a company had. Companies like Experian and Acxiom are in the business of buying and reselling this sort of data, and their customers are both corporate and government.

Computers are getting smaller and cheaper every year, and these trends will continue. Here's just one example of the digital footprints we leave: It would take about 100 megabytes of storage to record everything the fastest typist input to his computer in a year. That's a single flash memory chip today, and one could imagine computer manufacturers offering this as a reliability feature. Recording everything the average user does on the Internet requires more memory: 4 to 8 gigabytes a year. That's a lot, but "record everything" is GMail's model, and it's probably only a few years before ISPs offer this service. The typical person uses 500 cell phone minutes a month; that translates to 5 gigabytes a year to save it all. My iPod can store 12 times that data. A "life recorder" you can wear on your lapel that constantly records is still a few generations off: 200 gigabytes/year for audio and 700 gigabytes/year for video. It'll be sold as a security device, so that no one can attack you without being recorded. When that happens, will not wearing a life recorder be used as evidence that someone is up to no good, just as prosecutors today use the fact that someone left his cell phone at home as evidence that he didn't want to be tracked?

In a sense, we're living in a unique time in history. Identification checks are common, but they still require us to whip out our ID. Soon it'll happen automatically, either through an RFID chip in our wallet or face-recognition from cameras. And those cameras, now visible, will shrink to the point where we won't even see them.

We're never going to stop the march of technology, but we can enact legislation to protect our privacy: comprehensive laws regulating what can be done with personal information about us, and more privacy protection from the police. Today, personal information about you is not yours; it's owned by the collector. There are laws protecting specific pieces of personal data -- videotape rental records, health care information -- but nothing like the broad privacy protection laws you find in European countries. That's really the only solution; leaving the market to sort this out will result in even more invasive wholesale surveillance.

Most of us are happy to give out personal information in exchange for specific services. What we object to is the surreptitious collection of personal information, and the secondary use of information once it's collected: the buying and selling of our information behind our back.

In some ways, this tidal wave of data is the pollution problem of the information age. All information processes produce it. If we ignore the problem, it will stay around forever. And the only way to successfully deal with it is to pass laws regulating its generation, use and eventual disposal.

Basic Internet security measures, including ISP online filters, a firewall, and virus, Trojan, worm, spyware and spam protection, are only the beginning. For families, software to protect kids is needed.
If you keep sensitive personal information and/or documents on your computer, they should be password protected or encrypted. If you dislike the idea of companies tracking your surfing habits, you need software to erase your browser tracks and manage cookies.

In this guide you will learn how you can securely browse the web, send e-mail, chat and carry VoIP traffic without fear of identity theft or loss of privacy, thanks to the encrypted communication channel that an SSH tunnel provides.

What is SSH Tunneling?

SSH Tunneling, or port forwarding, is a way to forward otherwise insecure TCP traffic through SSH Secure Shell for Workstations. You can secure, for example, POP3 and SMTP (e-mail traffic) and HTTP connections (web traffic) that would otherwise be insecure. These are just a few basic examples; later in this guide you will see how SSH Tunneling can be used for many other purposes.

The tunneling capability of SSH Secure Shell for Workstations allows, for example, company employees to access their e-mail, company intranet pages and shared files securely even when working from home or on the road. Tunneling makes it possible to access e-mail from any type of Internet service (whether via modem, a DSL line, a cable connection, or a hotel Internet service). As long as the user has an IP connection to the Internet, she can get her mail and access other resources securely from anywhere in the world. This often is not the case with more traditional IPSec-based VPN technologies, because of issues with traversing networks that implement Network Address Translation (NAT); this is especially the case in hotels. NAT breaks an IPSec connection unless special protocols such as NAT-Traversal are implemented on both the client and the gateway.

The client-server applications using the tunnel carry out their own authentication procedures, if any, the same way they would without the encrypted tunnel. The protocol/application might only be able to connect to a fixed port number (e.g. IMAP 143). Otherwise any available port can be chosen for port forwarding.

When is a SSH Tunnel Appropriate?

Tunnels are a lot easier to understand if you think about when a tunnel is appropriate:

Tunneling to ensure privacy - many people use Outlook Express to connect to their SMTP and IMAP (or POP) mail server. They should know that when they connect to the mail server they supply a user ID and password in the clear, which others might snoop from the network. This isn't a terrible problem if the data path between the client and the server is a switched local area network. It is a problem if the network path cannot be trusted, e.g. when traveling or when using an insecure network (wireless networks are awfully insecure). In cases like this, SSH tunnels can be used to secure a reliable and private data connection.

Note that you can surf anonymously through the available servers with their pre-installed proxies, so your real IP stays hidden. All the proxies on the servers are set to High Anonymity, which means they cannot be detected as a proxy but look like a normal, legitimate IP. This is a great feature that allows you to have both security and natural Internet traffic and flow control, without triggering the filtering that normal proxy configurations trigger.

Tunneling to get past a firewall - many organizations erect campus firewalls to block certain protocols. If you have a "home network" you probably have a "router" (actually a NAT device) to protect your systems from outside attacks. SSH tunnels can be used to carry data that might otherwise be blocked. X11 tunneling is the classic example; for X11 tunneling on Windows, see: X-Win32 and SSH.

Tunneling to maintain locality - often the services we are offered are constrained depending on where we are. A campus service only exposes local newsgroups to the world at large.
If you're off campus you can only see the <extension>.* newsgroups. With an SSH tunnel you can connect as a local user even though you're off campus: tunnel the NNTP protocol and you can read all newsgroups.

Essential Tools

In this section we explain the basic usage of the most popular tools used first to create a SSH connection and then to extend it into SSH tunnel connections. Following the descriptions and screenshots provided will get you started in the shortest time possible with a minimum of effort; no prior networking knowledge is required to start using these tools. Beyond the options and methods described here there are many other features you may want to learn about by reading each program's manual, if you are interested in a better understanding and extended use.

1. PuTTY

PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. It is written and maintained primarily by Simon Tatham. This tool can be downloaded for free from the official website: http://www.chiark.greenend.org.uk/~sgtatham/putty/

Visit the "Download" page and get PuTTY for the operating system and computer architecture you are using. Like most Internet users you will probably download PuTTY for Windows 95, 98, ME, NT, 2000 and XP on Intel x86. If this is not the case, the PuTTY project provides binaries for other architectures on the same page. It is important to make sure that you always use the latest software versions. The latest version of PuTTY is beta 0.58.

Right after downloading and opening PuTTY you will be presented with the default GUI (Graphical User Interface), as shown in Image1.

Image1 - Default PuTTY GUI

The server "example.server.com" should be replaced by the server you receive with your account details.

Important: Throughout the guide we presume that while you have the SSH Tunnel configured and customized for your account's default surfing port, you will replace port 4111 with the correct one. The other surfing ports (Privoxy, Tor and so on) are the same on all servers.

As an initial reference, here are the most important options you have to set in order to establish a SSH connection using PuTTY with no effort:

Host Name (or IP address): type your server address (i.e. server.example.com)
Protocol: choose "SSH"
Saved Sessions: if you want to save your settings for later use, type a name for this connection (i.e. Example-Server) and click "Save"; later you can "Load" the host/protocol settings by selecting it from the list

Clicking the "Open" button will spawn a SSH connection to the server with a login prompt (user/password pair). At this point you could log in successfully, but this is not the point of our service: we first have to create the SSH Tunnel configuration in order to enjoy the provided benefits. See the later section "Creating a SSH Tunnel" for reference. If you have followed these simple steps you will now see the PuTTY GUI as in Image2, below.

Image2 – PuTTY configured to store the session configuration for the given host "server.example.com"

2. The Tube

The Tube is a free tool designed for all SSH Tunneling needs, developed with ease of use in mind.
Extra Benefits:
- Works on Windows 2000 / XP / Vista
- Allows you to automatically configure the following applications for the tunnel you want to assign to them:
  * Firefox
  * Mozilla
  * Thunderbird
  * Opera
  * Internet Explorer
  * Outlook Express
  * Microsoft Outlook
- POP3/SMTP/IMAP
- No annoying popups/scumware

You will receive a free copy of The Tube when you sign up to our service. The latest version is 1.0; the software's development and maintenance is powered by donations. After downloading and running The Tube you will be presented with the default GUI, as in Image3.

Image3 – The Tube default GUI

3. Freecap

You should be aware that certain applications are not able to proxify their traffic by themselves. This is where FreeCap comes in and helps us secure our traffic even for such otherwise incompatible applications. FreeCap is a widely used program for transparently redirecting connections from different applications through a given SOCKS server. Some programs have no native SOCKS support (i.e. the Internet Explorer or Opera browsers); in this case FreeCap will be helpful, transparently redirecting all connection requests through a preconfigured SOCKS server.

As noted on the official FreeCap webpage (http://www.freecap.ru), the main program features are:
- Functionality of the SOCKSCap program
- Functionality of the SOCKS Chain program
- Support for SOCKS protocol versions 4 and 5
- Support for SOCKS v5 authorization
- Support for chains of SOCKS servers
- Support for tunneling through an HTTP proxy (via the CONNECT method)
- Run at system startup
- Works on Windows 95/98/ME/NT/2000/XP
- Supports many popular programs, such as Microsoft Internet Explorer, Netscape, Mozilla, Trillian, Opera and Microsoft Outlook Express

To download FreeCap, visit the official website: http://www.freecap.ru The Download page offers direct links for FreeCap v3.18 (the latest version); after installing it you will see the main GUI of FreeCap as in Image4, below.

Image4 – Freecap default GUI

Alternative Tools

The tools above are all that most users need to secure their traffic, but there are other methods available that provide highly anonymous traffic solutions. In this guide we are going to learn about Tor and Privoxy and how they can be used in various circumstances to better secure our work environment.

1. Tor

Tor, as is widely known, is an anonymous Internet communication system. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH and other applications' traffic. As the number of Tor users grows, its security improves, because the system is based on a set of clients and servers running all around the world that act as anonymizing relays. Tor can be obtained for free from the following web address: http://tor.eff.org/ At the same address you can find a lot more information and guidelines for using Tor, as well as tutorials written to help common users torify their favorite applications. Note that Tor also makes it possible for users to hide their location while offering various kinds of services, such as web publishing or an instant messaging server. At the time of writing, the latest stable Tor release is 0.1.1.24 and the latest development release is 0.1.2.2-alpha.
Please keep in mind that using Tor directly requires your tools/apps to be SOCKS enabled. For further documentation about Tor check http://tor.eff.org

As you will see further in this guide, we are going to secure the traffic generated by various common applications. Note that all these applications can also be secured with the help of Tor: either through port 8119, which is Privoxy relaying to Tor, or by connecting directly to Tor's SOCKS port on localhost, port 10003.

2. Privoxy

As we learn from the official Privoxy webpage (http://www.privoxy.org), this tool is a web proxy with advanced filtering capabilities for protecting privacy, modifying web page data, managing cookies, controlling access, and removing ads, banners, pop-ups and other obnoxious Internet junk. Privoxy also has a very flexible configuration and can be customized to suit individual needs and tastes. Privoxy is free and can be downloaded from its official website: http://www.privoxy.org/ The latest version of Privoxy is 3.0.5 (BETA) and is based on Internet Junkbuster™.

We have grouped Tor and Privoxy together in this section because Tor can't solve all anonymity problems. Tor focuses only on protecting the transport of data. You need to use protocol-specific support software if you don't want the sites you visit to see your identifying information. For example, you can use web proxies such as Privoxy while browsing to block cookies and withhold information about your browser type. Note that besides downloading Privoxy and Tor yourself, these services are already installed on our servers and ready for you to use, as noted in the following guidelines.

Customer Connectivity Notes

Once you have understood how to handle PuTTY and connect to our service, you can read the message displayed in the console, the "message of the day" known to Linux/Unix users. The details you are provided when logging in can be seen in the console if you are using PuTTY; if your choice is The Tube (recommended) you should be aware of the following anonymous-traffic ports:

- Surfing the web anonymously can be achieved through the proxy on port 4111.
- Surfing anonymously and protected by Privoxy can be configured through Privoxy, on port 8118.
- Surfing extremely anonymously and protected by Privoxy can be done through Privoxy with the help of Tor, on port 8119.

Important! Using Tor directly requires SOCKS version 4 or version 5 enabled tools!

- Tor can be used directly through port 10003 (more documentation available at http://tor.eff.org).
- Applications which need SOCKS version 4 or version 5 can be configured through the Dante SOCKS 4/5 proxy on port 1080.

In the last case we kindly ask our customers not to abuse our bandwidth for P2P activity.

Vital Note: All the above ports are accessed through a SSH tunnel. In order to properly understand how SSH tunnels are created and managed, see the following section of this guide, entitled "Creating a SSH Tunnel".

Quick Example: To surf anonymously through Privoxy relaying to a squid proxy from a Linux/Unix console, run the following command:

  ssh -c blowfish -C -l your-username server.example.com -L 33333:localhost:8118 sleep 999999

Creating a SSH Tunnel

To use an SSH tunnel you must first establish the tunnel using an SSH client, and then connect to it using the application with which you want to access the remote machine. The next sections show you how to set up the tunnel: each explains how to connect and establish a SSH Tunnel with a specific SSH client or tunneling application to access the privately addressed server. If you have read this far you should already have downloaded and set up the essential tools required for SSH Tunneling.
We will also go into creating a SSH Tunnel using the Linux/Unix console for those not using Windows™. The host "localhost" will be used instead of "127.0.0.1"; it is recommended to use "localhost" since some servers don't use the default numeric IP for "localhost".

Important: Throughout the guide we presume that while you have the SSH Tunnel configured and customized for your account's default surfing port, you will replace port 4111 with the correct one. The other surfing ports (Privoxy, Tor and so on) are the same on all servers.

1. Using “PuTTY”

In order to use PuTTY for SSH Tunneling:

Open PuTTY. In the Category pane of the application window, select the "Tunnels" option found under Connection->SSH. In the main pane, in the "Port Forwarding" section, do this:
- Add the port that you would like to use for SSH Tunnel access (we chose 10001 as a first example, but you can use any port as long as it is not already in use). Also note that for every tunnel type you need to use a different local port!
- Type the IP "localhost" and use the default surfing port "4111" (or the default surfing port you received with your account). It should look like this: "localhost:4111"
- With SSH tunneling you can tunnel to any service running on any port; we have only used the default surfing port as an example, and it should be replaced with the one provided with your account.

Click "Add" to list the new SSH Tunnel setup. To check that you have followed all steps correctly to this point, see Image5 for how the settings should look.

Image5 – PuTTY SSH Tunnel Configuration

In the Category panel, click on Session and:
- Enter the hostname of the machine with a public IP address through which you want to establish your tunnel (we use server.example.com).
- Select SSH as your protocol. This should set the port number to 22.

You should now see the PuTTY GUI as in Image6:

Image6 – PuTTY Session Management

Click Open. If PuTTY warns you about the server's host key, you can click OK. Enter your username and password when prompted.

Do not underestimate the fact that SSH tunneling allows you to connect to any service that has an open port. Please refer to the surfing ports you receive with your account details.

2. Using “The Tube”

The SSH tunneling tool The Tube is meant for creating encrypted tunnels that carry data between a client application (for example your web browser or mail client) and a remote server (for example a proxy server) using the SSH protocol. The Tube allows you to set up SSH connections for a certain client and to create tunnels between local user applications and the remote server.

In the main window of The Tube, on the SSH tab, the following information is presented:
- Indicator of SSH connection status (On/Off)
- SSH hostname
- SSH port number
- Remote user name
- Cipher algorithm

If the SSH connection is established the status indicator is green, otherwise it is grey.

Creating a new SSH connection that will later be assigned to a tunnel is done as follows. In the main The Tube window click on "Tunnel wizard" and you will see the window shown in Image7.

Image7 – Tunnel wizard – Create or choose SSH connection

With the "Create new SSH connection" option selected as above you will have to input:
- SSH host: server.example.com
- User login: your username
- SSH port: 22 (default port)
- User password: your account password
- Encryption cipher selection: Blowfish (default and recommended)

If everything is entered correctly, The Tube "Create or choose SSH connection" window should look as in Image8.

Image8 – The Tube Wizard - Creating a new SSH connection

After the SSH connection parameters are entered, click Next to go to the "Create or choose tunnel" window. Note that if any SSH connection parameter field is empty, the Next and Finish buttons are not available. If the "Create new tunnel" option is selected (as in Image9) you can create a new tunnel.
Image9 – The Tube – Create or choose tunnel

To create a new tunnel enter the following information:
- Local port number in the Local port field
- Remote server IP address or hostname in the Remote host field
- Remote server port number in the Remote port field

Image10 – The Tube – Create or choose tunnel

After the parameters are entered click Next to configure the client applications that will work through the tunnel. You can configure the following browsers using The Tube:
- Internet Explorer
- Firefox
- Opera
- Mozilla

See Image11 for the list of web browsers available for tunneling with The Tube.

Image11 – The Tube – Configure application – Web Browsers

If you wish to tunnel your e-mail traffic using The Tube, you can configure the following e-mail clients:
- Outlook Express
- Microsoft Outlook
- Mozilla Thunderbird
- Mozilla Mail

See Image12 for the list of e-mail clients available for tunneling with The Tube.

Image12 – The Tube – Configure applications – E-Mail Clients

When configuring e-mail clients, incoming and outgoing connections have to be configured as different tunnels. The incoming protocols are POP3 and IMAP; outgoing is SMTP.
- In the Configure applications window click on the E-mail clients option
- Click on the POP3 or IMAP protocol and select the applications that will work through the tunnel
- Click the Finish button
- Again, in the Configure applications window, click on the E-mail clients option
- Click on SMTP and select the applications that will work through the tunnel
- Click the Finish button

One or several e-mail applications can be selected at the same time. All selected e-mail clients will work through the single tunnel selected for them. If no e-mail client is selected, the Finish button is not available; it becomes available once one or more applications are selected for configuration.

For more information on using The Tube and editing already created SSH connections or already configured tunnels, please refer to The Tube manual pages that come with this free piece of software. Congratulations! You now have tunneled traffic for your favorite e-mail clients, for both incoming and outgoing protocols.

3. Using the Linux/Unix Console

If you are a Linux user, before using any specific application you need to tell Linux to send traffic destined for the remote machine to the tunnel instead of to the Internet. Follow these steps:

Make sure you have SSH installed. OpenSSH is part of the default installation of most Linux distributions.

Edit the /etc/hosts file. It should contain the line:

  127.0.0.1 localhost

Change it to add the names of the computers you would like to access on the network, appended after "localhost" on the same line. Translated for your better understanding, this means "send any requests for these names back to the SSH Tunnel". You can add as many remote machines as you want by appending their hostnames to this list.

Now you need to use SSH to establish the tunnel, by running the following command:

  ssh -f your-username@server.example.com -N -L 10001:localhost:<DESTPORT>

The -f tells SSH to run in the background after getting your password, -N tells it not to run a remote command (the connection exists only for the tunnel), and -L sets up the port forward. 10001 is just an example of a port you wish to use locally for accessing the SSH Tunnel. <DESTPORT> is the default surfing port (for our service, port 4111 as an example) or any other surfing port you receive with your account. The only port that varies is the default surfing port; the other service ports are the same for all servers. Remember to use the correct server instead of server.example.com, as indicated by your account details. Enter your password when prompted. If SSH warns you about the server's host key, you can type "yes" to continue with the connection.
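The PuTTY "Port Forwarding" entries and the console -L form above describe the same local forwards. The following is an added example, not code from the guide, PuTTY or OpenSSH: it parses -L specifications, enforces the guide's rule that every tunnel needs its own local port, and emits both the ssh command line and the one-line PortForwardings value PuTTY keeps in a saved session. The PortForwardings format ("L<port>=<host>:<hostport>", comma separated) is taken from the example author's knowledge of PuTTY's saved sessions, not from the guide, and the usernames and port plan are constructed.

```python
"""Plan local port forwards for the tunnels described in this guide.

Added example, not code from the guide, PuTTY or OpenSSH. It parses OpenSSH-style
"-L" specifications ("[bind_address:]port:host:hostport"), rejects two tunnels that
claim the same local port, and prints the ssh command line plus the PortForwardings
value of a PuTTY saved session. The PuTTY format is an assumption of this example
(from the author's knowledge of PuTTY), so verify it against your PuTTY version.
"""
from dataclasses import dataclass
from typing import Dict, List

# Remote service ports listed in the guide's Customer Connectivity Notes. 4111 is the
# account-specific default surfing port and must be replaced with the one you were given.
SERVICE_PORTS: Dict[int, str] = {
    4111: "anonymous HTTP proxy (default surfing port, account specific)",
    8118: "Privoxy",
    8119: "Privoxy relaying to Tor",
    10003: "Tor SOCKS",
    1080: "Dante SOCKS 4/5 proxy",
}


@dataclass(frozen=True)
class Forward:
    local_port: int
    host: str                        # target as seen from the SSH server ("localhost" = the server)
    remote_port: int
    bind_address: str = "localhost"  # loopback only unless a bind address is given


def _port(text: str) -> int:
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_forward(spec: str) -> Forward:
    """Parse "[bind_address:]port:host:hostport" as accepted by ssh -L.

    The host may be a bracketed IPv6 literal, e.g. "10001:[::1]:4111", so the spec
    is split from the right and the bracket group is treated as a single token.
    """
    head, remote_port = spec.rsplit(":", 1)
    if head.endswith("]"):
        open_idx = head.rindex("[")
        host, head = head[open_idx + 1:-1], head[:open_idx].rstrip(":")
    else:
        head, host = head.rsplit(":", 1)
    if not host:
        raise ValueError(f"missing host in {spec!r}")
    bind_address, _, local_port = head.rpartition(":")
    return Forward(_port(local_port), host, _port(remote_port), bind_address or "localhost")


def plan(specs: List[str]) -> List[Forward]:
    """Parse all specs and reject a local port that is claimed by two tunnels."""
    forwards = [parse_forward(s) for s in specs]
    claimed: Dict[tuple, str] = {}
    for fw in forwards:
        key = (fw.bind_address, fw.local_port)
        target = f"{fw.host}:{fw.remote_port}"
        if key in claimed:
            raise ValueError(f"local port {fw.local_port} used for both "
                             f"{claimed[key]} and {target}; pick a different local port")
        claimed[key] = target
    return forwards


def _spec(fw: Forward) -> str:
    host = f"[{fw.host}]" if ":" in fw.host else fw.host
    prefix = "" if fw.bind_address == "localhost" else f"{fw.bind_address}:"
    return f"{prefix}{fw.local_port}:{host}:{fw.remote_port}"


def ssh_command(user: str, server: str, forwards: List[Forward]) -> str:
    """Console form of the guide's example. -N runs no remote command, -C compresses, and
    ExitOnForwardFailure makes ssh quit instead of silently continuing when a local
    port could not be bound (for instance because it is already in use)."""
    args = ["ssh", "-C", "-N", "-o", "ExitOnForwardFailure=yes", "-l", user]
    for fw in forwards:
        args += ["-L", _spec(fw)]
    args.append(server)
    return " ".join(args)


def putty_port_forwardings(forwards: List[Forward]) -> str:
    """PuTTY saved-session PortForwardings value (hostname/IPv4 targets assumed)."""
    return ",".join(f"L{fw.local_port}={fw.host}:{fw.remote_port}" for fw in forwards)


def describe(forwards: List[Forward]) -> List[str]:
    """Human-readable summary of what each local port reaches on the server side."""
    return [f"{fw.bind_address}:{fw.local_port} -> {fw.host}:{fw.remote_port} "
            f"({SERVICE_PORTS.get(fw.remote_port, 'custom service')})" for fw in forwards]


if __name__ == "__main__":
    # Constructed plan: one local port per service, as the guide requires.
    tunnels = plan(["10001:localhost:4111", "10002:localhost:8118", "10003:localhost:10003"])
    print("\n".join(describe(tunnels)))
    print(ssh_command("your-username", "server.example.com", tunnels))
    print("PortForwardings=" + putty_port_forwardings(tunnels))
```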
SSH Key Authentication

To counteract the shortcomings of password authentication, SSH supports public key access. A user creates a pair of public and private keys and installs the public key in his $HOME/.ssh/authorized_keys file on the target server. This is non-sensitive information which need not be guarded, but the other half, the private key, is protected on the local machine by a (hopefully) strong pass phrase.

A public key is a long string of bits encoded in ASCII, stored on one long line. It includes a type (ssh-rsa, or others), the key itself, and a comment. This key must be installed on the target system, one time, where it is used for subsequent remote access by the holder of the private key.

This is the general procedure when a SSH connection is established using login keys:

1. The user makes an initial connection and sends a username along with a request to use a key.
2. The SSH daemon on the server looks in the user's authorized_keys file, constructs a challenge based on the public key found there, and sends this challenge back to the user's SSH client.
3. The SSH client receives the key challenge. It finds the user's private key on the local system, but it is protected by an encrypting pass phrase. An RSA key file is named id_rsa on OpenSSH and SecureCRT, keyname.ppk on PuTTY. Other types of keys (DSA, for instance) have similar name formats.
4. The user is prompted for the pass phrase to unlock the private key. This example is from PuTTY.
5. SSH uses the private key to construct a key response, and sends it to the waiting sshd on the other end of the connection. It does not send the private key itself!
6. sshd validates the key response and, if valid, grants access to the system.
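The six steps above as an added example, not code from the guide or from any SSH implementation: a simulated exchange in which the server holds only the public key from authorized_keys, issues a random challenge, and verifies the client's response without ever receiving the private key. Textbook RSA with constructed, deliberately tiny parameters stands in for the real key pair so the exchange runs offline on the standard library alone; the usernames, pass phrase and key values are all made up.

```python
"""Simulated SSH public-key login (added example, not code from the guide).

Textbook RSA with tiny constructed parameters (p=61, q=53) stands in for a real
key pair so the exchange runs offline on the standard library alone. The numbers
are insecure by design; the point is the flow the guide describes: the server
holds only the public key from authorized_keys, issues a challenge, and checks
the response without the private key ever crossing the connection.
"""
import hashlib
import secrets

# Constructed toy key: n = 61*53 = 3233, public exponent e = 17, private d = 2753.
N, E = 3233, 17
PRIVATE_EXPONENT = 2753


def digest_mod_n(data: bytes, n: int) -> int:
    """Map a challenge to a residue mod n via SHA-256 (toy sizes only)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class LocalKeyStore:
    """Client side: the private key protected by a pass phrase (id_rsa / .ppk)."""

    def __init__(self, private_exponent: int, pass_phrase: str) -> None:
        self._d = private_exponent
        self._pass_phrase = pass_phrase

    def answer_challenge(self, challenge: bytes, n: int, pass_phrase: str) -> int:
        """Steps 4-5: unlock the key and compute the response; d itself never leaves."""
        if pass_phrase != self._pass_phrase:
            raise PermissionError("wrong pass phrase, private key stays locked")
        return pow(digest_mod_n(challenge, n), self._d, n)


class SshServer:
    """Server side: knows only the (n, e) pairs listed in authorized_keys."""

    def __init__(self, authorized_keys: dict, nonce=secrets.token_bytes) -> None:
        self.authorized_keys = authorized_keys
        self._nonce = nonce      # injectable so a test can fix the challenge
        self._pending = {}

    def begin(self, username: str):
        """Steps 1-2: look up the user's public key and issue a fresh challenge."""
        key = self.authorized_keys.get(username)
        if key is None:
            return None
        challenge = self._nonce(16)
        self._pending[username] = (challenge, key)
        return challenge

    def finish(self, username: str, response: int) -> bool:
        """Step 6: grant access only if response^e mod n == H(challenge) mod n."""
        if username not in self._pending:
            return False
        challenge, (n, e) = self._pending.pop(username)
        return pow(response, e, n) == digest_mod_n(challenge, n)


def login(server, username, keystore, pass_phrase, tamper=False) -> bool:
    """Run one full exchange. Only the challenge and the response travel 'over the wire'."""
    challenge = server.begin(username)
    if challenge is None:
        return False
    n, _ = server.authorized_keys[username]
    try:
        response = keystore.answer_challenge(challenge, n, pass_phrase)
    except PermissionError:
        return False
    if tamper:
        # RSA is a permutation of Z_n, so exactly one response is valid for a given
        # challenge: any other value, such as response+1, is rejected deterministically.
        response = (response + 1) % n
    return server.finish(username, response)


def demo() -> dict:
    """Constructed scenario: alice's public key is installed, bob's is not."""
    server = SshServer({"alice": (N, E)})
    store = LocalKeyStore(PRIVATE_EXPONENT, "correct pass phrase")
    return {
        "alice_ok": login(server, "alice", store, "correct pass phrase"),
        "alice_wrong_phrase": login(server, "alice", store, "guess"),
        "alice_tampered": login(server, "alice", store, "correct pass phrase", tamper=True),
        "bob_no_key": login(server, "bob", store, "correct pass phrase"),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'access granted' if granted else 'denied'}")
```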
As far as the user is concerned, this first exchange is little different from the key access shown in the previous section: the only difference is which program prompts for the pass phrase that unlocks the private key (SSH itself versus the agent). But where agent support shines is at the next connection request made while the agent is still resident. Since it remembers the private key from the first time it was unlocked with the pass phrase, it is able to respond to the key challenge immediately without prompting. The user sees an immediate, direct login without having to type anything.

It is very important to understand that private keys never leave the agent: instead, the clients ask the agent to perform a computation based on the key, and it is done in a way which allows the agent to prove that it has the private key without having to divulge the key itself.

It is a clear win to avoid typing the pass phrase every time a new connection is launched, but SSH also provides Agent Forwarding, which can pass the credential down the connection to the remote server. This credential can then be passed to yet another server where the user's public key has been installed, obviating passwords or the secret pass phrase for the entire duration of network navigation.

Enabling agent forwarding is done in the PuTTY configuration dialogs much like all the rest; just one additional box needs to be checked. This option requires, of course, the use of Pageant on the local system; without an agent, there is nothing to forward. Should a key-protected connection be attempted with no agent present, PuTTY will simply prompt for the pass phrase as it has all along (and will do so on each connection).

Image31 – Enable PuTTY SSH agent forwarding

1. The user launches a connection to Server A: PuTTY on the local machine obtains the key response from the agent (the private key itself stays in the agent) and provides it to the remote server.
2. The remote server processes the public key and the key response, and grants access. The user is given a shell on Server A.
3. The user attempts to connect to System B with agent forwarding enabled, and it connects to the SSH server there.
4. System B asks System A for the user's key data, and the SSH server on System A in turn forwards this request back to the original workstation, where the agent is queried.
5. The local agent passes the key response back up the connection, where it is forwarded from System A to System B. System B receives this credential, and access is granted by comparing it against the public key stored on that machine for that user.

This happens automatically and quickly: it takes no more than a second or two for the entire exchange to occur, and this forwarding can go over quite a long chain of SSH connections. This provides transparent, secure access to a wide range of remote systems.

Note: All of this requires that the user have an account on each machine in question, and that the user's public key is installed properly on each one. SSH agent forwarding does not provide any access which would not be granted absent forwarding; it just adds a more convenient mechanism to what is already provided.

We suggest that you read further on how to create keys and manage them using various online resources, such as:

http://sial.org/howto/openssh/publickey-auth/ - OpenSSH Public Key Authentication
http://acd.ucar.edu/~fredrick/mpark/ssh/rsa-unix.html - RSA key generation

If these resources do not fit your requirements, you should consider using a popular search engine to find more information.

Creating a SSH Tunnel Chain

In this section we are going to create a connection to “Server A” (assigned the example domain servera.example.com) and at the same time create a tunnel to the SSH server port of “Server B” (serverb.example.com).
We are going to go through each of these steps in order to set up a SSH tunnel chain, with the help of the following screenshots:

Image32 – Creating a new SSH session to “Server A”

Image33 – In the SSH – Tunnels section create a new tunnel

The new tunnel created should point to the SSH port of “Server B”. You will receive the SSH ports of the servers that our service is composed of together with your account details. Note that port 22, as shown in the screenshot, is not always the SSH port, even if it is the default one. Make sure to check what the SSH port is for the server you are creating a SSH tunnel chain to!

Image34 – Click “Add” in order to add the new forwarded port

After this is done, in a new PuTTY session you will have to create a connection to the local port which forwards through “Server A” to the SSH port of “Server B”. In this session you can also create the proper application tunnels, as already described in a normal SSH Tunnel setup. At this point create and save a new session that connects to “Server A” as described in Image32. The difference resides in the SSH – Tunnels options, where you will forward the local port previously used towards the connection to the “Server B” SSH server port.

Image35 – Connecting to the local port that forwards to the SSH server of “Server B”

Note that port 4111 is the default surfing port used in just this example; you should consult the default surfing port that matches the server where your account resides. The other surfing ports are the same on all servers.

What is the level of my privacy?

Checking your privacy level from time to time is a great idea, especially if you are running your favorite tools in a hostile (mostly insecure) environment. Privacy checking can be done using various free or commercial online tools and services; a check takes anywhere from seconds to several minutes, so the time spent is not a real problem compared with what you learn.
In order to check how well your firewall is configured and whether you are infected with spyware, it is recommended to run periodic port scans on your machine from an external service that allows this. Such features are also available for free at most online antivirus scanner web pages and firewall testing resources.

For a high privacy level, most applications that access the Internet can be configured to use a SSH Tunnel. For it to work, they have to support a SOCKS 4 or SOCKS 5 proxy connection. Instant messaging programs like AIM, ICQ, Yahoo IM, and mIRC all support this. Setup is different for each application, but the settings will be the same: if you want to configure the application to use a SOCKS 4 or SOCKS 5 proxy server, the host should be localhost and the port should be 8080.

Chapter 2 – Browsing the web

Why do I need to browse securely?

Browsing a site that supports SSL is a definite way to make sure no one can snoop in on what you're doing, which is a good thing when you're doing something personal like checking e-mail over the web or buying something from various e-commerce sites. But if you're just doing stuff like reading the daily news or checking movie times, is privacy that important? We would say yes from the position of a security conscious user, and here are the reasons why we keep our position, based on the increase of the following common online problems (Note: all information is considered valid with default configurations):

Phishing attacks
Spam
Viruses
Denial of Service
Cracking
Eavesdropping
Man in the Middle attacks

The objective is to encrypt your network traffic so it can not be read as it passes over an insecure network. To do this, we will:

Use an SSH client on your computer to create a secure tunnel between our service and your computer.
Enable Dynamic Forwarding in the SSH client to simulate a SOCKS Proxy.
Configure your favorite browser to use a SOCKS Proxy for network traffic instead of connecting directly.
After this is all set up, the process for browsing a website will be as follows:

1. Internet Explorer (considered the default browser in this section) at, for example, work connects to the SSH client running on your computer at work.
2. The SSH client connects to the SSH server running on your computer at home.
3. Internet Explorer makes requests for websites using the SOCKS protocol, which SSH intercepts and handles for you. Thus, the SSH server talks to the website and returns the web page to the SSH client.
4. The SSH client returns the web page to Internet Explorer.

In essence, you are tricking Internet Explorer into thinking you have a proxy server running on your local machine, when in fact the proxy is running on your computer at home. Since all communication over your work network takes place through SSH, it can not be read. The SSH traffic CAN be seen or detected, but it will look like a garbled mess of letters and numbers. Other than being a little slower than usual, you shouldn't notice any difference when surfing the web using the secure method.

Browser configuration guidelines

The configuration guidelines presented in this chapter deal with configuring web browsers that support SOCKS proxy servers, but we are also going to learn how to use FreeCap in order to proxify our favorite browsers that do not support SOCKS.

Important: These settings presume that you have the SSH Tunnel configured and customized. As your account details will also tell you, it is required to have a SSH Tunnel created from local port 10001 (or any other unused port) towards the remote server default surfing port 4111 (or the default surfing port that matches your account).

1. Internet Explorer

Internet Explorer represents no problem when it comes to securing its traffic by means of a SSH Tunnel. First, go to http://www.whatismyip.com and write down the number. This is your IP address without a SSH Tunnel enabled. In Internet Explorer, open the Tools menu, and then click Internet Options.
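What actually passes between the browser and the local SOCKS listener in step 3 above (and what an application configured for a "SOCKS 4 or SOCKS 5 proxy" on localhost sends), shown as an added example that is not code from this guide or from any SSH client: the SOCKS5 greeting, method selection, CONNECT request and reply from RFC 1928, encoded and decoded as plain bytes so the exchange can be walked through without a network. The host names and ports are constructed sample values. One detail worth knowing: a browser that hands the proxy the host name (address type 0x03) leaves name resolution to the SSH server, so no DNS query for the site leaves your network, whereas a browser that resolves the name itself first sends a literal IP address and has already revealed where it is going.

```python
"""SOCKS5 messages a browser exchanges with the local `ssh -D` listener.
Added example, not code from the original guide: RFC 1928 greeting, method
selection, CONNECT request and reply as pure byte handling.  Sample only.
"""
import socket
import struct

VER, NO_AUTH, NO_ACCEPTABLE, CMD_CONNECT = 0x05, 0x00, 0xFF, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def client_greeting(methods=(NO_AUTH,)):
    """VER | NMETHODS | METHODS: ssh -D offers only 'no authentication'."""
    return bytes([VER, len(methods), *methods])

def server_method_selection(greeting):
    """Proxy side: pick NO_AUTH if offered, else 0xFF (client must close)."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    return bytes([VER, NO_AUTH if NO_AUTH in greeting[2:] else NO_ACCEPTABLE])

def parse_method_selection(data):
    if len(data) != 2 or data[0] != VER:
        raise ValueError("malformed method selection")
    if data[1] == NO_ACCEPTABLE:
        raise ConnectionError("proxy accepted none of the offered methods")
    return data[1]

def _encode_addr(host):
    """Literal IPs go as ATYP 1/4; anything else as a host name (ATYP 3)."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            return bytes([atyp]) + socket.inet_pton(family, host)
        except OSError:
            continue
    raw = host.encode("idna")
    if not 1 <= len(raw) <= 255:
        raise ValueError("hostname must be 1-255 bytes")
    return bytes([ATYP_DOMAIN, len(raw)]) + raw

def _decode_addr(data, pos):
    """Return (host, position just after the address field)."""
    atyp = data[pos]
    if atyp == ATYP_IPV4:
        return socket.inet_ntop(socket.AF_INET, data[pos + 1:pos + 5]), pos + 5
    if atyp == ATYP_IPV6:
        return socket.inet_ntop(socket.AF_INET6, data[pos + 1:pos + 17]), pos + 17
    if atyp == ATYP_DOMAIN:
        length = data[pos + 1]
        return data[pos + 2:pos + 2 + length].decode("idna"), pos + 2 + length
    raise ValueError(f"unknown address type {atyp:#x}")

def connect_request(host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT"""
    return bytes([VER, CMD_CONNECT, 0x00]) + _encode_addr(host) + struct.pack(">H", port)

def parse_connect_request(data):
    """Proxy side: recover the (host, port) the browser asked for; strict on length."""
    if len(data) < 7 or data[0] != VER or data[2] != 0x00:
        raise ValueError("malformed request")
    if data[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is used for web browsing")
    host, end = _decode_addr(data, 3)
    if len(data) != end + 2:
        raise ValueError("request length does not match address type")
    return host, struct.unpack(">H", data[end:end + 2])[0]

def connect_reply(status, bind_host="0.0.0.0", bind_port=0):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT"""
    return bytes([VER, status, 0x00]) + _encode_addr(bind_host) + struct.pack(">H", bind_port)

def parse_reply(data):
    if len(data) < 7 or data[0] != VER:
        raise ValueError("malformed reply")
    host, end = _decode_addr(data, 3)
    return {"status": data[1], "text": REPLY_TEXT.get(data[1], "unassigned"),
            "bind_host": host, "bind_port": struct.unpack(">H", data[end:end + 2])[0]}

def simulate_exchange(host, port):
    """Walk both sides through one CONNECT; report what the proxy would see."""
    method = parse_method_selection(server_method_selection(client_greeting()))
    request = connect_request(host, port)
    seen_by_proxy = parse_connect_request(request)  # what the SSH server resolves
    reply = parse_reply(connect_reply(0))
    return {"method": method, "proxy_sees": seen_by_proxy, "reply": reply["text"],
            "sent_hostname": request[3] == ATYP_DOMAIN}
```

simulate_exchange("www.whatismyip.com", 80) reports that the proxy sees the host name and port, that "no authentication" was negotiated, and that the reply was "succeeded"; the request bytes start 05 01 00 03 12 followed by the 18-byte host name and the port. The strict length check in parse_connect_request is the kind of validation a proxy needs so that a client cannot smuggle extra bytes after the address field.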
Click the Connections tab, and then click LAN Settings (see Image13).

Image13 – Internet Explorer – Internet Options

Check “Use a proxy server ...” and click the “Advanced” button (see Image14).

Image14 – Internet Explorer – LAN Settings

Delete anything from the “Proxy address to use” and “Port” boxes. On the HTTP line, enter “localhost” for the address, and the example port “10001” for the Port (see Image15).

Image15 – Internet Explorer – LAN Settings – Advanced

Important: These settings presume that you have the SSH Tunnel configured and customized. As your account details will also tell you, it is required to have a SSH Tunnel created from local port 10001 (or any other unused port) towards the remote server default surfing port 4111 (or the default surfing port that matches your account).

Click OK, then close Internet Explorer and restart it. Now go to http://www.whatismyip.com again. If everything worked correctly, the page should have changed to show your home / SSH server IP address. If it indeed shows the IP address of the SSH server, then congratulations: you are surfing the web securely and privately via Internet Explorer and SSH Tunneling.

2. Mozilla

First, to avoid the tunnel being used for all normal browsing, you can create a new Profile. To do this, select Switch Profile from the Tools menu (Image16).

Image16 – Mozilla – Tools Menu

Each profile has its own preferences, which can be set up independently, and also defaults to having a different set of bookmarks (favorites), so the pages you need to access over the tunnel can be reached easily. Once the profile exists, select its name in the list on the right and click Use Profile. Any changes you make to the preferences menus etc. will only affect the profile in use at the time. Once you have configured the browser to have a suitable tunnel profile, you can select it from the Switch Profile dialogue or by using command-line options (or make it the default).
Now go to the “Edit” / “Preferences” menu (see Image17).

Image17 – Mozilla – Preferences

In the “Category” pane on the left select (and expand if required) Advanced, then select Proxies (see Image18).

Image18 – Mozilla – Preferences – Advanced – Proxies

In the pane on the right check “Manual proxy configuration” and enter the following settings: “HTTP Proxy”: localhost, “Port”: 10001 (see Image19).

Image19 – Mozilla – Preferences – Advanced – Proxies – SOCKS

Important: These settings presume that you have the SSH Tunnel configured and customized. As your account details will also tell you, it is required to have a SSH Tunnel created from local port 10001 (or any other unused port) towards the remote server default surfing port 4111 (or the default surfing port that matches your account).

3. Mozilla Firefox

In order to configure Firefox to use the SSH Tunnel, follow these steps: navigate to the “Tools” menu, then click on “Options” and select the “General” tab from the list (see Image20).

Image20 – Firefox – Options – General Options Tab

Click “Advanced”, then the “Network” tab and “Connection Settings”; choose “Manual proxy configuration” and under “HTTP Proxy” put in localhost with port 10001 (see Image21).