SSH and Tunneling

From OS X Scientific Computing




Telnet and FTP?

Never, ever, use telnet. Ever. Or ftp. These programs send your password through the aether as clear text, opening you to exploits by all kinds of nefarious evildoers. Instead, learn to use ssh, scp, and sftp.

Fugu: A nice, free, GUI for sftp


I'm generally a command-line person, but this free little application provides a nice intuitive and visually pleasing GUI interface that also permits integrated editing of remote files and so forth. Here's a screen shot grabbed from their website:

[Screenshot: Fugu upload window, from the Fugu website]

SSH: the basics

How to log in remotely to another machine using ssh

If you want to log in remotely to your account on another machine, simply issue the command

         ssh username@host.wherever.org

If you want to display X-windows programs on your machine that are run remotely, then include the -X or -Y flags:

         ssh -X username@host.wherever.org
         ssh -Y username@host.wherever.org

Try -X first, as it is more secure. If there are problems, try the -Y option instead.

How to avoid interrupted connections

My DSL service provider seems to delight in causing my ssh connections to hang up. This irks me. I finally discovered a very simple solution. Create a file called ~/.ssh/config and put into it the following three lines:

Host *
   ServerAliveInterval 120
   ServerAliveCountMax 3 

Problem solved (at least for me).

How to set up passwordless logins

Generate a public key on the computer you want to log in from:

% ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/yourname/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/yourname/.ssh/id_rsa.
Your public key has been saved in /Users/yourname/.ssh/id_rsa.pub.
The key fingerprint is:

.......

Copy the public key to the computer you want to log in to.

% scp /Users/yourname/.ssh/id_rsa.pub yourname@remote.computer.domain:temp.pub
password: [enter your password]

Log into the remote computer and append that public key to the appropriate file in your remote account's .ssh directory:

% ssh yourname@remote.computer.domain
password: [enter your password]
cat temp.pub >> ~/.ssh/authorized_keys

If the .ssh directory does not exist, you must first issue the command

mkdir ~/.ssh

and if the file ~/.ssh/authorized_keys does not yet exist, replace the above cat command with

cat temp.pub > ~/.ssh/authorized_keys

(but do this only if ~/.ssh/authorized_keys does not yet exist, or it will overwrite the file rather than append to the bottom of it).


With the 10.9 update, I found that I had to copy authorized_keys2 to authorized_keys:

cp ~/.ssh/authorized_keys2 ~/.ssh/authorized_keys

Test it.

It should now be set up for passwordless secure login.
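The append-or-create steps above are easy to get wrong by hand (clobbering the file, adding the same key twice, or leaving the directory world-readable, which sshd will refuse). Here is an added example, not part of the original page, that does the same job on the remote side in one function; the key file and authorized_keys paths are parameters, and the sample key in the comments is constructed.

```shell
#!/bin/sh
# install_pubkey KEYFILE AUTHFILE
# Appends every key line in KEYFILE to AUTHFILE, creating ~/.ssh and the
# file if needed, never truncating, and skipping keys already present.
install_pubkey() {
    key="$1"; auth="$2"; dir=$(dirname "$auth")
    [ -r "$key" ] || { echo "cannot read $key" >&2; return 1; }
    # Refuse input that does not look like an OpenSSH public key line,
    # e.g. a private key copied by mistake.
    grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) ' "$key" \
        || { echo "$key does not contain an OpenSSH public key" >&2; return 1; }
    old_umask=$(umask); umask 077          # new files are private by default
    mkdir -p "$dir" && chmod 700 "$dir"    # sshd ignores a group/world-writable ~/.ssh
    [ -f "$auth" ] || : > "$auth"          # create, but never truncate, authorized_keys
    chmod 600 "$auth"
    umask "$old_umask"
    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        if grep -qxF -- "$line" "$auth"; then
            echo "already present: ${line%% *} key, skipping"
        else
            printf '%s\n' "$line" >> "$auth"   # append, like 'cat temp.pub >> ...'
            added=$((added + 1))
        fi
    done < "$key"
    echo "added $added key(s) to $auth"
}

# Usage: sh install_pubkey.sh ~/temp.pub ~/.ssh/authorized_keys
[ $# -eq 2 ] && install_pubkey "$1" "$2"
```

Running it a second time with the same temp.pub reports the key as already present instead of duplicating it.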

Connecting securely with ssh tunnels

The idea of how to establish and use ssh tunnels, and why you might want to do this, is best illustrated with some examples. I have chosen two examples that you might very well want to put to use: using a web proxy to access restricted websites (like scientific literature your library has a subscription to), and connecting to a mail server from anywhere, even if your local service provider tries to prevent this (DSL home service providers, hotel internet, etc.).

Example One: Tunneling to a proxy server for web browsing

  • Problem: I want to read restricted-access journals from home, but I only have access from work.
  • Solution: Configure Firefox or SeaMonkey to use your work computer as a proxy.


For example, I can access most scientific journals on-line from machines that have recognized IP addresses (i.e., are affiliated with our university, whose library has paid for on-line access). If I am at home or on the road, I cannot do this easily unless I use a proxy server. Fortunately, this is fairly easy to do.

Establish the SSH tunnel connection

The syntax for establishing tunnel connections is as follows:

% ssh -ND 8080 yourname@your.computer.atwork

Choose a port: 8080, or any unused non-root port. The -N flag says to establish the connection but not to make it a login shell, and the -D flag says to use dynamic port forwarding, with ssh acting as a SOCKS server on that local port.


Configure Firefox or SeaMonkey Preferences to use a proxy

On Mac OS X, I use Safari as my primary web browser, but I keep several on hand. Because of this, I can dedicate Firefox as my proxy web browser. If Firefox is your primary web browser, other browsers in the Mozilla family, such as SeaMonkey, have this capability as well.

  • In Firefox.app, go to Preferences > General and hit the "Connection Settings" button on the lower right side of the panel. A second panel will be revealed. Enter what is shown here:

[Screenshot: Firefox Connection Settings pane with the SOCKS proxy set to localhost, port 8080]

Then click the "OK" button.

Thanks very much to James Davis and Adam Smith of UCSC SOE for the tip.

  • With SeaMonkey, go to Preferences > Advanced > Proxies > Manual Proxy Configuration > Advanced and you will get essentially the same configuration pane as pictured above. (SeaMonkey also has a nice free WYSIWYG HTML editor, called Composer.)



Example Two: Tunneling to a remote mail server

  • Problem: I want access to my email securely from any connection point in the world.
  • Solution: Configure smtp and pop or imap SSH tunnels.


Apple's Mail program logs onto a mail server computer every time it checks your mail, and every time it sends your mail. Depending on your mail server, it might send your password over the internet in clear text, as our POP3 server does. This is something worth avoiding, especially if you are on the road or using a commercial internet service provider. To get around this problem, you can create a "tunnel" using ssh. Essentially, you can trick the mail program into using a pre-established ssh connection instead of using the insecure connection, thereby avoiding having to send your password in clear text. In fact, if you have enabled passwordless login, you can avoid dealing with passwords altogether. As side benefits, the connection seems to be established faster, and you can send mail from anywhere that allows you to make an ssh connection to the mail-server computer. (Many locations and DSL providers forbid you to make an smtp connection to your own mail server to avoid spamming issues and to try to force you to use theirs.)

Establish the SSH tunnel connection

The syntax for establishing tunnel connections is as follows:

% ssh -C -L 1110:localhost:110 -N yourname@yourmail.server.domain
% ssh -C -L 2525:localhost:25 -N yourname@yourmail.server.domain

That is pretty much all there is to establishing the required tunnels for POP3 mail, but a bit of explanation is in order. If you would normally log into the computer that is your email host with a command of the form

% ssh yourname@yourmail.server.domain 

then just substitute what you would actually type for this to the right of the -N option flag in the above two tunnel commands. (These are the same names you put in the email program for the POP3 mail server and smtp server, respectively.) The ports (110 and 25) are the (insecure) ports used for POP3 and smtp mail. (If you are using the ssl secure ports, there is no need to be doing this.) Again, these are the same as you used for configuring mail. The -N flag says to establish the connection but not to make it a login shell. Don't change "localhost". The other two ports (1110 and 2525) are arbitrary choices. You can pick any (unused) port (although the ones below 1024 are reserved for root). The -L flag tells ssh to do port forwarding (i.e., to establish the tunnel, treating the local port 1110 as if it were the remote port 110). The (optional) -C flag is for compression. This is handy on a lower-speed connection, but might actually slow stuff down on a high-speed connection.
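Both examples above (the SOCKS proxy of Example One and the two mail forwards of Example Two) can be carried by a single background ssh process that you can check and shut down without hunting for its PID. The following script is an added example, not part of the original page; it assumes the page's placeholder names (yourname@yourmail.server.domain, local ports 1110 and 2525) and uses a control socket path of my own choosing.

```shell
#!/bin/sh
# mailtunnel.sh up|status|down
HOST="yourname@yourmail.server.domain"          # placeholder from the page
SOCK="$HOME/.ssh/mailtunnel.ctl"                # control socket (assumed path)
# The two -L forwards from Example Two; add "-D 8080" to also get the
# SOCKS proxy of Example One over the same connection.
FORWARDS="-L 1110:localhost:110 -L 2525:localhost:25"

# A usable local port is a number in 1024-65535 (below 1024 needs root).
check_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Extract the local port of every forward in FORWARDS (-L 1110:... or -D 8080).
local_ports() {
    for spec in $FORWARDS; do
        case "$spec" in
            *:*)    echo "${spec%%:*}" ;;
            [0-9]*) echo "$spec" ;;
        esac
    done
}

# One backgrounded ssh (-f) with no remote shell (-N); the control socket lets
# later invocations query or close it, and ExitOnForwardFailure makes a port
# already in use a hard error instead of a silently half-working tunnel.
tunnel_up() {
    for p in $(local_ports); do
        check_port "$p" || { echo "refusing local port '$p'" >&2; return 1; }
    done
    ssh -f -N -C $FORWARDS \
        -o ControlMaster=yes -o ControlPath="$SOCK" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=120 -o ServerAliveCountMax=3 "$HOST"
}
tunnel_status() { ssh -O check -o ControlPath="$SOCK" "$HOST"; }
tunnel_down()   { ssh -O exit  -o ControlPath="$SOCK" "$HOST"; }

case "${1:-}" in
    up) tunnel_up ;;  status) tunnel_status ;;  down) tunnel_down ;;
    *)  [ $# -eq 0 ] || { echo "usage: $0 up|status|down" >&2; exit 2; } ;;
esac
```

Once "mailtunnel.sh up" returns, point Mail.app at 127.0.0.1 on the local ports exactly as described in the next section, and use "mailtunnel.sh down" before closing the laptop.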

How to get the Mail.app program to use the tunnels

To get Mail.app to use your ssh tunnels, you have to reconfigure its settings.

  1. First, establish the above tunnels.
  2. Then open Mail.app and under Preferences, go to Accounts and open the Account Information tab. Where it says Incoming Mail Server, you should enter 127.0.0.1, and where it says Outgoing Mail Server (SMTP), you should change the Server Settings by clicking the button, add in 127.0.0.1 and port 2525 (or whatever port number corresponds to what you chose for the second tunnel command), and make these the default settings. This is illustrated in the following two screen shots:

    [Screenshot 1: Mail.app Account Information tab with Incoming Mail Server set to 127.0.0.1]

    [Screenshot 2: Mail.app SMTP Server Settings with server 127.0.0.1 and the tunnel port]

  3. Then go to the Advanced tab, click on it to reveal the new pane, and enter the port 1110 (or whatever you picked for the first tunnel). You should now be set to collect and send your mail via ssh tunnels. If the tunnels become interrupted, you will have to re-establish them.

SSH Tunnel Manager

[Screenshot: SSH Tunnel Manager]

I find that it is easy to start and maintain the tunnels using a simple free gui application called SSH Tunnel Manager. This saves you typing and remembering the above commands. Should you require permanent, always-on tunnels, it might be better to run a launchd item to do this.
