Home : Library : Tutorials : Tunneling through SSH

Secure communications: Tunneling with SSH

What is SSH?

Are you familiar with Telnet? Or perhaps Rlogin, or Rsh? (If not, then you might want to check out these Telnet tutorials at Oregon State University and Superscripts.com first - links will open in a new window.) As you know, these programs allow you to connect to other computers, and are very commonly used across the Internet (or were at one time). The problem is that they can be very insecure. When you use Telnet to connect to another computer, you are sending your password in the clear - this means that your password is not encrypted in any way. If somebody is monitoring your Internet connection (known as sniffing), they will be able to see your password.

Enter SSH.

SSH stands for Secure SHell, and it works very similar to the other login programs (it's based on Rsh, actually) with one important difference - it encrypts the entire communication session. When you enter your login and password they are encrypted before being sent. Likewise, everything you type and everything that comes back to you is encrypted as long as you're within that SSH session. The concept is very similar to how the military scrambles their radio communications to keep them from being intercepted by the enemy.

Where do I get it? How do I use it?

First, the computer you're connecting to needs to be running an SSH server. Installing and configuring an SSH server is beyond the scope of this document. Please see the documentation for your SSHD (the server program) distribution for help setting up and configuring a server. In most cases, this server will be installed and set up by the company who is providing you your Internet access. If your ISP does not offer SSH connectivity, you might want to talk to them about doing so.

Now that you've found an SSH server, you need an SSH client installed on your computer in order to connect to it. There are many commercial SSH clients available but I don't have any experience with them, and so cannot offer an effective opinion or advice in their use. There are two major freeware (freely available) clients for Windows that I am aware of (links below will open in a new window):

If you can recommend other free SSH clients, please let me know.

SSH clients and servers are also available for just about every operating system and platform that exists (Unix, Linux, Macintosh, Windows, OS/2, etc.) PuTTY, on the Windows platform(s), is what I will focus on here, although the principles are the same for any SSH client and can easily be applied to whatever platform and client you are using. I switched to PuTTY, from TeraTerm Pro, a few years back because it is still under active development (TeraTerm Pro has not been updated since 1989) and it provides support for the newer, and more secure, SSH 2 protocol. This tutorial is written for PuTTY version 0.52, but it should be applicable to any later version as well. For this exercise you only need putty.exe, but feel free to download, install and use all of the PuTTY tools if you like.

Protocol: ( ) Raw (*) Telnet ( ) Rlogin ( ) SSH

Once you have PuTTY downloaded and installed, simply start it up to make a connection to a remote computer. As you can see above, PuTTY gives you several options for how to establish that connection - including the unsecure Telnet login. You want to chose SSH so that your connection and subsequent communication is encrypted and therefore hidden from prying eyes. (If your ISP doesn't support SSH, you can still use PuTTY as a Telnet client, but you won't be able to use the tunneling features discussed below.)

How do I encrypt my other connections?

One of the really great things about SSH is that it includes a capability called port forwarding. What this means is that you can specify that the SSH client listen to a certain port number on your computer, then forward those connections to any port on the the server you are connected to. (Even better, you can forward connections to any other computer that the server has access to - whether you can get to it directly from your computer or not.) The following figure illustrates this:

This ability opens up a whole world of possibilities with regards to avoiding connection problems and getting around things like port filtering (where the ISP may be blocking access to a particular port for security reasons but you still have SSH access), not to mention the additional security offered by the SSH encrypted connection. From the server's point of view the connection is coming from the SSH server itself (localhost) - not from some other computer out in the internet (yours). Basically what you are doing is boring a hole (or tunnel) through the Internet to the server and then telling the other programs that need to connect to that server to use the tunnel instead of connecting directly.

So, how exactly do you do this?

First, you have to tell SSH to forward the port number you want to tunnel. In PuTTY follow these steps:

  1. From the menu on the left side of the Configuration window (see image to the right), select Connection -> SSH -> Tunnels.
  2. Under Add new forwarded port enter the port number that your computer is going to listen to for the Source port.
  3. For the Destination, enter the computer name and port that the remote server will forward the connection to in the following format: name:port. In most cases, this will be localhost:port. (Remember that the computer name you supply is from the server's perspective - not the name/address that might be visible from your own computer.)
    [ Source: 3306 | Destination: localhost:3306 | (*) Local ]
  4. Make sure the Local radio button is selected (not Remote) and click the Add button.
  5. The newly added port forwarding rule will then show up in the Forwarded ports box (see below). If you wish to remove the forwarded port, select it and click the Remove button.
  6. Don't forget to save your changes by going back to the Session page and clicking Save.
  7. So far, all we have done is define the port forwarding tunnel. To actually make it active, simply log in to the SSH server. As long as you remain connected, the tunnel should be open and functioning.

[ L3306 - localhost:3306 ]

In the sample above, I am forwarding a MySQL server connection (port 3306). The SSH forwarding mechanism accepts the connection and then forwards it - through the SSH tunnel - to the SSH server, which hands off the connection to the MySQL database engine - running on the same server (localhost). MySQL is a common database server used by many Internet Service Providers. For security reasons, access to the server is usually restricted to incoming connection request from localhost. For most people, this means logging in to their shell account (with either Telnet or SSH) and using the command-line mysql client - which can sometimes be cryptic and cumbersome to use. With an SSH tunnel established, however, I can use my favorite Windows-based database manager - DBTools - and work in style! When setting up my database connections, I simply tell DBTools to connect to localhost (port 3306 is assumed, as it is the default MySQL connection port). When the MySQL server receives the connection request, it appears to be coming from itself (its own localhost) and so the access restriction requirements are met. Everybody is happy!


I hope this tutorial has been helpful and informative for you. If you would like to make a suggestion or comment regarding it, please feel free to let me know. And be sure to watch my Tutorials index page for other helpful hints - including a forthcoming essay on advanced tips and tricks with port forwarding.

Home : Library : Tutorials : Tunneling through SSH

copyright | about | site map

© Shawn South, 2002. All rights reserved.
Republication, duplication or redistribution of any kind is prohibited without express written permission.