A secure command line interface is just the beginning of the many ways
SSH can be used. Given the proper amount of bandwidth, X11 sessions can
be directed over an SSH channel. Or, by using TCP/IP forwarding,
previously insecure port connections between systems can be mapped to
specific SSH channels.
Opening an X11 session over an established SSH connection is as easy
as running an X program on a local machine. When an X program is run
from the secure shell prompt, the SSH client and server create a new
secure channel, and the X program data is sent over that channel to
the client machine transparently.
X11 forwarding can be very useful. For example, X11 forwarding can be
used to create a secure, interactive session with
up2date. To do this, connect to the server using
ssh and type:
After supplying the root password for the server, the
Red Hat Update Agent appears and allows the remote
user to safely update the remote system.
SSH can secure otherwise insecure TCP/IP protocols via port
forwarding. When using this technique, the SSH server becomes an
encrypted conduit to the SSH client.
Port forwarding works by mapping a local port on the client to a
remote port on the server. SSH can map any port from the server to any
port on the client; port numbers do not need to match for this
technique to work.
To create a TCP/IP port forwarding channel which listens for
connections on the localhost, use the following command:
ssh -L local-port:remote-hostname:remote-port username@hostname |
 | Note |
|---|
| | Setting up port forwarding to listen on ports below 1024 requires
root level access.
|
To check email on a server called mail.example.com
using POP3 through an encrypted connection, use the following command:
ssh -L 1100:mail.example.com:110 mail.example.com |
Once the port forwarding channel is in place between the client
machine and the mail server, direct a POP3 mail client to use port
1100 on the localhost to check for new mail. Any requests sent to port
1100 on the client system are directed securely to the
mail.example.com server.
If mail.example.com is not running an SSH server,
but another machine on the same network is, SSH can still be used to
secure part of the connection. However, a slightly different command
is necessary:
ssh -L 1100:mail.example.com:110 other.example.com |
In this example, POP3 requests from port 1100 on the client machine
are forwarded through the SSH connection on port 22 to the SSH server,
other.example.com. Then,
other.example.com connects to port 110 on
mail.example.com to check for new mail. Note, when
using this technique only the connection between the client system
and other.example.com SSH server is secure.
Port forwarding can also be used to get information securely through
network firewalls. If the firewall is configured to allow SSH traffic
via its standard port (22) but blocks access to other ports, a
connection between two hosts using the blocked ports is still possible
by redirecting their communication over an established SSH connection.
| Note |
|---|
| | Using port forwarding to forward connections in this manner allows
any user on the client system to connect to that service. If the
client system becomes compromised, the attacker also has access to
forwarded services.
System administrators concerned about port forwarding can disable
this functionality on the server by specifying a
No parameter for the
AllowTcpForwarding line in
/etc/ssh/sshd_config and restarting the
sshd service.
|
