A secure command line interface is just the beginning of the many ways
SSH can be used. Given the proper amount of bandwidth, X11 sessions can
be directed over an SSH channel. Or, by using TCP/IP forwarding,
previously insecure port connections between systems can be mapped to
specific SSH channels.
Opening an X11 session over an established SSH connection is as easy
as running an X program on the local machine. When an X program is run
from the secure shell prompt, the SSH client and server create a new
secure channel, and the X program data is sent over that channel to
your client machine transparently.
X11 forwarding can be very useful. For example, you can use X11
forwarding to create a secure, interactive session with
up2date on the server to update packages. To do
this, connect to the server using ssh and
type:
You will be asked to supply the root password for the server. Then, the
Red Hat Update Agent will appear and you
can update your packages on the server as though you were sitting in
front of the machine.
With SSH you can secure otherwise insecure TCP/IP protocols via port
forwarding. When using this technique, the SSH server becomes an
encrypted conduit to the SSH client.
Port forwarding works by mapping a local port on the client to a
remote port on the server. SSH allows you to map any port from the server to
any port on the client; the port numbers do not need to match for it
to work.
To create a TCP/IP port forwarding channel which listens for
connections on the localhost, use the following command:
ssh -L local-port:remote-hostname:remote-port username@hostname
| Note |
|---|
| Setting up port forwarding to listen on ports below 1024 requires root access. |
So if you want to check your email on a server called
mail.domain.com using POP through an encrypted connection, you can
use the following command:
ssh -L 1100:mail.domain.com:110 mail.domain.com
Once the port forwarding channel is in place between the two machines,
you can direct your POP mail client to use port 1100 on localhost to
check for new mail. Any requests sent to port 1100 on your system will
be directed securely to the mail.domain.com server.
If mail.domain.com is not running an SSH server daemon, but you can log
in via SSH to a machine on the same network, you can still use SSH to
secure part of the POP connection. However, a slightly different
command is needed:
ssh -L 1100:mail.domain.com:110 other.domain.com
In this example, you are forwarding your POP request from port 1100 on
your machine through the SSH connection on port 22 to
other.domain.com. Then, other.domain.com connects
to port 110 on mail.domain.com to allow you to
check for new mail. Using this technique, only the connection between
your system and other.domain.com is secure.
Port forwarding can also be used to get information securely through
network firewalls. If the firewall is configured to allow SSH traffic
via its standard port (22) but block access through other ports, a
connection between two hosts using the blocked ports is still possible
by redirecting their communication over an established SSH connection.
| Note |
|---|
| Using port forwarding to forward connections in this manner allows any user on the client system to connect to the service to which you are forwarding connections. If the client system becomes compromised, the attacker will also have access to forwarded services. System administrators concerned about port forwarding can disable this functionality on the server by setting AllowTcpForwarding to no in /etc/ssh/sshd_config and restarting the sshd service. |
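The following shell script is an added example, not part of the original documentation: it assembles the ssh -L command described above (refusing local ports below 1024 for non-root users, as the first Note states) and checks an sshd_config for the AllowTcpForwarding setting mentioned in the second Note. The function names, the optional uid argument and the sample configuration files are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original documentation. Two helpers for the
# port-forwarding material above. Function names, the optional UID argument
# and the sample configs below are assumptions made for this example.

# build_forward_cmd LOCAL_PORT REMOTE_HOST REMOTE_PORT SSH_TARGET [UID]
# Prints the ssh command, or prints nothing and returns 1 when a non-root
# user asks for a local listener below 1024 (see the Note above).
build_forward_cmd() {
    local_port=$1; remote_host=$2; remote_port=$3; target=$4
    uid=${5:-$(id -u)}
    if [ "$local_port" -lt 1024 ] && [ "$uid" -ne 0 ]; then
        echo "local port $local_port needs root" >&2
        return 1
    fi
    # Bind the listener to loopback explicitly so only this machine can reach it.
    printf 'ssh -L 127.0.0.1:%s:%s:%s %s\n' \
        "$local_port" "$remote_host" "$remote_port" "$target"
}

# tcp_forwarding_allowed CONFIG_FILE
# Returns 0 if sshd would allow TCP forwarding, 1 if "AllowTcpForwarding no"
# is set. sshd uses the first value it reads and Match blocks may override it
# per user; this check only inspects the global section before any Match.
tcp_forwarding_allowed() {
    value=$(awk '
        tolower($1) == "match" { exit }
        tolower($1) == "allowtcpforwarding" { print tolower($2); exit }
    ' "$1")
    [ "${value:-yes}" != "no" ]
}

# Constructed sample configurations (not taken from any real system).
SAMPLE_DIR=$(mktemp -d)
printf 'Port 22\nAllowTcpForwarding no\nMatch User backup\n    AllowTcpForwarding yes\n' \
    > "$SAMPLE_DIR/locked.conf"
printf 'Port 22\n#AllowTcpForwarding no\n' > "$SAMPLE_DIR/default.conf"

# Stand-alone demonstration using the page's POP example.
build_forward_cmd 1100 mail.domain.com 110 mail.domain.com
tcp_forwarding_allowed "$SAMPLE_DIR/locked.conf" \
    && echo "locked.conf: forwarding allowed" || echo "locked.conf: forwarding disabled"
```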