
Monday, 19 August 2013

SSH-Tunneling

Tunneling Another TCP Session Through SSH

Problem: You want to secure a client/server TCP connection such as POP, IMAP, NNTP, IRC, VNC, etc. Both the client and the server must reside on computers that run SSH.

Solution: Tunnel (forward) the TCP connection through SSH. To secure port 119, the NNTP protocol for Usenet news, which you read remotely from news.example.com:

# ssh -f -N -L12345:localhost:119 news.example.com

While this tunnel is open, read news via local port 12345:


# export NNTPSERVER=localhost
# tin -r -p 12345

Tunneling, or port forwarding, uses SSH to secure another TCP/IP connection, such as an NNTP or IMAP connection. You first create a tunnel, a secure connection between an SSH client and server. Then you make your TCP/IP applications communicate over the tunnel.

ssh -f -N -L12345:localhost:119 news.example.com

This establishes a tunnel between localhost and news.example.com. The tunnel has three segments:


1. The news reader on your local machine sends data to local port 12345. This occurs entirely on your local machine, not over the network.

2. The local SSH client reads port 12345, encrypts the data, and sends it through the tunnel to the remote SSH server on news.example.com.

3. The remote SSH server on news.example.com decrypts the data and passes it to the news server running on port 119. This runs entirely on news.example.com, not over the network.

Therefore, when your local news client connects to local port 12345,

# tin -r -p 12345

the connection operates through the tunnel to the remote news server on news.example.com. Data is sent back from the news server to the news client by the same process in reverse.

The general syntax is:


ssh -f -N -Llocal_port_number:localhost:remote_port_number remote_host

How to protect Outgoing Network Connections - ssh

ssh - performs remote logins and remote command execution

scp - copies files between computers

sftp - copies files between computers, with an interactive, ftp-like user interface

sshd - server daemon

ssh-keygen - creates and modifies public and private keys

ssh-agent - caches SSH private keys to avoid typing passphrases

ssh-add - manipulates the key cache of ssh-agent

~/.ssh - directory (per user) for keys and configuration files

/etc/ssh - directory (system-wide) for keys and configuration files

~/.ssh/config - client configuration file (per user)

/etc/ssh/sshd_config - server configuration file (system-wide)

To invoke a remote command:

# ssh -l remoteUser remotehost uptime

Authenticating by Public Key (OpenSSH)

Problem: You want to set up public-key authentication between an OpenSSH client and an OpenSSH server.

Solution:

Public Key Authentication

Public-key authentication lets you prove your identity to a remote host using a cryptographic key instead of a login password.


1. Generate a key if necessary:
  # mkdir -p ~/.ssh         ---- if it doesn't already exist
  # chmod 700 ~/.ssh
  # cd ~/.ssh
  # ssh-keygen -t dsa

2. Copy the public key to the remote host:
  # scp -p id_dsa.pub remoteuser@remotehost:
    passwd: ****

3. Log into the remote host and install the public key:
# ssh -l remoteUser remotehost
Password: *****
# mkdir -p ~/.ssh         ---- if it doesn't already exist
# chmod 700 ~/.ssh
# cat id_dsa.pub >> ~/.ssh/authorized_keys   ---- appending, so existing keys are kept
# chmod 600 ~/.ssh/authorized_keys
# mv id_dsa.pub ~/.ssh    ---- optional
# logout

4. Log back in via public-key authentication:

# ssh -l remoteUser remotehost
Enter passphrase for key '/home/smith//.ssh/id_dsa': ***

Note: SSH keys are more secure than passwords because keys are never transmitted over the network, whereas passwords are.

An SSH "key" is actually a matched pair of keys stored in two files. The private or secret key remains on the client machine, encrypted with a passphrase. The public key is copied to the remote (server) machine.
When establishing a connection, the SSH client and server perform a complex negotiation based on the private and public key, and if they match, your identity is proven and the connection succeeds.

The SSH server must be configured to permit public-key authentication, which is the default:

/etc/ssh/sshd_config
PubkeyAuthentication yes   ---- if no, change it and restart sshd
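The chmod steps above are easy to get wrong on a shared host, and a loose mode is a common reason public-key logins silently fall back to a password prompt. The script below is an added example, not part of the original post: it audits a ~/.ssh directory (path given as the first argument) against the modes the post sets, and assumes a GNU or BSD `stat` is available.

```sh
#!/bin/sh
# Added example (not from the original post): audit the permissions that
# the public-key setup above relies on. Pass the ~/.ssh directory to check
# as the first argument. Assumes GNU or BSD `stat`.

# Print the octal permission bits of a path (GNU stat first, then BSD).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Return 1 with a message unless $1 exists and has exactly mode $2.
check_mode() {
    path=$1; want=$2
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    have=$(mode_of "$path")
    if [ "$have" != "$want" ]; then
        echo "BAD MODE $path is $have, expected $want (fix: chmod $want '$path')"
        return 1
    fi
    return 0
}

# Check one ~/.ssh directory against the modes the post sets: 700 on the
# directory, 600 on authorized_keys and on any private key. sshd (with its
# default StrictModes) ignores authorized_keys when the file or directory is
# writable by other users, so this is the first thing to check when a key
# login unexpectedly asks for a password. Returns 0 only if all checks pass.
audit_ssh_dir() {
    dir=$1
    rc=0
    check_mode "$dir" 700 || rc=1
    # authorized_keys exists only on the server side, so it is optional.
    if [ -e "$dir/authorized_keys" ]; then
        check_mode "$dir/authorized_keys" 600 || rc=1
    fi
    # Private keys: the post uses id_dsa; newer key types are listed too.
    for key in "$dir/id_dsa" "$dir/id_rsa" "$dir/id_ed25519"; do
        if [ -e "$key" ]; then
            check_mode "$key" 600 || rc=1
        fi
    done
    return $rc
}

if [ $# -gt 0 ]; then
    audit_ssh_dir "$1"
fi
```

Run it on the server as `sh audit.sh ~/.ssh` after step 3; every line it prints names the exact chmod that brings the path back to the mode used in the post.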
