08. December 2011 · Comments Off on Using SSH to secure Internet connections · Categories: Networking, Web · Tags: Linux, Security, Windows
Last updated on 09/23/2021

Two ways to use SSH to secure Internet connections are local port forwarding and dynamic port forwarding. Local port forwarding forwards web traffic from a server, while dynamic port forwarding transforms your SSH client into a SOCKS proxy server. Both can be useful for secure Internet access in insecure environments such as public networks. To use either, you need to be able to login onto a remote system. Both are easy to use.

Local Port Forwarding

Local port forwarding can be used to access specific sites from another machine. For example, to route traffic from www.somewebsite.com on a remote PC ([email protected]) to port 12345 on a client PC, the following could be entered into a command window:

ssh -L 12345:www.somewebsite1.com:80 [email protected]<host>

multiple connections may also be combined into one command as follows:

ssh -L 12345:www.somewebsite1.com:80 -L 23456:www.somewebsite2.com:80 [email protected]<host>

Use:
You just need to open a browser and point it to https://localhost:12345/ to securely access somewebsite1.com or https://localhost:23456/ to access somewebsite2.com.

Note: An IP address can also be used in place of yourdomain.com (e.g. [email protected]).

Dynamic Port Forwarding

Dynamic port forwarding is even more powerful as it allows you to securely connect to any web page and to bypass firewalls. To set it up, the following could be entered into a command window:

ssh -C -D 23456 [email protected]
  • The -C is optional and is used to enable compression, which can speed up connections
  • The -D enables dynamic port forwarding
  • 23456 is the port on the client PC

Use:
To use this connection, you will need to configure your browser to use a SOCKS proxy. See the following articles on how to do this for your browser:

Make Tech Easier – How to Secure Your Internet Connection via SSH

Ubuntu Help – SSHOpenSSHPortForwarding (see Dynamic Port Forwarding)

The How-to-Geek – 5 Cool Things You Can Do With an SSH Server (see SSH Tunneling)


Useful Related Articles:

Linux Magazine – Port Forwarding with SSH

OpenBSD Man Pages for SSH – Manual Pages

University of Victoria – An Introduction to the Black Art of Port Forwarding with SSH

Share
23. February 2011 · Comments Off on Install and configure SSH on Windows · Categories: Networking · Tags: Security, Windows
Last updated on 02/14/2023

This guide explains how to install and configure a SSH server for a Windows XP home computer. SSH (Secure Shell) is a secure communications networking protocol based on the client-server model. It’s used to log into and execute commands between remote computers or devices and is widely used as a secure replacement for the insecure telnet and rlogin protocols. SSH encrypts all of the data, including the authentication data, allowing secure communications over unsecured networks, such as the Internet. Connections are made using public-key cryptography or password authentication, while the data itself is encrypted using one of several included encryption algorithms. It supports tunneling, port forwarding and transferring files with the associated protocols SFTP (Secure File Transfer Protocol) and SCP (Secure Copy Protocol), which are part of the standard SSH package. Typically used on Linux and UNIX systems, SSH runs on Windows systems using Linux-like environments such as Cygwin.

Benefits of SSH

  • Enhanced Security – user and host authentication, data encryption and integrity
  • Remotely connect computers (running Windows or Linux) and execute commands
  • Use applications such as Filezilla or WinSCP for file management operations on the same computer or from a remote computer
  • TCP/IP and X11 connection tunneling (a slightly more complex topic not explained in this guide)

The OpenSSH package

This guide uses the free and precomplied version of the OpenSSH suite, a stand alone version of SSH using a stripped down version of Gygwin. This allows for a quicker and smaller installation than if OpenSSH is installed as part of a regular Cygwin installation. The OpenSSH suite consists of the SSH program, SCP, SFTP and several supporting utilities (see https://openssh.org). The Windows version of OpenSSH hasn’t been updated for sometime, so the latest pre-compiled version available for Windows is v3.8.1p1-1 (July 2004), which still works well. See https://sshwindows.sourceforge.net/ for more information. For this guide, the SSH server is setup for password authentication.
______________________________________________________________________________

Step 1: Install OpenSSH

  1. Download OpenSSH for Windows v3.8.1p1-1. This is the direct download link.
  2. Unzip the archive and then run the installer setupssh.exe.
  3. Change the installation location to “C:OpenSSH” instead of program files to avoid spaces in directory names.
  4. Use the default settings as shown on the screen-shot below.
  5. That’s it for the installation; however, the SSH server’s passwd file must be configured next before using.
openssh install screen

OpenSSH installation options

Step2: Configure OpenSSH

  1. On your computer, click Start–> Run–> Type in “cmd” (without quotes), and then hit the OK button.
  2. In the command window, cd to the “OpenSSHbin” folder. If you are changing ports, go to the next step; otherwise, skip to Step 4.
  3. (Optional step) OpenSSH uses port 22 by default. If for some reason you need to use another port, you can change the port assignment for OpenSSH to prevent port conflicts. In the command window, cd to “OpenSSHetc” and enter “edit sshd_config” to launch the command line editor to change the port assignment (this is at approx line 13 in the file – an external text editor such as notepad may also be used). For example, to change the port to 5704:

    #Port 22
    change to:
    Port 5704

    (note that “#” needs to be removed to change the port assignment. Any other unused port other than 5704 is also OK)

    Make sure to save the file
  4. Enter the following in the command window. In the following commands, -l indicates local and -d indicates domain. Press Enter after each line; don’t include quotes:
    1. “mkgroup -l >> ..etcgroup”
      1. Creates a group file for local user accounts
    2. “mkgroup -d >> ..etcgroup” (skip – not normally required)
      1. Creates a group file for domain users. Returns [2453] if there is no PDC – primary domain controller
      2. Most instructions state to run both of the above commands. However, the “OpenSSHreadme.txt” file in “OpenSSHdoc” states: “If you use both mkgroup commands, the group file will contain duplicates. You will need to remove these by hand in a text editor.” Kind of confusing, but when both are executed I got the [2453] error for -d, but it didn’t change anything in the group file.
    3. “mkpasswd -l -u username >> ..etcpasswd”
      1. Adds a local authorized user to passwd file for local user accounts. NOTE: Omitting the username switch adds ALL users from the machine or domain, including service accounts and the Guest account.
    4. “mkpasswd -d -u >> ..etcpasswd” (skip – not normally required)
      1. Adds passwd file for all domain user accounts. Returns [2453] if there is no domain controller
      2. Again, if you get the [2453] error with the -d switch above, it doesn’t apply and won’t change anything in the passwd file.
  5. Enter net start opensshd  to start the SSH server (net stop opensshd stops the SSH server). It’s installed as a service, so in the future, the server will automatically start each time the computer boots.
  6. The SSH server is now configured with password authentication (the default configuration). If you want to use public key authentication, you need to generate public and private keys using the supplied executable and change the sshd_config file.  Note that the “keyauthentication.txt” file in the “OpenSSHdocs” directory states: “This document is outdated. You can use this as a reference, but please don’t expect it to be accurate. I will update this soon.” In any case, it shouldn’t be too difficult to accomplish public key authentication using the “keyauthentication.txt” by cross referencing its information with additional sources. Some other sources explaining how to setup public-key authentication for OpenSSH are below:

    OpenSSH RSA Authentication for Windows and Linux

    ssh-keygen Tutorial – Generating RSA and DSA keys

    OpenSSH for Windows
  7. Done with the configuration. Next, testing the SSH server.

    configure ssh in command window

    SSH server configuration

Test the installation on the SSH server (from the same machine)

  1. Enter ipconfig in the command window to find your ip address.
  2. Enter ssh [email protected] or ssh yourusername@servername (servername = computername) into the command window to login using SSH. You can also use any of the login options listed at the end of this page for logging in using a command window on the PC with the SSH server.

    Note: You may get a usage warning screen as shown below. If so, ignore it and sign in with your password. Also note that if you are logging in to the server for the first time, depending on the application being used to connect, you may also get another warning similar to: “The server’s host key was not found in the cache. You have no guarantee …blah blah… rsa2 key fingerprint is: ssh-rsa 1024 95:3c:9e:2b:23:df:bd:57:b4:ad:f1:5f:4c:2f:9c:ba
    “. This warning can also be safely ignored if you know the SSH server is the correct one you intended to log into. The warning is an anti-spoofing technique where each server is given a unique host key to prevent it from imitating another server. This technique is explained in detail on the WinSCP web site.
  3. It’s working if you get the screen below. Next, some optional tweaking for changing the home directory.
ssh logon warning screen

SSH login warning screen

Optional Tweaking

Changing the Home Directory within Documents and Settings for user(s):
By default all user home directories are set to (/home/username) in the passwd file in the “OpenSSHetc” directory, where (/home) corresponds to “C:Documents and Settings” for Windows XP. This is somewhat inconvenient since most users may want to start in “My Documents”. To change it, open the passwd file in a text editor and change the second to last entry from “/home/username” to “/home/username/My Documents” and save. Entries are separated by a colon “:”  for each user and are located just before the “/bin/switch” entry (switch stands for switch.exe, which enables both scp/sftp and the SSH standard command prompt to be available by switching between them).

Changing Home to outside the default directory on the SSH Server
To place users outside the default directory for their Windows profile, you need to change the directory that (/home) corresponds to by editing the value of the “native” key in the registry under (HKEY_LOCAL_MACHINESOFTWARECygnus SolutionsCygwinmounts v2/home). The value of “native” corresponds to the (/home) directory in the passwd file. For instance, if the “native” entry is changed to C:Users, then all users will be placed under separate folders in that directory — e.g., C:Usersusername1, C:Usersusername2, etc. If you then change each user (/home/username) in the passwd file to just (/home), this puts those users under C:Users. If you have a subdirectory such as “C:\UsersOpenSSH”, you can place users there by changing the entries in the passwd file to (/home/OpenSSH) or (/home/OpenSSH/username) for separate user account directories.

Note that changing the home directory using this method works only for logins (Passwd), and doesn’t work for for SCP or SFTP. Instead, use Cygdrive Notation to change the directory for using Passwd, SCP, and SFTP (explained in next paragraph).

Registry entry to change default directory

HKEY_LOCAL_MACHINESOFTWARECygnus SolutionsCygwinmounts v2/home

Changing the Drive of the Home Directory when using Passwd, SCP, and SFTP (Cygdrive Notation)
To access any folder on any drive letter outside the installation root (/home), a special notation called Cygdrive is required when using SCP, SFTP and for the home directory entries in passwd. Cygdrive notation changes the mapping of drive letters by mapping them into a UNIX-style file-system. Cygdrive notation overrides all other settings in the registry.

To use, add “/cygdrive/driveletter” to the start of the folder path in the user passwd file and/or when using the SCP or SFTP commands. For instance, to change to the “C:windowssystem” directory in a command window use: “cd /cygdrive/c/windows/system. To transfer file example.txt to d:test using SCP, the command would be “scp example.txt  user@localhost:/cygdrive/d/test/“.

You can even change the prefix of cygdrive notation by adding two entries to the registry. Open HKEY_LOCAL_MACHINESOFTWARECygnus SolutionsCygwinmounts v2, and add a REG_DWORD called “Cygdrive flags” and set it to 2a hex. Then add a REG_SZ called “Cygdrive prefix” and set its value to the new prefix. For instance, if you set it to “/” then the C: drive becomes accessible using Cygdrive notation “/c”, the D: drive with “/d”, or the F:test folder with “/f/test” and so forth. If it’s set to “/foo”, then the C: drive becomes accessible using Cygdrive notation “/foo/c”, the D: drive with “/foo/d”, or the F:test folder with “/foo/f/test” and so on. This behavior can be tested in a command window using the command “mount –change-cygdrive-prefix /foo” before permanently changing the registry.

______________________________________________________________________________

Remote connections from the network

To connect to the SSH server from a remote computer on the network, a SSH compliant client is needed. SSH is usually installed by default on Linux systems, and SSH clients such as Putty are often included as well. If the remote computer will be a Windows machine, it needs to have at least the Cygwin or OpenSSH client installed in order to connect with the SSH server from a command window, while Putty is a stand-alone application. The client portion for OpenSSH can be installed separately during the OpenSSH installation process. The installation process sets the path variable for the OpenSSH client and/or Server, so that SSH commands are available from any command window on that machine. Even with an OpenSSH or Cygwin client installed, it’s a good idea to have a client like Putty also installed, because it makes connecting much simpler.

Connecting from the outside world

To connect to the SSH server from the outside world, you need to port forward port 22 (or the port set during the OpenSSH installation) to the router. Port forwarding can be setup with a program like SimplePortForwarding or by following instructions in the router user’s manual. This sets up the router to forward any connection to port 22 to the SSH server. Then, all that’s needed to connect is to use a terminal in Linux, a command window in Windows, or a client like Putty from any computer connected to the Internet and the public IP address for your router.

Using Filezilla, WinSCP and Putty

Client utilities such as Filezilla, WinSCP, and Putty can be used on the computer with the SSH server, from remote computers on the LAN, and from the outside world to connect to the SSH server. When using any of these utilities from the SSH server machine, you can use 127.0.0.1, computername, or localhost as the IP with the user login and password info for those accounts. You can also use the SFTP protocol for Filezilla, SCP or SFTP for WinSCP, and SSH for Putty. The beauty of using WinSCP or Filezilla on an SSH server machine is that file tasks like changing permissions with CHMOD, moving, or deleting files are easily accomplished using a mouse and the application UI, such as those for locally installed web sites. In other words, unlike natively installed servers, such as a FTP server, the SSH server and applications using the server can run on the same machine without any loss of functionality since the SSH server runs in a separate environment (Cygwin) using the loopback interface.

filezilla setup screen

Localhost login with Filezilla

putty config screen

Putty config screen (hostname can also be localhost or 127.0.0.1)

winscp config screen

Localhost login with WinSCP

List of connecting options from command window and applications:

Using a Command Window:

Password will be the same as the user password for that machine (commands are case sensitive)

  • Remote computer on the network with SSH client installed:
  • Remote computer from outside world with SSH client installed:

Using client applications such as Putty, WinSCP or Filezilla

User Name and Password will be the same as the user login credentials for that machine

  • On the SSH server:
    • IP Address: 127.0.0.1, localhost, servername, or 192.168.x.xxx
  • Remote computer on the network:
    • IP Address: servername or 192.168.x.xxx
  • Remote computer from outside world (router set with port forwarding):
    • IP Address: xxx.xxx.x.xxx (remote ip address, port usually set in application)

______________________________________________________________________________

SSH commands other than for basic connecting using port 22 are not covered in this guide. However, below are some sources for addtional information. When making an SSH connection, the commands for Linux and Windows are essentially the same.

ezpz HostingCommon SSH Commands – Linux Shell Commands

The Geek Stuff5 Basic Linux SSH Client Commands

Taming the BeastUsing SSH and Unix commands – a beginners tutorial

Phoenixnap19 Common SSH Commands in Linux With Examples

____________________________________________________________________________

Unofficial OpenSSH Suite installer for Windows – mls-software.com (ver 6.6.1p1-3 tested on 10/08/2014 with Windows XP. Server requires several additional protocols and drivers. It also has a slightly different setup. Possibly could work, but not worth the investment in time and effort.)

Win32-OpenSSH – 32 and 64 bit binaries (OpenSSH-Win64.zip and OpenSSH-Win32.zip) for Windows 8 or earlier.

Share
Private
feed
">Bear

Bad Behavior has blocked 1883 access attempts in the last 7 days.

privacy