glennji.com

Because life's too short to save your work

Why I (heart) SSH

Sep 15

Two words: SSH tunneling.

SSH (Secure SHell) is an secure (encrypted) point-to-point communication protocol.  At the simplest level, SSH connects a "client" to a "server" and opens up a "shell" or terminal session from client to server.  Like Telnet, but all the traffic is encrypted "strong" cryptography (for suitably paranoid values of "strong").

But it's more than that - SSH can also act like a secure FTP server with the "scp" command.  Try winscp, for example: it gives a full two-pane FTP-like interface, but uses SSH/scp (or SFTP if required) in the background.

And then le bombe: SSH can "tunnel" other connections between client and server, like a multiprotocol proxy that keeps track of connections - everything goes over the single encrypted channel, but is split back up at the end.  Which means you can open a single port in your firewall but connect to a variety of network services remotely: file-sharing (SMB, NFS); media (UPnP); remote-clients (RDesktop, VNC, Xwindows); shared printers; etc.

Okay, so a working example.

I have a home network connected to the Internet through a regular ADSL2 modem.  Inside the network, we use local IP addresses; outside, the modem translates our outgoing requests into it's own public IP (NAT). The modem has a built-in firewall, but it's very simplistic and really only allows "port forwarding" (i.e. any traffic to a port on the firewall is redirected to a port on an internal machine).

So I set-up an SSH server on a machine inside, and tell the modem to port-forward the SSH port to it.  Now, whenever someone attempts to connect to my public IP address on port 22, the connection is handed over to a little black box inside the network.  Combine that with dyndns (which gives my public IP address a host and domain name) and I can pop open a PuTTY session from work to home -- which is immediately pretty cool, as I can get my files and music (via SCP) and bounce from host to host as I like.

But better than that, by running a local Xserver called Xming, I can fire up GUI-fied programs on my home computers and have them appear on my screen at work!  All built in to Unix, baby.

Better again, by setting up tunnels I can use my home system as a kind of traffic router.  Tunnel the IPP ports and I can print to my home printer.  Tunnel my home proxy and I have privacy at work (and at home, if I'm using TOR).  Tunnel media streaming, or security cameras, or IP-enabled coffee machines.

In fact, the end-point of the tunnel doesn't have to be a local service: I can tunnel local (work) port 900 to the Google Talk servers, then I can use GTalk by connecting to localhost:900 instead of gtalk.google.com!

A bit rambly, but I'll write this up properly one day (promise).