SSH tunneling

Could someone please explain ssh tunneling to me.

I tried googling a bit but if someone could explain it themselves or point me in the direction of some good example that would be great. Hopefully you can answer any quick questions I have too.

I am particularly interested in tunneling RDP through SSH.

Thanks for your time

Here's an article specifically on setting up RDP to go through SSH.

Here's an article on SSH tunneling:

What information would you like on tunneling? How it works? What it does?

Dushan De Silva (Technology Architect) commented:
As an alternative, you could use a PPTP VPN or IPSec VPN to tunnel your RDP sessions.
A VPN would be an alternative, depending on exactly what you're trying to do. If you're trying to get into your home computer remotely, then the SSH tunneling is the best option by far (most people don't have routers that support VPN or VPN servers at home).

Fortunately, RDP traffic is encrypted anyway... but using SSH or VPN would provide another layer of protection.

You'll need to set up an SSH server and possibly do port forwarding (this assumes you're trying to get into a machine at home and you have a router there). One such product you could use on one of your home machines is freeSSHd (

If you're not sure on what ports to forward (port 22 is for SSH traffic), go look up the information for your router at
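The local port forward described above, as an added example that is not from any reply in this thread: the client forwards a port on its own loopback interface through the SSH server to the terminal server's RDP port, then points its RDP client at 127.0.0.1. The host names, user name and port 13389 are constructed placeholders; the same source/destination pair is what PuTTY's Tunnels page asks for on Windows.

```shell
#!/bin/sh
# Added example (not from the thread): forward a local port to a terminal
# server's RDP port (3389) through an SSH server, then point the RDP client
# at 127.0.0.1. All host names and the user name are constructed placeholders.

SSH_USER="remoteuser"              # assumed: account on the SSH server
SSH_HOST="ssh.home.example"        # assumed: SSH server reachable from the internet
RDP_HOST="terminalserver.example"  # assumed: RDP host as seen from the SSH server
LOCAL_PORT=13389                   # a free local port; 3389 is often taken by the local RDP service

# A TCP port is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the -L argument "bind:localport:desthost:destport". Binding to
# 127.0.0.1 keeps other machines on the client's LAN from riding the tunnel.
forward_spec() {
    valid_port "$1" && valid_port "$3" || return 1
    printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

# Start the tunnel in the background (-f) with no remote command (-N).
# ExitOnForwardFailure makes ssh exit non-zero if the local port is already
# in use, instead of silently leaving a session without the forward.
start_tunnel() {
    spec=$(forward_spec "$LOCAL_PORT" "$RDP_HOST" 3389) || return 1
    ssh -f -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -L "$spec" "$SSH_USER@$SSH_HOST"
}

# Only connect when explicitly asked, so the functions can be sourced or tested.
if [ "${RDP_TUNNEL_RUN:-0}" = 1 ]; then
    start_tunnel && echo "RDP client target: 127.0.0.1:$LOCAL_PORT"
fi
```

Run with `RDP_TUNNEL_RUN=1` to bring the tunnel up; only port 22 on the home router needs to be forwarded to the SSH server, since RDP itself never leaves the encrypted session.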
jculkincys (Author) commented:

I don't think I completely grasp the idea of how public and private keys work.

Could you explain a little how SSH is superior to other things like telnet?

Thanks a lot for your help.

- do you have any experience with tunneling RDP through IPSec VPN or PPTP VPN? does it offer any benefits over ssh?
Telnet transmits all data, including passwords, in plaintext, which could be intercepted by unknown parties. That party could then take your account information and log in as you without your even realizing it. (BTW - SSH can be used as an FTP replacement also)

Private and public keys... to give the simple explanation of it... public keys are for encrypting and private keys are for decrypting. Data that is encrypted with a party's public key can only be decrypted by the party's private key.

Let's say you and I want to communicate with each other. We've both already generated public and private keys. We'll exchange public keys. So whenever you want to talk to me, you'll encrypt your message with my public key that I've given you. Then you'll transmit that data over the network to me. Only I'll be able to decrypt it because I've kept my private key secret. Ditto if I send a message to you: once a message has been encrypted with your public key by me, only you'll be able to decrypt it. (Note: Private keys are NEVER transmitted.)

This is more secure than shared secret encryption because anyone who knows that shared secret would be able to encrypt and decrypt any conversation.

SSH is one of many products that uses public key encryption... PGP also uses it. There are many other products out there; this is just to give you an example.

It's really one of the few safe ways to be able to communicate across an insecure network (in this case a LAN or the internet as a whole).

Here is a link that talks a bit more about public-key encryption and might clarify a bit more:
>> - do you have any experience with tunneling RDP through IPSec VPN or PPTP VPN? does it offer any benefits over ssh?

Yes, you could use a consumer-grade router that can terminate a VPN tunnel like the Linksys RV0xx series. However, it doesn't always work. Check other threads about it. The best and easiest way would be to do it with a Cisco PIX firewall. The 501 works perfectly and is relatively cheap. Many people here can help with the config and there are already dozens of threads on exactly how to configure it in addition to Cisco's documentation. Cheaper Cisco SOHO routers that are just as good as the PIX for VPN can be obtained from eBay for as low as $109 as of this afternoon; however, they require a steeper learning curve to configure due to their additional functionality. Note: if you get Cisco router hardware for your VPN end point, you may still need to buy a SmartNet contract, which is not always easy to obtain, in order to download the VPN client. Or, with the PIX, you can use Windows' built-in PPTP VPN client.
jculkincys (Author) commented:
How would a sender encrypt a message that would be decrypted by a private key that it has no idea about?
I guess each computer's public and private keys are related in a unique way?

How would a product like WinSSHD help with this task
WinSSHD is another product you could use. It's just the trial product that's free, which is why I steered towards another product, but it would certainly work.

But yes, the public and private keys are related. However, without knowledge of a ton of the background variables, it's impossible to be able to try to figure out what both keys are. (Lots of randomness is built into the algorithms that generate the keys)

Public keys are used for encryption only, whereas private keys are for decryption only. Yes, both are generated by the same user... but each is only intended for one purpose. The idea is that the secret needed to do the unlocking is always kept out of the public domain, which maintains the secrecy and security of the whole concept.
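As an added illustration that is not part of masnrock's reply: in RSA, one of the public-key algorithms SSH supports, the two keys are related through two large random primes $p$ and $q$. The public key is $(n, e)$, the private key is $d$, and the "background variables" the reply mentions are $p$ and $q$:

$$
n = p\,q, \qquad e\,d \equiv 1 \pmod{(p-1)(q-1)}, \qquad c = m^{e} \bmod n, \qquad m = c^{d} \bmod n .
$$

Anyone holding $(n, e)$ can compute the ciphertext $c$ from a message $m$, but computing $d$ from $(n, e)$ requires $(p-1)(q-1)$, that is, factoring $n$, which is what keeps the private key out of reach even though the public key was derived from the same primes.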
jculkincys (Author) commented:
Alright, I think I now understand what public key encryption is. And I have a crude idea of how to implement it with forwarding (SSH+RDP).

What would demand the least change from end users (i.e. people who want to access their employer's terminal server from home)? It seems that port forwarding through SSH would require them to download and use PuTTY. Would a hardware solution be better here? Would Cisco's 501 PIX be able to handle a terminal server with (at most) 10 concurrent users?

Thanks for your help

jculkincys (Author) commented:
Thank you for your help

I thought I was getting a little off topic here so I have created a new question
SSH would indeed involve users obtaining a client. However, the PIX 501 should be able to handle what you're trying to do. Client side it would require instructions to set up the connection, but it's not rocket science (neither is doing SSH).
jculkincys (Author) commented:
If I went with a PIX 501 solution, wouldn't I need one unit for each remote user and one for the terminal server? So 4 remote users would require a total of 5 PIXes.
The clients wouldn't need anything except to set up connections to access the PIX. All of the hardware would be on the office side.
jculkincys (Author) commented:
Hmm, that's very interesting to me. So you are telling me that numerous remote users (say, 15) can go through one Cisco PIX 501 which is located at my workplace and connected to a terminal server?

What do you mean by "set up connections to access the PIX"
- would this just involve pointing their RDP clients at the PIX instead of the terminal server? Then their RDP protocol would be forwarded to the terminal server.

Could you point me in the direction of some documentation of this or an example.
I tried my best to do some googling so I would save you trouble.
If you could verify that this link is doing what I am interested in - I would appreciate it.
jculkincys (Author) commented:
masnrock and plemieux72

You can post your answer at
that way I can continue to reward you (since it's really not related to this original question)