Solved

SSH tunneling

Posted on 2006-04-08
Last Modified: 2013-11-21
Could someone please explain ssh tunneling to me.

I tried googling a bit but if someone could explain it themselves or point me in the direction of some good example that would be great. Hopefully you can answer any quick questions I have too.

I am particularly interested in tunneling RDP through SSH.

Thanks for your time
jculkincys
Question by: jculkincys

16 Comments

Accepted Solution by: masnrock (earned 1600 total points), ID: 16407603
Here's an article specifically on setting up RDP to go through SSH.
http://theillustratednetwork.mvps.org/Ssh/RemoteDesktopSSH.html

Here's an article on SSH tunneling:
http://docs.cs.byu.edu/docs/sshtunnels/

What information would you like on tunneling? How it works? What it does?

Expert Comment by: Dushan De Silva, ID: 16408054

Expert Comment by: plemieux72, ID: 16408123
As an alternative, you could use a PPTP VPN or IPSec VPN to tunnel your RDP sessions.

Expert Comment by: masnrock, ID: 16408228
A VPN would be an alternative, depending on exactly what you're trying to do. If you're trying to get into your home computer remotely, then the SSH tunneling is the best option by far (most people don't have routers that support VPN or VPN servers at home).

Fortunately, RDP traffic is encrypted anyway... but using SSH or VPN would provide another layer of protection.

You'll need to set up an SSH server and possibly do port forwarding (this assumes you're trying to get into a machine at home and you have a router there). One such product you could use on one of your home machines is freeSSHd (http://freesshd.com)

If you're not sure on what ports to forward (port 22 is for SSH traffic), go look up the information for your router at http://www.portforward.com/
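The setup masnrock describes (SSH server at home, router forwarding TCP 22, client builds a local forward and points RDP at it), as an added example that is not code from the thread or from any of the products named in it. The class below is a plain, unencrypted loopback relay that does the same listen/accept/connect/relay work the client side of `ssh -L` does, so the mechanics can be run offline against a constructed echo service standing in for the terminal server; `ssh_tunnel_command` assembles the real OpenSSH command using only standard options. The user name, host names and the local port 3390 are placeholders.

```python
"""Client-side port forwarding in plain Python, to show what `ssh -L` does.

Added example for this thread (not code from the original page). The relay is
unencrypted and only demonstrates the listen/accept/connect/relay mechanics.
With real ssh the "upstream" leg is carried inside the SSH session and the
connect to the RDP port happens on the SSH server, so "localhost:3389" is
resolved on the home machine, not on the client."""
import socket
import threading


def ssh_tunnel_command(user, ssh_host, local_port=3390,
                       rdp_host="localhost", rdp_port=3389, ssh_port=22):
    """OpenSSH command for the RDP-over-SSH tunnel from the thread (placeholders
    supplied by the caller). -N: no remote shell. Binding 127.0.0.1 keeps other
    LAN hosts from riding the tunnel. ExitOnForwardFailure fails loudly if the
    local port is taken; ServerAliveInterval keeps router NAT state alive."""
    return [
        "ssh", "-N",
        "-p", str(ssh_port),
        "-o", "ExitOnForwardFailure=yes",
        "-o", "ServerAliveInterval=30",
        "-L", f"127.0.0.1:{local_port}:{rdp_host}:{rdp_port}",
        f"{user}@{ssh_host}",
    ]


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the far
    end sees the same EOF (keeps session teardown clean)."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, upstream):
    """Run both directions, then close both sockets once both have drained."""
    pumps = [threading.Thread(target=_pump, args=pair, daemon=True)
             for pair in ((client, upstream), (upstream, client))]
    for t in pumps:
        t.start()
    for t in pumps:
        t.join()
    client.close()
    upstream.close()


class LocalForwarder:
    """Listen on listen_host:listen_port; for every accepted client open a fresh
    connection to target and relay both directions (the -L side of ssh)."""

    def __init__(self, listen_host, listen_port, target_host, target_port):
        self.target = (target_host, target_port)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((listen_host, listen_port))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]   # real port, even if 0 was requested
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:                       # listener closed by close()
                return
            try:
                upstream = socket.create_connection(self.target, timeout=5)
                upstream.settimeout(None)         # connect timeout only; idle RDP must not time out
            except OSError:
                client.close()                    # target unreachable: refuse this client, keep listening
                continue
            threading.Thread(target=_relay, args=(client, upstream), daemon=True).start()

    def close(self):
        self.sock.close()


def _echo_server():
    """Constructed stand-in for the service behind the tunnel (RDP on 3389 in
    the thread). Echoes one connection back, then exits. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while chunk := conn.recv(4096):
                conn.sendall(chunk)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo(payload=b"hello through the tunnel"):
    """Send payload through the forwarder to the echo service; return the reply."""
    fwd = LocalForwarder("127.0.0.1", 0, "127.0.0.1", _echo_server())
    try:
        with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)            # done sending; now wait for the echo
            received = b"".join(iter(lambda: c.recv(4096), b""))
    finally:
        fwd.close()
    return received


if __name__ == "__main__":
    print(" ".join(ssh_tunnel_command("alice", "home.example.org")))
    print(demo())
```

To use the real thing, run the assembled ssh command (or in PuTTY: Connection > SSH > Tunnels, source port 3390, destination localhost:3389) and then point the RDP client at the loopback port, e.g. `mstsc /v:127.0.0.1:3390`. On the home router forward only TCP 22 to the SSH machine; 3389 stays closed to the internet, which is the point of tunneling it.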

Author Comment by: jculkincys, ID: 16408359
masnrock

I don't think I completely grasp the idea of how public and private keys work.

Could you explain a little how SSH is superior to other things like telnet?

Thanks a lot for your help.

plemieux72
- do you have any experience with tunneling RDP through IPSec VPN or PPTP VPN? Does it offer any benefits over SSH?

Expert Comment by: masnrock, ID: 16408413
Telnet transmits all data, including passwords, in plaintext, which could be intercepted by unknown parties. That party could then take your account information and log in as you without your even realizing it. (BTW - SSH can be used as an FTP replacement also)

Private and public keys... to give the simple explanation of it... public keys are for encrypting and private keys are for decrypting. Data that is encrypted with a party's public key can only be decrypted by the party's private key.

Let's say you and I want to communicate with each other. We've both already generated public and private keys. We'll exchange public keys. So whenever you want to talk to me, you'll encrypt your message with my public key that I've given you. Then you'll transmit that data over the network to me. Only I'll be able to decrypt it because I've kept my private key secret. Ditto for if I send a message to you.. once a message has been encrypted with your public key by me, only you'll be able to decrypt it. (Note: Private keys are NEVER transmitted.)

This is more secure than shared secret encryption because anyone who knows that shared secret would be able to encrypt and decrypt any conversation.

SSH is one of many products that use public key encryption... PGP also uses it. Many other products are out there, but this is just to give you an example.

It's really one of the few safe ways to be able to communicate across an insecure network (in this case a LAN or the internet as a whole).

Here is a link that talks a bit more about public-key encryption and might clarify a bit more:
http://www.webopedia.com/TERM/P/public_key_cryptography.html

Assisted Solution by: plemieux72 (earned 400 total points), ID: 16408616
<<Plmieux
- do you have any experience with tunneling RDP through IPSec VPN or PPTP VPN? does it offer any benfits over ssh?>>

Yes, you could use a consumer-grade router that can terminate a VPN tunnel like the Linksys RV0xx series.  However, it doesn't always work.  Check other threads about it.  The best and easiest way would be to do it with a Cisco PIX firewall.  The 501 works perfectly and is relatively cheap.  Many people here can help with the config and there are already dozens of threads on exactly how to configure it in addition to Cisco's documentation.  Cheaper Cisco SOHO routers that are just as good as the PIX for VPN can be obtained from eBay for as low as $109 as of this afternoon; however, they require a steeper learning curve to configure due to their additional functionality.  Note: if you get Cisco router hardware for your VPN end point, you may still need to buy a SmartNet contract, which is not always easy to obtain, in order to download the VPN client.  Or, with the PIX, you can use Windows' built-in PPTP VPN client.

Author Comment by: jculkincys, ID: 16409713
How would a sender encrypt a message that would be decrypted by a private key that it has no idea about?
I guess each computer's public and private keys are related in a unique way?

How would a product like WinSSHD help with this task
http://www.bitvise.com/winsshd.html

Expert Comment by: masnrock, ID: 16410365
WinSSHD is another product you could use. It's just the trial product that's free, which is why I steered towards another product, but it would certainly work.

But yes, the public and private keys are related. However, without knowledge of a ton of the background variables, it's impossible to be able to try to figure out what both keys are. (Lots of randomness is built into the algorithms that generate the keys)

Public keys are used for encryption only, whereas private keys are for decryption only. Yes, both are generated by the same user... but each is only intended for one purpose. The idea is that the secret needed to do the unlocking is always kept out of the public domain, which maintains the secrecy and security of the whole concept.
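The encrypt-with-the-public-key / decrypt-with-the-private-key relationship masnrock describes in his two comments above (ID 16408413 and ID 16410365), as an added example that is not code from the thread: textbook RSA with deliberately tiny 20-bit primes. Both keys come from the same two secret primes, which is the "related in a unique way" part, and the script also shows the only route an eavesdropper has from the public key to the private one, factoring n, which finishes in a fraction of a second at this size and is infeasible at the 2048-bit sizes used in practice. The primes, the seed and the message are constructed here; real RSA adds padding (OAEP/PSS), and SSH itself uses the key pair to authenticate (the private key signs a challenge, the public key verifies it) and to identify hosts, encrypting the actual session with a symmetric key agreed via Diffie-Hellman, so this is the concept rather than the SSH wire protocol.

```python
"""Textbook RSA on toy-sized keys, to make the public/private relationship
concrete. Added example, not from the thread. The numbers are tiny so the
attacker's step (factoring n) finishes quickly; real keys are 2048+ bits and
real RSA adds padding (OAEP/PSS)."""
import math
import random


def _small_prime(rng, bits):
    """Random prime of exactly `bits` bits; trial division is fine at this size."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if all(cand % d for d in range(3, math.isqrt(cand) + 1, 2)):
            return cand


def generate_keypair(bits=20, seed=None):
    """Return ((e, n), (d, n)). Both halves derive from the same two secret
    primes p and q; nothing else ties them together."""
    rng = random.Random(seed)
    p = _small_prime(rng, bits)
    q = _small_prime(rng, bits)
    while q == p:
        q = _small_prime(rng, bits)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while math.gcd(e, phi) != 1:
        e += 2
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(message, public_key):
    """Anyone holding (e, n) can do this step."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if not 0 < m < n:
        raise ValueError("message must be non-empty and shorter than the modulus")
    return pow(m, e, n)


def decrypt(ciphertext, private_key):
    """Only the holder of d can do this step (leading zero bytes are not preserved)."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def recover_private_key(public_key):
    """What an eavesdropper with only (e, n) must do: factor n, then derive d.
    Trial division: about 2**20 steps for a 40-bit n, hopeless for 2048 bits."""
    e, n = public_key
    for p in range(3, math.isqrt(n) + 1, 2):
        if n % p == 0:
            return pow(e, -1, (p - 1) * (n // p - 1)), n
    raise ValueError("n is not a product of two odd primes")


def demo(message=b"RDP!", seed=2006):
    """Round trip a constructed message and report what each party can do."""
    pub, priv = generate_keypair(bits=20, seed=seed)
    c = encrypt(message, pub)
    return {
        "ciphertext": c,
        "round_trip": decrypt(c, priv),
        # applying the public exponent again does not undo the encryption
        "public_exponent_undoes_it": pow(c, pub[0], pub[1]) == int.from_bytes(message, "big"),
        # but with toy primes, factoring n hands the attacker the private key
        "attacker_recovers_private_key": recover_private_key(pub) == priv,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Raise `bits` in `generate_keypair` to see the attacker's step fall over: every extra bit of each prime doubles the trial-division work, which is the whole reason key size matters.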

Author Comment by: jculkincys, ID: 16416732
Alright, I think I now understand what public key encryption is. And I have a crude idea of how to implement it with forwarding (SSH+RDP).

What would demand the least change from end users (i.e. people who want to access their employer's terminal server from home)? It seems that port forwarding through SSH would require them to download PuTTY. Would a hardware solution be better here? Would Cisco's 501 PIX be able to handle a terminal server serving (at most) 10 concurrent users?

Thanks for your help



Author Comment by: jculkincys, ID: 16419496
Thank you for your help

I thought I was getting a little off topic here so I have created a new question
http://www.experts-exchange.com/Networking/Q_21808538.html

Expert Comment by: masnrock, ID: 16419706
SSH would indeed involve users obtaining a client. However, the PIX 501 should be able to handle what you're trying to do. Client side it would require instructions to set up the connection, but it's not rocket science (neither is doing SSH).

Author Comment by: jculkincys, ID: 16420062
If I went with a PIX 501 solution - wouldn't I need one unit for each remote user and one for the terminal server? So 4 remote users would require a total of 5 PIX's.

Expert Comment by: masnrock, ID: 16420211
The clients wouldn't need anything except to set up connections to access the PIX. All of the hardware would be on the office side.

Author Comment by: jculkincys, ID: 16420319
Hmm, that's very interesting to me.  So you are telling me that numerous remote users (say 15) can go through one Cisco PIX 501 which is located at my workplace and connected to a terminal server?

What do you mean by "set up connections to access the PIX"
- would this just involve pointing their RDP clients at the PIX instead of the terminal server? Then their RDP protocol would be forwarded to the terminal server.


Could you point me in the direction of some documentation of this or an example.
I tried my best to do some googling so I would save you trouble.
If you could verify that this link is doing what I am interested in - I would appreciate it.
http://www.mcse.ms/archive123-2004-9-1072914.html

Author Comment by: jculkincys, ID: 16420647
masnrock and plemieux72

You can post your answer at http://www.experts-exchange.com/Networking/Q_21808538.html
that way I can continue to reward you (since its really not related to this original question)