Tuesday, July 12, 2005

Secure Connectivity through SSH

First Two Para for only those who know what kind of work we are doing currently other people may not be able to understand what I am saying. If it so please leave first two para.
Since from when I am working in this project I am searching some appropriate solution for establishing the secure connection on internet. From very first day I am not able to understand the solution which looks totally ugly and stupid for me (file transfer over https connection). Ultimately I am able to do the thing which I wanted to do. This happened because on of my friend as me for some thing through the news group and I analyzed that its good for me.
Because when ever I suggest some thing good the question always comes we can not go against the clients sec policy. And in that term its seems good solution. Although I am still not able to use this solution (Because we can not go against the client sec policies where ssh is allowed still ....)but might be it help u people.

SSH is an extremely useful tool in that it allows you to do many things in a secure fashion that you might not otherwise be able to do. One of the things SSH allows you to do is to set up a reverse encrypted tunnel for data transfer. Typically, when you initiate an SSH tunnel, you forward a port on the local machine to a remote machine which can allow you to connect to an insecure service in a secure way, such as POP3 or IMAP. However, you can also do the reverse. You can forward a port on the remote machine to the local machine while still initiating the tunnel from the local machine.

This is useful if you have a service on the remote end that you want to have connected to something on the local machine, but you don't wish to open up your firewall or have SSH private keys stored on the remote machine. By using a reverse tunnel, you maintain all of the control on the local machine. An example which I took is for forwarding logging messages; by setting up a reverse SSH tunnel, you can have a logger on the remote system send logs to the local system (i.e., syslog-ng).

To set up the reverse tunnel, use:

$ ssh -nNT -R 1100:local.keekar.com:1100 remote.keekar.com

Let me explain what this does. Is initiate a connection to remote.keekar.com and forwards TCP port 1100 on remote.keekar.com to TCP port 1100 on local.keekar.com.
The "-n" option tells ssh to associate standard input with /dev/null,
"-N" tells ssh to just set up the tunnel and not to prepare a command stream, and "-T" tells ssh not to allocate a pseudo-tty on the remote system.

These options are useful because all that is desired is the tunnel and no actual commands will be sent through the tunnel, unlike a normal SSH login session.

The "-R" option tells ssh to set up the tunnel as a reverse tunnel.

Now, if anything connects to port 1100 on the remote system, it will be transparently forwarded to port 1100 on the local system.

Please dont forgot to send me ur views abt this approach.

1 comment:

Anonymous said...

Hi Mukesh,

Mate you are a gem, you are just incredible, keep up the good work.

Coming to point, do we need any additional software to achieve this Secure Connectivity through SSH or the O/S (Unix & WIN2K3) will do the job, thanks.
TK (from Sydney, Austrlia)