Takeaway:
OpenSSH offers a suite of tools for secure client-server communication and enables you to create secure “tunnels” for any kind of client-server communication, including checking/sending e-mail or Web browsing. This How do I… introduces you to OpenSSH’s secure tunneling capabilities by demonstrating how the program can be used to create an encrypted tunnel for checking a POP3 mailbox.
This article is also available as a TechRepublic download.
OpenSSH
When logging into a remote system over the Internet, there’s always a danger that your password, if transmitted in plaintext, could be intercepted and misused by a hacker monitoring the byte-stream. Most users are well aware of this risk and mitigate it by using so-called “secure shell” programs, which encrypt the whole login session, credentials included, before anything is sent over the Internet. The most popular of these programs is OpenSSH, an OpenBSD project.
What many OpenSSH users don’t realize, however, is that the program doesn’t just give you an encrypted replacement for telnet sessions. It also offers a suite of tools for secure client-server communication and enables you to create secure “tunnels” for any kind of client-server communication, including checking/sending e-mail or Web browsing. Using these tunnels can significantly improve the security of your system, especially in environments where confidentiality is a key requirement.
This How do I… introduces you to OpenSSH’s secure tunneling capabilities by demonstrating how the program can be used to create an encrypted tunnel for checking a POP3 mailbox. It assumes a properly configured *NIX system and access to a remote POP3-compliant mailbox.
Step 1: Download and install OpenSSH
The first step, obviously, is to download and install OpenSSH. You can obtain the source code from the official OpenSSH Web site; flavors exist for a wide variety of platforms, and the files are digitally signed so that you can verify they have not been tampered with before you build them. This tutorial uses OpenSSH v4.3.
Once you’ve downloaded the package, decompress it into a temporary directory and execute the standard configure-make-install cycle:
shell> tar -xzvf openssh-4.3p2.tar.gz
shell> cd openssh-4.3p2/
shell> ./configure
shell> make
shell> make install
Step 2: Generate host keys and start the OpenSSH daemon
The final step in the installation process is the generation of host keys, which uniquely identify your particular system to the clients that connect to it. Each key comes as a pair, one private and one public, usually stored in files such as /etc/ssh_host_key and /etc/ssh_host_key.pub, respectively. The make install step generates them for you if they don’t already exist, one pair per key type, as the output below shows:
shell> make install
...
Generating public/private rsa1 key pair
Your identification has been saved in /etc/ssh_host_key
Your public key has been saved in /etc/ssh_host_key.pub
...
Generating public/private dsa key pair
Your identification has been saved in /etc/ssh_host_dsa_key
Your public key has been saved in /etc/ssh_host_dsa_key.pub
...
Generating public/private rsa key pair
Your identification has been saved in /etc/ssh_host_rsa_key
Your public key has been saved in /etc/ssh_host_rsa_key.pub
Once the keys have been generated, start the OpenSSH daemon by executing the sshd binary (as the super-user):
shell> /sbin/sshd
Verify that the service is running by opening a telnet connection to port 22:
shell> telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.99-OpenSSH_4.3
Step 3: Create a secure tunnel to your POP3 server
Let’s now assume that your local system is named localbox and the system hosting your target POP3 mailbox is named remotebox. The next step is then to create an encrypted SSH tunnel between an unused port on localbox and port 110 (the standard port for POP3 connections) on remotebox. This process is referred to as TCP forwarding (more precisely, local port forwarding, set up with the -L option), and it’s fairly easy to do with OpenSSH; simply run the following command:
shell> ssh -L 2110:localhost:110 remotebox
root@remotebox's password: ****
Translated into English, this says “listen on unused port 2110 on localbox and forward every connection to it, through the SSH session, to POP3 port 110 on remotebox.” Note that the middle field of the -L argument is resolved by remotebox, not by your local system, which is why it reads localhost rather than remotebox: it means “port 110 on the machine I just logged into.” As a result of this command, all connection attempts to port 2110 on localbox are automatically encrypted and routed to port 110 on remotebox.
Now, if you opened a telnet connection to port 2110 on localbox, like this:
shell> telnet localbox 2110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK DPOP ready
Your connection would automatically be forwarded to port 110, the POP3 mail service, on remotebox, with the addition of high-quality encryption to ensure that no one can “eavesdrop” on the bytes flowing back and forth. Between localbox and remotebox the POP3 traffic travels inside the SSH session; the final hop, from sshd to the POP3 service, stays on remotebox itself and never crosses the network.
Two important points to note in this context: If you choose a local port below 1024 (a privileged port), you must run ssh with superuser privileges to forward ports in this manner. Also, you should not attempt to use a local port number that is already in use; ssh will report that it cannot bind the port, and the login will proceed without the tunnel.
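Before pointing the mail client at port 2110 (Step 4), it is worth checking the local end of the tunnel the way the telnet session above does, but without ever typing a password. The script below is an added example and not part of the original article: pop3_probe reads the POP3 greeting from a host and port, sends no credentials, and refuses any host that is not a loopback address, so the mail password can only ever be handed to the tunnel end; fake_pop3_server is a hypothetical, constructed stand-in for the forwarded service so that the script runs without an SSH session.

```python
import socket
import threading

# Constructed sample greeting, mirroring the "+OK DPOP ready" shown above.
POP3_BANNER = b"+OK DPOP ready\r\n"

def is_loopback(host):
    """True only if every address host resolves to is a loopback address."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return False
    addrs = [info[4][0] for info in infos]
    return bool(addrs) and all(a.startswith("127.") or a == "::1" for a in addrs)

def pop3_probe(host, port, timeout=3.0):
    """Connect to the tunnel's local end and return the POP3 greeting line.
    Sends no credentials; rejects a non-loopback host outright so the mail
    password can never be pointed straight at remotebox by mistake."""
    if not is_loopback(host):
        raise ValueError("%r is not a loopback address; refusing to use it" % host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        line = sock.makefile("rb").readline()
    banner = line.decode("ascii", "replace").rstrip("\r\n")
    if not banner.startswith("+OK"):
        raise RuntimeError("unexpected POP3 greeting: %r" % banner)
    return banner

def fake_pop3_server():
    """Hypothetical stand-in for the forwarded POP3 service: answers one
    connection on an ephemeral loopback port with the greeting, then closes,
    so the probe can be exercised without a real ssh tunnel. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(POP3_BANNER)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = fake_pop3_server()
    print("tunnel end answered:", pop3_probe("127.0.0.1", port))
```

With a real tunnel in place, call pop3_probe("localbox", 2110) instead of the fake server; a ValueError means the client would be talking to something other than the tunnel end.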
Step 4: Change your POP3 client settings
Once you’ve got the secure tunnel working, you need to tell your mail client about the changes. Pre-tunnel, your mail client probably connected directly to remotebox to retrieve e-mail — an insecure connection that had your mail password traveling down the wire in an unencrypted format. Your client settings might have looked like this:
Server: remotebox
Port: 110
User: john
Password: guessme
Post-tunnel, your mail client should be reset to connect directly to port 2110 on your local system, with OpenSSH taking care of forwarding the connection to the remote server and encrypting it along the way. Your new settings might look like this:
Server: localbox
Port: 2110
User: john
Password: guessme
And that’s about it! You should now have a secure tunnel between your mail client and your mail server, with no danger of your password and data being visible to anyone watching the network between the two machines. Obviously, this is just one example; you can just as easily set up OpenSSH to encrypt SMTP, FTP, IRC or any other client-server connections, or even to create encrypted tunnels through firewalls. Try it out for yourself or read more in the OpenSSH manual. Have fun!