OpenSSH: SSH Tunnel on Demand
Note: The author is not responsible for any harm that has been directly or indirectly caused using this document. Use this information at your own risk.
Introduction
SSH tunnels send TCP/IP data over a secure network connection. SSH tunnels are usually managed manually. This document is about the setup and teardown of SSH tunnels on demand using [x]inetd. This document was inspired, translated, and derived from Achim Settelmeier's HOWTO: SSH-Tunnel on demand (see References below).
Since [x]inetd establishes the SSH connection, this method is great for NNTP, POP3, IMAP, SMTP, IRC, and more. However, HTTP would probably be too slow to be useful.
SMTP will be used as an example for the rest of this document.
Requirements
First, you will need a user account on the SSH server and the SMTP server. Then, you will need to set up public key authentication for the SSH tunnel. The SSH server does not have to be the one providing SMTP service, but it should be on the same side of the firewall as the SMTP server. This configuration is for OpenSSH using protocol version 2. Other SSH implementations may differ in configuration.
    local              |        ssh_server          smtp_server
      H                |            H                    |
      +================|============+--------------------+
                       |
                    firewall

    === SSH tunnel (encrypted)
    --- Normal connection (unencrypted)
You will need the program netcat (nc) on the SSH server. On the local side, you will need xinetd (preferred) or inetd.
Public Key Authentication
SSH has the ability to authenticate using the RSA or DSA algorithms. On the local machine, the ssh-keygen command creates key pairs. The private key is stored in $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa and the public key is stored in $HOME/.ssh/id_dsa.pub or $HOME/.ssh/id_rsa.pub. Next, the public key is added to $HOME/.ssh/authorized_keys on the SSH server. The user can now log in to the SSH server without giving a password. The ssh manpage has more information about how public key authentication works.
The first step is to generate the key pair. Use the following command on the local machine (the -f path is taken relative to the current directory, so run it from within $HOME/.ssh):
ssh-keygen -t dsa -f smtptunnel -N ""
This will generate a DSA key pair and store it in $HOME/.ssh/smtptunnel and $HOME/.ssh/smtptunnel.pub. The -N "" option sets a blank passphrase for this key pair. The passphrase must be blank because [x]inetd will not give the user an interactive SSH session; therefore, the user will not be able to enter the passphrase.
Note: If there is a way to get this to work with an authentication agent, please contribute.
Now transfer the smtptunnel.pub file to the SSH server and store it in $HOME/.ssh/. The smtptunnel.pub file should be appended to $HOME/.ssh/authorized_keys on the SSH server.
Now an SSH connection can be established without a password. This can be tested using the following command on the local machine:
ssh ssh_user@ssh_server -i $HOME/.ssh/smtptunnel
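Because the smtptunnel key has no passphrase, the entry on the SSH server should allow nothing but the tunnel. The following shell helper is an added example and not part of the original HOWTO: it turns smtptunnel.pub into a restricted authorized_keys line using the standard sshd(8) options. It assumes the server-side tunnel command is "nc smtp_server 25" and that connections come from the local machine's address; both are placeholders to adjust.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO. The smtptunnel key has no
# passphrase, so anyone who can read the private key file can authenticate
# with it. The authorized_keys entry on the SSH server should therefore
# allow nothing but the tunnel: a forced command (assumed here to be
# "nc smtp_server 25", a placeholder), no pty, no forwarding, and only
# from the local machine's address. These are standard sshd(8)
# authorized_keys options.

# restrict_key PUBFILE FORCED_CMD FROM_PATTERN
# Print one restricted authorized_keys line for the public key in PUBFILE.
restrict_key() {
    pubfile=$1
    forced_cmd=$2
    from_pattern=$3
    # sshd delimits option values with double quotes; a quote inside the
    # command or pattern would end the option early, so refuse it.
    case "$forced_cmd$from_pattern" in
        *\"*) return 1 ;;
    esac
    # A .pub file is exactly one "<type> <base64> [comment]" line.
    if [ "$(wc -l < "$pubfile" | tr -d ' ')" -gt 1 ]; then
        return 1
    fi
    # Split that line into fields without letting the shell glob-expand them.
    set -f
    set -- $(cat "$pubfile")
    set +f
    if [ $# -lt 2 ]; then
        return 1
    fi
    keytype=$1
    keydata=$2
    shift 2
    comment=${*:-smtptunnel}
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s %s %s\n' \
        "$from_pattern" "$forced_cmd" "$keytype" "$keydata" "$comment"
}

# On the SSH server, after copying smtptunnel.pub into $HOME/.ssh/
# (192.0.2.10 stands in for the local machine's address):
#   restrict_key "$HOME/.ssh/smtptunnel.pub" "nc smtp_server 25" "192.0.2.10" \
#       >> "$HOME/.ssh/authorized_keys"
```

With this entry in place, the test command above still connects, but the session runs only the forced command and a shell request is not honoured.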
References
- Achim Settelmeier's HOWTO: SSH-Tunnel on demand
- sshd manpage
- ssh manpage
Credits