Restricting Shell for only SCP/SFTP


If you have a server and only want to let users copy files over SFTP, without giving them a shell, one way is rssh, a restricted shell for use with OpenSSH that allows only scp and/or sftp (and, optionally, cvs, rdist and rsync). Note that rssh has not been maintained for years; on a current OpenSSH the same effect is achieved without a third-party shell, with a Match block in sshd_config that sets ForceCommand internal-sftp (usually together with ChrootDirectory), and that is the better option for a new setup.

To install rssh (Debian/Ubuntu):

$ apt-get install rssh

By default rssh allows nothing. To allow only sftp, edit /etc/rssh.conf:

$ nano /etc/rssh.conf

Uncomment the allowsftp line. Leave the other protocols commented out unless you actually need them; each one you enable is another program, with its own command-line surface, that the user gets to drive through rssh’s filtering:

#allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync

To restrict a user to SFTP, make rssh that account’s login shell in /etc/passwd. (Setting it with usermod -s /usr/bin/rssh, or chsh, gives the same result and also checks that the shell is listed in /etc/shells; the Debian package registers it there, so if usermod refuses the shell, add it to that file.)

$ nano /etc/passwd

The last field of the entry is the shell; for example

ftp:x:100:100::/home/ftp:/usr/bin/rssh

Check the result from another machine: a plain ssh login as that user should be refused with rssh’s message, while sftp to the same account works.
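A small audit to confirm what the steps above produced, added here as an example; it is not part of rssh or of the original post. The passwd and rssh.conf contents are constructed samples, and the shell path and config location are the Debian ones used above; pass the real file contents to audit() to check a live system.

```python
"""Check an rssh setup: which accounts are locked to rssh, and which transfer
protocols /etc/rssh.conf really enables, so nothing beyond sftp slipped in.
Added example for this page, not part of rssh. The passwd and rssh.conf
contents are constructed samples; pass real file contents to audit()."""

RSSH_SHELL = "/usr/bin/rssh"
PROTOCOLS = ("allowscp", "allowsftp", "allowcvs", "allowrdist", "allowrsync")


def rssh_users(passwd_text):
    """Login names whose shell field is rssh."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6].strip() == RSSH_SHELL:
            users.append(fields[0])
    return users


def enabled_protocols(conf_text):
    """allow* keywords that are in force, i.e. not commented out."""
    enabled = set()
    for line in conf_text.splitlines():
        keyword = line.split("#", 1)[0].strip()
        if keyword in PROTOCOLS:
            enabled.add(keyword)
    return enabled


def audit(passwd_text, conf_text, intended=("allowsftp",)):
    """Users restricted by rssh, plus any protocol enabled beyond `intended`.
    scp, rsync, cvs and rdist each expose a different program and option
    surface that rssh has to filter, so every extra keyword widens what a
    'transfer only' account can really do."""
    extra = enabled_protocols(conf_text) - set(intended)
    return {"rssh_users": rssh_users(passwd_text), "unexpected": sorted(extra)}


# Constructed samples: two rssh accounts, and a config where someone later
# enabled rsync on top of sftp.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:x:100:100::/home/ftp:/usr/bin/rssh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:1001:1001::/home/backup:/usr/bin/rssh
"""

SAMPLE_CONF = """\
# constructed /etc/rssh.conf
#allowscp
allowsftp
#allowcvs
#allowrdist
allowrsync
"""

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_CONF))
```

Against the samples it reports ftp and backup as rssh users and flags allowrsync as enabled beyond what was intended; on a real host, run it with the contents of /etc/passwd and /etc/rssh.conf.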

Surfing the Web using SSH Tunnel


Sometimes you are on a network you do not control or trust, such as a public WiFi hotspot, or you are simply browsing from work. In those situations you may want to keep the local network from seeing what you are browsing. One way is to open an SSH tunnel to a machine you trust and have the browser use it as a SOCKS proxy: everything between your computer and the SSH server is then carried inside SSH. Be clear about what this does and does not cover: the SSH server, and every hop beyond it, still sees the traffic in the clear unless the site itself uses HTTPS, and the local network can still see that you are talking to the SSH server.

The first requirement is a remote host running an SSH server, e.g. a box at home running OpenSSH. Then you need an SSH client on the local machine; on Windows you can use PuTTY.

Establish an SSH tunnel using PuTTY:

Create a new PuTTY session

Run PuTTY and create a new session for the remote host: fill in the hostname and the port (usually 22), and make sure the connection type is SSH.

[Screenshot: PuTTY Session]

Configure the Secure Tunnel

Click on “Tunnels” in the left panel to set up dynamic forwarding on a local port. Under “Add new forwarded port” type the port number (e.g. 4080) as the source port, leave the destination blank, select Auto and Dynamic, then click the “Add” button. You should see D4080 listed in the “Forwarded ports” box. PuTTY binds this port to the loopback interface, so only programs on your own machine can use the proxy.

[Screenshot: PuTTY Tunnel]

Establish an SSH tunnel on Linux:

Use the following command:

$ ssh -D 4080 username@remote_host_server

The tunnel exists for as long as that SSH session stays open. By default the SOCKS listener binds to 127.0.0.1 only, so other machines on the local network cannot use it.

Configuring Your Web Browser:

To use the SSH tunnel as a SOCKS proxy, change the connection settings in the browser.

In the Firefox Connection Settings:

  • Check “Manual Proxy Configuration”
  • Fill in 127.0.0.1 for the “SOCKS Host” and 4080 for “Port”
  • Check “SOCKS v5”
  • Check “Proxy DNS when using SOCKS v5”; without it Firefox resolves hostnames through the local network’s DNS, which reveals every site you visit even though the page data itself goes through the tunnel

[Screenshot: Firefox Proxy Settings]

With that in place, your browser traffic (DNS lookups included, if remote DNS is enabled) leaves your machine only inside the SSH connection, and the local network sees nothing but an SSH session to your server.
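What the browser actually sends to the listener that ssh -D opens is a short SOCKS5 exchange, and the detail that matters for privacy is whether the destination crosses as a hostname or as an IP address the browser already resolved locally. The following is an added example, not part of OpenSSH or of the original post: the client side of that exchange, plus a constructed stand-in for the ssh listener so the two sides can be run offline over a socket pair. The allow rule and the fake server’s replies are assumptions for illustration; the message formats follow RFC 1928.

```python
"""SOCKS5 CONNECT handshake as a browser speaks it to the listener that
`ssh -D 4080` opens. Added example for this page, not OpenSSH code. The
destination goes across as a hostname (ATYP 0x03), so the name is resolved at
the SSH server end rather than by the local resolver; that is what Firefox's
"Proxy DNS when using SOCKS v5" turns on. The fake server is a constructed
stand-in for ssh so the exchange can be run offline."""

import socket
import struct
import threading

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def recv_exact(sock, n):
    """Read exactly n bytes; recv() may legitimately return fewer."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS handshake")
        buf += chunk
    return buf


def connect_request(host, port):
    """CONNECT request that carries the hostname instead of a resolved IP."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return (struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN)
            + bytes([len(name)]) + name + struct.pack("!H", port))


def read_reply(sock):
    """Parse the server reply; return (reply_code, bound_address, bound_port)."""
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", recv_exact(sock, 4))
    if ver != SOCKS_VERSION:
        raise ConnectionError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        addr = socket.inet_ntoa(recv_exact(sock, 4))
    elif atyp == ATYP_DOMAIN:
        addr = recv_exact(sock, recv_exact(sock, 1)[0]).decode()
    elif atyp == ATYP_IPV6:
        addr = socket.inet_ntop(socket.AF_INET6, recv_exact(sock, 16))
    else:
        raise ConnectionError("unknown address type %d" % atyp)
    return rep, addr, struct.unpack("!H", recv_exact(sock, 2))[0]


def socks5_connect(sock, host, port):
    """Negotiate no-auth SOCKS5 on an open socket and ask for host:port.
    Returns the reply code; 0 means the socket now carries application data."""
    sock.sendall(struct.pack("!BBB", SOCKS_VERSION, 1, NO_AUTH))  # greeting, 1 method
    ver, method = struct.unpack("!BB", recv_exact(sock, 2))
    if ver != SOCKS_VERSION or method != NO_AUTH:
        raise ConnectionError("proxy rejected no-auth SOCKS5")
    sock.sendall(connect_request(host, port))
    return read_reply(sock)[0]


def fake_socks_server(sock, allow):
    """Constructed stand-in for the ssh -D listener: records the destination the
    client asked for and answers 0 (ok) or 2 (not allowed by ruleset)."""
    recv_exact(sock, 3)                                   # greeting
    sock.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
    hdr = recv_exact(sock, 4)
    if hdr[3] != ATYP_DOMAIN:                             # a leaked local lookup
        raise ConnectionError("client resolved the name locally")
    name = recv_exact(sock, recv_exact(sock, 1)[0]).decode()
    port = struct.unpack("!H", recv_exact(sock, 2))[0]
    rep = 0 if allow(name, port) else 2
    sock.sendall(struct.pack("!BBBB", SOCKS_VERSION, rep, 0, ATYP_IPV4)
                 + socket.inet_aton("0.0.0.0") + struct.pack("!H", 0))
    return name, port


def demo(host="example.com", port=443, allow=lambda h, p: p == 443):
    """Run client and fake server over a socketpair.
    Returns (reply_code, (host, port) the server saw)."""
    client, server = socket.socketpair()
    seen = {}

    def serve():
        try:
            seen["dest"] = fake_socks_server(server, allow)
        finally:
            server.close()

    worker = threading.Thread(target=serve)
    worker.start()
    rep = socks5_connect(client, host, port)
    worker.join()
    client.close()
    return rep, seen["dest"]


if __name__ == "__main__":
    code, dest = demo()
    print("asked for %s:%d -> %s" % (dest[0], dest[1], REPLY_TEXT[code]))
```

The fake server refuses anything that arrives as an IP address, which is exactly the leak the Firefox setting closes: with remote DNS off, the request would carry ATYP 0x01 and a locally resolved address, and the lookup would already have gone out over the untrusted network.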

SSH through HTTP Proxies


A couple of days ago my office put in a new firewall that blocks almost all incoming and outgoing traffic, including SSH, which cut me off from my Linux server. The only thing still reachable was the web, through an HTTP proxy that filters content and requires credentials. Fortunately that is enough to build a tunnel and carry an SSH connection inside HTTP.

To build the HTTP tunnel I used GNU httptunnel, which does the work of wrapping a TCP stream in HTTP requests. A Windows binary is available as well.

Setting up the tunnel

On the home computer (server):

Install the GNU HTTP Tunnel with the following command:

$ apt-get install httptunnel

Start the HTTP Tunnel server:

$ hts --forward-port localhost:22 8080

Here hts accepts HTTP requests on port 8080, unwraps the SSH stream and forwards it to port 22, the SSH server. Port 8080 must be reachable from the office proxy, so forward it on the home router as well. httptunnel itself adds no encryption or authentication; the protection comes entirely from the SSH session running inside it.

On the office computer (client):

Start the HTTP Tunnel client:

$ htc --forward-port 900 --proxy OfficeProxy:8080 HomeComputer:8080

Here htc listens on local port 900 for the SSH client and carries whatever arrives there to the home computer, through the office proxy, as HTTP requests; the replies carry the data back. Port 900 is a privileged port, so htc has to run as root to bind it; any port above 1024 works just as well, as long as the ssh command below uses the same one.

If the proxy requires authentication, add --proxy-authorization username:password to the htc command line. Be aware that command-line arguments are visible to every local user through ps, so do this only on a machine you control.

Finally, connect with ssh to the local end of the tunnel. The port goes in the -p option (ssh does not accept host:port):

$ ssh -p 900 username@localhost

The host key ssh shows on the first connection is stored under [localhost]:900. Compare its fingerprint with the home server’s before accepting it: the proxy operator sits in the path of this connection and could otherwise impersonate the server.

For information: Punching holes into firewalls
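Added example, not part of GNU httptunnel or of the original post: where the office proxy permits the HTTP CONNECT method (most allow it to port 443 only), the SSH client can go through it without a separate tunnel daemon, using the script below as an OpenSSH ProxyCommand. It differs from htc, which hides the stream inside ordinary GET/POST requests; here the proxy knowingly opens a raw tunnel, so sshd at home has to listen on 443 (or the home router forwards 443 to 22). The proxy password is taken from an environment variable (HTTP_PROXY_AUTH, a name chosen for this example) rather than the command line, and the picky_proxy policy is a constructed stand-in so the exchange can run offline.

```python
"""CONNECT-based ProxyCommand: carry SSH through an HTTP proxy. Added example,
not part of GNU httptunnel. picky_proxy is a constructed proxy policy."""

import base64
import os
import select
import socket
import sys
import threading


def connect_request(host, port, auth=None):
    """Build the CONNECT request; auth is 'user:password' or None."""
    lines = ["CONNECT %s:%d HTTP/1.1" % (host, port), "Host: %s:%d" % (host, port)]
    if auth:
        lines.append("Proxy-Authorization: Basic " + base64.b64encode(auth.encode()).decode())
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def read_headers(sock):
    """Read up to the blank line one byte at a time: a buffered reader could
    swallow the start of the tunnelled stream (the SSH banner), which the
    proxy forwards immediately behind its own response."""
    buf = b""
    while not buf.endswith(b"\r\n\r\n"):
        byte = sock.recv(1)
        if not byte:
            raise ConnectionError("peer closed before the end of headers")
        buf += byte
        if len(buf) > 65536:
            raise ConnectionError("oversized header block")
    return buf


def proxy_status(headers):
    """Numeric status code from the proxy's response headers."""
    status = headers.split(b"\r\n", 1)[0]
    if not status.startswith(b"HTTP/"):
        raise ConnectionError("proxy did not answer with HTTP: %r" % status)
    return int(status.split()[1])


def open_tunnel(proxy_host, proxy_port, host, port, auth=None):
    """Return a socket whose far end is host:port, reached through the proxy."""
    sock = socket.create_connection((proxy_host, proxy_port))
    sock.sendall(connect_request(host, port, auth))
    code = proxy_status(read_headers(sock))
    if code != 200:
        sock.close()
        raise ConnectionError("proxy refused CONNECT: HTTP %d" % code)
    return sock


def relay(sock):
    """Shuttle bytes between stdin/stdout and the tunnel (POSIX select on stdin)."""
    stdin = sys.stdin.fileno()
    while True:
        ready, _, _ = select.select([sock, stdin], [], [])
        if sock in ready:
            data = sock.recv(65536)
            if not data:
                return
            sys.stdout.buffer.write(data)
            sys.stdout.buffer.flush()
        if stdin in ready:
            data = os.read(stdin, 65536)
            if not data:
                return
            sock.sendall(data)


def picky_proxy(request):
    """Constructed proxy policy: Basic auth required, CONNECT only to port 443."""
    if b"Proxy-Authorization: Basic " not in request:
        return (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                b'Proxy-Authenticate: Basic realm="office"\r\n\r\n')
    if not request.split(b" ", 2)[1].endswith(b":443"):
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return b"HTTP/1.1 200 Connection established\r\n\r\n"


def negotiate_offline(responder, host, port, auth=None):
    """Run the CONNECT exchange against a fake proxy over a socketpair.
    Returns (status code, the request bytes the proxy received)."""
    client, server = socket.socketpair()
    seen = {}
    def proxy():
        try:
            seen["request"] = read_headers(server)
            server.sendall(responder(seen["request"]))
        finally:
            server.close()
    worker = threading.Thread(target=proxy)
    worker.start()
    client.sendall(connect_request(host, port, auth))
    code = proxy_status(read_headers(client))
    worker.join()
    client.close()
    return code, seen["request"]


if __name__ == "__main__":  # usage: connect.py PROXY_HOST PROXY_PORT TARGET_HOST TARGET_PORT
    ph, pp, th, tp = sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4])
    relay(open_tunnel(ph, pp, th, tp, os.environ.get("HTTP_PROXY_AUTH")))
```

To use it from the office: export HTTP_PROXY_AUTH=username:password, then ssh -o ProxyCommand='python3 connect.py OfficeProxy 8080 %h %p' -p 443 username@HomeComputer. The same host-key caution applies as with htc: the proxy is in the path, so verify the fingerprint the first time.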

Remote Desktop with SSH Tunneling


Remote Desktop lets you connect to your computer across the Internet from another computer. Once connected, you control it with your mouse and keyboard and see everything that happens on its screen, so you can get at your files, applications and e-mail while the machine stays at home or in the office.

Remote Desktop is very convenient, but it suffers from two flaws. Although the connection is encrypted (128-bit, in RDP’s own security layer), the client has no way to verify that it is talking to the genuine server, so an attacker in the path can impersonate it and read the session, including the credentials typed into it. And its default port, 3389, is blocked by the firewalls on most networks.

A solution to these flaws is to use Remote Desktop through a SSH tunnel.

SSH Server

The first requirement is to have an SSH server existing on your network. If you already have a Linux server like Ubuntu then you can install OpenSSH. However, if you only have computers with Windows then you can install copSSH.

Port Forwarding for SSH

To reach the SSH server from outside, forward TCP port 22 through the firewall and router to it. That exposes the SSH server to the whole Internet, so allow only the accounts that need it and prefer key authentication to passwords.

Enabling Remote Desktop

To enable Remote Desktop on Windows XP, right-click “My Computer” and select “Properties”. Under the “Remote” tab check the box “Allow users to connect remotely to this computer”. The account used for Remote Desktop must have a password set.

Connecting to the SSH Server

To connect to your SSH Server remotely requires knowledge of your public IP address. This can be checked easily using the website http://checkip.dyndns.org. If you are using an ISP that provides you with a dynamic IP address, then you can setup a free account with No-IP http://www.no-ip.com or DynDNS http://www.dyndns.com where they can provide you with a fully qualified domain name.

Installing/Configuring PuTTY

To open a SSH tunnel from the remote computer to your SSH server, you need to install PuTTY http://www.chiark.greenend.org.uk/~sgtatham/putty on the remote client computer. Open the application after installation is completed.

  1. Expand “SSH” under “Connection”, and then go to “Tunnels”.
  2. Under “Add new forwarded port:” enter a port number beside “Source port” e.g. 3390
  3. Beside “Destination” enter the Remote Desktop host’s computer name or local IP address together with the Remote Desktop port 3389, e.g. 192.168.1.10:3389, and click on the “Add” button.

[Screenshot: PuTTY tunnel settings]

Use a different Source port for each additional Remote Desktop host PC.

To reduce the bandwidth the session uses, click on “SSH” under “Connection” and check the box “Enable compression”.

[Screenshot: PuTTY SSH settings]

Click on “Session” and under “Host Name (or IP address)” enter the public IP address or fully qualified domain name of the SSH server PC. Enter a unique name in the “Saved Sessions” box and click on “Save”. Click on “Open” and log in to the SSH server with the appropriate user name and password. The first time PuTTY connects it shows the server’s host key fingerprint; compare it with the one on the SSH server before accepting.

[Screenshot: PuTTY session settings]

SSH Tunneling the Remote Desktop session

Once PuTTY is connected and you have logged on to the SSH server, the tunnel is up. On the client computer go to “Start” > “All Programs” > “Accessories” > “Communications” and select “Remote Desktop Connection”. In the “Computer:” textbox enter “localhost:3390” and click on the “Connect” button. PuTTY binds the forwarded port to the loopback interface, so 3390 is reachable only from the client machine itself, and the RDP session travels to the home network inside SSH.

[Screenshot: Remote Desktop Connection]
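To see the first of the two flaws for yourself rather than take it on faith, the added example below (not part of Remote Desktop, PuTTY or the original post) sends the X.224 connection request defined in MS-RDPBCGR and reports which security the server picks. Pointed at the tunnelled port (127.0.0.1, 3390) or directly at the host on the LAN, a bare Connection Confirm or selectedProtocol 0 means Standard RDP Security, where the client has no way to check the server’s identity; that is the case worth keeping inside the SSH tunnel. The three sample replies are constructed for the offline checks.

```python
"""Ask an RDP server which security it negotiates, with the X.224 Connection
Request from MS-RDPBCGR (section 2.2.1.1). Added example for this page, not
part of Remote Desktop or PuTTY. A bare Connection Confirm, or a response
selecting protocol 0, means Standard RDP Security: the session is encrypted
but the client never verifies who the server is."""

import socket
import struct
import sys

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2  # requestedProtocols bits
NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_TEXT = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}
SECURITY_NAME = {PROTOCOL_RDP: "standard", PROTOCOL_SSL: "tls", PROTOCOL_HYBRID: "nla"}


def connection_request(protocols=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ asking for TLS or NLA."""
    neg = struct.pack("<BBHI", NEG_REQ, 0, 8, protocols)     # RDP structures are little-endian
    x224 = bytes([6 + len(neg), 0xE0, 0, 0, 0, 0, 0]) + neg  # LI, CR code, dst-ref, src-ref, class
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224   # TPKT is big-endian


def parse_connection_confirm(data):
    """Decode the X.224 Connection Confirm into {'security': ..., 'detail': ...}
    where security is 'standard', 'tls', 'nla', 'unknown' or 'failure'."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("not a complete TPKT packet")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % code)
    neg = data[11:5 + li]                 # whatever follows the 6 fixed X.224 bytes
    if not neg:
        # Servers that predate the negotiation extension (Windows XP's Remote
        # Desktop among them) ignore RDP_NEG_REQ and answer with a bare confirm.
        return {"security": "standard", "detail": "server ignored RDP_NEG_REQ"}
    ntype, flags, length, value = struct.unpack("<BBHI", neg[:8])
    if length != 8:
        raise ValueError("bad negotiation structure length %d" % length)
    if ntype == NEG_RSP:
        return {"security": SECURITY_NAME.get(value, "unknown"),
                "detail": "selectedProtocol=%d flags=0x%02x" % (value, flags)}
    if ntype == NEG_FAILURE:
        return {"security": "failure", "detail": FAILURE_TEXT.get(value, "code %d" % value)}
    raise ValueError("unexpected negotiation type 0x%02x" % ntype)


def probe(host, port=3389, timeout=5.0):
    """Connect, send the request and decode the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(connection_request())
        head = s.recv(4, socket.MSG_WAITALL)           # TPKT header carries the total length
        total = struct.unpack(">H", head[2:4])[0]
        return parse_connection_confirm(head + s.recv(total - 4, socket.MSG_WAITALL))


# Constructed replies for the offline checks: a pre-negotiation server (bare
# confirm), a server selecting TLS, and one refusing anything but NLA.
BARE_CONFIRM = bytes.fromhex("0300000b06d00000123400")
TLS_SELECTED = bytes.fromhex("030000130ed0000012340002000800" "01000000")
NLA_REQUIRED = bytes.fromhex("030000130ed0000012340003000800" "05000000")

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 3390
    print(probe(host, port))
```

Run it as probe.py 127.0.0.1 3390 while the PuTTY session is open and the answer describes the XP machine at the far end of the tunnel. A “failure” with HYBRID_REQUIRED_BY_SERVER, by contrast, means the server insists on NLA and does authenticate itself; the tunnel is then about the blocked port rather than the missing server authentication.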

SSH Authentication with public-key


To create the private and public keys, type at the Unix prompt:

$ ssh-keygen

You can accept the default location. The keys are created in the directory:

/home/<username>/.ssh/

Inside this directory you will find two files, id_rsa (the private key) and id_rsa.pub (the public key); on OpenSSH 9.5 and later the default key type is Ed25519 and the files are named id_ed25519 and id_ed25519.pub instead. ssh-keygen also asks for a passphrase. Leaving it empty is convenient for automation, but it turns the private key into a bare credential: anyone who copies the file can log in as you. For an interactive account, set a passphrase and let ssh-agent hold the unlocked key for the session.

Log in to the remote server and create .ssh under the home directory. Make sure only the owner can access it:

$ ssh <remote username>@<remote hostname>
$ mkdir .ssh
$ chmod 700 .ssh

Back on your own machine, copy the public key into the remote .ssh directory (note the dot: the target is .ssh/, not ./ssh):

$ sftp <remote username>@<remote hostname>
sftp> put /home/<username>/.ssh/id_rsa.pub .ssh/

Log in to the remote server again and add the public key to authorized_keys. Appending keeps any keys already in the file (moving id_rsa.pub into its place would overwrite them). The file must be writable only by its owner:

$ ssh <remote username>@<remote hostname>
$ cd .ssh
$ cat id_rsa.pub >> authorized_keys
$ rm id_rsa.pub
$ chmod 600 authorized_keys

Next time you ssh to the remote server you should be logged in without being asked for the account password (only for the key’s passphrase, if you set one). If you still get a password prompt, check permissions first: sshd ignores authorized_keys when the home directory, .ssh or the file itself is writable by group or others. ssh-copy-id automates all of the steps above.
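Two things easily go wrong in the manual procedure: replacing an authorized_keys that already holds other keys, and permissions that make sshd silently ignore the file. The added example below (not OpenSSH code and not the original post’s; ssh-copy-id does this job for real) installs a key the careful way and checks the modes sshd’s StrictModes looks at. The sample key is constructed: a well-formed ssh-ed25519 line with made-up key bytes, so it grants access nowhere.

```python
"""Install a public key into an account's authorized_keys the way the post does
by hand, but appending instead of replacing the file and setting the permissions
sshd's StrictModes checks. Added example for this page, not OpenSSH code. The
sample key is constructed: a valid Ed25519 line whose 32 key bytes are made up."""

import base64
import os
import stat
import tempfile

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_public_key(line):
    """Validate 'type base64 [comment]'; return (type, blob, comment).
    The blob's first field is the key type again, so the two must agree."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("unsupported or malformed public key line")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:            # binascii.Error is a ValueError
        raise ValueError("key material is not valid base64") from exc
    tlen = int.from_bytes(blob[:4], "big")
    if blob[4:4 + tlen] != parts[0].encode():
        raise ValueError("key type inside the blob does not match the type field")
    return parts[0], blob, parts[2] if len(parts) == 3 else ""


def install_public_key(home, line):
    """Append the key to home/.ssh/authorized_keys, creating the directory and
    file with 0700/0600. Returns False if the same key is already present."""
    ktype, blob, _ = parse_public_key(line)
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)             # makedirs applies the umask; be explicit
    path = os.path.join(ssh_dir, "authorized_keys")
    if os.path.exists(path):
        with open(path) as fh:
            for old in fh:
                try:
                    otype, oblob, _ = parse_public_key(old)
                except ValueError:
                    continue             # comments, blanks, lines with options
                if (otype, oblob) == (ktype, blob):
                    return False
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as fh:
        fh.write(line.strip() + "\n")
    os.chmod(path, 0o600)
    return True


def strict_modes_problems(home):
    """What sshd's StrictModes (on by default) rejects: the home directory,
    .ssh or authorized_keys being writable by group or others."""
    ssh_dir = os.path.join(home, ".ssh")
    problems = []
    for path in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        if os.path.exists(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o022:
                problems.append("%s is group/world writable (%04o)" % (path, mode))
    return problems


def sample_key(comment="alice@laptop"):
    """Constructed ssh-ed25519 line: length-prefixed type, then a 32-byte key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def demo():
    """Install the sample key twice into a fresh temporary home. Returns
    (added first time, added second time, problems, authorized_keys mode)."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o755)
    first = install_public_key(home, sample_key())
    second = install_public_key(home, sample_key())
    mode = stat.S_IMODE(os.stat(os.path.join(home, ".ssh", "authorized_keys")).st_mode)
    return first, second, strict_modes_problems(home), mode


if __name__ == "__main__":
    print(demo())
```

On a real account, call install_public_key(os.path.expanduser("~"), open("id_rsa.pub").read()) on the server side, then strict_modes_problems on the same home; an empty list is what sshd needs to see before it will use the file.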
