SSH through HTTP Proxies


A couple of days ago my office implemented a new firewall which blocks almost all incoming and outgoing traffic, including SSH, which prevented me from accessing my Linux server. The only thing that was accessible was the internet through an HTTP proxy which implemented filtering capabilities and required credentials. Fortunately, with this I’m able to create a tunnel and encapsulate an SSH connection into HTTP.

To create an HTTP tunnel I chose to use the GNU HTTP Tunnel software, which does the work of encapsulating TCP into HTTP requests. For the Windows platform a binary version is also available.

Setting up the tunnel

On the home computer (server):

Install the GNU HTTP Tunnel with the following command:

$ apt-get install httptunnel

Start the HTTP Tunnel server:

$ hts --forward-port localhost:22 8080

Here the HTTP Tunnel server receives HTTP requests through port 8080, decapsulates and re-assembles the ssh stream and forwards it to port 22, the SSH server.

On the office computer (client):

Start the HTTP Tunnel client:

$ htc --forward-port 900 --proxy OfficeProxy:8080 HomeComputer:8080

Here the HTTP Tunnel client listens on port 900 for an SSH stream and establishes a TCP connection, through the HTTP proxy, that passes data back and forth to the home computer.

If the proxy requires authentication, add --proxy-authorization username:password to the htc command line.

Finally, to establish an SSH connection, run the following:

$ ssh -p 900 username@localhost

For more information: Punching holes into firewalls

Remote Desktop with SSH Tunneling


Remote Desktop enables you to connect to your computer across the Internet from another computer. Once connected, you can control your computer using the mouse and keyboard and see everything that’s happening on its screen. With this, you can access your files, applications, and e-mail while leaving your computer at home or in the office.

Remote Desktop is very convenient, but it suffers from two flaws. First, although the connection uses 128-bit encryption, it is still vulnerable to a man-in-the-middle attack in which the traffic can be decrypted along the way. Second, the default port of Remote Desktop is 3389, which in most circumstances is blocked by firewalls in the network.

A solution to these flaws is to use Remote Desktop through a SSH tunnel.

SSH Server

The first requirement is an SSH server on your network. If you already have a Linux server such as Ubuntu, you can install OpenSSH. If you only have Windows computers, you can install copSSH.

Port Forwarding for SSH

To access the SSH server from a remote location you need to do port forwarding on port 22 through any firewall and router.

Enabling Remote Desktop

To enable Remote Desktop on Windows XP, right click on “My Computer”, and select “Properties”. Under the “Remote” tab check the box “Allow users to connect remotely to this computer”. The Remote Desktop user will require a password associated with the account.

Connecting to the SSH Server

To connect to your SSH server remotely you need to know your public IP address. This can be checked easily using the website http://checkip.dyndns.org. If you are using an ISP that provides you with a dynamic IP address, you can set up a free account with No-IP http://www.no-ip.com or DynDNS http://www.dyndns.com, which can provide you with a fully qualified domain name.

Install/Configuring PuTTY

To open an SSH tunnel from the remote computer to your SSH server, you need to install PuTTY http://www.chiark.greenend.org.uk/~sgtatham/putty on the remote client computer. Open the application after installation is completed.

  1. Expand “SSH” under “Connection”, and then go to “Tunnels”.
  2. Under “Add new forwarded port:” enter a port number beside “Source port”, e.g. 3390.
  3. Beside “Destination” enter your computer name or computer local IP address along with the port for Remote Desktop 3389 e.g. 192.168.1.10:3389, and click on the “Add” button.

PuTTY screenshot 1

Use a different Source port for each additional Remote Desktop host PC.

To improve traffic performance, click on “SSH” under “Connection” and check the box “Enable Compression”.

PuTTY screenshot 2

Click on “Session” and under the “Host Name (or IP address)” enter the public IP address or a fully qualified domain name of the SSH server PC. Enter a unique name in the “Saved Sessions” window and click on “Save”. Click on “Open” and login to the SSH server with the appropriate user and password information.

PuTTY screenshot 3

SSH Tunneling the Remote Desktop session

A Remote Desktop connection through the SSH tunnel can be established once PuTTY is started and the user has logged on to the SSH server. On the client computer go to “Start” > “All Programs” > “Accessories” > “Communications” and select “Remote Desktop Connection”. In the “Computer:” textbox enter “localhost:3390”, and click on the “Connect” button.

Remote Desktop Connection screenshot

SSH Authentication with public-key


To create the private and public keys, type at the Unix prompt:

$ ssh-keygen

You can use the default location, and not use a passphrase. The keys will be created in the directory:

/home/<username>/.ssh/

Inside this directory you’ll find two files: id_rsa (the private key) and id_rsa.pub (the public key).

Log in to the remote server and create the ‘.ssh’ directory under the home directory. Ensure that only the owner has permissions on the directory.

$ ssh <remote username>@<remote hostname>
$ mkdir .ssh
$ chmod 700 .ssh

Go back to your host server and copy the public key to the remote server.

$ sftp <remote username>@<remote hostname>
sftp> put /home/<username>/.ssh/id_rsa.pub .ssh/

Log in to the remote server again and rename the public key to authorized_keys. Also ensure that only the owner has permissions on the file.

$ ssh <remote username>@<remote hostname>
$ cd .ssh
$ mv id_rsa.pub authorized_keys
$ chmod 600 authorized_keys

Next time you ssh to the remote server, you should be logged in automatically without needing to enter a password.
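The `mv id_rsa.pub authorized_keys` step above replaces any authorized_keys file that already exists on the remote server. The following is an added example, not part of the original post: a shell function (the name `install_pubkey` is hypothetical) that appends the uploaded key instead, refuses a private key passed by mistake, and applies the same 700 and 600 permissions.

```shell
#!/bin/sh
# Added example, not from the original post. Run on the remote server.
# Usage: install_pubkey id_rsa.pub "$HOME/.ssh"
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2
    auth_file="$ssh_dir/authorized_keys"
    key_line=

    # Read the first line only; read fails on a missing final newline
    # but still fills the variable, hence the second test.
    IFS= read -r key_line < "$pubkey_file" || [ -n "$key_line" ] || return 1

    # Accept only OpenSSH public-key lines. A private key passed by
    # mistake starts with "-----BEGIN" and is refused here.
    case $key_line in
        ssh-*\ *|ecdsa-*\ *|sk-*\ *) ;;
        *) echo "refusing: $pubkey_file is not a public key" >&2; return 1 ;;
    esac

    # Create directory and file owner-only from the start, then enforce
    # the modes the post sets (700 and 600) in case they already existed.
    ( umask 077; mkdir -p "$ssh_dir" && touch "$auth_file" ) || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file" || return 1

    # If the existing file lacks a final newline, add one so the new key
    # does not get glued onto the last existing key.
    if [ -s "$auth_file" ] && [ -n "$(tail -c1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi

    # Append only when this exact line is absent, so re-running is safe.
    if ! grep -qxF -- "$key_line" "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file"
    fi
}
```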

OpenSSH for Ubuntu Quickstart Guide


OpenSSH (Open Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol.

Installing OpenSSH for Ubuntu

From the Ubuntu desktop:

  1. Go to System > Administration > Synaptic Package Manager
  2. Search for “openssh-server” and “Mark for installation”
  3. Click on “Apply” to install

From the command line:

$ sudo apt-get install openssh-server

Configuration Files

The configuration files for OpenSSH are located in:

/etc/ssh

Disabling SSH Root Logins

Edit the /etc/ssh/sshd_config file and set the PermitRootLogin parameter to no.
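sshd keeps the first value it reads for a keyword, so adding `PermitRootLogin no` below an existing `PermitRootLogin yes` changes nothing. The following is an added example, not part of the original post, that reports the global value a given sshd_config file would yield; the function names are hypothetical, the sample configuration is constructed, and `Include` files are not followed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Print the global PermitRootLogin value found in the file "$1".
# Keywords are case-insensitive, "keyword=value" is accepted, the first
# occurrence wins, and settings inside Match blocks are conditional, so
# scanning stops at the first Match line. Include files are not followed.
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        { line = $0; sub(/^[ \t]+/, "", line) }    # trim leading blanks
        tolower(line) ~ /^match[ \t]/ { exit }     # global section ends
        tolower(line) ~ /^permitrootlogin[ \t=]/ {
            sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", line)   # drop keyword
            sub(/[ \t]+$/, "", line)                   # trim trailing
            print line; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeeds only when the effective global value is exactly "no".
# "unset" fails too: sshd then uses its built-in default, which is not "no".
check_root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sample: the trailing "no" is ignored because "yes" is first.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PermitRootLogin no
Port 22
PermitRootLogin yes
PermitRootLogin no
EOF
echo "effective PermitRootLogin: $(effective_permit_root_login "$sample")"
rm -f "$sample"
```

On a live host, `sudo sshd -t` checks the edited file for syntax errors and `sudo sshd -T` prints the configuration sshd itself resolves; restart the SSH service afterwards for the change to take effect.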
