Help teh SSH nub...
August 10, 2006 7:41 AM
I want to setup an SSH tunnel on OSX, but...
So I'm relatively ignorant of this type of thing. But here's the situation. I'm going to be accessing the Internet almost exclusively from coffee shops, university wifi networks and the like, so from what I understand the best way for me to make sure no one is snooping on the websites I'm browsing is to run an SSH tunnel.
I've googled it, yet I'm still a bit confused how to get things going. My machine is a Powerbook, and since I don't know of a secured remote host that I can SSH to, I was planning on setting up another machine (an older iMac) at a friend's house and tunneling through that.
Problem is I don't know how to properly set up the host machine, or the client machine. Can you help me? (Again, both machines will be running OSX.) Is this worth the trouble? Is it much trouble? Please walk me through this; most of the how-to pages I've looked at have left me scratching my head. Bonus points for explaining how to tunnel my AIM connection.
ssh imac -L 8080:imac:80
The iMac needs to have Apache's proxy server enabled, and you need to go to the Network pane of System Preferences and enter localhost and port 8080 as the HTTP proxy server.
You also need to enable port forwarding (port 22) on your friend's router.
This only covers HTTP traffic. If you use non-webmail email or chat, it gets complicated, and you need to set up a VPN rather than use SSH.
posted by cillit bang at 8:03 AM on August 10, 2006
host: System Preferences -> Sharing -> Services Tab -> Tick Remote Login
Make sure the ssh server is reachable from the net.
client: Open terminal and run the following command: ssh -D 1081 username@olderimacip
You now have a socks proxy running on your powerbook that will forward requests through the ssh tunnel to your friend's house.
You can configure any app that supports socks so that it uses the proxy with ip 127.0.0.1 and port 1081.
One problem: many apps including firefox will not use the socks proxy to resolve domain names, so people can still see the domains you go to (though not what you do there).
If that bothers you, you'll need to use an http proxy, like privoxy. Set privoxy up so that it uses your socks proxy, then configure firefox so that it uses privoxy.
If this is too much hassle, there are other alternatives.
Tor is very secure but also quite slow and a bit of a pain to set up.
JAP tends to be nice and fast and is very easy to use, but is less secure. There's no way the coffee shop will be able to see what your traffic is, but at one point the German government forced the universities that run it to install a backdoor to send out reports if certain sites were visited (child porn and nazi stuff iirc).
posted by Olli at 8:10 AM on August 10, 2006
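An added example (not from the thread or its posters) for Olli's setup: it builds the `ssh -D` SOCKS tunnel command and writes a Firefox `user.js` that turns on `network.proxy.socks_remote_dns`, Firefox's own preference for handing host names to the SOCKS proxy, which closes the domain-name leak Olli describes without needing privoxy. The user name, the host `olderimacip` and port 1081 are the placeholders from his post; the `user.js` file is assumed to go in the Firefox profile directory.

```shell
#!/bin/sh
# Added example, not from the thread: SOCKS tunnel command plus a Firefox
# user.js that routes DNS lookups through the proxy.

SOCKS_PORT=1081
REMOTE="username@olderimacip"   # placeholders from the thread

# Print the tunnel command. -N opens no remote shell; -D binds the SOCKS
# listener to 127.0.0.1 only, so nobody else on the coffee-shop wifi can
# relay traffic through your friend's machine.
socks_tunnel_cmd() {
    printf 'ssh -N -D 127.0.0.1:%s %s\n' "$1" "$2"
}

# Write Firefox prefs to the user.js at $1 for SOCKS port $2.
# socks_remote_dns=true is the setting that stops Firefox resolving
# host names on the local (snoopable) network before using the proxy.
write_firefox_userjs() {
    cat > "$1" <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", $2);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# Check an existing user.js: succeed only if remote DNS is enabled.
userjs_dns_leak_closed() {
    grep -q '"network.proxy.socks_remote_dns", true' "$1"
}

socks_tunnel_cmd "$SOCKS_PORT" "$REMOTE"
write_firefox_userjs "${TMPDIR:-/tmp}/firefox-user.js.sample" "$SOCKS_PORT"
userjs_dns_leak_closed "${TMPDIR:-/tmp}/firefox-user.js.sample" \
    && echo "user.js sends DNS through the SOCKS proxy"
```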
Unless you're only interested in connecting to one site via the tunnel, your friend will have to be running a proxy server on his machine. A SOCKS proxy server will take specially formatted, arbitrary requests and perform them on your behalf and then return the response to you. Dante is a pretty popular one, and there's even a Fink package for it (assuming your friend is running OS X also).
Now, let's assume the SOCKS server is set up on your friend's machine, running on port 8080. How do we use it? Well, what you need to do is tell your browser, your FTP client, your IRC client, etc to connect via the SOCKS server. If you check out the proxy settings of most popular web browsers then you'll notice a spot to enter SOCKS information.
If we just entered your friend's IP address and port number (8080) directly then we'd be no better off than when we started. Anyone in between would be able to snoop the SOCKS request. This is where the SSH tunnel comes in. What we do next is create a tunnel FROM our local machine on port 8080 TO your friend's machine on port 8080. Here's the syntax:
ssh -L 8080:localhost:8080 me@my.friends.machine.com
How does "8080:localhost:8080" break down? The first number is the port on the LOCAL machine to open up and forward. The second bit is the address to forward to, RELATIVE to the remote machine. Since we are trying to forward to the remote machine itself, this is "localhost". Finally, the last number is the port to use on the REMOTE machine.
Set up your browser, FTP client, etc to connect to the LOCAL machine on port 8080 and away you go.
Is this worth the trouble? Is it much trouble?
In my opinion, no. I'm a pretty paranoid guy myself, but there's just no reason (for me) to jump through all these hoops. How do I know that the remote machine's connection isn't being watched? Do I trust my friend to not snoop on me? Never mind what kind of statistics the website operators are keeping.
At some point you just have to let go. However, I am more cautious on wireless networks than I am wired. Make sure that before your submit any login information that you're using SSL (the little lock). Evaluate how important your communications are, and if you honestly care if anyone is watching. For example:
1) GMail authentication is secure, but after that it's open. Do you care if people see your email as you read it?
2) MetaFilter is insecure all around, not for login, not for browsing. If I'm snooping while you're reading threads on MF then that's all I need to impersonate you.
3) AOL IM is insecure everywhere. Do you care if people have your IM password? (note that Google Talk, however, is secure)
4) Authentication to TypePad is secure, but posting to your blog is not. But it's kind of silly to be picky about who reads your blog posts.
Also, it's worth pointing out that you might be opening your friend's machine to attack. He's now running extra software that has to be updated when security issues are found (and there are always security issues). He needs to make sure that it's properly restricted and that not just anyone can connect to the proxy. It's certainly a risk for him, and not one I'd take for my friends.
I'd look into seeing if your campus has a VPN already. Mine (UIUC) does and sometimes I use that when I need more security. And if you just absolutely can't live with some of the points I made above, then the easiest thing is to just stay off the wireless networks completely.
posted by sbutler at 8:16 AM on August 10, 2006
Unless you're only interested in connecting to one site via the tunnel, your friend will have to be running a proxy server on his machine
Not so. You can use the -D flag on ssh to run a SOCKS proxy on the client machine. No special setup (other than allowing remote login) is required on the server.
ssh -D 1080 user@host.example.com
Then set your Web browser to use localhost:1080 as a SOCKS proxy. For many Mac Web browsers, this is done through the Network system preferences pane. Firefox has its own proxy settings, however. Frankly it would probably be easiest (assuming you usually use Safari) to leave the Network prefs alone, set up Firefox to use the proxy, and use Firefox to surf when you're at an unsecure hotspot, rather than switching the proxy settings back and forth constantly.
Also, it's worth pointing out that you might be opening your friend's machine to attack.
This is actually true whether he's running a proxy server or not. Lots of people will be trying to get in through ssh. If his passwords are easily guessed, they may succeed. I suggest configuring ssh not to use passwords (rather it should use key pairs) and moving the port to something besides 222. However, do this after you get it working, otherwise you won't be sure why it's not working.
posted by kindall at 8:38 AM on August 10, 2006
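An added example (not from the thread) that audits an `sshd_config` for the hardening kindall recommends, key-pair login instead of passwords and a port other than 22. It reads the file the way sshd does (the first uncommented occurrence of a directive wins; an absent directive means the compiled-in default), and also checks `ChallengeResponseAuthentication`, which can let PAM prompt for a password even when `PasswordAuthentication` is off. The config path is an argument; the sample config at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config for password logins
# and the default port. Mac OS X of that era kept the file at /etc/sshd_config.

# sshd_setting <file> <Directive> <default>: effective value, lower-cased.
# sshd honours the FIRST uncommented occurrence of a keyword.
sshd_setting() {
    val=$(awk -v key="$2" '
        tolower($1) == tolower(key) { print tolower($2); exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# sshd_audit <file>: one line per finding; exit 0 only when clean.
sshd_audit() {
    cfg="$1"; rc=0
    if [ "$(sshd_setting "$cfg" PasswordAuthentication yes)" != no ]; then
        echo "PasswordAuthentication is on: set it to no and use key pairs"; rc=1
    fi
    # Keyboard-interactive via PAM can still ask for a password unless off.
    if [ "$(sshd_setting "$cfg" ChallengeResponseAuthentication yes)" != no ]; then
        echo "ChallengeResponseAuthentication is on: set it to no as well"; rc=1
    fi
    if [ "$(sshd_setting "$cfg" PubkeyAuthentication yes)" != yes ]; then
        echo "PubkeyAuthentication is off: set it to yes"; rc=1
    fi
    if [ "$(sshd_setting "$cfg" Port 22)" = 22 ]; then
        echo "Port is 22: move it (and forward that port on the router instead)"; rc=1
    fi
    return $rc
}

# Constructed sample config, not a real host's: the commented Port line
# does nothing, and the first PasswordAuthentication line is the one sshd uses.
SAMPLE="${TMPDIR:-/tmp}/sshd_config.sample"
cat > "$SAMPLE" <<'EOF'
# Port 2222
PasswordAuthentication yes
PasswordAuthentication no
EOF
sshd_audit "$SAMPLE" || echo "-> fix the findings above, then test logging in with a key"
```

Run the audit only after the tunnel already works, as kindall says, so a failed login can be traced to the config change rather than to the tunnel.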
moving the port to something besides 222
22. Sorry, my 2-finger got enthusiastic.
posted by kindall at 8:43 AM on August 10, 2006
Not so. You can use the -D flag on ssh to run a SOCKS proxy on the client machine. No special setup (other than allowing remote login) is required on the server.
Hey, when did that get added? That's kinda cool!
posted by sbutler at 9:15 AM on August 10, 2006
Response by poster: Thanks for the answers everyone. Things are working great now, and I actually feel like I understand it, ha.
posted by dead_ at 9:59 AM on August 10, 2006
SSH Tunnel Manager and a relatively cheap hosting company, something like UnixShell.com or Tektonic.net as a hosting plan. Though unixshell isn't selling anymore...
Basically, just buy a cheap, full access hosting plan, with ssh access, open up SSH Tunnel Manager, click the play button, enter your password and change your network location to one that points to your local machine (127.0.0.1) and the port you've configured in SSH Tunnel Manager.
Plus, those hosting plans are great ways to learn the ins and outs of system administration.
On preview: nice work, dead_
posted by Freen at 8:23 PM on August 10, 2006
Other than that it'd help if you told us what you've already tried doing, rather than us trying to draw up a list of step-by-step instructions, which'll be hard as we don't know how far you've got with things.
posted by edd at 7:52 AM on August 10, 2006