SSH Forwarding

Thu 05 June 2008 by LrdShaper

I read a post last night in the ReadyNAS Forums asking about how to securely access the BitTorrent client web UI on a ReadyNAS from a remote location. I made a step by step guide in their forums on how to go about doing that thru SSH forwarding and I thought I should write it here as well.

This post attempts to give a step by step guide to accessing your home network securely from anywhere using SSH forwarding (an internet connection is a must, of course). For completion's sake, I will also be covering the steps on how to configure your linux machine to accept only public-key authentication (i.e. your private key, never a password) in this article.

There are always assumptions; this guide assumes that:
1) You have a linux machine connected to the internet thru your home network
2) You have OpenSSH already installed on your linux machine
3) You already have ssh access
4) Your router is configured to forward port 22 to the linux machine running OpenSSH
5) You're connecting to your linux machine remotely via a Windows PC/notebook (Connecting via Mac or linux is also possible but will not be covered here)
6) This article is aimed at ReadyNAS and NSLU2 (running uNSLUng firmware) owners but also applies to any linux machine

Great, then let's start

Install Putty and generate your own private keys
================================================
1) Download and install Putty on your PC (client)

2) Open Puttygen, click on the SSH-2 RSA radio button and click on Generate. You may change the Key comment to anything you want. It would help to be descriptive.

3) Enter a Key passphrase. Make sure it's a phrase and not a single word, and also make sure it's known only to you. Then click on Save private key. Now you have a private key; don't close Puttygen yet

Configure your login to use Public Keys
=======================================
1) SSH into your linux machine (let's call this ssh_server) using your favorite login

2) Create the .ssh directory

cd ~
mkdir .ssh
chmod 700 .ssh

3) Go back to Puttygen and copy the text in the box labelled "Public key for pasting into OpenSSH authorized_keys file". It will look something like:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAje3r9k2PV1TyDOAZ0E/bG4t+NNxeH3c8hJmA1ayaFboA0Y61bfnwKJaFh3eN8aCI7r5CgybTgPUP06KSb1mql2NR+m7L6rwtAnqrAUg9Kx6Ocr9zZ2DgCFnKlGnjte7rh8le05R8l+oThf3PQyvWu68sJUMtCW7P3Ka/ikwv7xM= rsa-key-20080605

4) Now in your SSH session create the authorized_keys file:

cd ~/.ssh
vi authorized_keys

Then paste the public key that you copied from Puttygen. The whole key must stay on a single line.

5) Close Puttygen and make sure the authorized_keys file is not accessible by anyone else

chmod 600 authorized_keys

6) DON'T CLOSE YOUR CURRENT SSH SESSION YET! We still need to test the keys you created using Putty. Open a second Putty window, type in the ip address of your linux machine and choose SSH for the connection type. Go to Category-> Connection-> SSH-> Auth, then click on Browse and select the Private key you saved earlier. Now click on Open and try to log in. You should be prompted with something like:

login as: root
Authenticating with public key "root@Corinthian"
Passphrase for key "root@Corinthian":

Now type in the passphrase you entered in Puttygen and you should be logged in. Hooray!

7) Then we need to edit sshd_config so that we prevent anyone from logging in without the private key

vi /etc/ssh/sshd_config

Look for the PasswordAuthentication option, uncomment it and make sure it looks like

PasswordAuthentication no

8) Reload the sshd_config so that the changes are applied:

/etc/init.d/ssh reload -- if using a ReadyNAS device or a machine running Debian
/opt/etc/init.d/S**sshd -- if using an NSLU2 running uNSLUng firmware (change ** accordingly)

NOTE THAT MAKING THE ABOVE CHANGES TO sshd_config WILL PREVENT ANYONE FROM LOGGING IN TO YOUR LINUX MACHINE VIA SSH INCLUDING YOURSELF! IF YOU LOSE YOUR KEYS YOU WILL HAVE NO WAY TO SSH INTO YOUR LINUX MACHINE (ReadyNAS users can do a firmware re-install to reset the sshd_config and NSLU2 users running uNSLUng can enable telnet via the Admin Page)
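Before you reload sshd and close that last session, it is worth confirming that the files really are in the state sshd expects. The script below is an added example, not part of the original post: it checks the authorized_keys permissions and single-line format from the steps above, and reads sshd_config the way sshd does (first uncommented occurrence of a keyword wins, commented-out keywords fall back to the default). It assumes POSIX sh with awk and a stat(1) that accepts -c (GNU or busybox), no Match blocks in sshd_config, and authorized_keys lines without option prefixes such as from="..." or command="...".

```shell
# Added example, not from the original post: checks to run on ssh_server after
# the steps above, to confirm the files really are in the state sshd expects.
# Assumptions: POSIX sh with awk and a stat(1) that accepts -c (GNU/busybox),
# no Match blocks in sshd_config, and authorized_keys lines without option
# prefixes such as from="..." or command="...".

# Print the effective value of a keyword in an sshd_config file.
# sshd takes the FIRST uncommented occurrence of a keyword, so a line you
# uncomment below an earlier active one changes nothing; keywords are
# case-insensitive. $1 = config file, $2 = keyword, $3 = value if absent.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        tolower($1) == "match" { exit }                  # stop at Match blocks
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Succeed only when password logins are off and public-key logins are on,
# the state the sshd_config edit above is meant to reach.
check_sshd_config() {
    ok=0
    pw=$(sshd_effective "$1" PasswordAuthentication yes)   # sshd default: yes
    pk=$(sshd_effective "$1" PubkeyAuthentication yes)     # sshd default: yes
    [ "$pw" = "no" ]  || { echo "PasswordAuthentication is '$pw', want no"; ok=1; }
    [ "$pk" = "yes" ] || { echo "PubkeyAuthentication is '$pk', want yes"; ok=1; }
    return "$ok"
}

# Check authorized_keys the way sshd will: .ssh mode 700, the file mode 600,
# and every key on ONE line. A key pasted with the line wraps a browser or
# terminal shows becomes junk lines that sshd silently ignores.
# $1 = path to authorized_keys.
check_authorized_keys() {
    file=$1; dir=$(dirname "$file"); ok=0
    [ "$(stat -c %a "$dir")" = "700" ]  || { echo "$dir is not mode 700"; ok=1; }
    [ "$(stat -c %a "$file")" = "600" ] || { echo "$file is not mode 600"; ok=1; }
    # valid line: key type, one base64 blob (optional = padding), optional comment
    bad=$(awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
               !/^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+\/]+=*( .*)?$/ { n++ }
               END { print n + 0 }' "$file")
    [ "$bad" -eq 0 ] || { echo "$bad line(s) in $file are not single-line keys"; ok=1; }
    return "$ok"
}

# Typical use on ssh_server:
#   check_sshd_config /etc/ssh/sshd_config && check_authorized_keys ~/.ssh/authorized_keys
```

Both functions print what is wrong and return non-zero, so they can gate the reload in step 8: fix whatever they report before you reload sshd and log out.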

Use SSH Forwarding to access your home network from any internet connected PC
=============================================================================
You can use SSH forwarding to forward ports to any ip on your home network.

Let's say your ssh_server also runs a web service like a bittorrent web UI listening on port 8082 that you want to access remotely:

1) Open up Putty and key in the remote ip of your router (or your router's dynamic dns name if you have one), then load the private key the same way you did when testing your key in Configure your login to use Public Keys above

2) Go to Category-> Connection-> SSH-> Tunnels

3) In Source port enter 8082, in Destination enter localhost:8082, select the Local radio button, then click on Add

4) Click on Open and login

5) Once you're logged in, open your favorite browser and type in http://localhost:8082 in the address bar. You should now see your bittorrent web client ;)

So what exactly happened? What we just did is tell Putty to listen on port 8082 on the client and carry everything sent to it through the SSH connection, where ssh_server delivers it to its own port 8082, which is where the bittorrent web UI is running.

But what if you want to access an svn repository that is running on a different server in your network? You can also access that by telling SSH to forward to a third host. Assuming your svn_server has an internal ip of 192.168.1.90 and is listening on the default port 3690:

Source port 3690, Destination 192.168.1.90:3690, Local
Then on your svn browser use svn://localhost to access your repository

It doesn't end there. You can use it for VNC, Remote Desktop Connection, and yes, even remote printing or mounting samba shares remotely.

Hope you find this useful. Cheers!
