Tunnelling Using Secure Shell Protocol Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

SSH (Secure Shell) is a set of programs used for accessing a remote computer or an insecure network securely, like the Internet. It replaces the "Berkeley Services", which is insecure having the following commands: rsh, rlogin, rcp and applications like FTP and Telnet. [SSH.Com, 2003] It uses UNIX/LINUX command interface, where the user can login in using authentication and remotely control the network. [SearchSecurity.Com, 2005] It is made up of 3 parts:

"Transport Layer Protocol" which gives privacy, authentication and reliability of the server. This layer usually uses over TCP/IP connection to run but may even run over other dependable connection. It is given by SSH-TRANS.

"User Authentication Protocol" which will authenticate the user before connection to server. It is used over the transport layer. It is given by SSH-USERAUTH.

"Connection Protocol" divides the secure tunnel into many channels which are logical. It is used over the authentication protocol and is given by SSH-CONNECT. [Ylonen, Lonvick, 2006]

When connection of the transport later is made, the user sends out a service request. After the authentication of the user is completed, another service request is sent out. This lets coexistence of new protocols along with the ones given. There are many uses of the connection protocol. The most common use is providing a set up of an interactive SSH session and tunnelling/forwarding random ports of TCP/IP and connections of X11. [Ylonen, Lonvick, 2006]

When user sends data to a network through a computer, the SSH codes it automatically. When the recipient gets this coded data, SSH decodes it automatically. The user is not aware of the safe coding procedure of data in the connection to the network. The coding algorithm is modern and found in various applications in big companies which are mission-critical. [Barrett, Silverman, 2001]

SSH prevents any kind of security attacks on the data, like obtaining credit card numbers, passwords etc, changing data when it is being transferred between users, and faking addresses of networks or changing the connections to a server that is not real. [SSH.Com, 2003]

There are 2 versions of SSH. SSH-1 uses many coding algorithms which are patented (some expired) and it is exposed to a security hazard where data is inserted by a hacker in the stream of communication. SSH-2 is used in OpenSSH suite (version of connection tools of SSH - http://www.openssh.com/) which is an improvised version of SSH1 where there is no threat since it uses an advanced "key exchange" algorithm. Connections of SSH-1 are not supported by OpenSSH. [Red Hat Inc, 2005]


There is a client/server design, where the SSH program (server) allows or cancels any connections being received to the computer it has been installed on. The user runs SSH programs (client) on other systems and tries to make a communication to the SSH server, which is prevented from any changes. [Barrett, Silverman, 2001] Figure 1 below shows the basic architecture of SSH.

Fig 1. Basic Architecture of SSH [Media.Wiley.Com, 2003]

The process is:

Authentication is provided by the client to the SSH server. At the beginning of the connection, the user gets the "host key" of the server. This key cannot be imitated unlike an IP address.

The server verifies the authorization of the user to create connection to the SSH by checking the username and password or a "public key" which is presented to the client. The whole process is done in coding.

When the server validates the user and he/she is permitted and connection is made, the SSH session is started between user and SSH. Encrypted communications take place. [Media.Wiley.Com, 2003]

This client/server architecture allows users to have one authentication/authorization source, which lets them access the SSH service only and more authentication is required for the access to other services like intranet, email, etc. This single source allows them to access programs devoid of more usernames/passwords. [Media.Wiley.Com, 2003]


A. Security of Remote Login.

Users connect to their account on various computers from their computer, by first connect to their ISP and then, login in using the Telnet program. But, the information used to login in like the username and password is not secure because telnet transfers this information in plaintext format, which is readable and there is a chance of a security breach by someone. This problem does not occur if SSH is being used. Example; if the username goutami is used to log in on a host computer main.host.com, with ssh, this command used is:

$ ssh -l goutami main.host.com

The login details are coded/encrypted before it is being sent from the host machine through an encrypted connection. The user is then authenticated by the client and server logs the user in and then, the encrypted session starts between the two parties. The coding process that takes place in the connection s transparent. [Barrett, Silverman, 2001].The encryption is 128 bits, which makes any interrupt data in a connection difficult to decode. [RedHat.Com, 2005]

B. Security of File Transfer

When transferring a private file between two different logins in two different computers over a network (internet), usually email or transfer programs like FTP (File Transfer Protocol), rcp is used, but there is no security using them for transfers as anyone can interfere in the connection. To avoid this, the file is first encrypted using "PGP (Pretty Good Privacy)" program on the first account ([email protected]), then transfer to the second account ([email protected]) where it is decrypted. But this kind of process is strenuous and is not transparent. Files can be transferred securely using SSH with a "secure copy command" which is;

$ scp gfile [email protected]:

where gfile is the file name. This command is run on the firstaccount.com. scp coded the file when it is sent from firstaccount.com and decoded it when it is received by secondaccount.com [Barrett, Silverman, 2001]

C. Security for Execution of Remote Command

If the user is the administrator (system) and wants to run one command in all the systems (local area network - LAN), a Unix command /usr/ucb/w is used. If rsh is configured in the user's computer, then it can be used in the form of rsh daemon/service (rshd). Assuming there are 4 computers in the LAN - black, red, blue and yellow, the command (Shell Script) is:


for machine in black red blue yellow


rsh $machine /usr/ucb/w


The results of the command are sent as a plaintext through the LAN, which makes it insecure. Instead of using rsh, ssh can be used to give the following command:


for machine in black red blue yellow


ssh $machine /usr/ucb/w


Though the outputs are similar in both cases, the results and the command are coded when they are transferred and when connected to a system, authentication maybe required. [Barrett, Silverman, 2001]

D. Authentication

Having various passwords for accounts on different computers can be a problem when it comes to remembering them. Users make mistakes when entering the passwords wrong or in the wrong place. SSH uses "keys" as a method of authentication instead of passwords. Keys are defined as series of bits which forms an identity. There are 2 kinds: Public and Private keys. They are kept coded and often a passphrase is required to decode them. With the help of the keys and an authentication program, the user can be authenticated by SSH to all the system without the need to entering all the different passwords. The process is:

First, keep files ("public key files") in the accounts, which allows ssh, scp accessing the accounts.

Start ssh-agent program in the local computer.

Select keys that is required during login.

With ssh-add, enter the keys into agent which needs the passphrase of the key.

Now, the user has access to all the computers containing the public key files without needing a password. Before login out, end the ssh-agent command. [Barrett, Silverman, 2001]

Keys are generated using ssh-keygen. An example, given by SSH Communications Security Corp (www.ssh.com), is used to explain the setup. [SSH.Com, 2003] The terms used in this example:

RemoteHost = SSH server; RemoteUser = username of the user; LocalHost = computer with SSH Client;

1. In the configuration files in both remote (/etc/ssh2/sshd2_config) and local machine (/etc/ssh2/ssh2_config), the AllowedAuthorisation field should have the words "publickey", so that authorization of public key is possible.

AllowedAuthentications publickey


Local> ssh-keygen2

Generating 2048-bit dsa key pair

1 oOo.oOo.o

Key generated.

2048-bit dsa, [email protected], Wed Mar 22 2002 00:13:43 +0200

Passphrase :

Passphrase Again :

Private key saved to /home/user/.ssh2/id_dsa_2048_a

Public key saved to /home/user/.ssh2/id_dsa_2048_a.pub

3. When the passphrase is asked, a sequence of 20 or more characters should be entered. An .ssh2 directory is created by SSH-keygen2, when the authentication keys are stored in 2 files. One key is private which the user must not share and must be used along with passphrase (id_dsa_2048_a) and the other is a public key which can be shared (id_dsa_2048_a.pub). [SSH.Com, 2003]

E. Control of Access

To allow user to access another user's account for a definite use, SSH allows this access without showing or modifying the password of the user. [Barrett, Silverman, 2001]

F. Tunnelling/Port Forwarding

Applications using TCP/IP like ftp, telnet connection has increased security when SSH is used. "Port forwarding" or "Tunnelling" is a method which makes these connections go through SSH connection where all data being transferred is coded from beginning to end. It also allows these applications to go through firewalls in networks which are prevented otherwise. If user wants to connect to a network (example, b.white.com), which has a firewall that does not allow any connection to all especially the port for the network (example, port 20), from a system, he/she can use SSH protocol, which is allowed by the firewall since it is secured, through a port on the system (example, port 120) and create a connection between the 2 ports. The command for this is:

$ ssh -L 120:localhost:20 b.white.com

Once the connection is formed, data can be transferred between the network and the user's computer. [Barrett, Silverman, 2001]

G. Management

Secure management is maintained using SSH by allowing communication which is coded for any system or management. It also makes GUI (Graphic User Interface) connections secure, instead of using insecure programs like Telnet, etc. Authentication which is 2-factor based (public key and password) is provided by SSH for accessing management methods, because this kind of authentication prevents any security breech. SSH also lessens the costs and add simplicity for administrative purpose for system and device management. The advantages are:

Coded management.

Coded management of GUI with tunnelling.

Less cost.

Removes the need of "out-of-band" management networks.

Simple to use.

Authentication based on 2 factors. [Media.Wiley.Com, 2003]

H. Secure Services for Proxy

SSH is used to set up proxy services, which is used for accessing remote devices, systems and application in a secure and simple way. These proxies set up a secure traffic of web over networks like the Internet. It is also used for connecting to remote servers which is found in intra-networks with the help of HTTP (Hyper Text Transfer Protocol) tunnelling to the Internet with SSH. This provides security for the web and application when these servers are accessed. [Media.Wiley.Com, 2003]


For Windows:

WinSCP (http://winscp.net/) - which gives a graphical interface for transferring files securely.

Freeware SSH and SCP for Windows 9x, NT, ME, 2000 and XP  (http://www.jfitz.com/tips/ssh_for_windows.html)

SSH under Windows  (http://www.openssh.com/windows.html) - with OpenSSH.

PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/) - Free implementation of Telnet and SSH for Win32

CHAFFEE (http://bmrc.berkeley.edu/people/chaffee/winntutil.html) - Command-line only client

sshCE (http://www.movsoftware.com/products/sshce/sshce.htm)- SSH1 client for Windows CE with VT100/VT52 emulation

For Mac [except Classic OS (Operating System)]:

OpenSSH (http://www.openssh.com/)

Fugu (http://rsug.itd.umich.edu/software/fugu/) - Cocoa interface to SSH, SCP and SFTP.

MacCVSClient and SSH  (http://www.heilancoo.net/MacCVSClient/MacCVSClientDoc/ssh-osx.html) - Using the SSH protocol with MacCVSClient.

Version Control with CVS on Mac OS X  (http://developer.apple.com/internet/opensource/cvsoverview.html) [Cube Soft Networks, 2010]

Fig 2. Screenshot of SSH service after SSH software has been installed on windows [Media.Wiley.Com, 2003]


Tunnelling is the encrypted connection between two computers across an insecure network, like the Internet. [Flickenger, 2001]


Fig 3 Encrypted Tunnel (SSH2) [SSH.Com, 2003]

This allows users to check their email through any web service (DSL, Modem, Cable, etc) using the IP address securely. There is an authentication procedure for the connection between client and server and it maybe connected to a port number which is fixed, or the port number available is selected for tunnelling. [SSH.Com, 2003] Port forwarding is of 2 types:

Local: sends incoming data from a local port to a certain remote port

Remote: sends incoming data from a remote port to a local port. [SSH.Com, 2003]

To set up port forwarding, first SSH connection has to be set up. The process is explained using an example, originally illustrated by Rob Flickenger, where the user wants to read his/her email from a private computer using an email client like Microsoft Outlook. It can be done by configuring the email client but the connection is not secure. During data transfer, there is a chance that a hacker may intervene and collect the information or modify it. OpenSSH and SecureCT clients are used.

Step 1: Connection

In OpenSSH, the following command was entered: [Flickenger, 2001]

# ssh -L 110:mailhost:110 -l user -N mailhost

-L 110:mailhost:110 - this part of the command creates port forwarding. It request SSH to transfer mail from port 110 on the local computer to port 110 on the user's computer (remote).

mailhost - is the name of the mail server or its IP address

user - name of the user

port 110 - POP (Post Office Protocol) port of the email client.

-N - remote command should not be executed. [O'Brien, 2006]

In SecureCRT, a connection was created for the mail server. As seen in the screenshot 1 below (Fig. 4), ssh2 was selected for "Protocol". The name of the mail server or IP address was entered in "Hostname". [Flickenger, 2001]


Fig 4. Screenshot 1 [Flickenger, 2001]

Under the "Advanced" option, the "Port Forwarding" tab was selected. 110 was entered for "local port", mail host for "hostname" and 110 for "remote host". It was saved. (Fig 5) [Flickenger, 2001]

http://www.oreillynet.com/wireless/2001/02/23/graphics/scrt2.pngFig 5. Screenshot 2 [Flickenger, 2001]

Once the connection was made, the user entered his/her username and password and the tunnel was created.

Step 2: Configure

The email client needed to be configured for the user to receive emails through the correct "hostname" (localhost and not mailhost). Here, Netscape Communicator is used as the email client.

Under the "Preference" option, "Mail & Newsgroups Tree" was expanded and "Mail Servers" was selected. The current mail server for incoming mail was removed and new one was added. Under the "General" tab, localhost was typed for "Server Name". POP3 was selected for "Server Type" and OK was clicked. The email was now retrievable. (Fig 6) [Flickenger, 2001]


Fig 6: Screenshot 3[Flickenger, 2001]


It permits a computer outside a LAN to connect with a computer inside the LAN. The most common port forwarding is port 21 (FTP access) and port 80 (web servers). For tunnelling to happen, Mac (OS X) uses an ipfirewall (ipfw) which is pre-installed and Linux uses iptables. [TopBits.com, 2010]


One machine can use one port at a time.

Any machine can connect to the forwarded port, making the connection little insecure.

The technology is made in such a way that the end machine acknowledges the incoming data from a router and not the original computer that sends out the data. [TopBits.com, 2010]

Applications and Variations

It is majorly used in schools, offices, homes where computers are connected to a network (Internet) and port forwarding is done between these computers if they share the IP address. Unix systems encourage port forwarding since the root administrator only can access ports below 1024. The users generally forward the incoming data of a low number port to a higher one.

There are two basic variations of tunnelling. The "Double port forwarding" is a network of computers connected using many routers. Data from port of one router is forwarded to the other router which forwards to the host of the LAN. The "Reverse port forwarding" comprises a session server and client. Port is connected to the server and server is connected to the client with the server component. [TopBits.com, 2010]


VPN (Fig 7) is a network of computers which allows users to have access to a private network through a public network (Internet). The information from the private network can be shared between the users in VPN and provide privacy and security at the same time, using tunnelling methods, where data is coded when sent and decoded when received. It is also cost efficient. The added security here is even the receiving and sending addresses of network is encrypted. [Collins, Keeley, Waye, 2010] It uses authentication techniques which allow authorized people to connect to the network. [Supprt.Microsoft.com, 2007]

Fig 7. VPN [VPNInfo.com, 2010]

To use VPN, its client software must be installed in the user's system. There is a firewall between the user's system and the server/host network. Once the system tries to connect to the network, the VPN client software gets connected to VPN server using the tunnelling method. When the user's authentication is successful, the connection (secure tunnel) between user's computer and server is formed and data started getting exchanged through this tunnel. They are encrypted when sent, decrypted when received. Though this secure connection is made through an insecure network, it is considered to be secure for the user's computer to be trusted by other computers in the network.

VPN client programs are programmed in such a way that all the IP traffic should go through the tunnel till the network is active, meaning that access to any information outside the secure network will go through the firewall just like when connected physically with a cable. In that way, the chances of a third party to get access to the network is less. This kind of security is crucial because other user in the network cannot be trusted completely. Each user would like to keep their data secure and private. The security plays an important part when the user accesses the network from a Wi-Fi access point. [VPNInfo.com, 2010]

The process of encryption and tunnelling is done by the SSH. It provided the security required for the network. The next example explains the steps to create VPN tunnel using SSH. Both server and client need to be configured. This example was originally given by Erik Meitner. [Meitner, 2007] Before starting the steps for configuration, the terms used in the example:

Private net =, eth0 on the server has public IP, eth1 on the server has private IP, VPN network =, tun0 on the server has private IP, tun0 on the client has private IP

Client: Key is generated through keygen. In the file /etc/network/interfaces, the following was added:

face tun0 inet static

pre-up ssh -S /var/run/ssh-myvpn-tunnel-control -M -f -w 0:0 true

pre-up sleep 5




up route add -net netmask gw tun0

post-down ssh -S /var/run/ssh-myvpn-tunnel-control -O exit

Server: In /etc/ssh/sshd_config file, two keywords were modified:

PermitTunnel point-to-point

PermitRootLogin forced-commands-only

In /root/.ssh/authorized_keys file, the following command was added:

tunnel="0",command="/sbin/ifdown tun0;/sbin/ifup tun0" ssh-rsa AAAA ..snipped.. == [email protected]

ssh-rsa is replace with the public key /root/.ssh/id_rsa.pub

In /etc/network/interfaces file, the following was added:

iface tun0 inet static




In /etc/sysctl.conf file, the net.ipv4.conf.default.forwarding was changed to 1

$ sudo sysctl net.ipv4.conf.default.forwarding=1

The system was restarted. When VPN was used:

[email protected]:~$ sudo ifup tun0

RTNETLINK answers: File exists

run-parts: /etc/network/if-up.d/avahi-autoipd exited with return code 2

[email protected]:~$ ping -c 2

PING ( 56(84) bytes of data.

64 bytes from icmp_seq=1 ttl=64 time=96.3 ms

64 bytes from icmp_seq=2 ttl=64 time=94.9 ms

--- ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 999ms

rtt min/avg/max/mdev = 94.954/95.670/96.387/0.780 ms

[email protected]:~$ sudo ifdown tun0

Exit request sent.


SSH can provide security for both simple and big programs. The user does not have to compromise on security to access any private data. This protocol is being used in organizations, hospitals, schools, etc where secure data transfer is required. Authentication, which is an important factor, will ensure that there is no security threat on any data. SSH is being used to enhance protocols which were not secure. In 2006, an article stated that SSH was going to enhance FTP to SFTP (Secure File Transfer Protocol) [AccessmyLibrary.com, 2006] As each protocol gets secure, more organizations and users will be able to use more security in their network, for as years go by, the security hazard keeps increasing with the number of attackers and their software and techniques.