Requiring SSH for Remote Connections - Red Hat Enterprise Linux 3 Reference Manual

Chapter 19. SSH Protocol

To create a TCP/IP port forwarding channel which listens for connections on the localhost, use the
following command:

ssh -L local-port:remote-hostname:remote-port username@hostname

Note
Setting up port forwarding to listen on ports below 1024 requires root-level access.

To check email on a server called mail.example.com using POP3 through an encrypted connection,
use the following command:

ssh -L 1100:mail.example.com:110 mail.example.com

Once the port forwarding channel is in place between the client machine and the mail server, direct a
POP3 mail client to use port 1100 on the localhost to check for new mail. Any requests sent to port
1100 on the client system will be directed securely to the mail.example.com server.

If mail.example.com is not running an SSH server, but another machine on the same network is,
SSH can still be used to secure part of the connection. However, a slightly different command is
necessary:

ssh -L 1100:mail.example.com:110 other.example.com

In this example, POP3 requests from port 1100 on the client machine are forwarded through the
SSH connection on port 22 to the SSH server, other.example.com. Then, other.example.com
connects to port 110 on mail.example.com to check for new mail. Note that by using this technique,
only the connection between the client system and the other.example.com SSH server is secure.

Port forwarding can also be used to get information securely through network firewalls. If the firewall
is configured to allow SSH traffic via its standard port (22) but blocks access to other ports, a
connection between two hosts using the blocked ports is still possible by redirecting their
communication over an established SSH connection.

Note
Using port forwarding to forward connections in this manner allows any user on the client system to
connect to that service. If the client system becomes compromised, the attacker also has access to
forwarded services.

System administrators concerned about port forwarding can disable this functionality on the server by
specifying a No parameter for the AllowTcpForwarding line in /etc/ssh/sshd_config and restarting the
sshd service.

19.6. Requiring SSH for Remote Connections

For SSH to be truly effective, using insecure connection protocols, such as Telnet and FTP, should
be prohibited. Otherwise, a user's password may be protected using SSH for one session, only to be
captured later while logging in using Telnet.

Some services to disable include:
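The AllowTcpForwarding check from the port forwarding note above, as an added example that is not from the manual: a POSIX shell audit of an sshd_config file that reports whether TCP forwarding is off server-wide, including the cases where the directive is absent (OpenSSH's default is yes) or is set only under a Match block. The file paths and sample configurations are constructed for the example.

```shell
# Added example, not from the Red Hat manual: report the effective server-wide
# AllowTcpForwarding value of an sshd_config file. Assumptions: an absent
# directive means OpenSSH's default "yes", keywords are case-insensitive, the
# first occurrence wins, and a directive under a Match block (a keyword newer
# than RHEL 3) applies only to matched users, not to the whole server.
tcp_forwarding_setting() {
    # $1: path to an sshd_config-style file; prints the effective global value
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        tolower($1) == "match" { in_match = 1; next }  # rest of file is conditional
        in_match { next }
        tolower($1) == "allowtcpforwarding" && !found { found = 1; value = tolower($2) }
        END { print (found ? value : "yes") }
    ' "$1"
}

tcp_forwarding_disabled() {
    # exit status 0 when forwarding is off for every user, 1 otherwise
    [ "$(tcp_forwarding_setting "$1")" = "no" ]
}

# Constructed sample configurations (not real server files).
SAMPLE_DIR=$(mktemp -d)
# Weak: the directive is never set, so sshd falls back to its default of "yes".
printf 'Port 22\nPermitRootLogin no\n' > "$SAMPLE_DIR/default.conf"
# Hardened: the manual's recommendation applied globally.
printf 'Port 22\nAllowTcpForwarding no\n' > "$SAMPLE_DIR/hardened.conf"
# Misleading: "no" appears only inside a Match block, so other users can still forward.
printf 'Port 22\nMatch User backup\n    AllowTcpForwarding no\n' > "$SAMPLE_DIR/match_only.conf"

for f in default hardened match_only; do
    if tcp_forwarding_disabled "$SAMPLE_DIR/$f.conf"; then
        echo "$f.conf: TCP forwarding disabled"
    else
        echo "$f.conf: TCP forwarding ENABLED (value: $(tcp_forwarding_setting "$SAMPLE_DIR/$f.conf"))"
    fi
done
```

Run it against a copy of /etc/ssh/sshd_config to confirm the setting took effect before restarting sshd; a directive that is commented out or placed under Match still leaves forwarding enabled globally.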