Requiring SSH for Remote Connections - Red Hat Linux 7.2 Reference Manual

If mail.domain.com is not running an SSH server daemon but you can log in via SSH to a machine
near it, perhaps one on the far side of a firewall, you can still use SSH to secure the part of the POP
connection that crosses public networks. A slightly different command is needed:
ssh -L 1100:mail.domain.com:110 other.domain.com
In this example, a POP request sent to port 1100 on your machine is forwarded through the SSH
connection (port 22) to other.domain.com, which then connects to port 110 on mail.domain.com so
that you can check for new mail. Only the leg between your system and other.domain.com is
encrypted; the leg between other.domain.com and mail.domain.com is ordinary plaintext POP. In
many situations this is still enough, because it protects the traffic on the public network, which is
where it was most exposed before.
Of course, in this example and the one above it, you must be able to authenticate to the SSH server to
perform the TCP/IP forwarding. Be sure that you can execute normal SSH commands before attempting
to set up TCP/IP forwarding.
TCP/IP forwarding can be particularly useful for getting information securely through network
firewalls. If the firewall is configured to allow SSH traffic via its standard port (22) but block access
through other ports, a connection between two hosts using the blocked ports is still possible by
redirecting their communication over an established SSH connection between them.
This can be very dangerous, however. Using TCP/IP forwarding to forward connections in this
manner allows any user on the client system to connect to the service you are forwarding connections
to, which can be hazardous if your client system becomes compromised. By default ssh binds the
forwarded port on the loopback interface, so only processes on the client host can reach it; the -g
option exposes the port to other hosts as well and should be avoided. Check with the system
administrator who administers your firewall before using TCP/IP forwarding to bypass it.
Note: System administrators concerned about TCP/IP forwarding can disable this functionality on the
server by setting AllowTcpForwarding no in /etc/ssh/sshd_config and restarting the sshd service.
Be aware that this only stops sshd itself from relaying connections: a user who still has shell access
on the server can install a forwarder of their own, so the setting is not a substitute for restricting
shell access.
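Both the AllowTcpForwarding note above and the advice in Section 10.6 to keep telnet and rsh from starting with the system are checks an administrator will want to script rather than eyeball. The following is an added example and not code from the Red Hat manual: a POSIX shell audit that reports the effective AllowTcpForwarding value of an sshd_config (sshd uses the first uncommented occurrence of a keyword, matched case-insensitively, and falls back to its compiled-in default of yes when the keyword is absent) and lists which named insecure services a `chkconfig --list` listing shows as enabled at boot, both as SysV runlevel entries and as xinetd entries. The sshd_config and chkconfig output embedded below are constructed samples, not output from a real host, and the service names to watch for are passed as arguments.

```shell
#!/bin/sh
# Added example, not code from the Red Hat manual: offline audit helpers for
# the two settings discussed in this chapter. Both functions read their input
# from stdin so they can be run against a live file ("< /etc/ssh/sshd_config",
# "chkconfig --list | ...") or, as here, against constructed samples.

# Print the effective value of an sshd_config keyword. sshd uses the FIRST
# uncommented occurrence of a keyword and matches keyword names
# case-insensitively, so a later "AllowTcpForwarding no" does not override an
# earlier "AllowTcpForwarding yes". Exit status 1 (and no output) when the
# keyword is never set, in which case sshd applies its compiled-in default.
# (The "Keyword=value" spelling sshd also accepts is not handled here.)
effective_sshd_option() {
    awk -v key="$1" '
        BEGIN { key = tolower(key); found = 0 }
        $1 ~ /^#/ || NF < 2          { next }            # comment or blank line
        tolower($1) == key && !found { print $2; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Exit 0 if sshd would permit TCP forwarding under the config on stdin.
# The compiled-in default is "yes", so an absent keyword counts as allowed;
# any value other than "no" (yes, or local/remote/all on newer OpenSSH)
# still permits some forwarding and is reported as allowed.
tcp_forwarding_allowed() {
    value=$(effective_sshd_option AllowTcpForwarding) || value=yes
    [ "$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')" != no ]
}

# Given "chkconfig --list" output on stdin and a list of service names as
# arguments, print each named service that would start at boot: SysV
# services marked "on" in runlevel 2, 3 or 5, and xinetd-managed services
# (on Red Hat Linux 7.2 telnet, rsh, rlogin and rexec are xinetd based)
# marked "on".
insecure_services_enabled() {
    awk -v names="$*" '
        BEGIN { n = split(names, l, " "); for (i = 1; i <= n; i++) watch[l[i]] = 1 }
        # xinetd entries look like "        telnet: on"
        NF == 2 && $1 ~ /:$/ {
            name = $1; sub(/:$/, "", name)
            if ((name in watch) && $2 == "on") print name
            next
        }
        # SysV entries look like "xinetd  0:off 1:off 2:off 3:on 4:on 5:on 6:off"
        ($1 in watch) {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[235]:on$/) { print $1; break }
        }
    '
}

# Constructed sample sshd_config (not from a real host). The first
# AllowTcpForwarding line wins, so forwarding stays enabled despite the
# lower-case "no" at the end.
SAMPLE_SSHD_CONFIG='Port 22
Protocol 2,1
# AllowTcpForwarding no
AllowTcpForwarding yes
X11Forwarding yes
allowtcpforwarding no
'

# Constructed sample of "chkconfig --list" output (not from a real host):
# telnet and rlogin are still switched on under xinetd.
SAMPLE_CHKCONFIG='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd based services:
        telnet: on
        rsh:    off
        rlogin: on
        rexec:  off
'

# Stand-alone report over the constructed samples.
if printf '%s' "$SAMPLE_SSHD_CONFIG" | tcp_forwarding_allowed; then
    echo "sshd: TCP forwarding is allowed (first AllowTcpForwarding line wins)"
else
    echo "sshd: TCP forwarding is disabled"
fi
printf '%s' "$SAMPLE_CHKCONFIG" | insecure_services_enabled telnet rsh rlogin rexec |
    sed 's/^/still enabled at boot: /'
```

The first-occurrence rule is the point worth remembering: appending AllowTcpForwarding no to the end of a file that already sets it to yes higher up changes nothing, and a commented-out line is ignored entirely. Treating every value other than "no" as permitting forwarding keeps the check conservative on later OpenSSH releases, where "local", "remote" and "all" are also accepted.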

10.6 Requiring SSH for Remote Connections

For SSH to be truly effective in protecting your network connections, you must stop using all insecure
connection protocols, such as telnet and rsh. Otherwise, a user's password may be protected by ssh
one day only to be captured when the user logs in the next day using telnet.
To disable insecure connection methods on your system, use serviceconf or chkconfig to make
sure that these services do not start with the system. To use serviceconf to configure services
that start at runlevels 2, 3, and 5, type the command:
