Using SSH in Windows

What can SSH and SSH Tunneling with Putty do for me?

Here at Brookhaven National Labs, we utilize firewalls to block external access to our internal network. While the security benefits of denying access to the masses should obvious, it does tend to hinder researchers who genuinely need remote access.

Those wishing to securely access their office or lab computer systems can do so however by utilizing techniques described in this document. The methodology illustrated below is called tunneling. It uses secure shell for authentication and data encryption. While some find the concept a bit confusing, once set up, this canned approach can be used repetitively and seamlessly.

How does an SSH Tunnel work?

SSH tunnels are connections that routes traffic from an arbitrary port on one machine through a gateway to a remote machine.

There are basically three steps required to create a tunnel to your remote system and it requires your client, a bastion host (gateway) and a remote host.

1. The SSH connection is initiated from the client to the gateway.
2. TThe gateway is instructed to listen for traffic on some port of your client and send it through a specific port on the remote host. This port is said to be forwarded.
3. On your client, use the application that you wish to connect to the remote host and tell it to use the forwarded port./li>

What are SSH Keys?

SSH employs public and private encryption keys to secure communication between computer systems. When an SSH connection is initiated, each system exchanges public keys. Only a computer that has the matching private key has the ability to read communications encrypted with the public key. This implies that public keys can be used to identify computers.

The first time connect to a machine is made, SSH will give a warning like:

The authenticity of host 'somehost.bnl.gov (XXX.XXX.X.XXX)' can't be established but keys of different type are already known for this host.

RSA key fingerprint is ae:b5:6e:35:30:66:a0:20:4f:9b:9d:31:80:30:f7:60.

Are you sure you want to continue connecting (yes/no)?

This is reasonable if this is your first connection but could be suspicious if this occurs to a system you have frequently used after the initial response.

SSH will store the public key in a cache so that on follow-up connections it can compare the received public key with the cached version and verify that it hasn't changed. If the key has changed, SSH will warn you that someone could be trying to lure you into giving your password to the wrong machine. Usually such key changes are due to normal machine maintenance and nothing to worry about, but an unexpected change in the SSH keys of the host to whom you are connecting could mean that an attacker is intercepting your traffic. If you are paranoid then you might want to ask the administrator of the remote machine why the key changed.

What you need:

• A windows computer (XP, Vista or Windows 7) Antivirus software installed. If you do not have antivirus software, you may download OfficeScan from the BNL website: http://www.bnl.gov/cybersecurity/antivirus.asp
• The SSH client called PuTTY which can be downloaded from:
  http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
  It is best to download the Windows installer for everything except PuTTYtel.
• An SSH Gateway account. To set up the desired ITD user accounts, go to the Account Management Office http://www.bnl.gov/itd/amo/
  They can provide you with a Cryptocard, SecureID and accounts for the SSH gateway, BNL Domain, SSH keys, etc.
• Xming is a free X Window Server for Microsoft XP/2008/Windows7. You may download it free from sourceforge. http://sourceforge.net/projects/xming/

Tunneling X using putty and Xming

1. Ensure that the Xming program running and then execute your putty software.
2. Create a new session or modify an existing one. In this example, we will modify and existing session.
   
   Start by loading the desired session.
   
   
   
3. Ensure that Enable X11 forwarding is checked.
   
   
   
4. Save the session for future use.
   
   
   
5. Open the session and login to the remote host or gateway.
   
   
   
6. Login to a remote host that you have an account on using the –X option.
   
   
   
7. Once you have logged into the gateway, ssh to the desired remote host using the "-X" option to forward X11. run your desired X11 application. In this example we will use “xterm&” for simplicity.
   
   
   
8. The X11 application should now open a window. Congratulations, you have just tunneled X11!
   
   

Tunneling a Remote Desktop using Putty

1. SStart Putty (double-cling on the putty icon. A window similar to this one should open:
   
   
   
2. Enable compression and select SSH protocol level 2 as the default.
   
   
   
3. Configure “tunneling.”
   In this example a fictitious remote desktop is tunneled to a port on the local machine via the gateway.
   
   
   
4. The Source port (3389) is the port on the user machine that will address connections that are intended to be tunneled. The destination defines a host and a port that the remote gateway’s ssh daemon will connect incoming traffic from the user machine. Clicking on Add with apply the configuration for use.
   
   
   
5. Starting Remote Desktop
   
   
   
6. The remote desktop will open.
   
   

Tunneling with PUTTY and PSFTP

1. Set up a connection like the ones above and title it to reflect that it is for use with a secure FTP tunnel.
   
   
   
2. Since Windows typically uses ports below 3000, pick a port above that number to bind to. In this example we will use 3100 as our source port. The destination is the remote host name we want to forward from and in this example 22 is the port we wish to connect with. Notice it is separated by a colon.
   
   Normally Dynamic is desired although we will use Local in this example.
   
   
   
3. Now click the Add button and the port forwarding box should look similar to this example.
   
   
   
4. Be sure to save your setting and then open the session.
   
   
   
5. Login to the gateway as you normally would.
   
   
   
6. Once connected you may minimize the window.
   
   
   
7. Double click on the PSFTP icon to start the program. It should open a window like this.
   
   Type "Open localhost 3100" and press enter. At this point you are logging into the remote host entered in the previous step of configuring the PUTTY session. In this example we are connected to host.bnl.gov on port 22.
   
   
   
8. If this is the first time you have connected to the remote host, you will get this message. Answer "y" and store the key.
   
   
   
   Enter your username as you would normally.
   
   
   
9. Enter your password.
   
   
   
10. Now you should be connected to the remote host directly using the SSH tunneling.
    
    
    
11. You may type help at anytime if you are unsure of what Putty Secure FTP commands are available.
    
    
    
12. You may now transfer files directly to the remote host in one step.i>

IIf you have a question that is not addressed in these pages, please send an email to itdhelp@bnl.gov.

Last Modified: February 14, 2011

One of ten national laboratories overseen and primarily funded by the Office of Science of the U.S. Department of Energy (DOE), Brookhaven National Laboratory conducts research in the physical, biomedical, and environmental sciences, as well as in energy technologies and national security. Brookhaven Lab also builds and operates major scientific facilities available to university, industry and government researchers. Brookhaven is operated and managed for DOE's Office of Science by Brookhaven Science Associates, a limited-liability company founded by the Research Foundation for the State University of New York on behalf of Stony Brook University, the largest academic user of Laboratory facilities, and Battelle, a nonprofit, applied science and technology organization.

Privacy and Security Notice  | Contact Web Services for help