Using SSH in Windows
What can SSH and SSH Tunneling with Putty do for me?
Here at Brookhaven National Labs, we utilize firewalls to block
external access to our internal network. While the security benefits
of denying access to the masses should be obvious, it does tend to
hinder researchers who genuinely need remote access.
Those wishing to securely access their office or lab computer
systems can, however, do so by using the techniques described in this
document. The methodology illustrated below is called tunneling. It
uses secure shell for authentication and data encryption. While some
find the concept a bit confusing, once set up, this canned approach
can be used repetitively and seamlessly.
How does an SSH Tunnel work?
SSH tunnels are connections that route traffic from an arbitrary
port on one machine through a gateway to a remote machine.
There are basically three steps required to create a tunnel to
your remote system, and they involve your client, a bastion host
(gateway) and a remote host.
- The SSH connection is initiated from the client to the
- The gateway is instructed to listen for traffic on some port
of your client and send it through a specific port on the remote
host. This port is said to be forwarded.
- On your client, use the application with which you wish to connect
to the remote host and tell it to use the forwarded port.
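The relay below is an added example, not code from the original page or from BNL. It shows, in plain TCP on loopback, exactly what the gateway does for a forwarded port: it listens on a local port, and for every connection it opens a second connection to the destination host:port and copies bytes in both directions. The real gateway does the same, except that the hop from your client to the gateway runs inside the encrypted SSH session; this relay adds no encryption of its own, which is why it binds to loopback only. The echo server is a constructed stand-in for the remote service.

```python
"""What a forwarded port does, in plain TCP (added example, not the page's code)."""
import socket
import threading

BUFSIZE = 4096
TIMEOUT = 5  # seconds; keeps the demo from hanging if something goes wrong


def _pump(src, dst):
    """Copy bytes src -> dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(BUFSIZE)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # tell the other side we are done writing
        except OSError:
            pass


def _relay(client, dest_host, dest_port):
    """Gateway side of one forwarded connection: connect out, then relay both ways."""
    try:
        remote = socket.create_connection((dest_host, dest_port), timeout=TIMEOUT)
    except OSError:
        client.close()  # destination unreachable: drop the client, as the gateway would
        return
    client.settimeout(TIMEOUT)
    back = threading.Thread(target=_pump, args=(remote, client), daemon=True)
    back.start()
    _pump(client, remote)
    back.join()
    client.close()
    remote.close()


def _listen(port):
    """Listening socket bound to loopback only, so other machines cannot use the forward."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", port))
    sock.listen(5)
    return sock


def _serve(sock, handler):
    """Accept connections in a background thread and hand each one to handler."""
    def loop():
        while True:
            try:
                conn, _ = sock.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def start_forwarder(listen_port, dest_host, dest_port):
    """Start a 'Local' style forward; returns the bound port (0 picks a free one)."""
    sock = _listen(listen_port)
    _serve(sock, lambda conn: _relay(conn, dest_host, dest_port))
    return sock.getsockname()[1]


def start_echo_server(port=0):
    """Constructed stand-in for the remote service: echoes bytes back to the sender."""
    sock = _listen(port)

    def echo(conn):
        conn.settimeout(TIMEOUT)
        with conn:
            _pump(conn, conn)  # read from the client and write straight back

    _serve(sock, echo)
    return sock.getsockname()[1]


def roundtrip(port, payload):
    """Client side: connect to the forwarded port, send payload, return the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=TIMEOUT) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(BUFSIZE)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo(payload=b"hello through the tunnel"):
    """Wire up echo service <- forwarder <- client and return what the client got back."""
    echo_port = start_echo_server()
    fwd_port = start_forwarder(0, "127.0.0.1", echo_port)
    return roundtrip(fwd_port, payload)


if __name__ == "__main__":
    print(demo())
```

Running the file connects a client to the forwarder, which connects on to the echo service; the bytes come back unchanged, which is the whole point of a forwarded port: the application on your client talks to a local port and never needs to know where the traffic really ends up.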
What are SSH Keys?
SSH employs public and private encryption keys to secure
communication between computer systems. When an SSH connection is
initiated, each system exchanges public keys. Only a computer that
has the matching private key has the ability to read communications
encrypted with the public key. This implies that public keys can be
used to identify computers.
The first time a connection to a machine is made, SSH will give a
The authenticity of host 'somehost.bnl.gov (XXX.XXX.X.XXX)' can't
be established but keys of different type are already known for this
RSA key fingerprint is
Are you sure you want to continue connecting (yes/no)?
This is reasonable if this is your first connection, but it could be
suspicious if it occurs on a system you have connected to frequently
since that initial prompt.
SSH will store the public key in a cache so that on follow-up
connections it can compare the received public key with the cached
version and verify that it hasn't changed. If the key has changed,
SSH will warn you that someone could be trying to lure you into
giving your password to the wrong machine. Usually such key changes
are due to normal machine maintenance and nothing to worry about,
but an unexpected change in the SSH keys of the host to which you are
connecting could mean that an attacker is intercepting your traffic.
If you are paranoid then you might want to ask the administrator of
the remote machine why the key changed.
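The following is an added example, not code from the original page or from BNL. It reproduces the two things SSH does behind the prompt quoted above: it computes the fingerprint of a host's public key (the value an administrator can publish so you can compare it before answering "yes"), and it compares a presented key against a cached known_hosts entry, distinguishing a first connection from a matching key and from a changed one. The ssh-rsa key blobs are built from made-up numbers and are not real BNL host keys; the known_hosts entry for somehost.bnl.gov is likewise constructed.

```python
"""Host-key fingerprints and the known_hosts check (added example, not the page's code)."""
import base64
import hashlib
import struct


def _ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    """SSH wire 'mpint': big-endian two's complement, so a leading zero keeps it positive."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_key_blob(e, n):
    """ssh-rsa public key blob as defined in RFC 4253: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def fingerprint_sha256(blob):
    """Fingerprint as newer OpenSSH prints it: SHA256:<unpadded base64 of the digest>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob):
    """Fingerprint as older OpenSSH and PuTTY print it: colon-separated MD5 hex."""
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def parse_known_hosts_line(line):
    """Split one plain (unhashed) known_hosts line into (hostnames, key type, key blob)."""
    hosts, keytype, b64 = line.split()[:3]
    return hosts.split(","), keytype, base64.b64decode(b64)


def check_host_key(known_hosts_text, host, keytype, blob):
    """Classify a presented host key against the cache the way ssh does.

    'new'     -> no entry for this host and key type: the first-connection prompt
    'match'   -> cached key is identical: connect silently
    'CHANGED' -> an entry exists but the key differs: the man-in-the-middle warning
    """
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, kt, stored = parse_known_hosts_line(line)
        if host in hosts and kt == keytype:
            return "match" if stored == blob else "CHANGED"
    return "new"


# Constructed key material: made-up modulus values, NOT real host keys.
KNOWN_KEY = rsa_key_blob(65537, (1 << 1023) | 0x1234567890ABCDEF)
OTHER_KEY = rsa_key_blob(65537, (1 << 1023) | 0xFEDCBA0987654321)
# Constructed known_hosts cache entry for the host name used in the prompt above.
KNOWN_HOSTS = (
    "somehost.bnl.gov,XXX.XXX.X.XXX ssh-rsa "
    + base64.b64encode(KNOWN_KEY).decode("ascii")
    + "\n"
)


def demo():
    """Verdicts for a repeat connection, a changed key, and a host not yet cached."""
    return (
        check_host_key(KNOWN_HOSTS, "somehost.bnl.gov", "ssh-rsa", KNOWN_KEY),
        check_host_key(KNOWN_HOSTS, "somehost.bnl.gov", "ssh-rsa", OTHER_KEY),
        check_host_key(KNOWN_HOSTS, "otherhost.bnl.gov", "ssh-rsa", KNOWN_KEY),
    )


if __name__ == "__main__":
    print("fingerprint of cached key:", fingerprint_sha256(KNOWN_KEY))
    print("                          ", fingerprint_md5(KNOWN_KEY))
    print("verdicts (match, changed, new):", demo())
```

The practical use of the fingerprint functions is the comparison the page recommends: when the prompt shows a fingerprint, check it against one the remote machine's administrator gave you through some other channel before typing "yes"; when the cache check returns CHANGED, ask that administrator whether the key was rotated before connecting.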
What you need:
Tunneling X using putty and Xming
- Ensure that the Xming program is running and then execute your
- Create a new session or modify an existing one. In this
example, we will modify an existing session.
Start by loading the desired session.
- Ensure that Enable X11 forwarding is checked.
- Save the session for future use.
- Open the session and login to the remote host or gateway.
- Login to a remote host that you have an account on using the
- Once you have logged into the gateway, ssh to the desired
remote host using the "-X" option to forward X11. Run your
desired X11 application. In this example we will use "xterm&".
- The X11 application should now open a window.
Congratulations, you have just tunneled X11!
Tunneling a Remote Desktop using Putty
- Start Putty (double-click on the Putty icon). A window
similar to this one should open:
- Enable compression and select SSH protocol level 2 as the
- Configure “tunneling.”
In this example a fictitious remote desktop is tunneled to a
port on the local machine via the gateway.
- The Source port (3389) is the port on the user machine that
will accept the connections that are intended to be tunneled. The
destination defines the host and port to which the remote gateway's
ssh daemon will connect incoming traffic from the user machine.
Clicking on Add will apply the configuration for use.
- Starting Remote Desktop
- The remote desktop will open.
Tunneling with PUTTY and PSFTP
- Set up a connection like the ones above and title it to
reflect that it is for use with a secure FTP tunnel.
- Since Windows typically uses ports below 3000, pick a port
above that number to bind to. In this example we will use 3100
as our source port. The destination is the remote host name we
want to forward to, and in this example 22 is the port we wish
to connect with. Notice that the host and port are separated by a colon.
Normally Dynamic is desired although we will use Local in this
- Now click the Add button and the port forwarding box should
look similar to this example.
- Be sure to save your setting and then open the session.
- Login to the gateway as you normally would.
- Once connected you may minimize the window.
- Double click on the PSFTP icon to start the program. It
should open a window like this.
Type "Open localhost 3100" and press enter. At this point you
are logging into the remote host entered in the previous step of
configuring the PUTTY session. In this example we are connected
to host.bnl.gov on port 22.
- If this is the first time you have connected to the remote
host, you will get this message. Answer "y" and store the key.
Enter your username as you would normally.
- Enter your password.
- Now you should be connected to the remote host directly
using the SSH tunneling.
- You may type help at any time if you are unsure of which Putty
Secure FTP commands are available.
- You may now transfer files directly to the remote host in
If you have a question that is not addressed in these pages,
please send an email to firstname.lastname@example.org.
Last Modified: February 14, 2011