
Need Help

Call the Helpdesk for 24x7 support
Bus: 631.344.5522
Fax: 631-344-2140
Email: itdhelp@bnl.gov

Using SSH in Windows


What can SSH and SSH Tunneling with Putty do for me?

Here at Brookhaven National Labs, we use firewalls to block external access to our internal network. While the security benefit of denying access to the masses should be obvious, it does hinder researchers who genuinely need remote access.

Those wishing to securely access their office or lab computer systems can nevertheless do so by using the techniques described in this document. The method illustrated below is called tunneling. It uses secure shell (SSH) for authentication and data encryption. While some find the concept a bit confusing, once set up, this canned approach can be reused repeatedly and seamlessly.

How does an SSH Tunnel work?

An SSH tunnel is a connection that routes traffic from an arbitrary port on one machine, through a gateway, to a port on a remote machine. The traffic is encrypted between your client and the gateway; the final hop from the gateway to the remote host travels over the internal network exactly as the application would normally send it.

There are basically three steps to create a tunnel to your remote system, and it involves three machines: your client, a bastion host (gateway) and a remote host.

  1. The SSH connection is initiated from the client to the gateway.
  2. PuTTY is instructed to listen on some port of your client and hand whatever arrives there to the gateway, which sends it on to a specific port on the remote host. This port is said to be forwarded.
  3. On your client, run the application you wish to connect to the remote host and tell it to connect to the forwarded port on localhost.
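To make the three steps concrete, here is a small model of what a forwarded port does. This is an added example for this page, not code from PuTTY or from BNL: in a real tunnel the listener lives in PuTTY on your client, the bytes travel to the gateway inside the encrypted SSH connection, and the gateway's sshd opens the final connection to the remote host. Here all three roles run in one process on 127.0.0.1, the "remote host" is a constructed echo server, and there is no SSH layer at all; only the relay logic is real.

```python
"""Model of what a PuTTY "Local" tunnel does with a forwarded port.

Added example; not PuTTY or BNL code. The remote host is a constructed echo
server and the encrypted SSH hop is omitted, so only the relay is shown.
"""
import socket
import threading


def _listen(port: int = 0) -> socket.socket:
    """Bind a listening socket on loopback only, so other machines on the
    network cannot reach the forwarded port (PuTTY does the same by default)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src reaches end-of-stream, then pass
    the end-of-stream on to dst by half-closing it."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_echo_server() -> int:
    """Constructed stand-in for the remote host (e.g. an RDP or SFTP server):
    it echoes back whatever it receives. Returns the port it listens on."""
    srv = _listen()

    def handle(conn: socket.socket) -> None:
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                conn.sendall(chunk)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_forwarder(dest_host: str, dest_port: int, local_port: int = 0) -> int:
    """The "Source port -> Destination" rule from the PuTTY Tunnels dialog:
    accept connections on 127.0.0.1:local_port and relay each one to
    dest_host:dest_port. Returns the local port actually bound (0 lets the
    OS pick a free one, handy when 3389 or 3100 is already taken)."""
    srv = _listen(local_port)

    def relay(client: socket.socket) -> None:
        upstream = socket.create_connection((dest_host, dest_port))
        up = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
        up.start()
        _pump(upstream, client)       # replies flow back the other way
        up.join()
        client.close()
        upstream.close()

    def serve() -> None:
        while True:
            client, _ = srv.accept()
            threading.Thread(target=relay, args=(client,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def send_through(local_port: int, payload: bytes) -> bytes:
    """What the application on your client does (step 3): connect to the
    forwarded port on localhost, send a request and read the reply."""
    with socket.create_connection(("127.0.0.1", local_port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)    # done sending; now wait for the reply
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    remote = start_echo_server()
    local = start_forwarder("127.0.0.1", remote)
    print(f"127.0.0.1:{local} is forwarded to 127.0.0.1:{remote}")
    print(send_through(local, b"hello through the forwarded port"))
```

The application never learns the remote host's address; it only ever talks to the local port, which is why Remote Desktop and PSFTP in the sections below are pointed at localhost. Binding to 127.0.0.1 matters: a forwarded port bound to all interfaces would let anyone who can reach your PC ride your authenticated tunnel into the internal network.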

What are SSH Keys?

SSH uses public and private key pairs to authenticate the computers involved. When an SSH connection is initiated, the server presents its public host key and proves, with a digital signature, that it holds the matching private key; only the holder of the private key can produce that proof. The public key therefore identifies the server: if you know which public key belongs to somehost.bnl.gov, you can tell whether you are really talking to it. The session traffic itself is encrypted with a fresh symmetric key that both sides negotiate during the connection.

The first time you connect to a machine, SSH will give a warning like:

The authenticity of host 'somehost.bnl.gov (XXX.XXX.X.XXX)' can't be established but keys of different type are already known for this host.

RSA key fingerprint is ae:b5:6e:35:30:66:a0:20:4f:9b:9d:31:80:30:f7:60.

Are you sure you want to continue connecting (yes/no)?

This is expected on your first connection, but it is suspicious if it appears for a system you have used frequently, since the key should already be cached from the initial response.

SSH stores the public key in a cache (PuTTY keeps it in the Windows registry, OpenSSH in ~/.ssh/known_hosts) so that on follow-up connections it can compare the key the server presents with the cached version and verify that it hasn't changed. If the key has changed, SSH will warn you that someone could be trying to lure you into giving your password to the wrong machine. Often such key changes are due to normal machine maintenance (a reinstall or new keys), but an unexpected change in the host key of the system you are connecting to can also mean that an attacker is intercepting your traffic, and the warning alone cannot tell the two cases apart. Before accepting a changed key, and ideally before accepting a key for the first time, confirm the fingerprint with the administrator of the remote machine through a channel other than the SSH connection itself, for example by phone.
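The check described above, as an added example (this is not PuTTY's code): the server's public key blob is fingerprinted, compared against what an administrator told you out of band, and then looked up in a cache keyed by host name and port the way PuTTY keys its registry entries. The walkthrough at the end reproduces the situation from the PSFTP section later on this page, where the connection goes to "localhost 3100" and the cache entry is therefore made under that name rather than the real host. The key blobs are built from made-up numbers for the example and are not real keys.

```python
"""Host-key check of the kind PuTTY and OpenSSH perform on every connection.

Added example; not PuTTY's code. The dictionary `cache` stands in for the
registry / known_hosts store, and the moduli below are constructed, not
real RSA keys.
"""
import base64
import hashlib
import struct


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(x: int) -> bytes:
    """SSH mpint: big-endian magnitude, with a leading 0x00 when the top bit is set."""
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)


def ssh_rsa_blob(e: int, n: int) -> bytes:
    """Wire encoding of an ssh-rsa public key (RFC 4253, section 6.6); this is
    what the server sends and what the fingerprint is computed over."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5, the format in the warning quoted above."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """The format newer PuTTY and OpenSSH releases print: SHA256, base64, no padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(blob: bytes, claimed: str) -> bool:
    """Compare a fingerprint obtained out of band (phone, the admin's web page)
    with the key the server actually presented, in either format."""
    claimed = claimed.strip()
    if claimed.lower() == fingerprint_md5(blob):
        return True
    return claimed == fingerprint_sha256(blob)   # base64 is case-sensitive


def check_host_key(cache: dict, host: str, port: int, blob: bytes) -> str:
    """'new': nothing cached; verify the fingerprint, then remember it.
    'match': same key as last time; carry on.
    'changed': a different key; stop and verify before typing a password."""
    stored = cache.get((host, port))
    if stored is None:
        return "new"
    return "match" if stored == blob else "changed"


def remember(cache: dict, host: str, port: int, blob: bytes) -> None:
    cache[(host, port)] = blob


# Constructed moduli for the example; NOT real RSA keys.
N_HOST_A = (1 << 1023) + 0x1B3D5F7D
N_HOST_B = (1 << 1023) + 0x2C4E6A8B


def tunnel_walkthrough() -> list:
    """Three PSFTP sessions through a "localhost 3100" tunnel. The entry is
    cached under localhost:3100, not under the real host name, so pointing
    the same local port at a different host later looks like a key change
    even though nothing is wrong; the fingerprint still has to be verified."""
    cache = {}
    key_a = ssh_rsa_blob(65537, N_HOST_A)   # host.bnl.gov's key (constructed)
    key_b = ssh_rsa_blob(65537, N_HOST_B)   # a second host's key (constructed)
    verdicts = []

    verdicts.append(check_host_key(cache, "localhost", 3100, key_a))  # first session
    admin_says = fingerprint_md5(key_a)     # value read out by the admin (taken from the key here)
    if verdicts[-1] == "new" and fingerprint_matches(key_a, admin_says):
        remember(cache, "localhost", 3100, key_a)
    verdicts.append(check_host_key(cache, "localhost", 3100, key_a))  # next session
    verdicts.append(check_host_key(cache, "localhost", 3100, key_b))  # tunnel now points at host B
    return verdicts   # ['new', 'match', 'changed']
```

The practical lesson is the last verdict: a key-change warning is the client doing its job, and the only safe responses are to compare the fingerprint with one obtained from the administrator or to abort. Typing "y" by habit, especially when prompted for a password right afterwards, is exactly what an interception attack relies on.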

What you need: PuTTY (and PSFTP, which ships with it, for file transfer), Xming if you want to run X11 applications, and accounts on both the gateway and the remote host.

Tunneling X11 using PuTTY and Xming

  1. Make sure Xming is running, then start PuTTY.
  2. Create a new session or modify an existing one. In this example, we will modify an existing session.

    Start by loading the desired session.

    Figure 1
  3. Under Connection > SSH > X11, ensure that Enable X11 forwarding is checked.

    Figure 2
  4. Save the session for future use.

    Figure 3
  5. Open the session and log in to the gateway.

    Figure 4
  6. From the gateway, log in to a remote host on which you have an account, using ssh with the -X option so that X11 is forwarded across this second hop as well.

    Figure 5
  7. Once you are logged in to the remote host, run your desired X11 application. In this example we use "xterm &" for simplicity.

    Figure 6
  8. The X11 application should now open a window. Congratulations, you have just tunneled X11!

    Figure 7

Tunneling a Remote Desktop using PuTTY

  1. Start PuTTY (double-click on the PuTTY icon). A window similar to this one should open:

    Figure 9
  2. Under Connection > SSH, enable compression and select SSH protocol version 2 only. SSH-1 has known weaknesses and must not be used; recent PuTTY releases no longer offer it.

    Figure 9
  3. Configure "tunneling" under Connection > SSH > Tunnels.
    In this example a fictitious remote desktop is tunneled to a port on the local machine via the gateway.

    Figure 10
  4. The Source port (3389) is the port on your machine that will accept the connections you intend to tunnel. The Destination is the host and port (here the remote desktop's RDP port, 3389) that the gateway's ssh daemon will connect to on behalf of traffic arriving from your machine. Clicking Add applies the configuration. If your own PC already runs a Remote Desktop service on 3389, choose a different free source port (for example 3390) and use that port in the next step.

    Figure 11
  5. Start Remote Desktop and connect to localhost:3389 (or localhost followed by whichever source port you chose).

    Figure 12
  6. The remote desktop will open.

    Figure 13

Tunneling with PuTTY and PSFTP

  1. Set up a connection like the ones above and title it to reflect that it is for use with a secure FTP tunnel.

    Figure 14
  2. Pick a high local port that nothing else is using; ports below 1024 are reserved for system services, and common low-numbered ports are often already taken. In this example we will use 3100 as our source port. The destination is the remote host name we want to forward to, followed by a colon and the port we want to reach, which in this example is 22, the SSH/SFTP port.

    Local is the right choice here: it forwards one local port to one fixed host and port. Dynamic instead turns the local port into a SOCKS proxy for applications that know how to use one, which is not needed for PSFTP.

    Figure 15
  3. Now click the Add button and the port forwarding box should look similar to this example.

    Figure 16
  4. Be sure to save your settings and then open the session.

    Figure 16
  5. Login to the gateway as you normally would.

    Figure 17
  6. Once connected you may minimize the window.

    Figure 18
  7. Double click on the PSFTP icon to start the program. It should open a window like this.

    Type "open localhost 3100" and press Enter. PSFTP connects to port 3100 on your own machine, and the tunnel delivers that connection to the remote host you entered when configuring the PuTTY session. In this example we are connected to host.bnl.gov on port 22.

    Figure 19
  8. If this is the first time you have connected to the remote host through this tunnel, you will get this message. PSFTP sees the connection as going to localhost port 3100, so the key is cached under that name rather than under host.bnl.gov, but the fingerprint shown is host.bnl.gov's. Compare it with the fingerprint you know for that host (or ask its administrator), then answer "y" to store the key. If you later reuse local port 3100 for a tunnel to a different host, PSFTP will warn that the key has changed; that is expected in that case, but verify the new fingerprint just the same.

    Figure 20

    Enter your username as you would normally.

    Figure 21
  9. Enter your password.

    Figure 22
  10. Now you should be connected to the remote host through the SSH tunnel.

    Figure 23
  11. You may type help at any time if you are unsure of which PuTTY Secure FTP commands are available.

    Figure 24
  12. You may now transfer files directly to the remote host in one step.

 

If you have a question that is not addressed in these pages, please send an email to itdhelp@bnl.gov.

 

 


Last Modified: February 14, 2011