Friday, May 22, 2009

I Love SSH

Secure shell, or SSH, is a UNIX utility that has become a replacement for the venerable Telnet utility and is usually a standard tool in any UNIX-like operating system installation (Linux distributions and OS X on the Macintosh).

Telnet lets you access your computer from the command line remotely. Secure shell takes this concept further by adding encryption: anyone with some knowledge of ARP poisoning could eavesdrop on your telnet session to get your passwords and hijack your system. If you run ssh, eavesdroppers see nothing but gibberish.

But SSH does more than that...it adds the ability to forward your X Windows applications. X is usually what's running on Linux systems for the graphical interface; this means that if you run a graphical program on Linux like Firefox or Thunderbird, it's using X to show up on the screen. If you connect from a remote computer using SSH with X forwarding and then tell it to run, for example, thunderbird, your mail client on your home computer...with your filters, custom folders and settings...will appear on the computer you're connecting from! Many Internet Service Providers (ISPs) will only allow access to their mail servers if you're "inside" their network. Using X forwarding to your home system, you'd be able to use your home email system with your customizations from a "foreign" network.

But the fun doesn't stop there...

SSH can redirect ports. It gets a little hairy in the execution because you have to understand the idea of locality in order to properly map things, but I use it on my system to redirect email connections; I'll use that as an example.

I have a friend running an email server for me; he's on a different network. I'll call that email server primary-email.

I have my home system with my email client running on it (Thunderbird). I'll call it homesystem.

I want to connect to primary-email to get and send email, but since we're on two different Internet Service Providers, I want to securely connect and exchange mail between my computer and the mail server (in case you didn't know, without the addition of secure login most email traffic is unencrypted so people can eavesdrop and save your email while it's in transit).

So my friend sets up a Linux system...we'll call it linuxbridge...and opens port 22 to his Linux system. I tell my computer to tunnel...using ssh...port 25 (SMTP, for sending mail) and port 110 (POP3, a protocol for receiving email) from my computer to his Linux system. All information traveling between homesystem and linuxbridge is then encrypted; from linuxbridge, the traffic is passed on to primary-email on my friend's network.

Yes, people can eavesdrop on his network between linuxbridge and primary-email, but this configuration still blocks people on my network, my ISP's network, and anyone between my ISP and my friend's ISP from seeing my email.

The tunnels can forward any port you configure in this manner. I've used it for forwarding email traffic and RDP (Windows Terminal Services) sessions without problems. Plus you can set it to compress the traffic, which in some cases helps to speed things up a little.
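The homesystem-to-linuxbridge-to-primary-email tunnel described above, as an added shell example that is not from the original post: the user name, host names and the local ports 1100 and 2525 are assumptions, and it assumes primary-email is reachable under that name from linuxbridge.

```shell
#!/bin/sh
# Added example, not from the original post. Names and local ports are assumptions.
# True if $1 is a valid TCP port number.
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Turn "localport:remotehost:remoteport" specs into ssh -L options, rejecting
# malformed specs and privileged local ports (<1024) for non-root users so the
# tunnel can run as a plain user; e.g. POP3 is mapped to 1100 rather than 110.
tunnel_args() {
  args=""
  for spec in "$@"; do
    lport=${spec%%:*}; rest=${spec#*:}
    rhost=${rest%%:*}; rport=${rest##*:}
    if [ "$rest" = "$rhost" ] || [ -z "$rhost" ]; then
      echo "expected localport:remotehost:remoteport, got $spec" >&2; return 1
    fi
    if ! is_port "$lport" || ! is_port "$rport"; then
      echo "bad port in $spec" >&2; return 1
    fi
    if [ "$lport" -lt 1024 ] && [ "$(id -u)" -ne 0 ]; then
      echo "local port $lport needs root; pick one above 1023" >&2; return 1
    fi
    args="$args -L $lport:$rhost:$rport"
  done
  printf '%s' "${args# }"
}

# Bring the tunnel up in the background: -N runs no remote command, -C compresses,
# -f backgrounds ssh once the forwards are ready, and ExitOnForwardFailure makes ssh
# exit non-zero if a local port is already taken instead of silently running without it.
start_tunnel() {
  bridge="$1"; shift
  fwd=$(tunnel_args "$@") || return 1
  # shellcheck disable=SC2086  # splitting $fwd into separate options is intended
  ssh -f -N -C -o ExitOnForwardFailure=yes $fwd "$bridge"
}

# True if something is listening on local TCP port $1 (Linux ss/netstat output format).
tunnel_listening() {
  { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | grep -q "[:.]$1 "
}

# On homesystem (assumed names), then point Thunderbird at localhost:1100 and localhost:2525:
#   start_tunnel me@linuxbridge 1100:primary-email:110 2525:primary-email:25 && tunnel_listening 1100
```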

But that's not all!

Using an add-on available for Linux and the Mac called FUSE (Filesystem in Userspace), you can run sshfs to "mount" a directory from your remote home computer on your local Mac or Linux computer. What does this mean?

If you're sitting at an Ubuntu Linux system and want to access files on your home Ubuntu Linux system, you can run

sudo sshfs -C -o allow_other your-username@your-home-host:/home/your-username /mnt/sshfs

(replace your-username and your-home-host with your login and the address of your home system).

If you don't already have the /mnt/sshfs directory on which to mount the remote directory, you need to create it first.

sudo mkdir /mnt/sshfs

After you enter your password for the remote system, you can just "cd /mnt/sshfs" and do a directory listing...there's your home computer's home directory! Of course, copying files will be slower than working with local drives, since you're copying and caching things over the network; the man page (man sshfs) gives options for turning off caching if applications like Nautilus are slowed down trying to pull information about directories at first...I noticed on my system it seemed to slow things down a bit. But it can be really handy at times, plus it's all encrypted and can use compression (notice the -C option) to help speed things up.

When you're finished, you just run "sudo fusermount -u /mnt/sshfs" to unmount the directory.

There are other things ssh can be used for, such as using the "scp" command to securely copy files between two networked computers. "Rsync" is a utility that synchronizes files and directories between two systems, and with certain switches it can be told to connect over SSH for an added layer of encryption and compression during the operation. Some applications build on the functionality...the OS X program Fugu is a graphical file transfer utility that lets you navigate your remote computer and transfer files between the two machines over SSH.

Yes, in order to do all these things, you need SSHD...the Secure Shell Daemon...running on the "server" computer. A daemon is a background process that handles tasks invisibly to the user; the sshd process listens for and negotiates ssh connections. Your home system would need sshd running, and if you have a NAT router...Linksys, Belkin, etc...between your computer and the Internet connection, it needs to be forwarding TCP port 22 to your internal computer. From there, you're all set to go.

Plus, of course, you need a strong password configured on your user account, since there are automated scripts on the Internet trying to log in to people's SSH services. But more advanced configurations can mitigate that; running DenyHosts to automatically block IP addresses that try logging in with the wrong password more than, oh, three times helps. And/or you can change from the default port number 22 to another port to make it more obscure. Again, my posts are already too long to jump right into that topic, though.
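As an added illustration of the per-source counting that a tool like DenyHosts acts on (example code written for this page, not from the post or from DenyHosts), run over constructed sshd log lines; the host name, addresses and the threshold of three are assumptions:

```shell
#!/bin/sh
# Added example, not from the original post. The log lines below are constructed,
# in the format sshd writes to auth.log; the addresses are documentation ranges.
SAMPLE_LOG='May 22 10:01:02 homesystem sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
May 22 10:01:05 homesystem sshd[4121]: Failed password for root from 203.0.113.7 port 51130 ssh2
May 22 10:01:09 homesystem sshd[4122]: Failed password for root from 203.0.113.7 port 51134 ssh2
May 22 10:01:12 homesystem sshd[4123]: Failed password for root from 203.0.113.7 port 51140 ssh2
May 22 10:02:30 homesystem sshd[4130]: Failed password for alice from 198.51.100.20 port 40100 ssh2
May 22 10:02:41 homesystem sshd[4131]: Accepted password for alice from 198.51.100.20 port 40102 ssh2'

# Read log lines on stdin; print "count ip" for every source that failed
# password authentication, busiest source first. Accepted logins are ignored.
failed_by_ip() {
  sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Read log lines on stdin; print only the sources at or above the threshold
# (default 3, the "more than, oh, three times" figure above), one per line.
ips_over_threshold() {
  threshold=${1:-3}
  failed_by_ip | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Usage on a real system would be:  ips_over_threshold 3 < /var/log/auth.log
# With the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | ips_over_threshold 3    prints 203.0.113.7
```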

In short, if you have a Mac or a Linux system...especially if you have a Linux system...learn to use secure shell. It's a wonderful and flexible tool for copying files and granting remote access to your home system while you're on the road; I can copy files securely, navigate my home computer's filesystem with SSHFS, and run my X Windows applications from a portable computer without having the applications installed on the portable computer. (X...and the X forwarded applications...only display on your system. The memory, drive storage and printers are all remote on your home system; part of the X Windows design is to divorce the display from the resources a computer uses. The program is laggy and can appear slow, but for most connections today it's not intolerable.)
