[NCLUG] ssh question

Brian Wood bwood at beww.org
Mon Oct 6 15:28:02 MDT 2008


Here's an idea:

If you are talking about just a single web browser, and your networks
are fast, you could just run the browser on the ssh server machine, and
use X forwarding to display it on your remote machine, as in:

ssh -X (ssh server IP)
firefox

No muss, no fuss, but slow unless your network connections are quick.

All that would be visible on your remote network would be ssh traffic to
your server.

Just a thought.

beww


Jim Hutchinson wrote:
> I'm wondering if any of the tech gurus on this list can help me with an ssh
> question. First, some background. I'm running an ssh server at home. It
> listens on port 5151. I would like to be able to tunnel web traffic over the
> ssh connection for security when using open networks. I think I know how to
> do this. Normally I pick a random port for a socks proxy in firefox like
> port 8080. The command I use is
> 
> ssh -D 8080 -p 5151 user@ip_of_ssh_server
> 
> This does work. I can set up a socks proxy in firefox and as far as I can
> tell my web traffic is tunneled. However, there are times when I would
> prefer not to have traffic on a random port as that might alert the network
> police. A bunch of traffic on port 8080, for example, might look out of
> place. It seems to me it would be possible to use port 443 for the tunnel
> and that would then cause all web traffic to look as if it's just normal
> encrypted SSL traffic - or at least that is how I understand it. To do this
> I just change the command to
> 
> ssh -D 443 -p 5151 user@ip_of_ssh_server
> 
> As root of course for ports under 1024. This too seems to work. Going to a
> "what's my IP" type site tells me my IP is my ssh server IP and not the IP
> of the network I'm actually on.
> 
> What I'm wondering is if it's actually doing what I think it's doing.
> Everything I read talks about having the ssh server listen on port 443
> rather than forwarding that port but when I tried that nothing worked (i.e.
> connection just timed out and didn't connect). Does it matter what port the
> ssh server listens on (assuming you don't use a port that is used for
> something else)? Under what scenario would you want to have the ssh server
> listen on port 443? The only thing I can think of is if your work or
> whatever blocks all ports but 80 and 443 and there is no way to ssh out on a
> random port like 5151. Is that accurate?
> 
> Additionally, some people suggest using a command like
> 
> ssh user@IP -L 8080:localhost:80
> 
> Or something similar. I find this syntax much more confusing than a simple
> -D switch. Is there a solution for setting up a socks proxy that uses the -L
> (or -R) options or is this a different use? Is there any reason that would
> be better than the way I'm doing it above (i.e. ssh -D 443 -p 5151
> user@ip_of_ssh_server)?
> 
> Hope that makes sense to someone. Thanks in advance for any help.
> 
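
Added example (not part of the original thread): a small Python helper that splits the ssh commands quoted above into the connection the network carries and the listeners opened on the client. It shows that -D and -L only choose a client-side port, while the SSH connection itself goes to the -p port (22 if omitted). The address 192.0.2.10 is a constructed placeholder, describe() is a hypothetical name, and bracketed IPv6 bind addresses are not handled.

```python
import shlex

def describe(cmd):
    """Split an ssh client command into the on-wire flow and its local listeners."""
    args = shlex.split(cmd)[1:]              # drop the leading "ssh"
    host, port, listeners = None, 22, []     # 22 is the default server port
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-p", "-D", "-L"):
            val = args[i + 1]
            i += 2
            if a == "-p":
                port = int(val)              # port the SSH connection itself goes to
            elif a == "-D":
                # [bind_address:]port -> SOCKS listener on the client machine
                bind, _, lport = val.rpartition(":")
                listeners.append(("socks", bind or "localhost", int(lport), None))
            else:
                # [bind_address:]port:host:hostport -> one fixed destination
                parts = val.split(":")
                bind = parts[0] if len(parts) == 4 else "localhost"
                lport, dhost, dport = parts[-3:]
                listeners.append(("fixed", bind, int(lport), f"{dhost}:{dport}"))
        elif a.startswith("-"):
            i += 1                           # value-less flags such as -X or -N
        else:
            host = a.split("@")[-1]          # user@host -> host
            i += 1
    return {"wire": (host, port), "listeners": listeners}

# Constructed samples: the thread's commands with a placeholder server address.
SAMPLES = [
    "ssh -D 8080 -p 5151 user@192.0.2.10",
    "ssh -D 443 -p 5151 user@192.0.2.10",
    "ssh user@192.0.2.10 -L 8080:localhost:80",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        d = describe(cmd)
        print(cmd)
        print("  network sees SSH to %s port %d" % d["wire"])
        for kind, bind, lport, dest in d["listeners"]:
            print("  client listens on %s:%d (%s%s)" % (bind, lport, kind, " -> " + dest if dest else ""))
```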



