Using an encrypted SSH session as a way to tunnel your communications has several advantages: (1) system administrators on the network you are using cannot spy on your activities, (2) you will not become a victim just for using an unencrypted wireless access point, and (3) you can bypass website and service blocks. I won’t cover how to set up an SSH server here though. *nix and BSD users already have sshd and man sshd_config to help them, while Microsoft Windows users have a plethora of articles on the subject.
What concerns me, then, is how to get ssh going automatically, possibly on the startup of your computer, so you have a tunnel ready to use when you need it. I won’t be using the ever popular PuTTY telnet/SSH client though; *nix’s SSH client is far more customizable and it’s available for Windows too. You can get ssh by installing Cygwin (a large package) or just OpenSSH for Windows.
Before we begin, we need to get rid of the interactive password prompt. The "automated" part of this wouldn’t work if SSH had to bother you for a password. We can use SSH’s authorized keys system to fix this. Create a private/public key pair that you will use to log in with, through PuTTY’s PuTTYgen (you can do it with SSH too, but you’re on your own). Export the private and public keys to files (for OpenSSH you need PuTTYgen’s OpenSSH export format, not its native .ppk format). Install the public key onto your server, making sure to send the key over a secure channel (e.g. on a physical floppy disk).
Now we have to build the command line that runs SSH on the client computer. We’ll start with the command that starts SSH and logs in with our private key. The -v switch shows level 1 debugging messages. The -i switch tells SSH which private key to use to log in (mykey_dsa in this case).
> ssh -v -i mykey_dsa user@example.com
Upon running that, SSH should connect to your SSH server and log in automatically. If you did it right, you should not get an interactive prompt asking for a password. If everything is working, let’s continue. Let’s add a dynamic SOCKS4 tunnel that you can use to proxy just about everything on your computer.
> ssh -v -Dlocalhost:6000 -i mykey_dsa user@example.com
The -D switch defines a dynamic SOCKS tunnel. Note the lack of a space between the -D and its argument. The first part of the argument is the address to bind to, while the second is the port you will use. The bind address should be localhost in order to lock this tunnel to just your computer. That single dynamic forward is probably all the port forwarding you need. A SOCKS proxy works with many applications, such as Firefox. When setting up your proxy settings, make sure the SSH session is running, and set the proxy host to localhost and the port to the port that you chose (6000 in the example).
We’re not done yet though. What if the SSH connection dies while it is idle? You will have to tell SSH to enable keep-alives so that it checks whether it is still connected to the server. To do this, we add a few SSH configuration options to the command line.
> ssh -v -Dlocalhost:6000 -o TCPKeepAlive=no -o ServerAliveInterval=15 -o ServerAliveCountMax=2 -i mykey_dsa user@example.com
TCPKeepAlive sends TCP packets outside of the encrypted SSH session, leaving the opportunity for a malicious user to falsify a TCP keep-alive packet. We don’t need to use this. However, ServerAliveInterval and ServerAliveCountMax are interesting to us. ServerAliveInterval is the interval at which SSH sends an SSH keep-alive message through the encrypted SSH session. ServerAliveCountMax is the maximum number of times that an encrypted server keep-alive message may go unanswered before SSH considers the connection broken. If ServerAliveInterval is 15 seconds and ServerAliveCountMax is 2, SSH will wait up to thirty seconds to realize that the connection is no longer established. This is sufficient.
Now, let’s add two more settings. The switch -N disables the interactive session once logged in. This way, your tunnel will work but you won’t be able to access a shell without logging in from another window. Lastly, we will add ExitOnForwardFailure to force SSH to quit if it cannot set up a port forward.
> ssh -Nv -Dlocalhost:6000 -o TCPKeepAlive=no -o ServerAliveInterval=15 -o ServerAliveCountMax=2 -o ExitOnForwardFailure=yes -i mykey_dsa user@example.com
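The same finished command line can be kept in an ssh_config Host stanza so the daily invocation shrinks to ssh -Nv tunnel and the options cannot be mistyped. The script below is an added example, not code from the original post; the alias "tunnel", the key path ~/.ssh/mykey_dsa and the install function are assumptions, and the user/host are the post’s placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the finished command line
# expressed as an ssh_config Host stanza. Assumed names: alias "tunnel",
# key stored at ~/.ssh/mykey_dsa.

# Print the Host stanza equivalent to:
#   ssh -Nv -Dlocalhost:6000 -o TCPKeepAlive=no -o ServerAliveInterval=15 \
#       -o ServerAliveCountMax=2 -o ExitOnForwardFailure=yes -i mykey_dsa user@example.com
# -N and -v have no config keyword in older OpenSSH, so they stay on the command line.
tunnel_host_block() {
    cat <<'EOF'
Host tunnel
    HostName example.com
    User user
    IdentityFile ~/.ssh/mykey_dsa
    IdentitiesOnly yes
    DynamicForward localhost:6000
    TCPKeepAlive no
    ServerAliveInterval 15
    ServerAliveCountMax 2
    ExitOnForwardFailure yes
EOF
}

# Append the stanza to an ssh config file (default ~/.ssh/config) unless an
# alias "tunnel" is already defined there; keep the file owner-readable only.
install_tunnel_host_block() {
    cfg="${1:-$HOME/.ssh/config}"
    mkdir -p "$(dirname "$cfg")"
    if [ -f "$cfg" ] && grep -q '^Host tunnel$' "$cfg"; then
        echo "Host tunnel already present in $cfg" >&2
        return 1
    fi
    # umask in a subshell so it does not leak into the caller's shell
    (umask 077; tunnel_host_block >> "$cfg")
    chmod 600 "$cfg"
}
```

After installing the stanza, ssh -G tunnel prints the effective option values so you can confirm DynamicForward, ServerAliveInterval and ExitOnForwardFailure were picked up; IdentitiesOnly stops the client offering every key in ~/.ssh before the one you named.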
Great! We’ve finished the command line. Now, all we need is the .bat batch script that will restart SSH if it dies (connection error, port forwarding failure, etc.). An example batch script is below.
@echo off
REM The label must be on its own line; cmd ignores anything after a label
:RUN
echo Connecting...
ssh -Nv -Dlocalhost:6000 -o TCPKeepAlive=no -o ServerAliveInterval=15 -o ServerAliveCountMax=2 -o ExitOnForwardFailure=yes -i mykey_dsa user@example.com
echo Restarting in 10 seconds...
REM timeout ships with Windows Vista and later; SLEEP 10 also works if sleep.exe from the Resource Kit is installed
timeout /t 10 /nobreak >nul
GOTO RUN
SSH will restart after 10 seconds automatically.
Now, just start the batch script whenever you want to have your tunnel ready. Remember to encrypt your keys (e.g. with Microsoft Windows’ built-in encryption) so no malicious attacker can log in to your SSH server at will. In addition, you may want to block everything but tunneling on your SSH server.
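Blocking everything but tunneling can be done on the server with key options in authorized_keys and a Match block in sshd_config. The script below is an added example, not code from the original post: the public key string in the test is a constructed placeholder, the account name "tunneluser" is an assumption, and the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): server-side restrictions so a
# key can open the SOCKS tunnel and nothing else. Assumed account name:
# "tunneluser". Public keys passed in are whatever the client exported.

# Emit an authorized_keys line for a tunnel-only key. "restrict" turns off
# pty allocation, agent/X11 forwarding, user-rc and port forwarding; the
# "port-forwarding" option then re-enables only TCP forwarding, which is all
# an "ssh -N -D" session needs. Input must be a bare "type data [comment]" line.
tunnel_only_key_line() {
    pub="$1"
    set -- $pub
    case "$1" in
        # ssh-dss matches the post's DSA key; modern OpenSSH disables it by default
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-dss) ;;
        *) echo "unrecognised key type: $1" >&2; return 1 ;;
    esac
    [ -n "$2" ] || { echo "missing key data" >&2; return 1; }
    printf 'restrict,port-forwarding %s\n' "$pub"
}

# Emit an sshd_config Match block that enforces the same limits for the
# tunnel account regardless of what authorized_keys says. ForceCommand
# /bin/false means a session (anything without -N) ends immediately.
tunnel_user_match_block() {
    cat <<EOF
Match User $1
    AllowTcpForwarding yes
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
    PermitTunnel no
    ForceCommand /bin/false
EOF
}
```

Append the Match block at the end of sshd_config (Match blocks run to the next Match or end of file) and run sshd -t before restarting the daemon; the client must keep using -N, since with ForceCommand /bin/false any session channel is closed at once.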