This document describes how to encrypt ftp or pop3 password information with ssh (ssh-win by Cedomir Igaly).
ftp://ftp.hh.schule.de/pub/win3/tcpip/ssh/ssh-port-forwarding.txt

Document version 1.3, Oliver Gerschewski, 09.01.00
As I switched to Tera Term with the ssh plugin, this is the final version.
Reuse of this document is encouraged!

1. Intro
2.1 ssh-win settings
2.2 WS_FTP settings
2.3 What's happening
3.1 Netscape Mail
3.2 Eudora (Light)
3.2.1 Eudora and Windows NT

1. Intro

ssh is capable of encrypting the communication of other protocols. Ftp, pop3 and X11 are just some examples that work. This can be done not only with unix-type clients but also with the free Windows version of the client.

In our environment people use ftp most often, so we wanted to encrypt the username and password information when using ftp without having our users change their ftp client. (Afaik there is no ssh ftp client available yet, neither commercial nor free. I don't even know whether the ssh protocol allows an ftp connection without a prior ssh connection.)

So here is a brief description of how to secure WS_FTP (by John A. Junod). This should work with any ftp client that can use an alternate ftp port and can do PASV transfers (of course your ftp server has to support PASV mode too; wu-ftpd works fine).

2.1 ssh-win settings

As I'm using win3, the following describes the 16-bit version of ssh-win; the 32-bit version seems very similar, some dialogs are slightly changed.

When starting the ssh client it pops up an options window, which can be seen in ssh.gif. After filling in the host and username fields you click the "Local Forwards" button. You then get a new window with three fields to fill out:

Local Port : a port number above 1023 that no other local daemon is using (I prefer 4711 :-)
Host : the remote ftp host name (preferably the same server where the ssh daemon runs). You are limited to 14 characters, so you might have to enter the IP address instead of the host name.
Remote Port: 21

The current version (1.98) is now able to save these settings, so click the save button. A saved local forward causes trouble when you open a second connection to the same host, since the second session would try to bind the same local port. If you want another connection, make another profile for the same host without the local forward.

Now make your ssh connection as usual (you have to connect over ssh before using the ftp connection, because the local port only exists while the ssh session is open). That's all there is to do with the ssh client.

2.2 WS_FTP settings

Next is WS_FTP. Start the program and create a new profile; name it whatever you like. Now fill in the other fields:

Hostname: localhost (works with Trumpet Winsock; when using Novell TCP/IP, localhost won't work, enter 127.0.0.1 instead)
Username: your remote username
Password: I leave this blank, so WS_FTP always asks me for my password on the remote machine

Now click the "Advanced..." button and fill in the "Remote Port" field: 4711 (or whatever local port you entered above). Check the "Passive Transfer" option box. Click "OK" and save your entry.

Now you are ready to open an ftp session in which your username and password are encrypted by the ssh client. If you like, I'll try to explain it to the best of my knowledge...

2.3 What's happening

The ftp client connects to port 4711 on your local machine. This port is redirected by the ssh client to the remote machine you entered above. As I said, the data is encrypted, so it cannot be handed directly to the remote ftp port. Instead it is handed to the remote ssh daemon (usually on port 22), which decrypts it and then _locally_ hands it to the ftp port (21).

Even if you don't connect to an ftp server on the same host as the ssh daemon, using ssh to encrypt your user information can be an advantage: imagine you trust your local PC and you trust your remote network, but you don't trust the net that connects the two. Using ssh, your data goes encrypted through the untrusted net and is forwarded decrypted within your remote network (the hop from the ssh daemon to the ftp server is plain text, so it should stay inside the network you trust).

After successfully logging in, data is transferred over separate connections.
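To make the redirection described in 2.3 concrete, here is an added example in Python (not part of the original document and not ssh-win code): a plain-text stand-in for the client side of a local forward, talking to a constructed stand-in ftp daemon on the loopback interface. It relays the control connection the way the ssh client does, minus the encryption and the hop through the ssh daemon, and parses the server's PASV reply to show that the data connection is aimed at the server's own address and a fresh port, not at the forwarded port, which is why the data connections discussed in the next paragraph bypass the tunnel. The account name, password, addresses and the data port 40001 are assumptions made for the demo.

```python
"""Added example, not code from the original document or from ssh-win.

A minimal plain-text model of an ssh 'Local Forward': a listener on
127.0.0.1 relays each incoming connection to remote_host:remote_port.
Real ssh encrypts that hop and lets sshd make the final connection to
port 21; what the ftp client sees at socket level is the same.
The ftp server below is a constructed stand-in so the demo runs offline.
"""
import re
import socket
import threading

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

DEMO_DATA_PORT = 40001   # assumed data port advertised by the stand-in server


def parse_pasv(reply):
    """Return the (host, port) the client would open the data connection to."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    n = [int(x) for x in m.groups()]
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then pass the EOF on."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_local_forward(local_port, remote_host, remote_port):
    """Listen on 127.0.0.1:local_port (0 = any free port) and relay every
    connection to remote_host:remote_port. Binding to the loopback address
    matters: other machines must not be able to use your tunnel."""
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", local_port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:          # listener closed: forward torn down
                return
            upstream = socket.create_connection((remote_host, remote_port))
            threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


def fake_ftp_server():
    """Constructed stand-in for the remote ftp daemon: answers one minimal
    USER/PASS/PASV/QUIT dialogue on a free loopback port and returns that port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    host, port = srv.getsockname()

    def serve():
        conn, _ = srv.accept()
        srv.close()                  # one session is enough for the demo
        try:
            with conn, conn.makefile("rb") as lines:
                conn.sendall(b"220 stand-in ftp server ready\r\n")
                while True:
                    cmd = lines.readline().decode("ascii", "replace").strip().upper()
                    if cmd.startswith("USER"):
                        conn.sendall(b"331 Password required\r\n")
                    elif cmd.startswith("PASS"):
                        conn.sendall(b"230 User logged in\r\n")
                    elif cmd == "PASV":
                        # The server names ITS OWN address and a fresh port;
                        # the client connects there directly, outside the forward.
                        octets = host.replace(".", ",").encode("ascii")
                        conn.sendall(b"227 Entering Passive Mode (%s,%d,%d)\r\n"
                                     % (octets, DEMO_DATA_PORT // 256, DEMO_DATA_PORT % 256))
                    else:                # QUIT, EOF or anything unknown ends the session
                        conn.sendall(b"221 Goodbye\r\n")
                        break
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def run_demo():
    """Log in through the forward (as WS_FTP would) and report what the client saw."""
    server_port = fake_ftp_server()
    listener = start_local_forward(0, "127.0.0.1", server_port)
    local_port = listener.getsockname()[1]
    ctl = socket.create_connection(("127.0.0.1", local_port))
    lines = ctl.makefile("rb")

    def ask(cmd):
        ctl.sendall(cmd.encode("ascii") + b"\r\n")
        return lines.readline().decode("ascii").rstrip("\r\n")

    banner = lines.readline().decode("ascii").rstrip("\r\n")
    ask("USER alice")                  # assumed account; sent through the forward
    login = ask("PASS s3cret")         # assumed password; also through the forward
    data_host, data_port = parse_pasv(ask("PASV"))
    ask("QUIT")
    lines.close()
    ctl.close()
    listener.close()
    return {
        "banner": banner,
        "login": login,
        "data_endpoint": (data_host, data_port),
        # True only if the data connection would also hit the forwarded port.
        "data_via_forward": (data_host, data_port) == ("127.0.0.1", local_port),
    }


if __name__ == "__main__":
    print(run_demo())
```

Run it and `data_via_forward` comes back False: the login dialogue went through the listener on 127.0.0.1, but the PASV reply points the client at the server's address and port 40001, which no forward covers. With a real ssh forward the server's address would be the remote machine's, and the data connection would cross the untrusted net in the clear exactly as the next paragraph warns.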
As the ports for the data connections are opened randomly, it is not possible to redirect them, so file contents and directory listings are transferred unencrypted; only the control connection, on which USER and PASS are sent, goes through the tunnel. Always keep this in mind, e.g. when transferring ~/.ssh/identity or other secret information: the file itself crosses the untrusted net in the clear. (I don't know whether the username is echoed locally or by the ftp server; if it were, it would be visible to a packet sniffer. I have to try it...)

3.1 Netscape Mail

In the way described above it is also possible to secure pop3 connections. Netscape Mail is an example of a pop3 client that can connect to a non-standard port. Just enter a second "Local Forward" within the ssh client (ssh-win seems to become "unstable" when entering a second redirect: sometimes it works, sometimes it crashes ssh-win...):

Local Port : 4712
Host : your pop3 server
Remote Port: 110

Within Netscape Mail click "Options - Mail and News Preferences - Servers". In "Incoming Mail (POP3) Server" enter: localhost:4712. The next connection will be over ssh.

3.2 Eudora (Light)

Eudora (Light) is harder to convince. I have been told that you can add "POPPort=4711" and "SMTPPort=4712" to the [Settings] section of eudora.ini, but Eudora ignores these settings.

One way out is to change your "services" file. Depending on your TCP/IP stack this might be \windows\services (MS TCP/IP), \trumpet\services (Trumpet Winsock) or something like \network\etc\services (Novell IP). This file usually contains a line like this:

pop3 110/tcp postoffice

Change the port to the local port of your pop3 forward in ssh-win (4712 with the forwards above; it must not be the port you already use for the ftp forward):

pop3 4712/tcp postoffice

This change affects every other program that reads its port information from the services file, so keep this in mind.

The second thing to change is the "POP account" within Eudora. Select "Tools -> Options -> Personal Info" and change the POP Account to yourname@localhost. If you made the appropriate entries within ssh-win, your next mail poll is encrypted. Eudora reads the services file at startup, so you might have to restart it.

3.2.1 Eudora and Windows NT

Create a local forward within ssh as described above.
Then set the pop3 port in c:\winnt\system32\drivers\etc\services to the _same_ port as in the forward, and edit eudora.ini so that POP3Port= has that same number.

Pegasus Mail: I haven't found a way...

That's it. Use the above information at your own risk.

Oliver Gerschewski - gersch@hh.schule.de

Thanks to Stefan Weber (Uni Freiburg) and SOMOGYI Péter.