Or “Where Are We Going, and Why Am I in This Handbasket?”

“Behold the beast, for which I have turned back;

Do thou protect me from her, famous Sage,

For she doth make my veins and pulses tremble.”

“Thee it behoves to take another road,”

Responded he, when he beheld me weeping,

“If from this savage place thou wouldst escape;

Because this beast, at which thou criest out,

Suffers not any one to pass her way,

But so doth harass him, that she destroys him …”

—Dante’s Inferno, Canto I, as Dante meets Virgil (trans. Henry Wadsworth Longfellow)

Privacy: “Where Is My Traffic Going?”

Primary questions for privacy of communications include the following:

Privacy of communications is the bedrock of any secure tunnel design; in a sense, if you don’t know who is participating in the tunnel, you don’t know where you’re going or whether you’ve even gotten there. Some of the hardest problems in tunnel design involve achieving large scale n-to-n level security, and it turns out that unless a system is almost completely trusted as a private solution, no other trait will convince people to actually use it.

Routability: “Where Can This Go Through?”

Primary questions for facing routability concepts are:

The tunneling analogy is quite apropos for this trait, for sometimes you’re tunneling through the network equivalent of soft soil, and sometimes you’re trying to bore straight through the side of a mountain. Routability is a concept that normally refers to whether a path can be found at all; in this case, it refers to whether a data path can be established that does not violate any restrictions on types of traffic allowed. For example, many firewalls allow Web traffic and little else. It is a point of some humor in the networking world that the vast permeability of firewalls to HTTP traffic has led to all traffic eventually getting encapsulated into the capabilities allowed for the protocol.

Routability is divided into two separate but highly related concepts: First, the capability of the tunnel to exploit the permeability of a given network (as in, a set of paths from source to destination and back again) to a specific form of traffic, and to encapsulate traffic within that form regardless of its actual nature. Second, and very important for long-term availability of the tunneling solution in possibly hostile networks, is the capability of that encapsulated traffic to exploit the masking noise of similar but nontunneled data flows surrounding it.

For example, consider the difference between encapsulating traffic within HTTP and HTTPS, which is nothing more than HTTP wrapped in SSL. While most networks will pass through both types of traffic, on the basis of the large amount of legitimate traffic both streams may contain, illegitimate unencrypted HTTP traffic stands out—the tunnel, if you will, is transparent and open for investigation. By contrast, the HTTPS tunnel doesn’t even need to really run HTTP—because SSL renders the tunnel quite opaque to an inquisitive administrator, anything can be moving over it, and there’s no way to know someone isn’t just checking their bank statement.

Or is there? If nothing else, HTTP is not a protocol that generally has traffic in keystroke-like bursts. It is a stateless, quick, and short request driven protocol with much higher download rates than uploads. Traffic analysis can render even an encryption-shielded tunnel vulnerable to some degree of awareness of what’s going on. During periods of wartime, simply knowing who is talking to who can often lead to a great deal of knowledge about what moves the enemy will make—many calls in a short period of time to an ammunition depot very likely means ammo supplies are running dry.

The connection to routability, of course, is that a connection discovered to be undesirable can quickly be made unroutable pending an investigation. Traffic analysis can significantly contribute to such determinations, but it is not all powerful. Networks with large amounts of unclassifiable traffic provide the perfect cover for any sort of tunneling system; there is no need to be excessively covert when there’s someone, somewhere, legitimately doing exactly what you’re doing.

Deployability: “How Painful Is This to Get Up and Running?”

Primary questions involving deployment and installation include the following:

Software installation stinks. It does. The code has to be retrieved from somewhere—and there’s always a risk such code might be exchanged for a Trojan—it has to be run on a computer that was probably working just fine before, it might break a production system, and so on. There is always a cost; luckily, there’s often a benefit to offset it. Tunnels add connectivity, which can very well be the difference between a system being useful/profitable and a system not being worth the electricity needed to keep it running. Still, there is a question of who bears the cost… .

Client upgrades can have the advantage that they’re highly localized in exactly the right place: those who most need additional capabilities are often most motivated to upgrade their software, whereas server-level upgrades require those most detached from users need to do work that only benefits others. (The fact that upgrading stable servers is generally a good way to fix something that wasn’t broken for the vast majority of users can’t be ignored either.)

Other tunneling solutions take advantage of software already deployed on the client side and provide server support for them. This usually empowers an even greater set of clients to take advantage of new tunneling capabilities, and provides the opportunity for administrators to significantly increase security by using only a few simple configurations—like, for example, automatically redirecting all HTTP traffic through a HTTPS gateway, or forcing all wireless clients to tunnel in through the PPTP implementation that shipped standard in their operating system.

Generally, the most powerful but least convenient tunneling solutions require special software installation on both the client and server side. It should be emphasized that the operative word here is special—truly elegant solutions use what’s available to achieve the impossible, but sometimes it’s just not feasible to achieve certain results without spreading the “cost” of the tunnel across both the client and the server.

The obvious corollary is that the most convenient but least powerful systems require no software installation on either side—this happens most often when default systems installed on both sides for one purpose are suddenly found to be co-optable for completely different ones. By breaking past the perception of fixed functions for fixed applications, we can achieve results that can be surprising indeed.

Flexibility: “What Can We Use This for, Anyway?”

Primary questions in ensuring flexible usage are

“Sometimes you’re the windshield, sometimes you’re the bug.” In this case, sometimes you’ve got the Chunnel, but other times you’ve got a rickety rope bridge. Not all tunneling solutions carry identical traffic.

Many solutions, both hand-rolled and reasonably professionally done, simply encapsulate a bitstream in a crypto layer. TCP, being a system for reliably exchanging streams of data from one host to another, is accessed by software by the structure known as sockets. One gets the feeling that SSL, the Secure Sockets Layer, was originally intended to be a drop-in replacement for standard sockets, but various incompatibilities prevented this from being possible. (One also gets the feeling there will eventually be an SSL “function interposer,” that is, a system that will automatically convert all socket calls to Secure Socket calls.)

Although its best performance comes when forwarding TCP sessions, SSH is built to forward a wide range of traffic, from TCP to shell commands to X applications, in a generic but extraordinarily flexible manner. This flexibility makes it the weapon of choice for all sorts of tunneling solutions, but it can come at a cost.

To wit: Highly flexible tunneling solutions can suffer from the problem of “excess capacity”—in other words, if a tunnel is established to serve one purpose, could either side exploit the connection to achieve greater access than it’s trusted for?

X-Windows on the UNIX platform is a moderately hairy but reasonably usable architecture for graphical applications to display themselves within, and one of its big selling points is its network transparency: A given window doesn’t necessarily need to be displayed on the computer that’s running it. The idea was that slow and inexpensive hardware could be deployed all over the place for users, but each of the applications running on them would “seem” fast because they were really running on a very fast and expensive server sitting in the back room. (Business types like this, because it’s much easier to get higher profit margins on large servers than small desktops. This specific “carousel revolution” was most recently repeated with the Web, Java/network computers, and of course, .NET, to various degrees of success.)

One of the bigger problems with stock X-Windows is that the encryption is non-existent, and, worse than being non-existent, authentication is both difficult to use and not very secure (in the end, it’s a simple “Ability To Respond” check). Tatu Ylonen, in his development of the excellent Secure Shell (SSH) package for highly flexible secure networking, included a very elegant implementation of X-Forwarding. Tunneling all X traffic over a virtual display tunneled over SSH, a complex and ultimately useless procedure of managing DISPLAY variables and xhost/xauth arguments was replaced with simply typing ssh user@host and running an X application from the shell that came up. Security is nice, but let’s be blunt: Unlike before, it just worked!

The solution was and still is quite brilliant; it ranks as one of the better examples of the most obvious but often impossible to follow laws of upgrade design: “Don’t make it worse.” Even some of the best of security or tunneling solutions can be somewhat awkward to use—at a minimum, they require an extra step, a slight hesitation, perhaps a noticeable processing hit or reduced networking performance (in terms of either latency or bandwidth). This is part of the usually unavoidable exchange between security and liberty that extends quite a bit outside the realm of computer security. Even simply locking the door to your home obligates you to remember your keys, delays entry into your own home, and imposes a inordinately large cost should keys be forgotten (like, for example, the ever-compounding cost of leaving your keys in the possession of a friend or administrator, and what may indeed become an emergency call to that person to regain access to one’s own property). And of course, in the end a simple locked door is only a minor deterrent to a determined burglar! Overall, difficult to use and not too effective—this is a story we’ve heard before.

There was a problem, though, an instructive one at that: X Windows is a system that connects programs running in one place to displays running anywhere. To do so, it required the capability to channel images to the display and receive mouse motions and keystrokes in return.

And what if the server was compromised?

Suddenly, that capability to monitor keystrokes could be subverted for a completely different purpose—monitoring activity on the remote client. Type a password? Captured. Write a letter? Captured. And, of course, this sensitive information would tunnel quite nicely through the very elegantly encrypted and authenticated connection. Oh. The security of a tunnel can never be higher than that of the two endpoints.

The eventual solution was to disable X-Forwarding by default. ssh -X user@host in OpenSSH will now enable it, provided the server was willing to support it as well. (No, this isn’t a complete solution—a compromised server can still abuse the client if it really needs to forward X traffic—but at some level the problem becomes inherent to X itself, and with most SSH sessions having nothing to do with X, most sessions could be made secure simply by disabling the feature by default. Moving X traffic over VNC is a much more secure solution, and in many slower network topologies is faster, easier to set up, and much more stable—check www.tightvnc.org for details.)

In summary, the problem illustrated is simple: Flexibility can sometimes come back to bite you; the less you trust your endpoints, the more you must lock down the capabilities of your tunneling solutions.

Quality: “How Painful Will This System Be to Maintain?”

Primary questions to face regarding systems quality include

There are some things you’d think were obvious; some basic concepts so plainly true that nobody would ever assume otherwise. One of the most inherent of these regards usability: If a system is unusable, nobody is going to use it. You’d think that whole “not able to be used” thing might be a tip-off, but it really isn’t. Too many systems are out there that, by dint of their extraordinary complexity, cannot be upgraded, hacked upon, played with, specialized to the needs of a given site, or whatnot because all energy is being put towards making them work at all. Such systems suffer even in the realm of security, for those who are too afraid they’ll break something are loathe to fix anything. (Many, many servers remain unpatched against basic security holes on the simple logic that a malicious attack might be a possibility but a broken patch is guaranteed.) So a real question for any tunnel system is whether it can be reasonably built and maintained by those using it, and whether it is so precariously configured that any necessary modifications run the risk of causing production downtime.

Less important in some cases but occasionally the defining factor, particularly on server-side aggregators of many cryptographic tunnels, is the issue of speed. All designs have their performance requirements; no solution can efficiently meet all possible needs. When designing your tunneling systems, you need to make sure they have the necessary carrying capacity for your load.

 Create a valid path from client to server.

 Independently authenticate and encrypt over this new valid path.

 Forward services over this independent link.

Drilling Tunnels Using SSH

So we’re left with a bewildering set of constraints on our behavior, with little more than a sense that an encapsulating approach might be a method of going about satisfying our requirements. What to use? IPSec, for all its hype, is so extraordinarily difficult to configure correctly that even Bruce Schneier, practically the patron saint of computer security and author of Applied Cryptography, was compelled to state “Even though the protocol is a disappointment—our primary complaint is with its complexity—it is the best IP security protocol available at the moment.” (My words on the subject were something along the lines of “I’d rather stick red-hot kitchen utensils in my eyes than administer an IPSec network,” but that’s just me.)

SSL is nice, and well trusted—and there’s even a nonmiserable command-line implementation called Stunnel (www.stunnel.org) with a decent amount of functionality—but the protocol itself is limited and doesn’t facilitate many of the more interesting tunneling systems imaginable. SSL is encrypted TCP—in the end, little more than a secure bitstream with a nice authentication system. But SSL extends only to the next upstream host and becomes progressively unwieldy the more you try to encapsulate within. Furthermore, standard SSL implementations fail to be perfectly forward-secure, essentially meaning that a key compromise in the future will expose data sent today. This is unnecessary and honestly embarrassing.

We need something more powerful, yet still trusted. We need OpenSSH.

Basic Access: Authentication by Password

“In the beginning, there was the command line.” The core encapsulation of SSH is and will always be the command line of a remote machine. The syntax is simple:

dan@OTHERSH0E -

# ssh user@host

$ ssh claneiO.0.1.11

[email protected]’s password:

FreeBSD 4.3-RELEASE (CURRENT-12-2-01) #1: Mon Dec 3 13:44:59 GMT 2001$

Throw on a –X option, and if an X-Windows application is executed, it will automatically tunnel. SSH’s password handling is interesting—no matter where in the chain of commands ssh is, if a password is required, ssh will almost always manage to query for it. This isn’t trivial, but is quite useful.

However, passwords have their issues—primarily, if a user’s password is shared between hosts A and B, host A can spoof being the user to host B, and vice versa. Chapter 12 goes into significantly more detail about the weaknesses of passwords, and thus SSH supports a more advanced mechanism for authenticating the client to the server.

Transparent Access: Authentication by Private Key

Asymmetric key systems offer a powerful method of allowing one host to authenticate itself to many—much like many people can recognize a face but not copy its effect on other people, many hosts can recognize the private key referenced by their public component, but not copy the private component itself. So SSH generates private components—one for the SSH1 protocol, another for SSH2—which hosts all over may recognize.

Local Port Forwards

A local port forward is essentially a request for SSH to listen on one client TCP port (UDP is not supported, for good reason but greater annoyance), and should any traffic come to it, to pipe it through the SSH connection into some specified machine visible from the server. Such local traffic could be sent to the external IP address of the machine, but for convenience purposes “127.0.0.1” and usually “localhost” refer to “this host”, no matter the external IP address.

The syntax for a Local Port Forward is pretty simple:

ssh –L listening_port:destination_host:destination_port

user@forwarding_host

Let’s walk through the effects of starting up a port forward, using IRC as an example.

This is the port we want to access from within another network—very useful when IRC doesn’t work from behind your firewall due to identd. This is the raw traffic that arrives when the port is connected to:

effugas@OTHERSH0E –

$ telnet newyork.ny.us.undernet.org 6667

Trying 66.100.191.2…

Connected to newyork.ny.us.undernet.org.

Escape character is ‘^]’.

NOTICE AUTH :*** Looking up your hostname

NOTICE AUTH :*** Found your hostname, cached

NOTICE AUTH :*** Checking Ident

We connect to a remote server and tell our SSH client to listen for localhost IRC connection attempts. If any are received, they are to be sent to what the remote host sees as newyork.ny.us.undernet.org, port 6667.

effugas@OTHERSH0E –

$ ssh [email protected] –L6667:newyork.ny.us.undernet.org:6667

Password:

Last login: Mon Jan 14 06:22:19 2002 from some.net on pts/0

Linux libertiee.net 2.4.17 #2 Mon Dec 31 21:28:05 PST 2001 i686 unknown

Last login: Mon Jan 14 06:23:45 2002 from some.net

1ibertiee:–>

Let’s see if the forwarding worked—do we get the same output from localhost that we used to be getting from a direct connection? Better—identd is timing out, so we’ll actually be able to talk on IRC.

effugas@OTHERSHOE –

$ telnet 127.0.0.1 6667

Trying 127.0.0.1…

Connected to 127.0.0.1.

Escape character is ‘^]’.

NOTICE AUTH :*** Looking up your hostname

NOTICE AUTH :*** Found your hostname, cached

NOTICE AUTH :*** Checking Ident

NOTICE AUTH :*** No ident response

Establishing a port forward is not enough; we must configure our systems to actually use the forwards we’ve created. This means going through localhost instead of direct to the final destination. The first method is to simply inform the app of the new address—quite doable when addressing is done “live,” that is, is not stored in configuration files:

$ irc Effugas 127.0.0.1

*** Connecting to port 6667 of server 127.0.0.1

*** Looking up your hostname

*** Found your hostname, cached

*** Checking Ident

*** No ident response

*** Welcome to the Internet Relay Network Effugas (from newyork.ny.us.undernet.org)

More difficult is when configurations are down a long tree of menus that are annoying to modify each time a simple server change is desired. For these cases, we actually need to remap the name—instead of the name newyork.ny.us.undernet.org returning its actual IP address to the application; it needs to instead return 127.0.0.1. For this, we modify the hosts file. This file is almost always checked before a DNS lookup is issued, and allows a user to manually map names to IP addressed. The syntax is trivial:

bash−2.05a$ tail –nl /etc/hosts

10.0.1.44 alephdox

Instead of sending IRC to 127.0.0.1 directly, we can modify the hosts file to contain the line:

effugas@OTHERSH0E /cygdr ive/c/wi ndows/system32/drivers/etc

$ tai1 –nl hosts

127.0.0.1 newyork.ny.us.undernet.org

Now, when we run IRC, we can connect to the host using the original name—and it’ll still route correctly through the port forward!

effugas@OTHERSH0E /cygdrive/c/windows/system32/drivers/etc

$ irc Timmy newyork.ny.us.undernet.org

*** Connecting to port 6667 of server newyork.ny.us.undernet.org

*** Looking up your hostname

*** Found your hostname, cached

*** Checking Ident

*** No ident response

*** Welcome to the Internet Relay Network Timmy

Note that the location of the hosts file varies by platform. Almost all UNIX systems use /etc/hosts, Win9x uses WINDOWSHOSTS;WinNT uses WINNTSYSTEM32DRIVERSETCHOSTS; and WinXP uses WINDOWSSYSTEM32DRIVERSETCHOSTS. Considering that Cygwin supports Symlinks(using Windows Shortcut files, no less!), it would probably be good for your sanity to execute something like ln –s HOSTSPATH HOSTS /etc/hosts.

Note that SSH Port Forwards aren’t really that flexible. They require destinations to be declared in advance, have a significant administrative expense, and have all sorts of limitations. Among other things, although it’s possible to forward one port for a listener and another for the sender(for example, –L16667:irc.slashnet.org:6667), you can’t address different port forwards by name, because they all end up resolving back to 127.0.0.1. You also need to know exactly what hosts need to get forwarded—attempting to browse the Web, for example, is a dangerous proposition. Besides the fact that it’s impossible to adequately deal with pages that are served off multiple addresses (each of the port 80 HTTP connections is sent to the same server), any servers that aren’t included in the hosts file will “leak” onto the outside network.

Mind you, SSL has similar weaknesses for Web traffic—it’s just that HTTPS (HTTP–over–SSL) pages are generally engineered to not spread themselves across multiple servers (indeed, it’s a violation of the spec, because the lock and the address would refer to multiple hosts).

Local forwards, however, are far from useless. They’re amazingly useful for forwarding all single–port, single–host services. SSH itself is a single–port, single–host service—and as we show a bit later, that makes all the difference.

Dynamic Port Forwards

That local port forwards are a bit unwieldy doesn’t mean that SSH can’t be used to tunnel many different types of traffic. It just means that a more elegant solution needs to be employed—and indeed, one has been found. Some examination of the SSH protocols themselves revealed that, while the listening port began awaiting connections at the beginning of the session, the client didn’t actually inform the server of the destination of a given forwarding until the connection was actually established. Furthermore, this destination information could change from TCP session to TCP session, with one listener being redirected, through the SSH tunnel, to several different endpoints. If only there was a simple way for applications to dynamically inform SSH of where they intended a given socket to point to, the client could create the appropriate forwarding on demand—enter SOCKS4… .

An ancient protocol, the SOCKS4 protocol was designed to provide the absolute simplest way for a client to inform a proxy of which server it actually intended to connect to. Proxies are little more than servers with a network connection clients wish to access; the client issues to the proxy a request for the server it really wanted to connect to, and the proxy actually issues the network request and sends the response back to the client. That’s exactly what we need for the dynamic directing of SSH port forwards—perhaps we could use a proxy control protocol like SOCKS4? Composed of but a few bytes back and forth at the beginning of a TCP session, the protocol has zero per–packet overhead, is already integrated into large numbers of pre–existing applications, and even has mature wrappers available to make any (non–suid) network–enabled application proxy–aware.

It was a perfect fit. The applications could request and the protocol could respond—all that was needed was for the client to understand. And so we built support for it into OpenSSH, with first public release in 2.9.2p2 (only the client needs to upgraded, though newer servers are much more stable when used for this purpose)—and suddenly, the poor man’s VPN was born. Starting up a dynamic forwarder is trivial; the syntax merely requires a port to listen on: ssh –Dlistening_port user@host. For example:

effugas@OTHERSH0E –/.ssh

$ ssh [email protected] –D1080

Enter passphrase for key ‘/home/effugas/,ssh/id_dsa’:

Last login: Mon Jan 14 12:08:15 2002 from localhost.localdomain

[effugas@loca1 host effugas]$

This will cause all connections to 127.0.0.1:1080 to be sent encrypted through 10.0.1.10 to any destination requested by an application. Getting applications to make these requests is a bit inelegant, but is much simpler than the contortions required for static local port forwards. We’ll provide some sample configurations now.

Remote Port Forwards

The final type of port forward that SSH supports is known as the remote port forward. Although both local and dynamic forwards effectively imported network resources—an IRC server on the outside world became mapped to localhost, or every app under the sun started talking through 127.0.0.1:1080—remote port forwards actually export connectivity available to the client onto the server it’s connected to. Syntax is as follows:

ssh –R 1istening_port:destination_host:destination_port

user@forwarding_host

It’s just the same as a local port forward, except now the listening port is on the remote machine, and the destination ports are the ones normally visible to the client.

One of the more useful services to forward, especially on the Windows platform (we talk about UNIX style forwards later) is WinVNC. WinVNC, available at www.tightvnc.com, provides a simple to configure remote desktop management interface—in other words, I see your desktop and can fix what you broke. Remote port forwarding lets you export that desktop interface outside your firewall into mine.

Do we have the VNC server running? Yup:

Dan@EFFUGAS –

$ telnet 127.0.0.1 5900

Trying 127.0.0.1…

Connected to 127.0.0.1.

Escape character is ‘^]’.

RFB 003.003

telnet> quit

Connection closed.

Connect to another machine, forwarding its port 5900 to our own port 5900.

Dan@EFFUGAS –

$ ssh –R5900:127.0.0.1:5900 [email protected]

[email protected]‘s password:

FreeBSD 4.3–RELEASE (CURRENT–12–2–01) #1: Mon Dec 3 13:44:59 GMT 2001

Test if the remote machine sees its own port 5900 just like we did when we tested our own port:

$ telnet 127.0.0.1 5900

Trying 127.0.0.1…

Connected to localhost.

Escape character is ‘^]’.

RFB 003.003

Note that remote forwards are not particularly public; other machines on 10.0.1.11’s network can’t see this port 5900. The GatewayPorts option in SSHD must be set to allow this—however, such a setting is unnecessary, as later sections of this chapter will show.

Crossing the Bridge: Accessing Proxies through ProxyCommands

It is actually a pretty rare network that doesn’t directly permit outgoing SSH connectivity; when such access isn’t available, often it is because those networks are restricting all outgoing network connectivity, forcing it to be routed through application layer proxies. This isn’t completely misguided, proxies are a much simpler method of providing back–end network access than modern NAT solutions, and for certain protocols have the added benefit of being much more amenable to caching. So proxies aren’t useless. There are many, many different proxy methodologies, but because they generally add little or nothing to the cause of outgoing connection security, the OpenSSH developers had no desire to place support for any of them directly inside of the SSH client. Implementing each of these proxying methodologies directly into SSH would be a Herculean task.

So instead of direct integration, OpenSSH added a general–purpose option known as ProxyCommand. Normally, SSH directly establishes a TCP connection to some port on a given host and negotiates an SSH protocol link with whatever daemon it finds there. ProxyCommand disables this TCP connection, instead routing the entire session through a standard I/O stream passed into and out of some arbitrary application. This application would apply whatever transformations were necessary to get the data through the proxy, and as long as the end result was a completely clean link to the SSH daemon, the software would be happy. The developers even added a minimal amount of variable completion with a %h and %p flag, corresponding to the host and port that the SSH client would be expecting, if it was actually initiating the TCP session itself. (Host authentication, of course, matches this expectation.)

A quick demo of ProxyCommand:

The most flexible ProxyCommand developed has been Shun–Ichi Goto’s connect.c. You can find this elegant little application at www.imasy.or.jp/˜gotoh/connect.c, or www.doxpara.com/tradecraft/connect.c. It supports SOCKS4 and SOCKS5 with authentication, and HTTP without:

No Habla HTTP? Permuting thy Traffic

ProxyCommand functionality depends on the capability to redirect the necessary datastream through standard input/output—essentially, what comes from the “keyboard” and is sent to the “screen” (though these concepts get abstracted). Not all systems support doing this level of communication, and one in particular—nocrew.org’s httptunnel, available at www.nocrew.org/software/httptunnel.html —is extraordinarily useful, for it allows SSH connectivity over a network that will pass genuine HTTP traffic and nothing else. Any proxy that supports Web traffic will support httptunnel—although, to be frank, you’ll certainly stick out even if your traffic is encrypted.

Httptunnel operates much like a local port forward—a port on the local machine is set to point at a port on a remote machine, though in this case the remote port must be specially configured to support the server side of the httptunnel connection. Furthermore, whereas with local port forwards the client may specify the destination, httptunnel’s are configured at server launch time. This isn’t a problem for us, though, because we’re using httptunnel as a method of establishing a link to a remote SSH daemon.

Start the httptunnel server on 10.0.1.10 that will listen on port 10080 and forward all httptunnel requests to its own port 22:

[effugas@loca1 host effugas]$ hts 10080 –F 127.0.0.1:22

Start a httptunnel client on the client that will listen on port 10022, bounce any traffic that arrives through the HTTP proxy on 10.0.1.11:8888 into whatever is being hosted by the httptunnel server at 10.0.1.10:10080:

effugas@UTHERSHOE –/.ssh

$ htc –F 10022 –P 10.0.1.11:8888 10.0.1.10:10080

Connect ssh to the local listener on port 10022, making sure that we end up at 10.0.1.10:

effugas@OTHERSH0E –/.ssh

$ ssh –o HostKeyAlias=10.0.1.10 –o Port=10022 [email protected]

Enter passphrase for key ’/home/effugas/.ssh/id_dsa’

Last login: Mon Jan 14 08:45:40 2002 from 10.0.1.10

[effugas@localhost effugas]$

Latency suffers a bit (everything is going over standard GETs and POSTs), but it works. Sometimes, however, the problem is less in the protocol and more in the fact that there’s just no route to the other host. For these issues, we use path–based hacks.

Show Your Badge: Restricted Bastion Authentication

Many networks are set up as follows: One server is publicly accessible on the global Internet, and provides firewall, routing, and possibly address translation services for a set of systems behind it. These systems are known as bastion hosts—they are the interface between the private network and the real world.

It is very common that the occasion will arise that an administrator will want to remotely administer one of the systems behind the bastion. This is usually done like this:

effugas@OTHERSHOE –

$ ssh effugas&lO.O.l.ll

[email protected]’s password:

FreeBSD 4.3–RELEASE (CURRENT–12–2–01) #1: Mon Dec 3 13:44:59 GMT 2001

$ ssh rootelO.O. 1.10

[email protected]’s password:

Last login: Thu Jan 10 12:43:40 2002 from 10.0.1.11

[root@loca!host root]#

Sometimes it’s even summarized nicely as ssh [email protected] “ssh [email protected]”.However it’s done, this method is brutally insecure and leads to horribly effective mass penetrations of backend systems. The reason is simple: Which host is legitimately trusted to access the private destination? The original client, generally with the user physically sitting in front of its CPU. What host is actually accessing the private destination? Whose SSH client is accessing the final SSH server? The bastion’s! It is the bastion host that receives and retransmits the plaintext password. It is the bastion host that decrypts the private traffic and may or may not choose to retransmit it unmolested to the original client. It is only by choice that the bastion host may or may not decide to permanently retain that root access to the backend host. (Even one time passwords will not protect you from a corrupted server that simply does not report the fact that it never logged out.) These threats are not merely theoretical—major compromises on Apache.org and Sourceforge, two critical services in the Open Source community, were traced back to Trojan horses in SSH clients on prominent servers.

These threats can, however, be almost completely eliminated.

Bastion hosts provide the means to access hosts that are otherwise inaccessible from the global Internet. People authenticate against them so as to gain access to these pathways. This authentication is completed using an SSH client, against an SSH daemon on the server. Because we already have one SSH client that we (have to) trust, why are we depending on someone else’s as well? Using port forwarding, we can parlay the trust the bastion has in us into a direct connection into the host we wanted to connect to in the first place. We can even gain end–to–end secure access to network resources available on the private host, from the middle of the public Net!

Like any static port forward, this works great for one or two hosts when the user can remember which local ports map to which remote destinations, but usability begins to suffer terribly as the need for connectivity increases. Dynamic forwarding provides the answer: We’ll have OpenSSH dynamically specify the tunnels it requires to administer the private hosts behind the bastion. Because OpenSSH lacks the SOCKS4 Client support necessary to direct its own Dynamic Forwards, we’ll once again use Goto’s connect as a ProxyCommand—only this time, we’re bouncing off our own SSH client instead of some open proxy on the network.

Access another host without reconfiguring the bastion link. Note that nothing at all changes except for the final destination:

Still, it is honestly inconvenient to have to set up a forwarding connection in advance. One solution would be to, by some method, have the bastion SSH daemon pass you, via standard I/O, a direct link to the SSH port on the destination host. With this capability, SSH could act as its own ProxyCommand: The connection attempt to the final destination would proxy through the connection attempt to the intermediate bastion.

This can actually be implemented, with some inelegance. SSH, as of yet, does not have the capacity to translate between encapsulation types—port forwarders can’t point to executed commands, and executed commands can’t directly travel to TCP ports. Such functionality would be useful, but we can do without it by installing, server side, a translator from standard I/O to TCP. Netcat, by Hobbit (Windows port by Chris Wysopal), exists as a sort of “Network Swiss Army Knife” and provides this exact service.

effugas@OTHERSHOE ˜

$ ssh –o ProxyCommand=“ssh [email protected] nc %h %p“ [email protected]

[email protected]’s password:

[email protected]’s password:

Last login: Thu Jan 10 15:10:41 2002 from 10.0.1.11

[root@localhost root]#

Such a solution is moderately inelegant—the client should really be able do this translation internally, and in the near future there might very well soon be a patch to ssh providing a –W host:port that does this translation client side instead of server side. But at least using netcat works, right?

There is a problem. Some obscure cases of remote command execution have commands leaving file descriptors open even after the SSH connection dies. The daemon, wishing to serve these descriptors, refuses to kill either the app or itself. The end result is zombified processes—and unfortunately, command forwarding nc can cause this case to occur. As of the beginning of 2002, these issues are a point of serious discord among OpenSSH developers, for the same code that obsessively prevents data loss from forwarded commands also quickly forms zombie processes out of slightly quirky forwarded commands. Caveat Hacker!

Network administrators wishing to enforce safe bastion activity may go to such lengths as to remove all network client code from the server, including Telnet, ssh, even lynx. As a choke point running user–supplied software, the bastion host makes for uniquely attractive and vulnerable concentration of connectivity to attack. If it wasn’t even less secure (or technically infeasible) to trust every backend host to completely manage its own security, the bastion concept would be more dangerous than it was worth.

Bringing the Mountain: Exporting SSHD Access

A bastion host is quite useful, for it allows a network administrator to centrally authenticate mere access to internal hosts. Using the standards discussed in the previous chapter, without providing strong authentication to the host in the middle, the ability to even transmit connection attempts to backend hosts is suppressed. But centralization has its own downsides, as Apache.org and Sourceforge found—catastrophic and widespread failure is only a single Trojan horse away. We got around this by restricting our use of the bastion host: As soon as we had enough access to connect to the one unique resource the bastion host offered—network connectivity to hosts behind the firewall—we immediately combined it with our own trusted resources and refused to unnecessarily expose ourselves any further.

End result? We are left as immune to corruption of the bastion host as we are to corruption of the dozens of routers that may stand between us and the hosts we seek. This isn’t unexpected—we’re basically treating the bastion host as an authenticating router and little more. Quite useful.

But what if there is no bastion host?

What if the machine to manage is at home, on a DSL line, behind one of LinkSys’s excellent Cable/DSL NAT Routers (the only devices known that can NAT IPSec reliably), and there’s no possibility of an SSH daemon showing up directly on an external interface?

What if, possibly for good reason, there’s a desire to expose no services to the global Internet? Older versions of SSH and OpenSSH ended up developing severe issues in their SSH1 implementations, so even the enormous respect the Internet community has for SSH doesn’t justify the risk of being penetrated?

What if the need for remote management is far too fleeting to justify the hardware or even the administration cost of a permanent bastion host?

No problem. Just don’t have a permanent server. A bastion host is little more than a system through which the client can successfully communicate with the server; although it is convenient to have permanent infrastructure and user accounts set up to manage this communication, it’s not particularly necessary. SSH can quite effectively export access to its own daemon through the process of setting up Remote Port Forwards. Let’s suppose that the server can access the client, but not vice versa—a common occurrence in the realm of multilayered security, where higher levels can communicate down:

# 10.0.1.11 at work here

bash–2.05a$ ssh –R2022:10.0.1.11:22 [email protected]

[email protected]’s password:

[effugas@localhost effugas]$

So even though the host at work that we are sitting on is firewalled from the outside world, we can SSH to our box at home, and give it a local port to connect to, which will give it access to the SSH daemon on our work machine.

Echoes in a Foreign Tongue: Cross–Connecting Mutually Firewalled Hosts

Common usage of the File Transfer Protocol among administrators managing variously firewalled networks involves the host that can’t receive connections always generating outgoing links to the host that can, regardless of the eventual direction of data flow. (FTP itself, a strange protocol to say the least, needs to be put into something called Passive Mode in order to keep its connections ordered in the same direction. Passive Mode FTP involves the server telling the client a port that, if connected to, will output the contents of a file. By contrast, Active Mode involves the client, which had earlier initiated an outgoing connection to the server, now asking the server to make an outgoing connection back to the client on some random port in order to deposit a file. Since the direction of the session changes, and the ports vary unpredictably, firewalls have had great difficulty adjusting to what otherwise is one of the grand old protocols of the Internet.) Both Napster and Gnutella have systems for automatically negotiating which side of a transaction can’t receive connection requests, and having the other one create the TCP link. Upon an establishment of the link, the file is either pushed (with a PUT) or pulled (with a GET) onto the host that requires the file.

Works great when one side or the other can receive connection requests, but what if neither side can? What if both hosts are behind home NAT routers, and even have the exact same private IP address? Worse, what happens when both hosts are running behind a hardcore Cisco corporate firewall layer, and there’s a critical business need for the two to be able to communicate? Generally, management orders both IT staffs to fight it out over which one has to pop a hole in their firewall to let the other side through. Because the most paranoid members of IT are necessarily the ones who manage the firewall, this can be a ludicrously slow and painful process, completely impossible unless the need is utterly undeniable—and possibly permanent.

Sometimes, a more elegant (if maverick and possibly job–threatening—Caveat Hacker Redux) solution is in order. The general purpose solution to a lack of direct network connectivity is for a third host, called a Connection Bouncer, to receive outgoing connections from both hosts, then bounce traffic from the first to the second and vice versa.

Proxy servers in general are a form of connection bouncer, but they rarely do any gender changing—an outgoing connection request is forwarded along for an incoming connection response from some remote Web server or something of that sort. That’s not going to be useful here. There are small little applications that will turn a server into a bouncer, but they’re slightly obscure and not always particularly portable. They also almost universally lack cryptographic functionality—not always necessary, but useful to have available.

Luckily, we don’t need either. If you look, we first described a system by which a client, unable to initiate a link directly with a server, instead authenticated itself to a bastion host and used the network path available through that host to create an end–to–end secure SSH link. Then, we described a system where, there being no bastion host for the client to connect to, the server itself initiated its own link to the outside world, exporting a path via a remote port forward for the client to tunnel back through. Now, it just so happened that this path was exported directly onto the client—but it didn’t need to be. In fact, the server could have remote port forwarded its own SSH daemon onto any host mutually accessible to both itself and the client; the client would merely then have to treat this mutually accessible host as the bastion host it suddenly was. Combining the two methods:

Standard File Transfer over SSH

The standard tool for copying files inside of an SSH tunnel is Secure Copy (scp). The general syntax mirrors cp quite closely, with paths on remote machines being specific by user@host:/path. For example, the following copies the local file dhcp.figure.pdf to /tmp on the remote host 10.0.1.11:

Much like cp, copying a directory requires the addition of the –r flag, ordering the tool to recursively travel down through the directory tree. Scp is modeled after rcp, and does the job, but honestly doesn’t work very well. Misconfigured paths often cause the server side of scp to break, and it is impossible to specify ssh command–line options. That doesn’t mean it’s impossible to use some of the more interesting tunneling systems; scp does allow ssh to be reconfigured through the more verbose config file interface. You can find the full list of configurable options by typing man ssh; the following specifies a HostKeyAlias for verifying the destination of a locally forwarded SSH port:

Now, we’re getting root access to 10.0.1.10, and it’s being piped through 10.0.1.11. What if 10.0.1.11, instead of respecting our command to forward packets along to another host’s SSH daemon, sent them off to its own? In other words, what if the server was corrupted to act as if it had been issued – L2022:127.0.0.1:22 instead of –L2022:10.0.1.10:22? Lets try it:

There is a major caveat to this: It is very important to actually manage identity keys for SSH! It is only because a valid key was in the known_hosts2 file in the first place that we were able to differentiate the SSH daemon that responded when we were negotiating with the correct host versus when we were negotiating with the wrong one. One of the biggest failings of SSH is that, due to some peculiarities in upgrading the servers, it’s a regular occurrence for servers to change their identity keys. This trains users to accept any change in keys, even if such change comes from an attacker. Dug Song exploited this usability pitfall in his brilliant sniffing package, dsniff, available at www.monkey.org/˜dugsong/dsniff/, and showed how users can be easily tricked into allowing a “monkey in the middle” to take over even a SSH1 session.

Incremental File Transfer over SSH

Though only a standard component of the most modern UNIX environments, rsync is one of the most highly respected pieces of code in the Open Source constellation. rsync is essentially an incremental file updater; both the client and the server exchange a small amount of summary data about the file contents they possess, determine which blocks of data require updating, and exchange only those blocks. If only 5MB of a 10GB disk have changed since the last rsync, total bandwidth spent syncing the client with the server will be only little more than five megs.

You can find rsync at http://rsync.samba.org, which is unsurprising considering that its author, Andrew Tridgell, was also responsible for starting the Samba project that allows UNIX machines to participate in Windows file sharing.

The tool is quite simple to use, especially over ssh. Basic syntax closely mirrors scp:

dan@OTHERSHOE –

$ rsync –e ssh dhcp.figure.pdf [email protected]:/tmp

[email protected]’s password:

Unlike scp, rsync is rather silent by default; the –v flag will provide more debugging output. Like scp, –r is required to copy directory trees; particularly on the Windows platform, there is a significant delay for directory scanning before any copying will begin.

rsync has a nicer syntax for using alternate variations of the ssh transport; the – e option directly specifies the command line to be used for remote command execution. To force use of not only SSH but specifically the SSH1 protocol, simply use the following command:

dan@OTHERSHOE –

$ rsync –e “ssh −1” dhcp.figure.pdf [email protected]:/tmp

[email protected]’s password:

rsync is an extraordinarily efficient method of preventing redundant traffic, and would be particularly well suited for efficient updates to the type of dynamic content we see regularly on Web sites. A recent entry on the inimitable Sweetcode (www.sweetcode.org) described Martin Pool’s rproxy, an interesting attempt to migrate the rsync protocol into HTTP itself. It’s a good idea, elegantly and efficiently implemented as well. Martin reports “An early implementation of rproxy achieved bandwidth savings on the order of 90 percent for portal Web sites.” This is not insignificant, and certainly justifies additional processing load. Though it remains to be seen how successful his effort will be, rsync through httptunnel’d SSH works quite well. (Again, httptunnel is available from the folks at nocrew; point your browser at www.nocrew.org/software/httptunnel.html). To wit:

Start the httptunnel server:

[effugas@localhost effugas]$ hts 10080 –F 127.0.0.1:22

Start a httptunnel client:

effugas@OTHERSHOE –/.ssh

$ htc –F 10022 –P 10.0.1.11:8888 10.0.1.10:10080

Rsync a directory, local port 10001, verifying that the tunnel terminates at 10.0.1.11. Show which files are being copied as we copy them by using the –v flag:

CD Burning over SSH

The standard UNIX method for burning a set of files onto a CD–ROM disc uses two tools. First, mkisofs (Make ISO9660 File System) is invoked to pack a set of files into the standard file system recognized on CD–ROMs. Then, the resulting “ISO” is sent to a separate app, cdrecord, for burning purposes. The entire procedure usually proceeds as follows:

Then, we select a directory or set of files we wish to burn, and have mkisofs attach both Joliet and Rock Ridge attributes to the filenames—this enables longer filenames than the standard ISO9660 standard supports. It’s also often useful to add a –f flag to mkisofs, so that it will follow symlinks, but we’ll keep it simple for now:

If you notice, we had to sit around and wait while a bunch of disk space got wasted. A much more elegant solution is to take the output from mkisofs and stream it directly into cdrecord—and indeed, this is how most burning occurs on UNIX:

Once again, the important rule to remember is that almost any time you’d use a pipe to transfer data between processes, SSH allows the processes to be located on other hosts. Because file system creation and file system burning are split, we can create on one machine and burn onto another:

The speed and reliability of the underlying network architecture is critical to maintaining a stable burn; an excessive period of time without updated content to send to the disc leads to nothing being written at all—the disc is left wasted (unless your drive supports a new and useful technology called BurnProof, which most do not). If a burn needs to be executed over a slow or unreliable network, we can take advantage of SSH’s ability to remotely execute not just one but a sequence of commands—in this case, to retrieve the ISO, burn it, then delete it after. The following formatting exists for readability only; the only thing necessary to execute multiple commands using a single invocation of ssh is a semicolon between commands.

Acoustic Tubing: Audio Distribution over TCP and SSH

Occasionally, you need to do something just because, well, it’s actually cool. Although copying files all around is useful, it’s not necessarily entertaining. Using a FreeBSD machine hooked up to your stereo system as output for Winamp in your lab/office/living room—now that’s entertainment! How can it work? Winamp has a plug–in, called the SHOUTcast DSP, built for streaming the output of the player to an online radio station for redistribution to other players. They encapsulate whatever comes out of Winamp in a compressed fixed–bitrate MP3 stream and expect to send it off to the radio server. I see a general purpose encapsulator for Winamp sound, and have a better idea:

“My son, you’ve seen the temporary fire and the eternal fire; you have reached the place past which my powers cannot see. I’ve brought you here through intellect and art; from now on, let your pleasure be your guide; you’re past the steep and past the narrow paths. Look at the sun that shines upon your brow; look at the grasses, flowers, and the shrubs born here, spontaneously, of the earth. Among them, you can rest or walk until the coming of the glad and lovely eyes–those eyes that, weeping, sent me to your side. Await no further word or sign from me: your will is free, erect, and whole–to act against that will would be to err: therefore I crown and miter you over yourself.” — [Virgil’s last words to Dante as he gives Dante the power to guide himself. Canto XXVII, Purgatorio (IGD Solutions)]

 Privacy (“Where Is My Traffic Going?”)

 Routability (“Where Can This Go Through?”)

 Deployability (“How Painful Is This to Get Up and Running?”)

 Flexibility (“What Can We Use This for, Anyway?”)

 Quality (“How Painful Will This System Be to Maintain?”)