Ensures communication security between clients and servers


OpenSSH provides a complete set of tools for securing communication between clients and servers. With them, users can create encrypted channels for any kind of client/server traffic, including checking or sending e-mail and Web browsing.

OpenSSH

When you log on to a remote system over the Internet, there is always a risk that a password transmitted in plaintext will be intercepted and abused by an attacker reading the byte stream. Most users are aware of this risk and mitigate it by using a so-called secure shell program, which encrypts the login and everything that follows before it is transmitted over the Internet. Currently, OpenSSH is the most popular and widely used program of this kind. It is an OpenBSD project.

However, many OpenSSH users do not realize that the program does more than encrypt remote login (telnet-style) sessions: it also provides a complete set of tools for securing client/server communication, and it lets users create a secure "channel" for any type of C/S traffic, including checking or sending e-mail and Web browsing. Using these channels can greatly improve the security of a system, especially where confidentiality is a key requirement.

This article uses a specific example, checking a POP3 mailbox through an encrypted channel created with OpenSSH, to help you understand and master the secure channel features of OpenSSH.

Step 1: download and install OpenSSH

You can download the source code from http://www.openssh.com/ by choosing a download mirror for your region; builds are available for many platforms. The files are digitally signed so that you can verify they have not been tampered with. In this example, OpenSSH 4.3 is used.

Once you have downloaded the package, extract it into a temporary directory and run the standard "configure, make, install" cycle:

Shell> tar -xzvf openssh-4.3p2.tar.gz
Shell> cd openssh-4.3p2/
Shell> ./configure
Shell> make
Shell> make install

Step 2: generate the host key and start the OpenSSH Process

The last step of the installation generates the host keys, which uniquely identify this particular system. Each key pair consists of a private key and a public key, stored in files such as /etc/ssh_host_key and /etc/ssh_host_key.pub:

Shell> make install
...
Generating public/private rsa1 key pair
Your identification has been saved in /etc/ssh_host_key
Your public key has been saved in /etc/ssh_host_key.pub
...
Generating public/private dsa key pair
Your identification has been saved in /etc/ssh_host_dsa_key
Your public key has been saved in /etc/ssh_host_dsa_key.pub
...
Generating public/private rsa key pair
Your identification has been saved in /etc/ssh_host_rsa_key
Your public key has been saved in /etc/ssh_host_rsa_key.pub

Once the keys have been created, run sshd (as the superuser) to start the OpenSSH daemon:

Shell> /sbin/sshd

Open a telnet connection to port 22 to confirm that the service is running:


Shell> telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.99-OpenSSH_4.3

Step 3: create a secure channel to your POP3 server

Now assume that the user's local system is named localbox and that the host running the user's POP3 mailbox is named remotebox. The next step is to create an encrypted SSH channel between port 110 on remotebox (the standard port for POP3 connections) and an unused port on localbox. This process is called TCP forwarding, and with OpenSSH it takes a single command:

Shell> ssh -L 2110:remotebox:110 remotebox
root@remotebox's password: ****

This command tells OpenSSH to forward every connection made to port 2110 on localbox through the encrypted channel to POP3 port 110 on remotebox. The destination host and port given to -L are reached from remotebox's side of the channel, so any connection attempt to port 2110 on localbox is automatically encrypted and delivered to port 110 on remotebox.

Now, if you telnet to port 2110 on localbox, for example:

Shell> telnet localbox 2110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK DPOP ready

the connection is automatically forwarded to the POP3 mail service on port 110 of remotebox, and strong encryption ensures that no one can "intercept" the data exchanged between the user and the remote server.

Pay attention to two important points: if the local forwarding port is a privileged port (below 1024), you need superuser permission to bind it; and you should not use a port that is already in use by another service.
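The two points above, plus the question of whether the channel is actually answering before the mail client is pointed at it, can be checked mechanically. The following Python helper is an added example, not code from the article or from the OpenSSH project. It reuses the article's names (localbox, remotebox, ports 2110 and 110); the small loopback "fake POP3" listener is constructed stand-in data so that the script runs offline, and the ssh command it builds is the same -L forward the article uses.

```python
"""Pre-flight checks for an OpenSSH local forward such as
`ssh -L 2110:remotebox:110 remotebox` (added example, not from the article)."""
import errno
import os
import socket
import threading

PRIVILEGED_PORT_MAX = 1023  # ports 1..1023 can only be bound by the superuser


def forward_command(local_port, remote_host, remote_port):
    """Build the argv for the article's -L forward: every connection to
    127.0.0.1:local_port is carried inside the SSH session to remote_host:remote_port."""
    return ["ssh", "-L", f"{local_port}:{remote_host}:{remote_port}", remote_host]


def needs_root(local_port):
    """True when binding local_port requires superuser privileges."""
    return 1 <= local_port <= PRIVILEGED_PORT_MAX


def port_in_use(local_port, host="127.0.0.1"):
    """Try to bind the port ourselves; EADDRINUSE means another process already has it.
    (Binding a privileged port as a normal user raises PermissionError instead.)"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, local_port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            raise
    return False


def check_local_port(local_port):
    """Apply the article's two caveats before starting the tunnel. Returns (ok, reason)."""
    if not 1 <= local_port <= 65535:
        return False, f"port {local_port} is out of range"
    euid = os.geteuid() if hasattr(os, "geteuid") else 0
    if needs_root(local_port) and euid != 0:
        return False, (f"port {local_port} is privileged; run ssh as root "
                       f"or pick a port above {PRIVILEGED_PORT_MAX}")
    if port_in_use(local_port):
        return False, f"port {local_port} is already in use"
    return True, "ok"


def pop3_greeting(host, port, timeout=3.0):
    """Connect to the forwarded port and return the server's greeting line, or None
    when nothing answers (typically: the ssh session is not running)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            data = conn.recv(512)
    except OSError:
        return None
    return data.decode("ascii", "replace").strip()


def tunnel_ready(host, port):
    """A working POP3 tunnel answers with a '+OK' greeting; anything else means
    the mail client must not be pointed at this port yet."""
    greeting = pop3_greeting(host, port)
    return greeting is not None and greeting.startswith("+OK")


def start_fake_pop3(banner=b"+OK DPOP ready\r\n"):
    """Constructed stand-in for the far end of the tunnel: a loopback listener that
    sends one banner to a single client and then exits. Returns (thread, port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve_once():
        conn, _ = listener.accept()
        with conn:
            conn.sendall(banner)
        listener.close()

    thread = threading.Thread(target=serve_once, daemon=True)
    thread.start()
    return thread, port


def free_port():
    """Ask the kernel for a currently unused loopback port (constructed test data)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    print(" ".join(forward_command(2110, "remotebox", 110)))
    thread, port = start_fake_pop3()
    print("port busy while the channel is up:", port_in_use(port))
    print("channel answers with +OK:", tunnel_ready("127.0.0.1", port))
    thread.join(2)
    print("unused port busy:", port_in_use(free_port()))
```

Run check_local_port() on the port you intend to pass to -L before starting ssh, and tunnel_ready() afterwards; only when the latter returns True should the mail client be switched over to localbox:2110.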

Step 4: Change your POP3 client settings

Once the secure channel is up, you need to tell your e-mail client about the change. Before the channel existed, your e-mail client probably connected directly to remotebox to retrieve mail, with settings like the following, which send the user's mail password along the line unencrypted:


Server: remotebox
Port: 110
User: john
Password: guessme

With the channel in place, the mail client should instead connect to port 2110 on the local system, where OpenSSH forwards the connection to the remote server over the encrypted line. The new settings should look like this:


Server: localbox
Port: 2110
User: john
Password: guessme

After these four steps of installation and setup, you have a secure channel between the mail client and the mail server; your password and data are invisible to others. Obviously, this is just one example, and it shows only the tip of the iceberg of what OpenSSH can do. You can set up OpenSSH in the same way to encrypt connections to SMTP, FTP, IRC or any other client/server protocol, or to create an encrypted channel through a firewall. For the security of your data in transit, use OpenSSH to protect it!
