Zaphu Forum: Use SSH to Create Secure Tunnels for File Transfers (SFTP), Remote Desktop (VNC), Subversion (SVN), and Firefox Traffic

  • Sam · 1 year ago
    Great tutorial! Thanks so much. Works like a charm. It would be cool to see a tutorial for Automator to connect via SSH to VNC. Any suggestions?
  • Franklin · 1 year ago
    @Sam - Did the VNC over SSH section above not work for you? An automator action might be difficult due to the password required for the SSH tunnel. You might be able to use ssh-keygen to avoid this, I'll think on it. If you just want to automate the VNC part, you could do a 'Run Applescript' action containing the following,

    tell application "Finder"
    open location "vnc://127.0.0.1:1024"
    end tell
  • Sam · 1 year ago
    Yeah, I ran ssh-keygen and have the keys on both computers, so the password isn't the problem. It'd be nice to have one thing to click that would run SSH and VNC. Thanks so much!
  • Brandon Wardlaw · 1 year ago
    Pretty elementary stuff, but important to have out there for people to learn about.

    My school blocks access to blogs fairly indiscriminately, so I'm only able to read this during my lunch hour today by using Portable PuTTY and Portable Firefox running off a USB drive to tunnel through to my linux box at home.

    It would be helpful to post instructions for that here for Windows users. Shoot me an e-mail if you'd like for me to write up instructions / provide screenshots to post here.
  • Greg · 1 year ago
    Good tips, although very much Mac-centric (not that that's a bad thing - I've been a Mac owner/programmer since 1985!). As you mention, the above will work on OS X or a Linux box, but needs slight modification on a Windows machine (no built-in SSH!). I'd recommend downloading the PuTTY package, along with Plink (the PuTTY CLI component). That way, all of your instructions will apply to Windows users as well (make sure the PuTTY binaries are in your PATH system variable).

    Another thought - why mess with doing the WhatIsMyIp when you can use Dynamic DNS (www.dyndns.org). You can get yourself a free account with a quasi-unique canonical URL. If your router doesn't support it natively, there are plenty of clients available for Mac, Windows, or Unix/Linux machines that will update your account whenever your external IP changes. So - all you then have to remember is the canonical name (e.g., "smithfamily.homeip.net") instead of the IP. I've found that the IP can change on you when you're on a trip - what if there's no one at home to tell you what it's changed to?

    Anyway - still a very great/useful article. Thanks for the time it took to create!
  • Mark · 1 year ago
    There's no need to use an SSH tunnel with subversion, just use the built in svn+ssh handler.

    svn checkout svn+ssh://USER@SERVER/path/to/svnrepository

    git has this feature as well :)
  • Franklin · 1 year ago
    @Brandon - A Windows guide would be great, I'll be in touch.
  • Franklin · 1 year ago
    @Greg - Good point about Dynamic DNS, I wasn't aware it was free.
  • Franklin · 1 year ago
    @Mark - I had trouble figuring out how to specify a specific port number with svn+ssh. I have to poke through a firewall to reach the svn server. If you know of a solution please let me know.
  • Greg · 1 year ago
    Yes, Dynamic DNS is free...
    http://www.dyndns.com/services/dns/dyndns/
    ...as long as you use one of their canned domains (a decent-sized collection now):
    http://www.dyndns.com/services/dns/dyndns/domai...

    They link to a number of update clients should your router not support DynDNS (my Netgear does so I'm golden):
    http://www.dyndns.com/support/clients/

    I actually wrote my own Perl script to do this - I'll have to dig it out and post it if anyone prefers that to the larger clients.
  • Phillip Wills · 1 year ago
    @Franklin

    svn+ssh uses port 22... It's basically svn over a ssh tunnel but built into the client.
  • Jojo · 1 year ago
    Although the secure web traffic using proxies will work, it does not mask the actual sites visited, as the DNS lookups by the client are still made to whatever local repository is available. So people will know which web pages you are visiting, although they will not be able to see the content.
  • Sniper Fox · 1 year ago
    CAREFUL with dynamic port forwarding (Secure Web Traffic when Traveling).

    This setup will send all DNS look ups TO YOUR LOCAL SERVER, not over the SSH tunnel. Only the actual data for your web requests will go over the SSH tunnel.

    For a more secure approach, set up an HTTP proxy (apt-get install tinyproxy) on the other end of the SSH tunnel. This will end-to-end secure your web connection without leaking DNS requests.
  • Franklin · 1 year ago
    @Phillip - Thanks, however, if someone is using port forwarding (i.e., a port other than 22) to get through a firewall I don't think svn+ssh will work. If anyone knows how to specify a port number in the svn+ssh command, let me know.
  • Franklin · 1 year ago
    @Sniper Fox - Very very good point. I guess I am most concerned about securing traffic such as banking and email when in a hotspot (e.g., Starbucks, Panera). If someone is concerned about an outside party knowing which sites they are visiting, they should use an HTTP proxy as you suggest.
  • Mark · 1 year ago
    http://svn.haxx.se/users/archive-2004-09/0574.s...
    Seems you can do alternate SSH ports with svn+ssh:// by either adding an appropriate stanza to ~/.ssh/config or within your svn config (somewhere, it's kinda vague)

    git uses the obvious ssh://HOST:PORT/path/to/gitdb
  • Gene Mosher · 1 year ago
    We use SSH tunnels with X forwarding to do graphical touchscreen point of sale. X11 is both a network protocol and a graphics protocol.

    The new devices from ThinLinx allow us to build vertical market solutions which can provide remote users with access to the software even if they don't have computers. All the administration of apps & storage is centralized and costs go way down.

    We don't even need VNC but NX really speeds things up.
  • vic · 1 year ago
    Hi,

    please stop hotlinking images from my website, or at least credit me for it ...
  • Franklin · 1 year ago
    @vic - link removed, my apologies
  • stoops · 1 year ago
    Make sure to change "network.proxy.socks_remote_dns" to true in the about:config page for Firefox to prevent DNS leakage.
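
What that preference changes on the wire, as an added example that is not part of the original comments: with remote DNS the SOCKS5 request sent into the tunnel carries the hostname (address type 0x03), otherwise the client resolves the name first and sends only an IP. The hostname `bank.example` and the address `192.0.2.10` are constructed sample values, and the function names are illustrative.

```python
import ipaddress
import struct

def socks5_connect(host, port):
    """Build a SOCKS5 CONNECT request (RFC 1928) for host:port."""
    try:
        ip = ipaddress.ip_address(host)      # caller already resolved the name
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    except ValueError:
        name = host.encode("idna")           # hostname: the proxy end resolves it
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname length out of range")
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)

def classify(request):
    """Parse a SOCKS5 request and report which side had to resolve the name."""
    if len(request) < 7 or request[0] != 5:
        raise ValueError("not a SOCKS5 request")
    atyp = request[3]
    if atyp == 3:                            # DOMAINNAME: lookup happens past the tunnel
        end = 5 + request[4]
        target, resolved_by = request[5:end].decode("ascii"), "proxy"
    elif atyp in (1, 4):                     # IP literal: any lookup happened locally
        end = 4 + (4 if atyp == 1 else 16)
        target = str(ipaddress.ip_address(request[4:end]))
        resolved_by = "client"
    else:
        raise ValueError("unknown address type")
    if len(request) != end + 2:
        raise ValueError("truncated or oversized request")
    (port,) = struct.unpack("!H", request[end:end + 2])
    return {"target": target, "port": port, "resolved_by": resolved_by}

# Constructed samples: what the SOCKS client sends in each mode.
REMOTE_DNS_ON = socks5_connect("bank.example", 443)   # name goes through the tunnel
REMOTE_DNS_OFF = socks5_connect("192.0.2.10", 443)    # name was looked up beforehand

if __name__ == "__main__":
    for label, req in (("remote DNS on ", REMOTE_DNS_ON),
                       ("remote DNS off", REMOTE_DNS_OFF)):
        print(label, req.hex(), classify(req))
```

A request classified as `client` means any DNS query for that site was sent on the local network, outside the SSH tunnel.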
  • Jack Willard · 1 year ago
    For Safari you may set up a socks proxy as described here:

    http://textsnippets.com/posts/show/1326
  • Marcus · 4 months ago
    first we have to determine the IP address of our home server.. This can be done on a Mac by going to System Preferences .. many short cuts available for that.. to Get the Most from StumbleUpon is good tip among all..