This document describes how to encrypt ftp or pop3 password info with ssh
(ssh-win by Cedomir Igaly).

ftp://ftp.hh.schule.de/pub/win3/tcpip/ssh/ssh-port-forwarding.txt

Document version 1.3
Oliver Gerschewski - 09.01.00

As I have switched to TeraTerm with the ssh plug-in, this is the final
version.... Re-use of this document is encouraged!

1.    Intro
2.1   ssh-win settings
2.2   WS_FTP settings
2.3   what's happening
3.1   Netscape mail
3.2   Eudora Light
3.2.1 Eudora and Windows NT


1. Intro

ssh is capable of encrypting other protocols' communication. Ftp, POP3, and
X11 are just some examples that work. This can be done not only with
Unix-type ssh clients, but also with the free Windows version of the client.

In our environment, people use ftp most often. So, we wanted to encrypt the
username and password information when using ftp, without requiring our users
to change their ftp client. (AFAIK, there is no ssh ftp client, neither
commercial nor free, available yet. I don't even know if the ssh protocol
allows an ftp connection without a prior ssh connection.)

So, here is a brief description of how to secure WS_FTP (by John A. Junod).
This should work with any ftp client that is capable of choosing an alternate
ftp port and can do PASV transfers. (Of course, your ftp server has to support
PASV mode, too; wu_ftpd works fine.)


2.1 ssh-win Settings

As I'm using Win3, the following describes the 16-bit version of ssh-win. The
32-bit version seems very similar; some dialogs are slightly changed.

When starting the ssh client, it pops up an options window, which can be seen
in ssh.jpeg. After filling in the host and username stuff, you click the
"Local Forwards" button. Then you get a new window with three fields to fill
out:

Local Port:  If you run other local daemons, enter some value over 1023.
             (I prefer 4711. :-)
Host:        The remote ftp host name (preferably the same server where the
             ssh daemon runs).
             You are limited to 14 characters, so you might have to enter the
             IP address instead of the hostname.
Remote Port: 21

The current version (1.98) is now able to save these settings, so click the
save button. This will cause trouble when opening another connection to the
same host: if you want another connection, you have to make another profile
for the same host without the local forward stuff.

Now make your ssh connection as usual. (You have to connect over ssh prior to
using the ftp connection.) That's all there is to do with the ssh client.


2.2 WS_FTP Settings

Next is WS_FTP. Start the program and create a new profile. Name it whatever
you like. Now fill in the other fields:

Hostname:  localhost. (Works with Trumpet Winsock; when using Novell TCP/IP,
           localhost won't work. Enter 127.0.0.1 instead.)
Username:  Your remote username.
Password:  I leave this blank, so WS_FTP always asks me for my password on
           the remote machine.

Now click the "Advanced ..." button and fill in the "Remote Port" field: 4711
(or whatever you entered above). Check the "Passive Transfer" option box.
Click "OK" and save your entry.

Now you are ready to open an ftp session where your username and password get
encrypted by the ssh client. If you like, I'll try to explain it to the best
of my knowledge...


2.3 What's Happening

The ftp client tries to connect to your local machine on port 4711. This port
is redirected by the ssh client to the remote machine you entered above. As I
said, the data is encrypted, so it's not possible to hand it directly to the
remote ftp port. Instead, it is handed to the remote ssh daemon (usually on
port 22), which decrypts the information and now _locally_ hands it to the
ftp port (21).

Even if you don't connect to an ftp server on the same host, using ssh to
encrypt your user info might still be an advantage: imagine you trust your
local PC, you trust your remote network, but you don't trust the net that
connects these two.
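The control connection and the PASV data connection behave differently with
respect to the forward: only traffic the client sends to the forwarded local
port is carried by ssh, while the data port announced by the server is a
random one that no forward covers. The following Python is an added example,
not part of the original document or of ssh-win: it takes a forward table
mirroring the "Local Forwards" entry above (4711 -> ftp port 21), parses a
server's PASV reply, and reports which connection is actually protected.
The host names, user name and PASV reply are constructed sample values;
openssh_args renders the same forward as the -L argument a Unix-type OpenSSH
client takes, which is an equivalent for that client and not an ssh-win
feature.

```python
"""Added example, not part of the original document: which ftp connections
actually pass through an ssh local forward.

The forward table mirrors the ssh-win "Local Forwards" entry from the text
(local port 4711 -> remote ftp port 21); the host name, user name and the
PASV reply are constructed sample values."""
import re
from typing import Dict, List, Tuple

# Constructed forward table: local port -> (remote host, remote port).
FORWARDS: Dict[int, Tuple[str, int]] = {4711: ("ftp.example.org", 21)}

# Matches "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; some servers omit
# the parentheses, so they are optional.
PASV_RE = re.compile(r"^227\b.*?\(?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)?")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return the (host, port) the server announces for the data connection.
    The port is p1 * 256 + p2, as RFC 959 specifies."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("value out of range in PASV reply: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def tunnelled(host: str, port: int,
              forwards: Dict[int, Tuple[str, int]] = FORWARDS) -> bool:
    """A connection goes through ssh only if the client connects to one of
    the forwarded local ports on the loopback address."""
    return host in ("localhost", "127.0.0.1") and port in forwards


def classify_session(control_host: str, control_port: int, pasv_reply: str,
                     forwards: Dict[int, Tuple[str, int]] = FORWARDS) -> Dict[str, str]:
    """Classify the control connection and the PASV data connection."""
    data_host, data_port = parse_pasv(pasv_reply)
    return {
        "control": "encrypted" if tunnelled(control_host, control_port, forwards) else "plaintext",
        "data": "encrypted" if tunnelled(data_host, data_port, forwards) else "plaintext",
        "data_endpoint": "%s:%d" % (data_host, data_port),
    }


def openssh_args(forwards: Dict[int, Tuple[str, int]], user: str, ssh_host: str) -> List[str]:
    """Equivalent OpenSSH command line for a Unix-type client (not ssh-win):
    each forward becomes -L localport:remotehost:remoteport."""
    args = ["ssh"]
    for local_port, (remote_host, remote_port) in sorted(forwards.items()):
        args += ["-L", "%d:%s:%d" % (local_port, remote_host, remote_port)]
    args.append("%s@%s" % (user, ssh_host))
    return args


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,0,2,10,195,80)"  # constructed
    print(classify_session("localhost", 4711, reply))
    print(" ".join(openssh_args(FORWARDS, "alice", "ssh.example.org")))
```

With the constructed reply the control connection comes out as encrypted and
the data connection as plaintext to 192.0.2.10:50000: the login exchange is
protected, the file contents are not.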
Using ssh, your data goes encrypted through the untrusted net and is forwarded
decrypted in your remote network.

After successfully logging in, data is transferred over separate connections.
As the ports for the data connections are opened randomly, it's not possible
to redirect them, so data gets transferred unencrypted. (Always keep this in
mind, e.g., when wanting to transfer ~/.ssh/identity or other secret
information. I don't know if the username is echoed locally or by the ftp
server. If so, it would be visible with a packet sniffer; I have to try
it....)


3.1 Netscape Mail

In the way described above, it is also possible to secure POP3 connections.
Netscape Mail is an example of a POP3 client that is able to connect to
different ports. Just enter a second "Local Forward" within the ssh client.
(ssh-win seems to become "unstable" when entering a second redirect.
Sometimes it works, sometimes it crashes ssh-win....)

Local Port:  4712
Host:        your POP3 server
Remote Port: 110

Within Netscape Mail, click "Options - Mail and News Preferences - Servers".
In "Incoming Mail (POP3) Server", enter:

localhost:4712

Your next connection will be over ssh.


3.2 Eudora Light

Eudora Light is harder to convince: I have been told that you might add
"POPPort=4711" and "SMTPPort=4712" to the [Settings] section of EUDORA.INI,
but Eudora ignores these settings.

One way out is to change your "services" file. Depending on your TCP/IP
stack, this might be \windows\services (MS TCP/IP), \trumpet\services
(Trumpet Winsock), or something like \network\etc\services (Novell TCP/IP).
This file usually contains a line like this:

pop3    110/tcp    postoffice

Change it to:

pop3    4711/tcp   postoffice

This change might affect other programs that read the port info from the
services file. Keep this in mind.

The second thing to change is the "POP account" within Eudora. Select
"Tools -> Options -> Personal Info", and change the POP Account to
yourname@localhost.
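The services-file edit above is easy to get wrong by hand (a second pop3 line
for udp, aliases after the port, comment lines that look like entries). The
following Python is an added example, not part of the original document: it
changes the port of one service while leaving everything else in the file
untouched, and it checks for the side effect the text warns about, namely
another service already listed on the new port. The file contents are
constructed; on a real machine you would read and write the path your TCP/IP
stack uses.

```python
"""Added example, not part of the original document: retarget one entry of a
'services' file to a forwarded local port.

SERVICES is a constructed sample; real files live at the paths the text
lists for each TCP/IP stack."""
import re
from typing import List, Optional, Tuple

SERVICES = (
    "# constructed sample of a Windows 'services' file\n"
    "ftp         21/tcp\n"
    "ssh         22/tcp\n"
    "smtp        25/tcp    mail\n"
    "pop3       110/tcp    postoffice\n"
    "pop3       110/udp    postoffice\n"
)

# Generic entry: name, port, protocol (aliases and comments may follow).
LINE_RE = re.compile(r"^\s*(\S+)\s+(\d+)/(tcp|udp)\b")


def _service_re(name: str, proto: str):
    """Entry for one specific service/protocol, split into the parts we
    keep (group 1 and 3) and the port we replace (group 2)."""
    return re.compile(r"^(\s*%s\s+)(\d+)(/%s\b.*)$" % (re.escape(name), proto))


def _is_comment(line: str) -> bool:
    return line.lstrip().startswith("#")


def lookup(text: str, name: str, proto: str = "tcp") -> Optional[int]:
    """Port currently assigned to name/proto, or None if absent."""
    pattern = _service_re(name, proto)
    for line in text.splitlines():
        if _is_comment(line):
            continue
        m = pattern.match(line)
        if m:
            return int(m.group(2))
    return None


def conflicts(text: str, port: int, proto: str = "tcp") -> List[str]:
    """Names of all services already using port/proto: these are the other
    programs the text warns would be affected by the change."""
    hits = []
    for line in text.splitlines():
        if _is_comment(line):
            continue
        m = LINE_RE.match(line)
        if m and int(m.group(2)) == port and m.group(3) == proto:
            hits.append(m.group(1))
    return hits


def retarget_service(text: str, name: str, new_port: int,
                     proto: str = "tcp") -> Tuple[str, int]:
    """Return (new_text, lines_changed). Only the port number of matching
    entries moves; whitespace, aliases, comments and line endings stay."""
    if not 1 <= new_port <= 65535:
        raise ValueError("port out of range: %d" % new_port)
    pattern = _service_re(name, proto)
    out: List[str] = []
    changed = 0
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]
        m = None if _is_comment(body) else pattern.match(body)
        if m:
            body = m.group(1) + str(new_port) + m.group(3)
            changed += 1
        out.append(body + ending)
    return "".join(out), changed


if __name__ == "__main__":
    # The forward from section 3.2: pop3 -> local port 4711.
    others = conflicts(SERVICES, 4711)
    if others:
        print("warning: port 4711 already used by", ", ".join(others))
    new_text, n = retarget_service(SERVICES, "pop3", 4711)
    print("changed %d line(s); pop3/tcp is now %s" % (n, lookup(new_text, "pop3")))
    print(new_text, end="")
```

Run the conflicts check before writing the file: if it reports anything, the
program that owns that entry will start connecting to the forwarded port too.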
If you made the appropriate entries within ssh-win, your next mail poll will
be encrypted. Eudora reads the services file at startup, so you might have to
restart it.


3.2.1 Eudora and Windows NT

Create a local forward within ssh, as described above. Then set the POP3 port
in c:\winnt\system32\drivers\etc\services to the _same_ port as in the
forward, then edit EUDORA.INI to have POP3Port=, using that same number.


Pegasus Mail

Haven't found a way....


That's it. Use the above information at your own risk.

Oliver Gerschewski - gersch@hh.schule.de

thanx to Stefan Weber, Uni Freiburg
         SOMOGYI Péter