Posted on October 9, 2007 | 1 Comment
I use free software and have SSH
Traveling can be a major pain in the derrière when you are security paranoid. Almost every single thing that I can access via the Internet that relates to money has been set to allow only certain IP addresses. Managing your life while on the road can be a pain, especially if you travel globally.
Currently I use a wireless broadband provider in Asia, and I’m just not comfortable NOT using some kind of secure tunnel while beaming my vitals out into the ether. I like SSH: I want my data encrypted until it reaches ‘home base’, and from there it can go out to the site I am visiting via http/https (whichever I enter). Here’s what I do:
You’ll need access to a computer at home that is running the OpenSSH server. This could be a cheap computer in your basement, or a web hosting account that gives you SSH access. I (exclusively) use the Ubuntu GNU/Linux operating system on every computer that I own. If you use Windows, fear not, SSH comes in that flavor too. I’m assuming you have ssh installed and available.
This is not a mandatory step, but I highly recommend it. You’ll want to set up a key pair so that you can access SSH on the remote computer without entering a password each time. This means generating an SSH key that has no password, which does present some interesting risks:
- Anyone who gets access to your account on your computer can ssh their way to screwing up everything that your key allows them to access.
- If they are smart enough to do this, they are smart enough to use the remote host to do bad things.
In light of the above concerns, only set up a password-less key on a computer that is secure. I do this on my very heavy, clunky desktop that is surrounded by locked doors and guards that have guns at the building entrance. Doing this on a laptop might not be the best idea; user discretion is advised!
Generate your keys as such:
ssh-keygen -t dsa -N '' -f ~/.ssh/my_key.dsa
# -N '' gives the key an empty passphrase, so you are never prompted for one
Now, install them on the remote host:
scp ~/.ssh/my_key.dsa.pub email@example.com:~/.ssh/my_dsa_key.pub
# only the .pub half leaves your machine; the private key (my_key.dsa) stays home.
# Then, logged in to the remote host, inside ~/.ssh:
cat my_dsa_key.pub >> authorized_keys2
chmod 0640 authorized_keys2
rm -f my_dsa_key.pub
It’s important to change the permissions of the authorized_keys2 file; by default, every new file you create is likely readable by the world. The cat command appends your new key to the file if it already exists; otherwise it creates the file and puts your new key in it.
Great, almost done. You now need to set up a simple SOCKS proxy that Firefox can use for its outgoing connections. You can do this ‘on demand’, or write a simple shell script to set it up for you; completely up to you. I use gzip compression, so it’s included in the command below (the -C flag). Ready, set, type:
ssh -i ~/.ssh/my_key.dsa -CND 8185 firstname.lastname@example.org >/dev/null 2>&1 &
# -i points ssh at the key made above (it is not the default id_dsa name, so ssh will not find it on its own)
The user@host part (keyed-domain.com in my case) is obviously the account and domain you had in mind when setting up the key pair. Place the above line in a shell script to start your tunnel when you need it, if you like. Now we have to set up Firefox to use this marvel of technology, which brings us to step 3:
Now, we configure Firefox to use what we’ve just created:
- Go to : Edit -> Preferences -> Advanced
- Click the “Settings” button under Connections
- Where it says SOCKS host, put in localhost, port 8185 (or whatever port you used)
- Re-start Firefox
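The post suggests wrapping the tunnel command in a shell script; the script below is an added example (not code from the original post) that does exactly that: start, stop and status for the `ssh -CND` tunnel. The account `you@home-base.example.org`, the pid file location and the port are placeholders set via environment variables; the key path is the one generated earlier in the post.

```shell
#!/bin/sh
# tunnel.sh: start/stop/status wrapper for the SOCKS tunnel described in the
# post (ssh -CND). Added example, not code from the original post. The host,
# key path and port are placeholders; override them from the environment.
TUNNEL_HOST="${TUNNEL_HOST:-you@home-base.example.org}"   # placeholder account
TUNNEL_KEY="${TUNNEL_KEY:-$HOME/.ssh/my_key.dsa}"         # key made with ssh-keygen above
TUNNEL_PORT="${TUNNEL_PORT:-8185}"                        # local SOCKS port Firefox uses
PIDFILE="${PIDFILE:-$HOME/.ssh-socks-tunnel.pid}"

# Build the ssh command line: -C compress, -N run no remote command, -D open a
# local SOCKS listener. Binding to 127.0.0.1 explicitly (rather than relying
# on the GatewayPorts default) keeps the listener off the hotel/cafe LAN, and
# ExitOnForwardFailure makes ssh quit instead of sitting around silently when
# the local port is already taken.
tunnel_cmd() {
    printf '%s\n' "ssh -i $TUNNEL_KEY -C -N -D 127.0.0.1:$TUNNEL_PORT -o ExitOnForwardFailure=yes $TUNNEL_HOST"
}

# Returns 0 if the pid recorded in PIDFILE is still a live process, 1 otherwise.
tunnel_running() {
    [ -f "$PIDFILE" ] || return 1
    kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

tunnel_start() {
    if tunnel_running; then
        echo "tunnel already up (pid $(cat "$PIDFILE"))"
        return 0
    fi
    cmd=$(tunnel_cmd)
    $cmd >/dev/null 2>&1 &
    echo $! >"$PIDFILE"
    sleep 2   # give ssh a moment to fail on a bad key, host or port
    if tunnel_running; then
        echo "tunnel up: SOCKS on 127.0.0.1:$TUNNEL_PORT (pid $(cat "$PIDFILE"))"
    else
        rm -f "$PIDFILE"
        echo "ssh exited at once; check key, host and port ($cmd)" >&2
        return 1
    fi
}

tunnel_stop() {
    if tunnel_running; then
        kill "$(cat "$PIDFILE")" && echo "tunnel stopped"
    else
        echo "no tunnel running"
    fi
    rm -f "$PIDFILE"
}

case "${1:-}" in
    start)  tunnel_start ;;
    stop)   tunnel_stop ;;
    status) if tunnel_running; then echo "up (pid $(cat "$PIDFILE"))"; else echo "down"; fi ;;
    *)      echo "usage: $0 start|stop|status" >&2 ;;
esac
```

Run `TUNNEL_HOST=you@yourhost sh tunnel.sh start` before opening Firefox and `sh tunnel.sh stop` when you are back home. One caveat for the Firefox side: unless network.proxy.socks_remote_dns is set to true in about:config, Firefox resolves hostnames locally and only the TCP traffic goes through the tunnel, so the local network still sees which sites you look up.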
You’re done, and now surfing from home base. Students, sorry, but this is not a great way to get to Myspace from school. School admins, do the following to ensure that ssh is not used to circumvent filtering (the above also lets them browse porn from their web host’s IP):
(note: those are back ticks, usually on the same key that "~" is found on)
This causes the ‘ssh’ program to be available only to root. It should come installed owned by root, but issue both commands to be safe. Unless students need to make outgoing SSH connections, this might be a sensible thing to do.
Web hosts – this is one of the 840928349328749832479 reasons that you should not hand out SSH access to every single customer that signs up. Demand a photo ID prior to giving anyone access to SSH; it can be used to do interesting things. Make SURE that your client is who (and where) they say they are. Check out ‘netstat’: learn it, live it, love it, scrape it, and make sure the scraper sends you alerts for abnormal http/https activity. Filtering egress on port 80/443 can be rather difficult, so be certain that you trust those who get shell accounts with their hosting package.
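For the netstat scraper the post asks web hosts to build, here is an added example (not from the original post) of the detection logic: it reads `netstat -tnpe` style output and flags any account whose processes hold an unusual number of outbound connections to remote ports 80/443, which is what a customer's `ssh -D` session browsing through your box looks like from the server side. The sample netstat lines, the uids and the threshold are constructed for the demo.

```shell
#!/bin/sh
# web-egress-check.sh: flag shell accounts whose processes hold many outbound
# HTTP/HTTPS connections, the pattern an 'ssh -D' user browsing through your
# box leaves in netstat. Added example, not from the original post; the
# sample data and threshold below are constructed.
ALERT_THRESHOLD="${ALERT_THRESHOLD:-5}"

# Reads 'netstat -tnpe' style lines on stdin (Proto Recv-Q Send-Q Local
# Remote State User Inode PID/Program) and prints "uid count" for every user
# with at least ALERT_THRESHOLD established connections whose *remote* port is
# 80 or 443. Keying on the remote port separates outbound fetching (proxying,
# wget, an app calling an API) from inbound web serving, where the local port
# is 80/443 and the remote port is ephemeral.
web_egress_alerts() {
    awk -v limit="$ALERT_THRESHOLD" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($5, a, ":"); port = a[n]
            if (port == "80" || port == "443") count[$7]++
        }
        END { for (u in count) if (count[u] >= limit) print u, count[u] }
    ' | sort
}

# Constructed sample: uid 1002 (a shell customer) has one inbound sshd session
# plus six outbound web connections owned by that same sshd child; uid 33
# (www-data) serves two inbound requests and makes one outbound API call (a
# second one is in TIME_WAIT and is ignored); uid 1001 runs a single wget.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address        Foreign Address      State       User  Inode PID/Program name
tcp        0      0 203.0.113.10:22      198.51.100.7:55012   ESTABLISHED 1002  28800 4412/sshd: bob
tcp        0      0 203.0.113.10:52113   93.184.216.34:443    ESTABLISHED 1002  28811 4412/sshd: bob
tcp        0      0 203.0.113.10:52114   93.184.216.34:443    ESTABLISHED 1002  28812 4412/sshd: bob
tcp        0      0 203.0.113.10:52115   198.51.100.40:80     ESTABLISHED 1002  28813 4412/sshd: bob
tcp        0      0 203.0.113.10:52116   198.51.100.41:443    ESTABLISHED 1002  28814 4412/sshd: bob
tcp        0      0 203.0.113.10:52117   198.51.100.42:443    ESTABLISHED 1002  28815 4412/sshd: bob
tcp        0      0 203.0.113.10:52118   198.51.100.43:80     ESTABLISHED 1002  28816 4412/sshd: bob
tcp        0      0 203.0.113.10:80      198.51.100.9:40211   ESTABLISHED 33    29001 2210/apache2
tcp        0      0 203.0.113.10:80      198.51.100.12:40577  ESTABLISHED 33    29002 2210/apache2
tcp        0      0 203.0.113.10:45001   198.51.100.60:443    ESTABLISHED 33    29003 2215/php5
tcp        0      0 203.0.113.10:45002   198.51.100.60:443    TIME_WAIT   33    29004 2215/php5
tcp        0      0 203.0.113.10:46000   198.51.100.70:443    ESTABLISHED 1001  29100 5001/wget
EOF
}

# Stand-alone demo over the constructed sample. On a real host run:
#   netstat -tnpe | web_egress_alerts
# from cron and pipe anything it prints into your mailer or pager.
sample_netstat | web_egress_alerts
```

With the default threshold of 5 only uid 1002 is reported (six outbound web connections); the apache2 rows never count because their remote ports are ephemeral. Tune the threshold per host: a box full of PHP apps talking to payment APIs has a higher normal baseline than a plain shell server.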