-1

I'm setting up a server application which requires to establish a secure connection over SSH2, e.g. a client must open SSH2 connection to the server to reach specific application:

% ssh -s -p5000 my.server.com app

I want to understand, what exactly is happening after this command has completed? How client/server know that they have to run over SSH secure channel? Is this called ssh tunneling, or it has different name for it?

Thanks.

Mark
  • 249
  • 1
  • 5
  • 13

2 Answers2

6

You're connecting to tcp my.server.com:5000, it runs ssh subsystem "app" there. What is being performed is defined by that subsystem (in the ssh server config file). That subsystems could transfer data forth and back, via stdin and stdout. External adversary sees tcp connection, sees that this is ssh session and nothing more. This is not called "ssh tunneling".

Tunneling is when you forward some TCP socket like this: ssh firewall -L 12345:system-behind:54321, then locally connect to localhost:12345 and it works like you are sitting on firewall and connecting to system-behind:54321 from there. You "tunnel" tcp connection via ssh. By adding -g you can allow anybody in your network to connect to you:12345 and be like connected to system-behind:54321 from firewall.

For example, consider Linux firewall doing NAT and with ssh server, and some windows server behind, which has firewall, that allows connections only from local network. You could connect there like this: ssh firewall -L 13389:windows-server-address:3389 and then xfreerdp /v:localhost:13389; server will see connection from local address of firewall, not from your internet address.

You could do this in reverse way with ssh remote -R 12345:system-near-you:54321. Then you open socket on remote, and someone sitting on remote could connect to localhost:12345 and end up connected like they are sitting on your machine and connecting to system-near-you:54321. This is reverse tunneling. Again, -g allows this not only to those who sits directly on remote, but to anyone who could connect to remote:12345.

There is also ssh ip tunneling, when you create virtual tunnel interfaces both on server and client, assign there ip addresses and connect them with ssh. This is called VPN, but when doing it with ssh machinery is not very convenient, and I've never seen this in use.

Nikita Kipriyanov
  • 10,947
  • 2
  • 24
  • 45
2

% ssh -s -p5000 my.server.com app connects to my.server.com, then it runs "app" subsystem in my.server.com

How client/server know that they have to run over SSH secure channel?

SSH secure channel is a bit confusing: SSH is already secure. A secure channel could be a VPN.

Note that SSH tunneling and VPN aren't the same things:

  • VPN works on the transport level (connecting networks) while SSH tunnel works on an application level (connecting hosts).
  • VPN can be hardware or software-implemented while ssh tunnel is always software.
  • You can run ssh inside a VPN.
Ra_
  • 677
  • 4
  • 9
  • 1
    VPN in the form of peer-to-peer IP tunnel could be created using SSH tunnel: https://help.ubuntu.com/community/SSH_VPN . So that is not "one versus other". SSH is more general thing. – Nikita Kipriyanov Dec 17 '15 at 13:07
  • 1
    There are many types of Virtual Private Network: http://techpp.com/2010/07/16/different-types-of-vpn-protocols. You also can implement a VPN using SSH, but itsn't mandatory. SSH is not a more general thing than VPN: they are just different concepts. – Ra_ Dec 17 '15 at 14:32