A dialog box should appear stating "<ulink url="tunnelconfirm.jpg">The
tunnel is now open and operational</ulink>". <emphasis>(Note: If you
select a local port that is already in use, an error message will appear stating
"<ulink url="tunnelerror.jpg">Could not open tunnel. Error creating tunnel. Error setting up local forward on port XXXX, Address in use.</ulink>")</emphasis>
Click <command>OK</command> and the tunnel configuration should now appear in the box. Click <command>Close Dialog</command>. Open your email client's options or preferences menu. We'll use Netscape Messenger for this example.
</para>
<orderedlist>
<listitem><para>Open up Netscape</para></listitem>
<listitem><para>Click on <command>Edit -> Preferences</command>.</para></listitem>
<listitem><para>On the left column click on <command>Mail &amp; Newsgroups</command>, if the contents aren't already displayed.</para></listitem>
<listitem><para>Click on <command>Identity</command> and type your information in each box.</para></listitem>
<listitem><para>Click on <command>Mail Servers</command> in the left column. The default install of Netscape has "mail" in the
box underneath Incoming mail servers.</para></listitem>
<listitem><para>Click on <command>mail</command>.</para></listitem>
<listitem><para>Click <command>Edit</command> to the right of that box and a dialog box should appear.</para></listitem>
<listitem><para>If POP is not already selected in that drop down box, select it now.</para></listitem>
<listitem><para>In the Server Name box type <command>localhost:2010</command> <emphasis>(remember we chose that local port in the
MindTerm tunnel creation menu to forward to the remote server's POP (110) port)</emphasis> and then
your username. Set any other options as you see fit.</para></listitem>
<listitem><para>You should then be prompted for your password. Type your password and hit enter. If you
have mail you should now be able to read it.</para></listitem>
</orderedlist>
<para>
As long as you have a MindTerm ssh session open, this should work with most email clients.
Remember that the remote server name or POP server name will be "<emphasis>localhost:</emphasis>". If you are asked for
the POP server and port separately then add them accordingly. Any connections to the local port 2010, in
this example, will be forwarded to the remote host's port 110. If you configure an ftp client to connect
to the localhost port 2010, right now it wouldn't work. Why? The POP server at the other end of the tunnel doesn't understand the ftp
protocol. Only POP clients can be pointed at the localhost port 2010 for the tunnel to be useful.
A POP server isn't any good if you don't have an smtp server. If you run a mail server like Postfix (
<ulink url="http://www.postfix.net">www.postfix.net</ulink>), Qmail (<ulink url="http://www.qmail.org">www.qmail.org</ulink>), or Sendmail (<ulink url="http://www.sendmail.org">www.sendmail.org</ulink>) then a secure tunnel can be created to it as well.
</para>
<para>
With the MindTerm client still running click on Tunnels again then Basic and add these settings.
</para>
<itemizedlist>
<listitem><para>Local Port: <command>2025</command> <emphasis>(just type over the settings set from what we did previously)</emphasis></para></listitem>
</itemizedlist>
<para>
Then click <command>OK</command> on the confirmation menu. Now smtp should be added to the list underneath the
settings for POP. In the Netscape Messenger mail server settings add <command>localhost:2025</command> as your
<emphasis>Outgoing mail (SMTP) server</emphasis>.
All email you send to the remote host will be encrypted. However, if you send mail to someone outside
of the remote host's mail server, your email will be encrypted only from your local machine to your
remote smtp server. Traffic from the remote smtp server to any other host will not be encrypted, unless
you've configured a tunnel to the other hosts.
</para>
<para>
To enable encrypted ftp sessions add these settings to a new tunnel.
</para>
<itemizedlist>
<listitem><para>Local Port: <command>2021</command> <emphasis>(just type over the settings set from what we did previously)</emphasis></para></listitem>
</itemizedlist>
<para>
Then click <command>OK</command> on the confirmation menu. Now ftp (see the
<ulink url="leech.jpg">leech ftp example</ulink> and wsftp,
<ulink url="wsftp.jpg">picture 1</ulink> and
<ulink url="wsftpadvanced.jpg">picture 2</ulink>)
should be added to the list underneath the settings for SMTP.
</para>
<para>
IMAP settings:
</para>
<itemizedlist>
<listitem><para>Local Port: <command>2043</command> <emphasis>(just type over the settings set from what we did previously)</emphasis></para></listitem>
</itemizedlist>
<para>
Then click <command>OK</command> on the confirmation menu.
</para>
<para>
Open up your web browser and in the location bar type <command>http://localhost:2080</command>. You should now see
the network stats page for ntop (see the ntop man pages to add password-protected access to the ntop
display). Similarly, if you want to install a web server so you can use web-based applications to control
your server or firewall, then just create a tunnel to port 80. You don't have to open up a port on the
public interface. Simply bind the webserver to the local interface and create a tunnel to the remote
host's port 80. For Apache, edit the <filename>httpd.conf</filename> file and change the <emphasis>BindAddress *</emphasis> option to
<command>BindAddress 127.0.0.1</command>. Then add <command>localhost</command> to the <emphasis>ServerName</emphasis> directive: <command>ServerName localhost</command>. Finally, change the <emphasis>Listen</emphasis> directive to <command>Listen 127.0.0.1:80</command>.
As you can see by now, MindTerm can secure almost any TCP service. It can be used with Webmin to
administer your servers remotely. Webmin comes with its own perl-based webserver and listens on port 10000 by
default. Simply create a tunnel to it using MindTerm and it should work without any changes to the
Webmin application or your local web browser. The MindTerm download zip file contains many
useful examples, such as using it from the command line, and an explanation of all the menu options.
MindTerm has more features than outlined in this tutorial but the tunnel option is well worth
spending time on.
</para>
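<para>
The "Address in use" error at the start of this section and the advice to bind Apache, ntop and Webmin to 127.0.0.1 both come down to reading the host's TCP listener table. The script below is an added example, not code from this tutorial or from MindTerm: it parses output in the column layout of <command>ss -ltn</command> or <command>netstat -ltn</command> (column 4 assumed to be the local address:port, as both tools print it), lists every listener that is not bound to the loopback address, and tells you whether a chosen local tunnel port is already taken. The sample tables inside it are constructed, not captured from a real host.
</para>

```sh
#!/bin/sh
# Added example for this tutorial (not MindTerm's or the tutorial's own code):
# audit a TCP listener table in the column layout printed by `ss -ltn` or
# `netstat -ltn`, where column 4 is "LocalAddress:Port".
#
# exposed_listeners  - prints "port host" for every listener NOT bound to the
#                      loopback address, i.e. services reachable on the public
#                      interface instead of only through an ssh tunnel.
# port_in_use PORT   - succeeds (exit 0) if PORT already has a listener, which
#                      is the condition behind MindTerm's "Address in use" error.

exposed_listeners() {
    # Only rows whose 4th column ends in ":<digits>" are listener rows; this
    # skips the header line. The port is the text after the LAST colon so that
    # IPv6 forms such as [::]:80 and [::1]:22 are split correctly.
    awk '$4 ~ /:[0-9]+$/ {
        n = split($4, part, ":")
        port = part[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host != "127.0.0.1" && host != "[::1]")
            print port, host
    }'
}

port_in_use() {
    awk -v want="$1" '$4 ~ /:[0-9]+$/ {
        n = split($4, part, ":")
        if (part[n] == want) found = 1
    } END { if (found) exit 0; exit 1 }'
}

# Constructed sample of a server's listener table (not captured from a real
# host). Webmin on 10000 is correctly bound to loopback; POP3 and the web
# server still listen on every interface and should be moved to 127.0.0.1
# (e.g. Apache "Listen 127.0.0.1:80") once users reach them via the tunnel.
SAMPLE_SERVER='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:10000     0.0.0.0:*
LISTEN 0      511    *:80                *:*
LISTEN 0      128    [::]:110            [::]:*'

# Constructed sample of the client side after the POP tunnel was opened on
# local port 2010 (netstat column layout this time).
SAMPLE_CLIENT='Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp    0      0      127.0.0.1:2010   0.0.0.0:*        LISTEN'

echo "Listeners on the public interface (port host):"
printf '%s\n' "$SAMPLE_SERVER" | exposed_listeners

for p in 2010 2025; do
    if printf '%s\n' "$SAMPLE_CLIENT" | port_in_use "$p"; then
        echo "local port $p is already in use; pick another for the tunnel"
    else
        echo "local port $p is free"
    fi
done
# On a live system:  ss -ltn | exposed_listeners      ss -ltn | port_in_use 2010
```

<para>
Run <command>exposed_listeners</command> on the server after moving a service to the loopback address: a service that still appears in its output is reachable without the tunnel, so the MindTerm forward adds no protection for it. Run <command>port_in_use</command> on the client before picking a local port for a new tunnel.
</para>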
</sect1>
<!-- Section1: creating-tunnels: END -->
<!-- Section1: mindterm-web -->
<sect1 id="mindterm-web">
<title>MindTerm over the web</title>
<para>
MindTerm can be used over the web as well, so users don't have to download the application. Simply copy the <filename>mindtermfull.jar</filename> file into a web directory and users can run it as an embedded applet or as a stand-alone Java applet. For example, create a folder named <filename class="directory">mindterm</filename> under your web directory. Copy the <filename>mindtermfull.jar</filename> file that was used above into the <filename class="directory">mindterm</filename> folder. Then add the file <filename>index.html</filename> to the directory with the following content (snipped from the <filename>README</filename>):
MindTerm 2.0 is now available. The argument used to start the web applet has changed slightly: instead of the applet parameter above, and in the code example below, change the line:
Browse to the location of the directory in your web browser <emphasis>(http://&lt;yourserver name&gt;/mindterm/index.html)</emphasis>, be sure to have Java enabled in your browser, and you should be able to log in to the server now.
</para>
<para>
To create tunnels from the applet, the most recent version of MindTerm, version 1.99, has to be downloaded from the MindBright website. That archive contains an applet signed by MindBright that can be used in your web page to create tunnels as explained above.
After you have downloaded the latest version, add the <filename>mindterm_ns.jar</filename> file to the <filename class="directory">mindterm</filename> directory under your webserver. Now add a file named <filename>standapplet.html</filename> to the <filename class="directory">mindterm</filename> directory and add the following code to start MindTerm as a separate client to create tunnels. (<emphasis>NOTE: The archive contains an applet for both Netscape and Explorer</emphasis>)
</para>
<literallayout><emphasis>
&lt;param name=sepframe value="true"&gt;&lt;!-- whether to run in a separate frame or not --&gt;
&lt;param name=autoprops value="both"&gt;&lt;!-- enable/disable automatic save/load of settings --&gt;
&lt;/applet&gt;
&lt;/body&gt;
&lt;/html&gt;
</emphasis></literallayout>
<para>
Now browse to the location of the directory in your web browser <emphasis>(http://&lt;yourserver name&gt;/mindterm/standapplet.html)</emphasis>. This will start MindTerm as a standalone Java applet, the same as if it was started from the command line. Tunnels can be created using the applet tags so that users don't have to do anything but browse to the page and then log in. They would then access their services just as explained in the above examples. They can, however, create their own tunnels or new tunnels from the <emphasis>Tunnels</emphasis> menu as explained above. The <filename>README</filename> that comes with the MindTerm zip archive lists many more applet parameters that can be added. As you create tunnels you can click on <command>File</command> and then <command>Save</command> so that the tunnels you have created are kept when you log in again.
</para>
<para>
A couple of security notes: you can't connect to another server using the initial login applet; you can only log in to the server where the applet is located. However, after you have logged in successfully you can then log in to other servers from the command line. Also, this MindTerm applet is signed by MindBright, so you need to contact the <ulink url="mailto:sales@mindbright.se">sales department</ulink> at MindBright to obtain a cryptographic signature for your organization, if one is needed.
</para>
</sect1>
<!-- Section1: mindterm-web: END -->
<!-- Section1: security -->
<sect1 id="security">
<title>Security considerations</title>
<para>
When an ssh session starts, the public keys are sent over an insecure connection until the
authentication process is established. This allows a person to intercept an ssh session and place their
own public key in the connection process. SSH is designed to warn the user if a public key has changed
from what exists in their known_hosts file. The warning is quite noticeable and ssh will
drop the connection if the public keys are different, but users may still trust the new key because
they may think that their company has changed the server's public key. This kind of attack isn't
difficult because the dsniff package mentioned earlier contains the tools to perform it. This attack is
more commonly called a <emphasis>"man-in-the-middle attack" (The End of SSL and SSH)</emphasis>.
</para>
<para>
A temporary and easy fix for this is to first teach users how to recognize the signs that the host
key has changed and what to do to obtain the proper public key for the host(s). Second, post the public key for the
ssh server(s) on a website, ftp server, or distribute it some other way so that users have access to it at
all times.
</para>
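<para>
Publishing the server's host key only helps if someone actually compares it with what the client has stored. The script below is an added example, not part of this tutorial or of MindTerm: it reads a published host-key list and a user's known_hosts, both assumed to be in OpenSSH's one-line "hostname keytype base64key" form with plain (unhashed) host names, and reports for each published host whether the stored key matches, differs, or is absent. The files and key blobs it creates are constructed placeholders, not real keys.
</para>

```sh
#!/bin/sh
# Added example for this tutorial (not MindTerm's or the tutorial's own code):
# check a user's known_hosts against the host-key list the administrator
# publishes out of band (web page, ftp server, ...). Both files are assumed
# to be in OpenSSH's one-line "hostname keytype base64key" form, with plain
# (unhashed, single) host names in the first column.
#
# For every host in the published list, one line is printed:
#   host OK       - known_hosts holds exactly the published key
#   host CHANGED  - known_hosts holds a different key: either the admin
#                   rotated it or someone is sitting in the middle; stop and
#                   confirm through a second channel before trusting it
#   host MISSING  - not yet in known_hosts; the published entry can be
#                   appended so the first connection is verified, not blind

audit_known_hosts() {
    # $1 = published list, $2 = known_hosts. NR==FNR is true only while awk is
    # still reading the first file (so the published list must not be empty).
    awk '
        NR == FNR { trusted[$1] = $2 " " $3; next }
        ($1 in trusted) { seen[$1] = $2 " " $3 }
        END {
            for (h in trusted) {
                if (!(h in seen)) { status = "MISSING" }
                else if (seen[h] == trusted[h]) { status = "OK" }
                else { status = "CHANGED" }
                print h, status
            }
        }' "$1" "$2" | sort
}

# Constructed demo data: the key blobs below are placeholders, not real keys.
make_demo_files() {
    dir=$(mktemp -d)
    cat > "$dir/published_keys" <<'EOF'
mail.example.com ssh-rsa AAAAexampleKeyMail
shell.example.com ssh-rsa AAAAexampleKeyShell
www.example.com ssh-rsa AAAAexampleKeyWww
EOF
    # The user's known_hosts: mail matches, shell carries a different key,
    # www has never been contacted.
    cat > "$dir/known_hosts" <<'EOF'
mail.example.com ssh-rsa AAAAexampleKeyMail
shell.example.com ssh-rsa AAAAsomethingElse
EOF
    echo "$dir"
}

demo_dir=$(make_demo_files)
audit_known_hosts "$demo_dir/published_keys" "$demo_dir/known_hosts"
# Expected:
# mail.example.com OK
# shell.example.com CHANGED
# www.example.com MISSING
rm -rf "$demo_dir"
```

<para>
On a workstation with OpenSSH installed, <command>ssh-keygen -l -f known_hosts</command> prints the fingerprints of the stored keys, which is the form users can compare by eye against a fingerprint published on a web page; the script above does the same comparison mechanically for the full key. A CHANGED result is exactly the situation the warning in this section describes, and the answer is to stop and verify, not to delete the old entry and reconnect.
</para>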
</sect1>
<!-- Section1: security: END -->
<!-- Section1: conclusion -->
<sect1 id="conclusion">
<title>Conclusion</title>
<para>
SSH and MindTerm together can provide local and remote users with a high level of security with a
simple and small drop-in application. It can also be used from nearly any platform available. Java was
chosen because of its cross-platform compatibility. If there is a JRE available for a platform that
someone uses then they can use the MindTerm application to communicate securely over long
distances. Since ssh is becoming the standard for remote administration and logins, soon nearly all
platforms will be able to run an ssh server. MindBright is currently working on a Java SSH server.
</para>
<para>
This tutorial also shows how someone can tunnel through a firewall. That is by no means the intention
of this paper. It is hoped people will use it as a secure, quick, and free drop-in VPN-like replacement
for remote administration and for traveling business people, and that other sectors will see the
usefulness of this excellent program. As long as you are allowed to make ssh connections, you can
tunnel services through to a remote machine. System and security administrators should establish
policies against tunneling through firewalls because it can cause internal security breaches if used
improperly. Remember that the communication is secured, but the commands and files that you access
and/or download are still being executed on your local and remote machines. Also, any commands you
type on most servers are being logged as well. SSH will protect the data over the network or the
Internet, but what is done on the remote machines can be logged. SSH and MindTerm will not protect
against someone gaining access to a remote user's computer and installing key logging programs or
other snooping devices.
</para>
<para>
It is very simple and quick to set up secure communications but the only way to increase the use of
secure communication is for users to encourage their company, financial institutions, health care
providers, and other businesses to offer secure services.
</para>
</sect1>
<!-- Section1: conclusion: END -->
<!-- Section1: references -->
<sect1 id="references">
<title>References</title>
<para>
Broadband Access to Increase in Workplace. 25 Jan. 2001. CyberAtlas. 12 Mar. 2001