LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/text/MindTerm-SSH-HOWTO

803 lines
40 KiB
Plaintext
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Encrypted Tunnels using SSH and MindTerm HOWTO
Duane Dunston
           duane@duane.yi.org
        
Revision History
Revision 1.01 2001-06-13 Revised by: PDD
Changed date format (YYYY-MM-DD)
This document describes how to use SSH and the Java-based program MindTerm to
create quick, secure, and reliable VPN-like tunnels over insecure networks.
-----------------------------------------------------------------------------
Table of Contents
1. Introduction
1.1. Copyright Information
1.2. Disclaimer
1.3. New Versions
1.4. Credits
1.5. Feedback
2. Before we start
2.1. Mindterm and SSH Introduction
2.2. MindTerm and SSH
2.3. How MindTerm and SSH work together
3. Software Installation
4. Server and Client Configurations
4.1. Server Configuration
4.2. Client Configuration
5. Creating the tunnels
6. MindTerm over the web
7. Security considerations
8. Conclusion
9. References
10. Frequently Asked Questions
1. Introduction
For various reasons this brand new release is codenamed the release release.
New code names will appear as per industry standard guidelines to emphasize
the state-of-the-art-ness of this document.
This document was written when I read a feedback asking for a template to
fill in to make new HOWTOs. This template was initially made by extracting
the skeletal structure of the Multi Disk HOWTO which is a rather large HOWTO.
It then went through extensive editing.
Stating the background is a simple way to getting started writing the intro.
First of all we need a bit of legalese. Recent development shows it is quite
important.
-----------------------------------------------------------------------------
1.1. Copyright Information
This document is copyrighted (c) 2001 Duane Dunston and is distributed under
the terms of the Linux Documentation Project (LDP) license, stated below.
It's requested that corrections and/or comments be forwarded to the document
maintainer.
Unless otherwise stated, Linux HOWTO documents are copyrighted by their
respective authors. Linux HOWTO documents may be reproduced and distributed
in whole or in part, in any medium physical or electronic, as long as this
copyright notice is retained on all copies. Commercial redistribution is
allowed and encouraged; however, the author would like to be notified of any
such distributions.
All translations, derivative works, or aggregate works incorporating any
Linux HOWTO documents must be covered under this copyright notice. That is,
you may not produce a derivative work from a HOWTO and impose additional
restrictions on its distribution. Exceptions to these rules may be granted
under certain conditions; please contact the Linux HOWTO coordinator at the
address given below.
In short, we wish to promote dissemination of this information through as
many channels as possible. However, we do wish to retain copyright on the
HOWTO documents, and would like to be notified of any plans to redistribute
the HOWTOs.
If you have any questions, please contact <duane@duane.yi.org>
-----------------------------------------------------------------------------
1.2. Disclaimer
No liability for the contents of this documents can be accepted. Use the
concepts, examples and other content at your own risk. As this is a new
edition of this document, there may be errors and inaccuracies, that may of
course be damaging to your system. Proceed with caution, and although this is
highly unlikely, the author(s) do not take any responsibility for that.
All copyrights are held by their by their respective owners, unless
specifically noted otherwise. Use of a term in this document should not be
regarded as affecting the validity of any trademark or service mark.
Naming of particular products or brands should not be seen as endorsements.
You are strongly recommended to take a backup of your system before major
installation and backups at regular intervals.
-----------------------------------------------------------------------------
1.3. New Versions
This has undergone many revisions as this began as my final project for SANS
GIAC certification.
The latest version number of this document can be gleaned from the main Linux
Documentation Project homepage or the [http://cfcc.net/ddunston/
mindterm.html] authors page.
If you have the capability, it would be nice to make the HOWTO available in a
number of formats.
-----------------------------------------------------------------------------
1.4. Credits
In this version I have the pleasure of acknowledging:
Patti Pitz for her editing and help with organizing the paper. Doug Eymand
for his technical editing.
-----------------------------------------------------------------------------
1.5. Feedback
Feedback is most certainly welcome for this document. Without your
submissions and input, this document wouldn't exist. Please send your
additions, comments and criticisms to the following email address : <
duane@duane.yi.org>.
-----------------------------------------------------------------------------
2. Before we start
2.1. Mindterm and SSH Introduction
Businesses, schools, and home users need more secure network services now
more than ever. As online business increases, more people continue to access
critical company information over insecure networks. Companies are using the
Internet as a primary means to communicate with travelling employees in their
country and abroad, sending documents to various field offices around the
world, and sending unencrypted email; this communication can contain a wealth
of information that any malicious person can potentially intercept and sell
or give to a rival company. Good security policies for both users and network
administrators can help to minimize the problems associated with a malicious
person intercepting or stealing critical information within their
organization. This paper will discuss using Secure Shell (SSH) and MindTerm
to secure organizational communication across the Internet.
Home users and business travelers are accessing company resources and sending
sensitive data over insecure networks. This opens up a whole new area of
security issues for System Administrators (Securing the home office sensible
and securely), especially since the number of corporate users from home with
high-speed access is expected to "more than double from 24 million in 2000 to
55 million by 2005" (Broadband Access to Increase in Workplace). The increase
in the number of airports and hotels offering internet access, especially
high-speed access, is increasing and is expected to grow in the future
(Broadband Moving On Up). This can also leave a door wide open for a
malicious person to hijack or view a person's Internet traffic and access
their companies. The malicious person may not be interested in the work the
employee is doing but just want access to a high-speed server to launch
attacks, store files, or other uses. Business people are really at high risk
because they don't know who's monitoring their Internet connection in the
hotel, airport, or anywhere in their travels. Users of the new high-speed
connections are usually not taught proper security protocols and some
companies don't have the staff to help the home user and business traveler
set up secure communication. Individual users and, surprisingly, some
companies have a mentality that "I don't have anything people want". This is
very disturbing considering the amount of sensitive information that travels
across the Internet from an employee's home or from travelers. What's more
disturbing is the availability of free software to perform these kinds of
attacks and the software's ease of use. Dsniff ([http://www.monkey.org/
~dugsong/dsniff/] http://www.monkey.org/~dugsong/dsniff/) is a freely
available program that has utilities that can allow anyone with a networked
computer to highjack a local network and monitor what others are doing and
grab passwords and other sensitive data. In his book Secrets and Lies:
Digital Security in a Networked World, Bruce Schneier states that Technique
Propagation is one of the main threats to network security: "The Internet
is...a perfect medium for propagating successful attack tools. Only the first
attacker has to be skilled; everyone else can use his software" (Schneier).
The purpose of this paper is not how to secure computers but how to set up
virtual tunnels to perform secure communication, whether sending documents or
sending email. Business travelers should read [http://www.sans.org/infosecFAQ
/travel/travel_list.htm] Jim Purcell, Frank Reid, and Aaron Weissenfluh's
articles on travel security. Home users with high-speed access should read
Ted Tang's [http://www.sans.org/infosecFAQ/start/free.htm] article for
information on how to secure your computers with high-speed access. I'd
recommend the many resources available on [http://www.sans.org] www.sans.org,
[http:// www.securityfocus.com] www.securityfocus.com, or [http://
www.securityportal.com] www.securityportal.com for tutorials on how to secure
your computers and servers.
The way to ensure that sensitive data is transmitted securely and quickly is
to use encrypted methods of data delivery. This can be by way of encrypted
email, using secure web-based email services, or establishing encrypted
tunnels between two computers. Also, easy to setup and reliable software need
to be used in order to allow the inexperienced users the ability to quickly
establish secure communication channels. Taten Ylonen 's [http://www.ssh.com]
Secure Shell and [http://www.mindbright.se] MindBright Technology's MindTerm
are a quick, easy to use, and reliable solution for securing communication
over the Internet.
-----------------------------------------------------------------------------
2.2. MindTerm and SSH
SSH (Secure Shell) is a secure replacement for remote login and file transfer
programs like telnet, rsh, and ftp, which transmit data in clear,
human-readable text. SSH uses a public-key authentication method to establish
an encrypted and secure connection from the user's machine to the remote
machine. When the secure connection is established then the username,
password, and all other information is sent over this secure connection. You
can read more details of how ssh works, the algorithms it uses, and the
protocols implemented for it to maintain a high level of security and trust
at the ssh website: [http://www.ssh.com] www.ssh.com. The OpenBSD team has
created a free alternative called OpenSSH available at: [http://
www.openssh.com] www.openssh.com. It maintains the high security standards of
the OpenBSD team and the IETF specifications for Secure Shell (see the [http:
//www.ietf.org/ids.by.wg/secsh.html] Secure Shell IETF drafts, except it uses
free public domain algorithms. SSH is becoming a standard for remote login
administration. It has become so popular that there are many ports of ssh to
various platforms and there are free clients available to login to an ssh
server from many platforms as well. See [http://linuxmafia.com/pub/linux/
security/ssh-clients] http://linuxmafia.com/pub/linux/security/ssh-clients
for a list of clients and Securityportal.com has an excellent two-part
article on ssh and links to ports for different platforms available at [http:
//www.securityportal.com/research/ssh-part1.html] http://
www.securityportal.com/research/ssh-part1.html. There are programs that also
use an ssh utility called Secure Copy (scp) in the background that provide
the same functionality of a full ftp client, like [http://winscp.vse.cz]
WinSCP and the [http://www.isnetworks.com/ssh/] Java SSH/SCP Client, which
has a modified scp interface for MindTerm. Please read the licenses carefully
to determine if you are legally allowed to download ssh in your country. SSH
is free for academic institutions please. Please read the licenses available
at the ssh.com website.
MindTerm is an ssh client written entirely in Java by MindBright Technology.
One of the key practices of developing security software is proper
implementation of the underlying algorithms and protocols it uses. MindBright
Technology has implemented the ssh protocol very well in this small
application file. It is a self-contained archive that only needs to be
unzipped into a directory of your choice and it is ready to be used. It can
be used as a standalone program or as a web page applet or both. It is
available at: [http://www.mindbright.se/download/] http://www.mindbright.se/
download/. MindTerm is an excellent and inexpensive client to secure
communication to and from a local and remote location. The MindTerm program
located at the download address above is available free for non-commercial
and academic use, commercial use is available on a case to case basis.
However, the modifications made by the [http://www.isnetworks.net] ISNetwork
"is based on the MindTerm 1.21 codebase, which MindBright released under the
GPL [General Public License -- see http://www.gnu.org]. Since our version is
released under the GPL you can use it commercially for free" (Eckels).
ISNetwork's implementation has all the features of MindBright's MindTerm
except it has a nicer scp interface for more user-friendly file transfers.
MindTerm does have some drawbacks in that it doesn't support UDP tunneling.
In order to secure UDP traffic, a program called Zebedee ( [http://
www.winton.org.uk/zebedee/] http://www.winton.org.uk/zebedee/) will work
nicely. Zebedee's server and client program is available for Windows and
Linux platforms. It is freely distributed under the GPL License too. You can
connect to either Windows or Linux machines using Zebedee. MindTerm will not
check to see if your system is secure. It is up to the administrators and
users to take care of securing the computer systems. It is easy to implement
and it is very effective at maintaining the high level of security
implemented in the ssh protocol. This paper will show how easy it is to set
up and establish secure communication channels for almost any user and by
almost any user. Documents, email, and other data communication can be easily
and securely sent to users a few feet away or around the world.
-----------------------------------------------------------------------------
2.3. How MindTerm and SSH work together
SSH and MindTerm will work together to use a technique called port
forwarding. Port forwarding is forwarding traffic from one host and a given
port to another host and port. In other words, the MindTerm application will
open a port on the client's machine (local machine) and any connection to
that local port is forwarded to the remote host and its listening port over
an encrypted ssh session. Whether or not the connection is accepted depends
on the type of request you are sending to the remote host. For example, you
wouldn't forward POP requests to a remote host listening on port 21 because
port 21 is reserved for ftp requests. Port forwarding is also used to allow
connections to a server that is behind a firewall and/or has a private IP
address. Essentially this is creating a Virtual Private Network (VPN). A VPN
is "a private data network that makes use of the public telecommunication
infrastructure, maintaining privacy through the use of a tunneling protocol
and security procedures" ( [http://www.whatis.com] www.whatis.com ). The
port-forwarding can only be done with TCP services.
-----------------------------------------------------------------------------
3. Software Installation
In order to follow along with this tutorial you will have to install a few
packages. This tutorial assumes you have ssh already installed on your server
or workstation. If not then you can read the documentation that comes with
the ssh or the OpenSSH package for installation instructions for your
platform. For the examples that follow, OpenSSH was installed on a RedHat 7.0
server and workstation. OpenSSH was installed on RedHat 6.0- 7.0 and worked
the same. The client machine used in the following tutorial is a Windows 2000
machine. Windows 95/98, NT 4.0, NT 5.0, RedHat 6.0-7.0 workstation were all
tested as client machines and worked the same. On a side note, the exact same
MindTerm jar archive was used on all client systems tested.
  * SSH or Openssh
  * MindTerm
  * FTP Client - Any ftp client should work for this tutorial. Ws-FTP and
Leech-ftp are the two most popular for Windows.
  * Netscape Communicator - or any other mail client should work.
  * Optional: [http://www.ntop.org] NTOP
  * Optional: [http://www.redhat.com/swr/src/vlock-1.3-3.src.html] vlock
-----------------------------------------------------------------------------
4. Server and Client Configurations
4.1. Server Configuration
First, make sure that your server is secure. Though traffic is encrypted as
it travels over the Internet, it can be sniffed if someone has root access on
the local machine and uses a program like ngrep to sniff traffic on a local
machine. For example, in conjunction with the dsniff program mentioned above,
the following command could sniff all traffic on the local interface network:
ngrep -d lo. Securing the server is, however, beyond the scope of this paper.
We'll use the POP (port 110), IMAP (port 143), SMTP (port 25), VNC (Virtual
Network Computing) (5901+), and NTOP (default port 3000) services for this
example. All traffic will be forwarded to each service's respective port on
the remote host running the ssh server. All services listening on the remote
host listen on all interfaces, unless the service binds to a specific port by
default or if manually configured. In order to show how effective this
technique of tunneling over ssh is, we will only allow particular services to
listen on the local interface.
You don't have to change your current security configurations, however. We
will use tcp_wrappers, that is installed by default with RedHat 7.0 (and
previous versions), to connect to the network services. In the /etc/
hosts.deny file add the following line:
ALL : ALL
And in your /etc/hosts.allow file add the following lines:
sshd : ALL
in.ftpd : 127.0.0.1
ipop3d : 127.0.0.1
imapd : 127.0.0.1
This sets sshd (the ssh server) to allow connections from anywhere any IP
address. The other services only allow connections from the local interface.
You can verify this by configuring a mail client to connect to your remote
pop or imap server and/or an ftp client to connect to your ftp server, right
now. It won't allow you to connect. You'll also need to set up any user
accounts to allow access to these services. (Note: The setup above is only
useful if the services are only for internal use and remote users need to
access the internal services to send and receive email or transfer files. The
services can be available for public use and be encrypted with ssh and
MindTerm.) If MindTerm will be used over the web to create tunnels or use the
secure copy GUI features then a Java Runtime Environment (JRE) will need to
be installed on the server running SSH as well.
-----------------------------------------------------------------------------
4.2. Client Configuration
The only client configuration that is needed is to be sure that a JRE is
installed for your platform. Windows and MacOS 8 and later have a JRE already
installed. It is recommended to install Sun's JRE on Windows. IBM has a list
of ports of JRE's to various plaforms: [http://www-105.ibm.com/developerworks
/tools.nsf/dw/java-devkits-byname] http://www-105.ibm.com/developerworks/
tools.nsf/dw/java-devkits-byname as well as Sun: [http://java.sun.com/cgi-bin
/java-ports.cgi] http://java.sun.com/cgi-bin/java-ports.cgi. (You don't need
the entire Java package with the debuggers and compilers you just need the
Java Virtual Machine to run java applications.) Also, for the tutorial that
follows, unzip the MindTerm archive, MindBright's or ISNetwork's
implementation, archive into c:\mindterm for windows.
-----------------------------------------------------------------------------
5. Creating the tunnels
MindTerm can be started a few ways. If you have the JRE installed then you
can double-click on the mindtermfull.jar application file. Another way is to
open up a dos-shell and type the command:
jview -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm
or
javaw -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm
or
java -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm
(jview is used if you are using Windows and you don't download the JRE. Javaw
comes with the Windows JRE download and is used because a dos-shell box won't
be needed in order to run MindTerm so there is one less window open)
MindTerm 2.0 is now available. The argument to start it has changed slightly.
Instead of the command above:
java -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm
this will start MindTerm from the commandline:
java -cp c:\mindterm\mindtermfull.jar com.mindbright.application.MindTerm
Only the "com." was added to the applet parameter.
This will start the MindTerm program and you can then type the server name
when prompted and it will prompt you to " [minddialog.jpg] Save as Alias".
You can type a short server name so when you start the applet again you can
simply type the Alias you created. You will then be prompted for your login
name. After you type it, hit enter and a dialog box will appear informing you
that the host doesn't exist and prompt you to create it. Click Yes. Another
dialog will appear prompting you if you want to add that host to your
known_host file. Click Yes. Then you are prompted for your password. Type
your password and hit enter. If you supplied the proper username and password
then you should be at a command line on the server you specified.
We'll create a tunnel to the POP and SMTP server, first. After you have
successfully logged in (and optionally enabled vlock) click on
[tunnelmenu.jpg] Tunnels on the menu and then click [tunnelmenubasic] Basic.
A dialog box will appear. Add the following settings to each box,
respectively:
  * Local port: 2010
  * Remote Hosts: Your remote host (this should be the server running the
sshd server).
  * Remote port: 110
Now click Add. A dialog box should appear stating "The tunnel is now open and
operational". (Note: If you select a port that is already open an error
message will appear stating " [tunnelerror.jpg] Could not open tunnel. Error
creating tunnel. Error setting up local forward on port XXXX, Address in
use.) Click OK and the tunnel configuration should appear in the box now.
Click Close Dialog. Open up your email client's options or preferences menu.
We'll use Netscape Messenger for this example.
1. Open up Netscape
2. Click on Edit -> Preferences.
3. On the left column click on Mail " Newsgroups, if the contents aren't
already displayed.
4. Click on Identity and type your information in each box.
5. Click on Mail Servers in the left column. The default install of Netscape
has "mail" in the box underneath Incoming mail servers.
6. Click on mail.
7. Click Edit to the right of that box and a dialog box should appear.
8. If POP is not already selected in that drop down box, select it now.
9. In the Server Name box type localhost:2010 (remember we chose that local
port in the MindTerm tunnel creation menu to forward to the remote
servers POP (110) port) and then your username. Set any other options as
you see fit.
10. Click OK.
11. In the box Outgoing mail (SMTP) server type your smtp server name and
underneath that type your Outgoing mail server user name.
12. Click OK. (Don't do anything to the Use Secure Socket Layer (SSL) or TLS
for outgoing messages option).
13. Now click on Communicator on the menu.
14. Click Messenger.
15. You should then be prompted for your password. Type your password and hit
enter. If you have mail you should now be able to read it.
As long as you have a MindTerm ssh session open, this should work with most
email clients. Remember that the remote server name or POP server name will
be "localhost:". If you are asked for the POP server and port seperately then
add it accordingly. Any connections to the local port 2010, in this example,
will be forwarded to the remote hosts' port 110. If you configure an ftp
client to connect to the localhost port 2010, right now it wouldn't work.
Why? The POP protocol doesn't understand ftp protocol. Only POP clients can
be forwarded to the localhost port 2010 for the tunnel to be effective. A POP
server isn't any good if you don't have an smtp server. If you have a mail
program like Postfix ( [http://www.postfix.net] www.postfix.net), Qmail
([http://www.qmail.org] www.qmail.org), or Sendmail ([http://
www.sendmail.org] www.sendmail.org) then a secure tunnel can be created to
it, as well.
With the MindTerm client still running click on Tunnels again then Basic and
add these settings.
  * Local Port: 2025(just type over the settings set from what we did
previously)
  * Remote Host: Your remote smtp server.
  * Remote Port: 25
Click Add. Then click OK on the confirmation menu. Now smtp should be added
to the list underneath the settings for POP. In the Netscape Messenger mail
server settings add: localhost:2025 as your Outgoing mail (SMTP) server. All
email you send to the remote host will be encrypted. However, if you send
mail to someone outside of the remote host's mail server, your email will be
encrypted only from your local machine to your remote smtp server. From the
remote smtp server to any other host, will not be encrypted, unless you've
configured a tunnel to the other hosts.
To enable encrypted ftp sessions add these settings to a new tunnel.
  * Local Port: 2021 (just type over the settings set from what we did
previously)
  * Remote Host: Your remote ftp server.
  * Remote Port: 21
Click Add. Then click OK on the confirmation menu. Now ftp (see the
[leech.jpg] leech ftp example and wsftp-- [wsftp.jpg] picture 1 and
[wsftpadvanced.jpg] picture 2) should be added to the list underneath the
settings for SMTP.
Imap settings:
  * Local Port: 2043 (just type over the settings set from what we did
previously)
  * Remote Host: Your remote imap server.
  * Remote Port: 143
Click Add. Then click OK on the confirmation menu. Now ftp should be added to
the list underneath the settings for POP.
All these settings can be automated in a batch file. Simply add the following
to a startup script to automatically create a tunnel to your pop server after
authentication:
jview (or java or javaw) -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm
-server -local0 2010:localhost:110
Here is an example based on what we've done above. Add the following to a
file in an editor:
jview (or java or javaw) -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm
-server -local0 2010:localhost:110 -local1 2025:localhost:25 -local2 /ftp/2021:localhost:21
-local3 2043:localhost:143
now save it with a .bat extension. Double-click on it. You should be prompted
for your login name when MindTerm starts up then type your password. After
you are authenticated click on the Tunnels menu and click Basic. You should
see the tunnels in the box that opens up. This is an easy way to allow remote
users to start up the tunnels without many configurations on their part. They
only need to click the .bat file and type their username and password and
optionally run vlock. Their client software can be pre-configured for remote
profiles that connect to the tunnels automatically.
When you are finished using the MindTerm, be sure to close all applications
that are using a tunnel. If you forget to close the programs using the
tunnels, MindTerm will display a message when you attempt to exit from the
console or quit the program.
What about VNC and NTOP? These services work the same way. Here the VNC
server was running on a RedHat 7.0 workstation. When you start the VNC
server, it first listens on port 5901 and each server after that increments
up 1 port so the second instance of VNC will listen on port 5902, and the
third 5903, etc.. On Linux, you can run multiple VNC servers and people can
connect to each VNC server as well. In MindTerm you can simply add a VNC
tunnel with the following settings:
  * Local Port: 2001
  * Remote Host: Your remote VNC server host name.
  * Remote Port: 5901 (If this is the first server instance running)
Click Add. Then click OK on the confirmation menu.
Run the vncviewer application on your local machine and type: localhost:2001,
and then the password, when prompted, for the VNC desktop and you have an
encrypted VNC session.
Ntop works the same way. If you want to run ntop in web mode as a network
monitor, you can tunnel connections to your local machine and view the stats
in your local browser, without having to install a webserver or opening port
3000 on your remote server. By default, ntop in web mode listens on port 3000
and waits for an http connection to display network stats. Simply create a
tunnel to the server running the ssh server and ntop. First run ntop in web
mode: ntop -d -w 3000 Then add the settings to the MindTerm tunnel:
  * Local Port: 2080
  * Host: Server running ntop.
  * Remote Port: 3000
Click Add. Then click OK on the confirmation menu.
Open up your web browser and in the location bar type: http://localhost:2080
You should now see the network stats page for ntop (see the ntop man pages to
add password protected access to the ntop display). Similarly, if you want to
install a web server so you can use web-based applications to control your
server or firewall, then just create a tunnel to port 80. You don't have to
open up a port on the public interface. Simply bind the webserver to the
local interface and create a tunnel to the remote hosts' port 80. For Apache,
edit the httpd.conf file and change the BindAddress * option to BindAddress
127.0.0.1. Then add localhost to the ServerName directive: ServerName
localhost. Finally, change the Listen directive to: Listen 127.0.0.1:80 As
you can see by now MindTerm can secure almost any TCP service. It can be used
on a remote server to run [http://www.webmin.com/webmin] Webmin, which is an
excellent web-application to administer your servers. It comes with its own
perl-based webserver and listens on port 10000 by default. Simply create a
tunnel to it using MindTerm and it should work without any changes to the
Webmin application or your local web browser. The MindTerm download zip file
contains many useful examples, such as using it from the command line and an
explanation of all the menu options. MindTerm has more features than outlined
in this tutorial but the tunnel option is well worth spending time focusing
on.
-----------------------------------------------------------------------------
6. MindTerm over the web
MindTerm can be used over the web as well. Users don't have to download the
application. Simply copy the mindtermfull.jar file to a directory into a web
directory and the users can simply use it as a built-in application or as a
stand-alone java applet. For example, create a folder named mindterm under
your web directory. Copy the mindtermfull.jar file, that was used above, into
the web directory folder mindterm. Then add the file index.html to the
directory with the following content (snipped from the README):
<html> <head></head> <body> <applet archive="mindtermfull.jar" code=
mindbright.application.MindTerm width=700 height=400> <param name=server
value="<yourserver name>"> <param name=port value="22"> <param name=cipher
value="blowfish"> <param name=te value="xterm-color"> </applet> </body> </
html>
MindTerm 2.0 is now available. The argument to start the web applet has
changed slightly. Instead of the applet parameter above, and the code example
below, change the line:
<applet archive="mindtermfull.jar"
code=mindbright.application.MindTerm width=700 height=400>
to:
<applet archive="mindtermfull.jar"
code=com.mindbright.application.MindTerm width=700 height=400>
Only the com. needs to be added to the applet parameter code=. So the code
below will be changed to:
<applet archive="mindterm_ns.jar" code=com.mindbright.application.MindTerm.class width=1
height=1>
Browse to the location of the directory in your web browser (http://<
yourserver name>/mindterm/index.html), be sure to have Java enabled in your
browser and you should be able to login into the server now.
In order to create tunnels the most recent version of MindTerm has to be
downloaded from the MindBright website, version 1.99. That archive contains a
signed applet by MindBright that can be used in your web page to create
tunnels as explained above. After you have downloaded the latest version, add
the mindterm_ns.jar file to the mindterm directory under your webserver. Now
add a file named standapplet.html to the mindterm directory and add the
following code to start MindTerm as a separate client to create tunnels. (
NOTE: The archive contains an applet for both netscape and Explorer)
<html> <head></head> <body> <applet archive="mindterm_ns.jar" code=
mindbright.application.MindTerm.class width=1 height=1> <param name=server
value="<yourserver name>"> <param name=port value="22"> <param name=cipher
value="blowfish"> <param name=sepframe value="true"><!-- wheter to run in a
separate frame or not --> <param name=autoprops value="both"><!-- enable/
disable automatic save/load of settings --> </applet> </body> </html>
Now browse to the location of the directory in your web browser (http://<lt;
yourserver name>/mindterm/standapplet.html). This will start MindTerm as a
standalone java applet, the same as if it was started from the commandline.
Tunnels can be created using the applet tags so that users don't have to do
anything but browse to the page and then login. Then they would access their
services just as explained in the above examples. They can, however, create
their own tunnels or new tunnels from the Tunnels menu as explained above.
The README that comes with the MindTerm zip archive has many more applet
parameters that can be added. As you create tunnels you can then click on
File and then Save so it keeps the tunnels that you have created when you log
in again.
A couple of security notes here are you can't connect to another server using
the initial login applet. You can only login to the server where the applet
is located. However, after you have logged in successfully you can then log
in to other servers from the command line. Also, this MindTerm applet is
signed by MindBright so you need to contact the [mailto:sales@mindbright.se]
sales department at MindBright to obtain a crytographic signature for your
organization. That is, if it is needed.
-----------------------------------------------------------------------------
7. Security considerations
When an ssh session starts, the public-keys are being sent over an insecure
connection until the authentication process is established.. This allows a
person to intercept an ssh session and place their own public key in the
connection process. SSH is designed to warn the user if a public-key has
changed from what exists in their known_host file. The warning that is given
is quite noticeable and ssh will drop the connection if the public keys are
different, but user's may still trust the certificate because they may think
that their company has changed the server's public key. This kind of attack
isn't difficult because the dsniff package mentioned earlier contains the
tools to perform it. This attack is more commonly called a "man-in-the-middle
attack" (The End of SSL and SSH).
A temporary and easy fix for this is to first teach the user's how to
recognize the signs that the host key has changed and what to do to get the
proper host(s) public key. Second, post the public key for the ssh server(s)
on a website, ftp server, or distribute it some other way so that users have
access to it at all times.
-----------------------------------------------------------------------------
8. Conclusion
SSH and MindTerm together can provide local and remote users with a
high-level of security with a simple and small drop-in application. It can
also be used from nearly any platform available. Java was chosen because of
its cross-platform compatibility. If there is a JRE available for a platform
that someone uses then they can use the MindTerm application to communicate
securely over long distances. Since ssh is becoming the standard for remote
administration and logins, soon nearly all platforms will be able to run an
ssh server. MindBright is currently working on a Java SSH server.
This tutorial also shows how someone can tunnel through a firewall. This is
by no means the intention of this paper. It is hoped people will use it for a
secure, quick, and free drop-in VPN-like replacement for remote
administration, traveling business people, and a hope that other sectors can
see the usefulness in this excellent program. As long as you are allowed to
make ssh connections then you can tunnel services through to a remote
machine. System and Security Administrators should establish policies against
tunneling through firewalls because that can cause internal security breaches
if used improperly. Remember that the communication is secured but the
commands and files that you access and/or download are still being executed
on your local and remote machines. Also, any commands you type on most
servers are being logged as well. SSH will protect the data over the network
or the Internet but what is done on the remote machines can be logged. SSH
and MindTerm will not protect against someone gaining access to a remote
user's computer and installing key logging programs or other snooping
devices.
It is very simple and quick to set up secure communications but the only way
to increase the use of secure communication is for users to encourage their
company, financial institutions, health care providers, and other businesses
to offer secure services.
-----------------------------------------------------------------------------
9. References
Broadband Access to Increase in Workplace. 25 Jan. 2001. CyberAtlas. 12 Mar.
2001 <[http://cyberatlas.internet.com/markets/broadband/article/
0,,10099_570571,00.html] http://cyberatlas.internet.com/markets/broadband/
article/0,,10099_570571,00.html>.
Broadband Moving On Up. 10 Jan. 2001. CyberAtlas. 12 Mar. 2001. <. http://
cyberatlas.internet.com/markets/broadband/article/0,,10099_556391,00.html>.
Connolly, P.J. "Secure the home office sensible and easily" Infoworld. 8 Mar.
2001. 22 Mar. 2001. <[http://www.infoworld.com/articles/tc/xml/01/03/12/
010312tcsoho.xml] http://www.infoworld.com/articles/tc/xml/01/03/12/
010312tcsoho.xml>.
Eckels, Josh. "Commercial Use" E-mail to Josh Eckels. 13 Mar. 2001
MindTerm: README. MindBright Technology. 3 March 2001 <. http://
www.mindbright.se/documentation/README>. Schneier, Bruce. Secrets and Lies:
Digital Security in a Networked World. New York:Wiley & Sons, 2000.
Seifried, Kurt. "The End of SSL and SSH" 18 Dec. 2000. SecurityPortal. 12
March 2001 <[http://www.securityportal.com/cover/coverstory20001218.html]
http://www.securityportal.com/cover/coverstory20001218.html>.
virtual private network: [Definition]. 6 Oct. 2000. Whatis.com. 15 Mar. 2001.
<[http://whatis.techtarget.com/definitionsSearchResults/
1,289878,sid9,00.html?query=virtual+private+network] http://
whatis.techtarget.com/definitionsSearchResults/1,289878,sid9,00.html?query=
virtual+private+network>.
-----------------------------------------------------------------------------
10. Frequently Asked Questions
Nothing yet.
Reference in New Issue View Git Blame Copy Permalink