{"id":238,"date":"2011-07-06T09:00:16","date_gmt":"2011-07-06T16:00:16","guid":{"rendered":"http:\/\/35.225.155.113\/blog\/index.php\/2011\/07\/06\/establish_and_maintain_an_ssh_tunnel_between_linux_and_windows\/"},"modified":"2019-10-09T18:31:45","modified_gmt":"2019-10-10T01:31:45","slug":"establish-and-maintain-an-ssh-tunnel-between-linux-and-windows","status":"publish","type":"post","link":"https:\/\/www.weinstein.org\/blog\/index.php\/2011\/07\/establish-and-maintain-an-ssh-tunnel-between-linux-and-windows.html","title":{"rendered":"Establish and Maintain an SSH Tunnel between Linux and Windows"},"content":{"rendered":"

The Situation<\/strong><\/p>\n

Over the years, I’ve worked in numerous computing environments and have come to appreciate heterogeneous systems. In my mind, all
\nsystem administrators should experience how different platforms solve similar problems, just as all programmers should be exposed to different programming languages.<\/p>\n

Of course this means being able to play well with others. Sometimes, that’s easier said than done.<\/p>\n

A recent project requirement stipulated being able to connect a public web server with a private database system. Not an uncommon requirement, but it did place a hurdle immediately in the way. The web application, developed with the Linux, Apache, MySQL and PHP (LAMP) stack, needed a method to connect to the private database system securely, which, for fun was not MySQL but instead Microsoft’s SQL Server.<\/p>\n

The Problem<\/strong>
\nThe initial requirement called on connecting to the SQL Server using Microsoft’s virtual private network (VPN) solution, Microsoft Point-to-Point Encryption<\/a> (MPPE). Not impossible, since support for MPPE on any
\nLinux distribution simply requires modifying the Linux kernel and recompiling the kernel in Linux is usually a non-issue.<\/p>\n

However, in this case the web application would be running on a basic virtual private server<\/a> (VPS) and a Linux VPS doesn’t run its own kernel. Instead Linux VPSes run on a shared kernel used by all the different virtualized servers running on the same hardware.<\/p>\n

Net result, no modification of the Linux kernel would be possible on the VPS.<\/p>\n

One alternative to this hurdle would have been to switch from a Linux VPS to a Windows VPS. This would have been technically possible since Apache, MySQL and PHP have viable Windows ports. Alas, the hosting provider in question didn’t yet offer Windows VPSes. They would shortly, but couldn’t guarantee that their Windows VPS solution would be available in time for this particular project’s deadline.<\/p>\n

A second alternative could have been to upgrade from a virtualized server to a dedicated server. But that would have added more computing resources than what was required. From a business perspective, the added monthly cost wasn’t justifiable. Not when a third alternative existed.<\/p>\n

A Workable Solution<\/strong>
\nVPN is one of those terms that can refer to something generic as well as something very specific1<\/a><\/sup>. This distinction setups up alternative number three. The secure network connection requirement would remain, the implementation could simply change2<\/a><\/sup>.<\/p>\n

Specifically the secure connection would be implemented via SSH instead of via MPPE.<\/p>\n

With SSH an encrypted tunnel through an open port in the private network’s firewall can be established. This tunnel forwards network
\ntraffic from a specified local port to a port on the remote machine, securely.<\/p>\n

Most Linux distributions these days install OpenSSH<\/a> as part of their base system install. OpenSSH is a free and open version of the SSH protocol and includes client and server software. For those distributions that
\ndon’t install it by default installing OpenSSH is usually a trivial matter via the distribution’s package manager.<\/p>\n

Windows, on the other-hand, has no such base installation of
\nan SSH implementation. There are a number of free software versions for Windows. For the case at hand, freeSSHD<\/a> was selected to provide a free, open
\nsource version of the SSH server software.<\/p>\n

Configuring freeSSHD<\/i> to enable tunneling requires the
\nfollowing steps:<\/p>\n

    \n
  1. Click on the “Tunneling” tab<\/li>\n
  2. Check to enable port forwarding and apply the
    \nchange<\/li>\n
  3. Click on the “Users” tab<\/li>\n
  4. Create or edit a user and enable tunnel access<\/li>\n<\/ol>\n

    Once the firewall has been configured to allow SSH traffic
    \non port 22, establishing the tunnel from the Linux client to the Windows server is as simple as typing the following at the Linux command-line:<\/p>\n

    \nssh -f -N -L 127.0.0.1:1433:192.168.1.2:1433 username@example.org<\/div>\n

    In which ssh <\/i>will create and send to the background a ssh
    \ntunnel (-f option) without executing any remote commands (-N option) that begins at the localhost port 1433 (127.0.0.1:1433) terminates at the remote address and port (192.168.1.2:1433) and authenticates using the remote username at the remote location (the public IP address or domain name for the private network).<\/p>\n

    But Wait There’s More<\/strong>
    \nThere is however a minor problem with this SSH tunnel. As
    \ndescribed, the establishment of the SSH tunnel is an interactive process. The command needs to be executed and the password for the user provided for authentication. In most cases a simple shell script, executed by cron would solve this minor issue. However, for the sake of security OpenSSH doesn’t provide a command-line option for providing passwords.<\/p>\n

    This authentication step can be managed in one of two ways.
    \nOne is the use of a key management program such as     ssh-agent<\/a>. The second, more common option is to create a passphrase-less key.<\/p>\n

    The first step in creating a passphrase-less key is to first
    \ngenerate a private\/public key pair>sup>    3<\/a>.
    \nIn Linux this is done by issuing the command:<\/p>\n

    \nssh-keygen -t rsa<\/div>\n

    Which generates a private\/public key pair based on either
    \nthe     RSA<\/a> or DSA<\/a> encryption algorithm, depending on what is provided in the command-line option.<\/p>\n

    When prompted to enter a passphrase for the securing of the
    \nprivate key simply press enter. To confirm the empty passphrase simply press enter again.<\/p>\n

    The next step, after copying the public key onto the Windows
    \nserver, is to enable the use of the public key for authentication. In freeSSHD<\/i>the steps are:<\/p>\n

      \n
    1. Click on the “Users” tab<\/li>\n
    2. Select a user and click on “Change”<\/li>\n
    3. Select “Public Key” from the “Authorization” drop-down<\/li>\n
    4. Click on “OK” to save changes to users<\/li>\n
    5. Next click on the “Authentication” tab<\/li>\n
    6. Using the browse button, select the directory with the users public key are kept<\/li>\n
    7. Enable public-key authentication by choosing the “Allowed” button under “Public-Key Authentication”<\/li>\n
    8. Click on “OK” to save the changes to authentication<\/li>\n<\/ol>\n

      With the passphrase-less keys in place, the last step is to
      \nautomate the tunnel itself. In this case, instead of a shell script, I opted to use program called       autossh<\/a>.<\/p>\n

      autossh<\/i> is a program that can start a copy of ssh and
      \nmonitor the connection, restarting it when necessary. All autossh <\/i>needs to know is what local port to monitor, so our one-time initial startup of ssh tunnel looks similar to the previous example, but with autossh and the addition of the -M option<\/p>\n

      \nautossh -M 1433 -f -N -L 127.0.0.1:1433:192.168.1.2:1433
      \nusername@example.org<\/div>\n
      \n
      \n
      \n

      [1]<\/span><\/span><\/span><\/span><\/a>
      \nThis means alas, it is also one of those terms that can cause confusion, especially between technical and non-technical people, if not defined at the outset.<\/p>\n<\/div>\n

      \n

      [2]<\/span><\/span><\/span><\/span><\/a> This is one of those places where knowledge of different solutions solving a similar problem becomes handy.<\/p>\n<\/div>\n

      \n

      [3]<\/span><\/span><\/span><\/span><\/a>
      \nFor user authentication SSH can either be password-based or key-based. In key-based authentication, SSH uses public-key cryptography where the public key is distributed to identify the owner of the matching private key. The passphase is in this case is used to authenticate access to the private key.<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

      The Situation Over the years, I’ve worked in numerous computing environments and have come to appreciate heterogeneous systems. In my mind, all system administrators should experience how different platforms solve similar problems, just as all programmers should be exposed to different programming languages. Of course this means being able to play well with others. Sometimes, […]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,92,82],"tags":[12,285,6,181,334,43,331,335,333,332,182],"_links":{"self":[{"href":"https:\/\/www.weinstein.org\/blog\/index.php\/wp-json\/wp\/v2\/posts\/238"}],"collection":[{"href":"https:\/\/www.weinstein.org\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.weinstein.org\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.weinstein.org\/blog\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.weinstein.org\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=238"}],"version-history":[{"count":1,"href":"https:\/\/www.weinstein.org\/blog\/index.php\/wp-json\/wp\/v2\/posts\/238\/revisions"}],"predecessor-version":[{"id":327,"href":"https:\/\/www.weinstein.org\/blog\/index.php\/wp-json\/wp\/v2\/posts\/238\/revisions\/327"}],"wp:attachment":[{"href":"https:\/\/www.weinstein.org\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=238"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.weinstein.org\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=238"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.weinstein.org\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=238"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}