Secure SHell is usually seen as a secure alternative to old telnet and other unencrypted sysadmin tools. But when it comes to break rules set by over-annoying sysadmins, it appears to be quite useful too. It basically establishes an encrypted connection between two hosts, but once this connection made, it gets easy to include any kind of TCP packets on it, and why not? IP packets as well.
Usecase One: I am using web services which may not be secure
I just want to set online a proof of concept about a Web service. But this service is not secure and does require extra protection. Maybe I don’t want to bother with apache authentication or whatever, just install the service, and set it online. If I have a firewall between this service and the Internet (the service is then in a DMZ), here is what is possible to do:
1 2 3 4 5
All I have to do is launching this command on my laptop, and get my browser to https://localhost:8000. I chose a port number higher than 1024, to avoid launching my browser as root. I am the only one then to connect to this service, whithout having to think to extra web based protection.
An other use case is when the web server is behing a cache server. I don’t want to reset cache. Just to have a look as if there would not be any cache. This way lets us connecting to the web server directly.
Yet an other use case is when I have services known to be unsecure and still necessary. For instance, web servers on PDU powering servers. Sometimes, these devices can only be managed to the web interface, and connecting to them directly (with a HTTP session) would let BoB listens the login and password. Of course, this would securize traffic between client and firewall, and not between firewall and service. Too bad, failed attempt to securize HTTP or Telnet still in use to manage network equipements.
Usecase Two: Daddy needs this access, but not from work
Ok, things are going good when I am at work, having management access to the servers I’m working on, but its sometimes comfortable to work from home. Or from wherever I want to. But things are, the Sysadmins don’t let me in. Whatever; If he(she?) forgets to block outcoming access, here is what I can do. At work, I draw a connection from the target server to my private server, opening a incoming connection to the inside. Once at home, I connect as usually to this private server, and get back to the office station through this preview connection.
1 2 3
An other use case is when I put some servers to a strongly securized DMZ (highly important, or vulnerable). And I don’t want to give these servers any access but SSH for administrative tasks. Well, I still need updates on these servers.
On this isolated server, I set localhost:1080 on /etc/apt/sources.list file. This is the same spirit as earlier. The SSH command, instead of forwarding port from the isolated_server to localhost, continues until the update server, through localhost (my admin PC).
Usecase Three: Bypass firewall to access blacklisted web sites
Once again, the sysadmin is a BOFH, but he didn’t think outcoming access are as dangerous as incomming ones. So, let’s access Facebook from office.
From my office station:
I then need a SOCKS proxy to let my web-browser use this tunnel. On Firefox,
Configure proxy manually (host: localhost, and port: $chosen_port), of course, no proxy for localhost. Then, surf the Internet as you would to from your server.
What about security?
Well, this is a question one should ask to himself before doing anything stupid. Of course, to protect access to unsecure services, SSH tunneling can help. But you should think twice when it comes to break rules, especially those established to protect inside network from outside.