Port forwarding feature of ssh and sshd allows any TCP or UDP application be made secure by passing their data over the secure ssh-sshd session without any changes to the application. This creates a secure network environment just by using ssh technology. The diagram below shows its use where ftp, smtp and pop3 traffic is passed through via ssh-sshd session.
Using Pragma Fortress installed on the same machine with a firewall that only allows ssh access, would guarantee that any supported protocol entering/leaving the network would be encrypted.
To use port forwarding, the client must be configured to monitor multiple ports and which port to forward to on the server, then a Fortress SSH session should be initiated. Initiate the alternate protocol on the port being monitored by the client. The SSH client creates a local instance of the protocol daemon on the client port. The client becomes a configured protocol daemon. All secure connections to the remote daemon should actually be made to the local monitored port.
To use FTP over a ssh-sshd secure session, the ftp client must support passive mode for data transfer. Linux ftp and Pragma FTP Client, included with Pragma Fortress, support passive mode. Most Windows ftp clients available in the market commercially or as freeware, support passive mode. However, the ftp command line client that Microsoft bundles with Windows, does not support passive mode.
Example of Securing Email Traffic
Using Pragma Console SecureShell Client, configure the client to monitor the email ports and connect to Pragma Fortress:
ssh -L 110:mail.domain.com:110 -L 25:mail.domain.com:25 sshd.domain.com
NOTE: Typing the above command at the prompt will connect with the username that is being used to log on to the machine. To connect with a different username, type the following:
ssh -L 110:mail.domain.com:110 -L 25:mail.domain.com:25 username@sshd.domain.com
For more information on ssh commands, click here.
On the client machine, configure the mail server as localhost. To receive mail, the client will connect to localhost, port 110, which will be redirected through the Fortress session to port 110 on mail.domain.com, the actual mail server. The email data received will be full encrypted.
Example of Securing Telnet Traffic
Using Pragma Console SecureShell Client, configure the client to monitor the telnet ports and connect to the Pragma Fortress:
ssh -L 1923:telnetserver:23 sshd.domain.com
NOTE: Typing the above command at the prompt will connect with the username that is being used to log on to the machine. To connect with a different username, type the following:
ssh -L 1923:telnetserver:23 username@sshd.domain.com
For more information on ssh commands, click here.
On the client machine, connect to localhost on port 23. The telnet session will be fully encrypted.
If a session must be initiated from server side use remote port forwarding. For remote port forwarding, configure the client for remote port forwarding, then initiate the alternate protocol sessions from the server side in the ssh session.
Using Pragma Console SecureShell Client, configure the client to monitor the telnet ports and connect to the Pragma Fortress:
ssh -R 1923:telnetserver:23 sshd.domain.com
NOTE: Typing the above command at the prompt will connect with the username that is being used to log on to the machine. To connect with a different username, type the following:
ssh -R 1923:telnetserver:23 username@sshd.domain.com
For more information on ssh commands, click here.
In the ssh session, on the server side, connect to localhost on port 1923. The telnet client is the Fortress server. The telnet session will be fully encrypted.
Example of Securing FTP Traffic
To use FTP through a Fortress session, using Pragma Console SecureShell Client, configure the client to monitor the ftp ports and connect to the Pragma Fortress:
ssh -g -L 21:telnetserver:21 sshd.domain.com
NOTE: Typing the above command at the prompt will connect with the username that is being used to log on to the machine. To connect with a different username, type the following:
ssh -g -L 21:telnetserver:21 username@sshd.domain.com
For more information on ssh commands, click here.
On the client machine, connect to localhost on port 21, using a client that supports passive mode. After connection, passive mode must be set before any other commands. The ftp session will be fully encrypted. See Pragma FTP Client for information about setting passive mode.
Here is a simple pragmaftp session.
pragmaftp localhost
>passive
>get filename
>put filename
>quit