I got up to clicking on "manage" under My Computer, but there's no "Local Users and Groups" section. I'm definately logged in as an administrator (only one login for this compter), just don't see that section.

It shows up for me on XP and 2000 professional. What version of windows are you running? It should be under the "System Tools" node in the expandable tree that comes up when you click "Manage" under "My Computer".

But there are other ways to get there. Try going to the control panel and looking for "User Accounts" or "Users and Groups" or something similar. You might have to poke around a bit, but the process of creating a new user isn't super-complex. With a little investigation you'll probably be able to find it. Let me know if you have any luck; if not, tell me your specific OS version and I can try to find better instructions.

Matt, Local Users and Groups should be located under System Tools. Expand that and you should see it there.

Woops, Tom beat me to it while I was typing up my post!

Alright, I got everything set up and it seems to be working. Only slight hangup is getting into the router for port forwarding, my brother was fiddling with it a while ago and has the username and password, so when he gets me those I can finish it all up I imagine.

Just as a double check, when I connected through PuTTY, it took me to c:\Program Files\OpenSSH>

I assume this means everythings working correctly so far. Thanks.

yup, that sounds right! glad to hear it's working, and thanks for trying this out.

Using port 443 is even nicer due to the fact that it is normally used for https, which is encryped in the same way as ssh. Then it's even easier to spot.

Also 443 is normally open through a company firewall (internet banking, most web sites which you need to log on to), and it doesn't use up port 80 on your home network.

If anyone's interested in a howto for linux click my name. The page is not as pretty as this one ;-) but works for me.

Ive using a ssh tunnel for a while.. I work at a school, and all of our traffic is filtered at the other end of the WAN. I guess its like a transparent proxy on the wan gateway. Anyway I would suggest using a non-standard port for ssh unless you want to get pounded by brute forcing asian kids every single day from 6:00PM-6:00AM.
-UbelDucky

good tip about port 443. I'll probably make that switch shortly. I haven't been discovered by the brute forcers yet, but I wouldn't be surprised if it happens. 443 seems less likely to be a problem.

What about the DNS? is that also tunnelled? I noticed i still can't get to sites that my work has blocked (microsoft for example) I've seen our monitoring software, it grabs site names during the DNS request and logs them.

I *believe* that DNS requests are tunnelled when using an HTTP proxy. At least in firefox.

I confirmed this with ethereal a moment ago after someone gave what I believe is incorrect information on the hackaday comment thread. SOCKS4 leaks DNS information; SOCKS5 usually leaks DNS information; SOCKS4A and HTTP proxies, however, do the DNS resolution at the proxy server. This is my understanding, anyway. I'm having a hard time finding a reference source on this, and I'm not a pro at ethereal (although this is a pretty straightforward case -- DNS requests are bright blue, and I made sure to confirm against traffic from my non-proxied MSIE install).

If you're worried about it, though, I'd suggest downloading ethereal and seeing it for yourself. I have no explanation for why you can't access blocked sites. Maybe your browser is leaking info, or maybe you don't have the proxy configured properly. Here's one surefire test: try logging into your router's admin interface from work using its local IP (e.g. 192.168.1.1). If you can pull it up, then your traffic is going out through the proxy. If not, then you're probably not using the SSH tunnel or proxy server properly, and your traffic is going out over the internet the same way as it normally would.

Love the tutorial, just wanted to point out one little error that cost me some time and frustration.

In order to change the port number, you need to change the file sshd_config, and not ssh_config as your tutorial says. You can comfirm this in the OpenSSH readme file.

Thanks for all the hard work, and keep it up!

I've made the change. Thanks for the correction, I appreciate it.

Hey, nice tutorial! I've been doing something similar at work as well, but in my case, instead of SSHing to my home computer, I've been using Tor (http://tor.eff.org/) and Privoxy. This setup only works if they're not blocking ports, of course, but otherwise it's pretty nice. Since Tor is an ever-shifting network of computers doing the traffic rerouting and redirecting, they don't see you always connecting to the same IP every day, instead, they see different connections to different servers. A bit less likely to draw attention than them noticing at the end of the month that your computer's logged 240 of straight up traffic to myl33tproxy.homeip.net. :) Works pretty well, and I cover my tracks even further by only browsing from my TrueCrypt encrypted USB 2.0 external drive using Portable Firefox with the ProxySwitch extension. So almost no traces left behind on the computer itself as well. :)

Of course, if they're blocking random ports, however, then SSH is totally the way to go. Surfing from an TrueCrypt encrypted partition on a USB key with Portable Firefox, however, is a good idea no matter what method you use. Fewer traces left on the machine (though you might find it hard to explain away the Privoxy and Tor installations, I'll admit.. but you can always claim to have been doing some sort of research on encryption methods. :) )

I'm a Mac user so what can you provide me with as far as links for "SSHirking work"?

Thanks

Maybe I'm a little dense, but I'm not a programming geek AT ALL. OpenSSH warns you right up front to create a passwd file before you run the program. The problem is, I have NO idea how. Thru a command prompt? All the readme says is "The steps to creating proper group and passwd files is outlined below" and as an example, this: mkgroup -l >> ..\etc\group (local groups) or mkgroup -d >> ..\etc\group (domain groups).
Please help!

Looks like this might be useless to me??? I cannot install programs on my Work PC. Its running Win 2000 and the IT dept has it set up so that we cannot install anything (this includes browser plugins we have no access to the control panel).

Never mind...I'm a moron.

Laurie: glad you figured it out. Let me know if you have more problems.

Mac user: I'll try to put up a version with alternate instructions for you as a new post tonight. However, I haven't got a Mac, so it might be a bit sketchier in details than the PC one -- sorry about that. It may be mostly a link to other tutorials.

Brecourt Manner: you shouldn't have to install anything on the client machine. PuTTY doesn't require an install; if you can run strange executables (say, from a thumb drive) you should be able to establish the SSH tunnel. If your OS blocks user-launched apps from opening ports, well, that'll be a problem. But I don't think it will.

But you'll still have to modify the proxy settings of your browser, which you probably can't do. So why not use portable firefox? Install it on a thumbdrive at home and configure the proxy there. Then you should be able to run it, without installation, from your work PC.

I can't swear this'll work, but it should. I'd be curious to hear whether it does or not.

I was able to successfully stablish a VPN using OpenVPN. This one uses SSL to encrypt data, which is another security layer standard. The good thing is that with OpenVPN you can set up the office PC to route transparently the traffic to the tunnel, without the need of a proxy. Also, it runs in many platforms, *nix, windows, mac. www.openvpn.net

OK, is this possible from a Win XP Pro (No admin rights) at work to a PowerBook (Mac OS X 10.4.2) at home?

Leo: yup, openVPN is great. I use it for work all the time. Really, a very slick solution. But its setup is definitely a bit more involved than establishing an SSH tunnel. It's also a bit slower, I believe.

starbird: yes, that should be possible. I'm working on a Mac post now. Check the main page or the tech category (or, you know, our RSS feed) for it when it goes up. As I said above, it probably won't be as detailed since I'm not a mac owner.

Why does PuTTY keep asking for a password when I didn't configure anything with one? Is there something I need to fix or change with the mkpasswd command line?

Brecourt Manor

Don't install anything then. Just get Putty (http://www.chiark.greenend.org.uk/~sgtatham/putty/) on a USB key (or CD) and run it from there, setting up the tunnel. All of the stuff to install goes on your home machine.

The admin rights are an issue... :( But it would probably work fine win mac, as I did it with linux-windows pair...

This is a great method if your locked down behind a work firewill, but it's even better to use this when your on an untrusted network like a public hot spot.

I wrote up a real quick tutorial on using Dynamic ports with putty. It's a better way to proxy traffic as it is protocol independent.

You can find my post at http://www.w00ttech.com/node/5

thanks for the reply and link, snuggles. users should know, however, that using PuTTY's dynamic ports feature leaks DNS requests, so snoopers/bosses can tell what domains you're visiting, although not the specific content of the pages you're viewing. the privoxy method conceals the DNS requests, keeping this information private.

I'm confused as to what I type in after I I run CMD
I type cd\Program Files\OpenSSH\Bin
thats successful But I cannot get the mkgroup command to work, When I type mkgroup-|>>..\ect\group it says the syntax is incorrect but if I substitue the -| for either -l or -I it says It cant find the file, Any tips?

I've tested ssh using localhost successfully and forwarded the port, but when I try to connect from outside my network, it just times out. Any ideas or things I should check?

I just followed the tut step by step. it seams tht the only way i can connect using th proxy is if privoxy is o nthe client machine. both computers are on the same network does that have snything to do with it?

here is what i have installed on each machine and please correct me if im wrong

SERVER:
DynDNS updater
Putty(to test connection form tut)
Privoxy
OpenSHH

Client(remember o nthe same network)
Firefox with proxy plugin
putty
and privoxy

how can i test if its working right from the same network (server is wired and client is wireless laptop

i got it ^^^^^

Dare: it sounds like either

a) you aren't using the right IP address to connect to your home network. Remember that your server has an IP on your LAN, but a different one representing it on the internet. You need the latter, which is what that link to broadbandreports.com/tools is for.

b) if you are connecting to the correct IP, then the problem is almost certainly your port forwarding setup on your router. Either that, or you've got a software firewall running on your server like zonealarm or windows firewall. Double-check for installed firewall software, then make another visit to portforward.com. You can use Shields Up! to test that you've properly opened your SSH port.

To the poster before Dare: you're entering the command wrong. You need spaces in there. And it's not -| (vertical pipe) it's -l (L). Try highlighting and copying the text from the article -- you can then paste it into your DOS window by right clicking in the window.

"look up instructions on how to forward whatever port you're using (22, 80, or whatever) to the server machine. You'll need to look up the server's IP as well — portforward.com should have instructions, but the short version is start|run, "cmd.exe" then "ipconfig"."

What servers IP, and what server machine? Are you talking about the server that I want to access from at work? and how do I find that out?

yes, the server you want to access from work. and as I said, if it's a windows machine go to start | run, type "cmd.exe" and hit enter, then type "ipconfig" and hit enter. You should see the machine's IP address among the other data that's displayed.

Hi again,
I'm the Mac user that posted above. Before you go through all the work Tom a few things about my home setup. I have an AirPort Extreme, a Linky router and cable. Will any of these or a combo of these pose a problem with setiing up SSHirking? Or can I work around that setup?

Thanks

tbone: there shouldn't be any problem with that setup, so far as I know. you'll have to make sure the machine has a static IP address, though -- if you're on a wireless connection and a router, it'll be dynamic by default.

It's me again, I am on a Mac and i have configured my SSH to work and my Privoxy. In SSH I have used the port 443 and privoxy is using 8118. When forwarding the ports on my router. what do I need to forward? is it the 443 to 8118? or the other way around? and at work what port would I put in the browser for proxy server (im guessing 443)?

Thanks alot

you need to forward the ssh port through your router -- in this case, it's 443.

you need to point your browser's proxy settings at the port of the ssh tunnel -- if you follow the directions, that will be port 8118.

So, your browser submits a request on 8118. That gets sent out by SSH over port 443. At the server it is received on 443, decrypted and redirected to the server's port 8118. Make sense?

Forward the port 443 to what? to 443???

Thanks

yes. assuming you're trying to contact the server via PuTTY with 443, and the server is running on 443, then you should forward 443 to 443 across your router.

what IP shall I put when it is asking me during port forwarding?

thanks

the local (LAN) IP address of the server. which can be found out using the information in the article.

Really though, I can't walk you through port forwarding... portforward.com does a much better job of that.

What the corn?!?!?!?

Windows XP SP2

Once I install OpenSSH for Windows, I don't have an OpenSSH service. I added it manually using cygrunsrv but it then cannot start. So, I'm stuck...

Why did it not install the service automatically?

I'm confused! where is the IP of my http server being supplied?? because otherwise how does it know to which server to connect to??

Thanks

steve: I have no idea. are you installing the windows binary, or some other version of openssh? are you logged in as an administrator?

if you can't get openSSH installed, you'll have to consult that project's documentation and/or forums.

I setup everything and can connect to my computer from work, however when attempting to surf I keep getting errors that the document contains no data. Any ideas?

kalzanth: generally this means your pointing at a nonexistent proxy server -- or your proxy server can't reach the internet. Doublecheck the ports you're using in the tunnel and in your proxy settings, doublecheck that privoxy is running on the server, and doublecheck that you can browse to the internet from the server machine.

ok I found the problem there, now I'm getting connection refused messages.

keep looking. still sounds to me like something is pointing at a nonexistent port or address. you should also make sure you don't have a firewall turned on on either machine.

Been an interesting read, Thanks!
I've been using Linux for my server and PuTTY for the last 6 months and all works rather well. I use it mainly to read my personal mail at work as they block POP and SMTP ports. (and occasionally when I want to look at some webpage that they block )
Question that I have(as I have a dynamic IP served from my ISP):
Is there a way for my Linux box to get the IP that is currently served to my connection.
The idea is that when it changes, Linux can then send me the updated IP.(At the moment, when the IP changes, I have to wait till I'm home to find out what my new IP is. :-(
(I also don't think I want to work with DynDNS yet.)

You really do want a dynamic DNS service. That's what I'm using... there's a well-written perl script available at dyndns.org in the linux update client section (under support) that grabs your current IP and updates the dyndns service with it. If for some reason you really wanted to avoid the service I suppose you could rewrite it to email you your IP... but really, if you get the script working up to that point, you might as well go all the way and use the dyndns service. It really does make things a lot easier.

Thank you.. I've been looking for an easy to understand SSH tunneling tutorial for a while.

What I don't understand is.. from my perspective, I want to tunnel for security purposes. To have my normal "plain to see" internet usage data encrypted to that my browsing experience is as secure as it possibly can be.

SSH seems to offer this. But, if I tunnel from work to home.. all my transmitted data is sent from the home PC out into the world with all the same security problems as before. Do I understand this correctly?

Yes, you do. It's a question of who you want to hide it from. This setup hides it from your boss and coworkers, who are the most likely to be snooping. Your home connection is hidden from other users of your ISP (pretty well, at least). But invariably, if the other participant in an internet conversation isn't using encryption, then at some point the message will be visible to people who have access to the line (datacenter and ISP employees, etc).

If you're just looking for anonymity, rather than security (e.g. someone can read the message but not tell who it's from) you might want to look into the Tor project.

I should add that Tor uses encryption as well (until your message gets to the end of the chain of proxies that Tor creates, and leaves through an "exit node"). But there's still no getting around the fact that both parties must be using encryption for an exchange of data to be secure at every point between the sender and receiver.

hey i have a Airlink Airlink101 AR410W and am tring to forward a port say 80, how do i forward it. I am have cable modem which is pluged into the router then my computer. So im not wireless, i am new so do i have to forward please help

Yes, you need to forward a port, and no, I can't help you with that. I'm not an airlink specialist, and this isn't a port forwarding tutorial. I'd suggest finding a real-life friend to help you, or consulting portforward.com, which is devoted to this purpose and was linked in the article.

After setting up the OpenSSH server, when I try to connect to localhost with PuTTY, I get the following:

sshuser@localhost's password:
Last login: Thu Sep 8 23:24:14 2005 from localhost
Could not chdir to home directory /home/sshuser: No such file or directory
/bin/switch: No such file or directory

Then the PuTTY window closes or becomes inactive.

Rilla: sounds like either a) you're using linux with a new user for which you haven't created a home directory or b) you've got a windows install that for some reason is using unix-style home directories.

If the directory /home/sshuser exists, make sure sshuser has full rights to it. If not (and you're on windows), I would try uninstalling then reinstalling OpenSSH, making sure that you're doing so as an administrator.

Ok, Here's a question. Is it possible to combine the two - the tunnel and TOR. Can I create a tunnel back to my "home" pc from a "work" pc and then implement TOR?
I like the ability to surf while on the "work" pc, but I also like the randomness of the nodes you're connecting to via TOR.
I would like to appear that I'm browsing different sites instead of hitting the same one all day...

P.s. great walkthrough. I was successful in creating the tunnel and have started to implement Portable Firefox and PuTTy on my USB drive...nice!

Thanks
Another Tom

Yes, you could run Tor at home and point privoxy at it, then connect to privoxy from across the SSH tunnel (as in the tutorial). But this wouldn't reduce the appearance of your work machine generating a lot of traffic to your home address -- prior to getting spread out by Tor, all your traffic would still go through the SSH tunnel to your machine at home.

If you want to avoid your IT department catching on, you'll need to eschew the at-home server and SSH tunnel, and instead install Tor and Privoxy on your machine at work (as the instructions at tor.eff.org explain how to to do).

I've got WinXP Home; it came preinstalled on a Dell laptop. It uses the standard "Documents and Settings" path for users' directories, but for some reason the output of the mkpasswd command is:
sshuser:unused_by_nt/2000/xp:1012:513:sshuser,U-DELLTOP\sshuser,S-1-5-21-1234882595-3808953565-41403056-1012:/home/sshuser:/bin/switch
Thanks!

I am in the IT department...
Thanks for the tips...

Another Tom

rilla: sounds like perhaps you didn't create the "sshuser" user properly. Are you sure you followed the directions to add it to the computer properly?

When I click 'manage' on My Computer, there's no provision to add users - must be due to XP Home. I created the user in control panel 'User Accounts' section. Running mkpasswd on other user accounts shows similar /home/name structure. Can I edit the 'passwd' file to use 'documents and settings' instead of '/home/sshuser'? What is it supposed to look like?

Great help, wanted this for a while. Thanks for taking the time to respond to these, I have a problem connecting to my home server:
I can't get to my home server IP address, it keeps timing out. I can do a web-based ping and it works, but when I try using putty or a ping from a CMD prompt it times out. I've tried configuring Putty to use my work proxy, but that gives me a 'forbidden' error. One thing I have noticed is that my work blocks https sites, and as I have set port 443 I suspect this is the problem. Is there a way for me to find an open port I can use? I use a webserver at home so don't want to use 80.

enzoweb: hmm. pinging doesn't necessarily mean anything -- it could be your router responding to the ping. Unless you're using NMAP or a similar program to specify the port, you can't be sure that it's properly opened.

However, if you're running a personal website, it's probably safe to assume that you know how to open ports. So let's proceed under the assumption that everything is set up properly but your work is blocking traffic. First, the proxy "forbidden" is suspicious. Perhaps you need a username and password? Maybe you could try to befriend an IT guy at work and explain that you want to run a gmail notifier (or something else innocuous) over the proxy.

Worst case scenario: port 80 is the only one open, and you can't use it because your website is already running on it. If that's the case, you have two options.

One: find a computer somewhere on the internet that can take a request on port 80, then send it out on a different port to your home computer. Socat is the tool you'd likely use to do this (not sure about that).

Two: a better solution would be to install Squid instead of Privoxy on the server machine. Change the http server's port to something else (say, 81). Then see here for info on squid's "accelerator mode" which (I believe) allows it to accept proxy requests AND web server requests; it forwards the latter to the web server running on a different port.

I haven't used either of these setups myself, though, so I'm afraid you're kind of on your own w/r/t getting them to work.

Thanks for the advice - I used my user/password when setting up the proxy, but still got the forbidden message. Also, they use Webwasher here, which may be interfering.
I'll look at squid.
Thanks again

I have tried running putty on the local machine and it works (when I put the hostname as localhost but not when I put in my IP address). Now when I go to work, and run putty from there I get a time out error, so I am thinking something is wrong with the ip stuff.

\ Back at home later at night
I then tried to ping myself using 24.239.145.185 through dos-command screen and it worked. However when I tried the web based trace route at network-tools.com for 24.239.145.185 it times out!!!

On top of that, when I go into my netgear router and look at the IP address it says: 192.168.15.100

Does that mean my ISP is preventing me from doing this? What should I do? MANY THANKS IN ADVANCE.

enzoweb: best of luck. sounds like your work may be looking for ssh traffic. sorry I can't offer more help.

juiceman: first things first. If you are on a NAT network (which you are when you're at home), you have one public IP representing all machines on your network -- in this case, 24.239.145.185.

Odds are that your ISP is not blocking anything. You must open a port (e.g. 443) on your router. Then you must connect on that port, at the IP 24.239.145.185 (or whatever), using PuTTY, from a location outside of your home network. I suspect you're not using the right IP from work. You have to use your home network's external IP. You can get that by visiting (from your home network) the link to network-tools.com that's included in the article.

I follow the article but want to know how I would do things if they were like this:

home comp---netgear----vonage router---cable modem box

thanks

I don't have vonage, so I can't imagine what their router might do. Okay, I can imagine -- it probably does QoS scheduling to ensure call quality, and lets all other traffic pass transparently. If that's right, then you just use the same setup.

If that's wrong, then I have no idea what you'd have to do. Give it a shot, see if it works.

Let me start over:

Before doing anything I get my IP address from network-tools.com and then do a ping/traceroute on that address. The results time out! Does that mean I am behind another router from my ISP? My address is 24.239.169.84 and it always times out here 24.29.100.54 / pos1-0-nycmnys-ubr6.nyc.rr.com.

Thanks

btw my router is directly connected to the cable box.

a ping or tracert to your public IP won't work from behind that IP. Just trust the IP address that network-tools.com tells you you have.

You should be able to ping or tracert that address from work, though.

tom thanks for the help thus far. I tried from work and it still stops and times out at the same point. You can also try using sshuser.gotdns.org (i got this through dyndns.org).

I've read a lot about using OpenSSH via the Cygwin package. You don't comment on this? Is it necessary? Pros and cons? thank you.

juiceman: didn't respond to a port scan. are you sure it's up, and the port is properly opened on your router? pinging won't work if your router is set to "discard ICMP pings" or something similar (this is done frequently for security reasons).

jason: you can run ssh via cygwin, but if you run the server that way you have to work w/ the package to get sshd to run even when the cygwin environment isn't. It's possible to do this, but the native win32 OpenSSH is much easier to deal with, in my opinion. Personally I've got a linux box and use sshd on it as my server.

I am at work and they use websense. At work what I do is plug my router into the wall and set it up to resolve IP via Host name. Then I jack into the router via my laptop and I am online. However, I get websensed. All the restrictions as a normal workstation here expect I am admin privleges on my machine so I am free to install software, etc. I previously could use a VPN from like findnot.com or use http-tunnel to use messanger and play games. None of that works now. I rent a 100mbit server running windows 2003 so I set up an SSH server on there. I can connect via putty just fine, and get the cmd prompt. Privoxy seems to be working just fine as well, but I am still getting websensed. Any idea's? Please email me @ dmanz013@gmail.com

I'm not familiar with websense, but I assume it's blocking some web requests but not others. If you can establish an SSL tunnel past it, it sounds like you're not directing your browser traffic through the tunnel properly. Make sure you've configured your proxy settings properly. You can be sure this is working correctly by going to the network-tools.com page that shows your IP address. If your traffic is going through the tunnel properly, it should show the IP address of the SSH/privoxy server rather than the IP address of your work connection.

Ok, I guess that would be my problem. Port 8118 is in use on the server. So I edited in the config file in Privoxy to use port 10002. So I open up Privoxy. Then I open Putty after changing the tunneling option to 127.0.0.1:10002. I can connect to the server using putty and when I try to change my proxy in firefox to use 127.0.0.1 port 10002 and try to load a webpage I get the error "This document contains no data". I am running a shoutcast server on port 8118 on my server and I cannot change this for the time being :-( Any suggestions?

Yes. What port are you putting into PuTTY's "Local Port" box? That is the port that your proxy server needs to point to. It sounds like maybe you're running a tunnel that takes local traffic from port 8118 and tunnels it to 10002 on the server, but you're pointing your browser at 10002 (the "document contains no data" is an indication that you've got your browser pointed at a nonexistent proxy). Instead it should be pointed at 127.0.0.1:8118 (assuming youve still got 8118 in PuTTY's local port box).

i run puTTY but whenever i type in my username, and the type in password text comes up, i can't type. and the session ends up timing out

keeps saying access denied

midnite: just because the characters don't show up doesn't mean they aren't registering. they aren't displayed for security reasons. when the password prompt appears, type the password in carefully and hit enter. it should work.

i keep putting it in correctly, but it's still not working, should i go in under that account and manually change that password to something else?

nevermind, i fixed it, found out i messed up while i had to do that dos prompt thing while setting up

I am having a problem with the whole LOCALHOST thing

When I connect I get the account username so I type in the username then the password comes up and I type it and a error message comes up saying

SETGID:INVALID ARGUMENT

What does this mean and how can I fix it

it probably means that you didn't correctly execute the dos-window commands involved in setting up openSSH. Give them another close try, copying and pasting them if necessary.

I have fixed it know I had to configure the passwd file

Hi guys,

just one remark
You can use port 563 if your 443 at "home" PC is used. Usually most of the "web content" systems allow HTTPS to port 563. I already passed through a very strict proxy (which uses "Surf control").

Good luck.

I have a problem. I have a desktop at home which is running the SSH and privoxy. Then I have a laptop running putty and firefox. Last night, I set up the desktop to run the servers and then VPN'd to my school's VPN. Normally when I do this, the school's site blocker still applies. But it worked!

Now I'm at school and putty says the connection timed out. What gives?

I now found that I can't ping the address but I can tracert it until the last few steps.

are you using a dynamic dns service? or just your router's IP? If the latter, it may have changed. Or perhaps your desktop has crashed.

I got the SSH installed last night and setup a DynDys account. I unfortunately didn't go through the portforwarding part yet, but when I tried Putty at work this morning, it sees the connection, but times out. I think it will all work when I get the portforwarding added to the router tonight.

Reviewing the portforwarding instructions -- it says to disable anonymous internet requests and the corresponding image shows the firewall is turned off on the router, but that's not specified in the instructions. My question is this -- Do I need to disable the firewall on the router to make this work? If yes, then I presumably will need to install firewall software on the computers on the network which, good or bad, I've relied on the router for.

PS Thanks for putting the tut together -- really looking forward to getting this running.

it's hard for me to know exactly what your router means by "firewall". A normal consumer router will use something called NAT forwarding, which works as an excellent firewall: for ports that have not been explicitly opened, traffic will not be allowed in unless a client on the LAN side of the router has recently contacted that host. So long as you leave the "DMZ" option turned off, you shouldn't need additional firewall protection -- the nature of NAT routing (which normally can't be turned off, except w/ the DMZ) will keep you safe.

So yes, I'd say follow the portforward.com instructions: go ahead and turn off the firewall, and don't worry about installing a software one (in my experience they cause more problems than they solve, provided you have a router providing hardware-based security). If you feel nervous about this, I suggest visiting Shields Up! to confirm that your machine is secure.

my ISP hasn't been reliable lately, it probably was down. Everything works perfectly now. Thanks, Tom. Is there any way to minimize putty to the system tray instead of the taskbar?

yup. Check out TrayIt -- it's a very small download, and works great.

Thanks, Tom -- btw I have a Linksys WRT54GS running Sveasoft Alchemy.

I got the portforwarding details in and made the other adjustments -- I was just able to connect remotely via Putty. Very cool.

hey, i have some problem with Putty
after i clicked open button a kinda dos screen comes up and wanna me to log in...
i log in as "sshuser" and then and a long usage warning thingy... in the last line
there is a problem i cant type password
i can press enter and get a warning "access denied"

what is the matter with putty?

nothing is the matter with putty. Just because your password doesn't show up when you type it doesn't mean it isn't being received -- that's just the way that unix and linux systems traditionally behave when you're logging in, rather than printing out asterisks in place of each character the way windows does. Just type your password carefully then hit enter and everything should work.

thanks i found the answer in comments a little while ago you replied me =) thanks anyway
but once i jump to next step i have new problems :/

here is the last situation:
sshuser@localhost's password:
Could not chdir to home directory /home/sshuser: No such file or directory
Microsoft Wind 1985-2001 Microsoft Corp.
(C) Telif Hakk
C:\OpenSSH>

Nuri: see my responses to Rilla above. I'm not sure we resolved his problem, but you should still try to steps I suggested.

It looks like you're getting a command prompt via PuTTY, though. If that's the case, it's working. It shouldn't matter if it can't find your home directory or not.

C:\Server\OpenSSH\bin>mkgroup -l C:\Server\OpenSSH\bin\etc\serverx
mkgroup: A domain name is only accepted when `-d' is given.

Laurie B asked about this then figured it out, but didn't post the fix. I'm guessing it's simple but maybe I'm either too tired or putting too much thought into it? Any help would be appreciated.

is "mkgroup -l C:\Server\OpenSSH\bin\etc\serverx" what you're typing in? If so, why? It doesn't match the instructions. Please reread that portion and enter the text exactly.

I used @theOffice (http://attheoffice.trispen.com) to tunnel my traffic.

It's quite user friendly and easy to setup.

I have XP home and I have seen several of the problems I'm having listed :(

There is not a groups/users option when you manage. I did add a SSHUSER with passowrd through control panel, however, There is no OpenSSH Service. Did anyone ever come up with an answer to this?

I'm sorry to say that I don't have an install of XP Home available, so it'll be difficult for me to help you. But I'm very surprised to hear that it didn't install as a service -- I'd try running the installer again. I should note, though, that OpenSSH for Windows isn't specifically supported on XP Home. I'm sure it's possible to get it working, though -- perhaps you could ask the folks on their mailing list.

ssh = traffic encrypted
ssh + privoxy = encrypted and anomous (not really)
ssh + privoxy + tor = :))

good luck and enjoy

Cool tutorial!
I love this!

I am also getting the "document contains no data" error message, but I am not so lucky as to be able to figure the problem out. I am not sure what ports and such I need to change on the settings in PuTTY. Currently, I am trying to go through port 443 in PuTTY and I changed the settings in the OpenSSH file that I neeeded to, but I don't know if I need to change any other settings such as the ones under the "tunneling" tab.

Also, my DHCP lease renews every day, so every day I must chage the IP address to be able to connect with PuTTY. Is there a way to make the lease renew at some other rate?

If you can give me some of your time and give me some more in depth answers please, please e-mail me at lwalker1202@sbcglobal.net. I need some good help.

Kicker: I'm sorry to hear that you're having trouble. your problem is that you've got your browser proxy pointed at the wrong port (it needs to be pointed to the "local" port set in the PuTTY tunnel dialog). start over and follow the instructions. they've worked for many people.

Re: your dynamic IP problem. Please see the above mention of dynamic dns alias services like dyndns.org. Go to their site for more information. To answer your specific question, no, you can't change your lease time, although you may be able to alter how rapidly your router renews it. A dynDNS alias is a better solution, though.

I'm afraid I don't have the time to help people by email. My preference is to do it in comments so that others can benefit from it. But your issues have been addressed previously when other people had them. Please reread everything carefully. Good luck.

Thanks for the help. I plan on reinstalling everything and starting over agian. If anyone has any more help please submit it.

tom,
Appreciate greatly what you're trying to explain here. Don't get angry when I say I too have the same sort of problems as john26 and tdz above even after your response. I've been trying hard to get to grips with tunnelling, SSH etc (even reading the o'reilly book!)
I have a simple setup at home - a macmini with ssh server running (as default on port 22). I've punched holes for ports 80 and 443 in the firewall and port forwarded 443 to 22.
From a friends house I can see the default web server page on 80 and I can ssh to my unix prompt specifying port 443. This part I understand and all is hunky dory.
Now, from work! call me thick and stupid but my brain cannot understand the puTTY setup. I use it everyday as part of my work (!) to connect to servers on our lan but I cannot get further.
Question: What is supposed to go in the host name field of session tab? Home wan address? and what port/protocol? tried most combos - nothing works - get Network error. Connection timed out.
Question: How can I tell what kind of proxy work uses? it requires authentication, does this mean socks? and really, should I care?
Question: on the tunnel tab, why create a tunnel from a local port to what is effectively (here's where I probably don't get it) itself? My brain says to me that this tunnel is going nowhere (well, it's chasing it's own tail).
What's really frustrating is that using a browser at work, I can see my web site AND I get an ssh protocol error if I browse to port 443. So I know the ssh server is trying to serve my connection but I can't get out from a terminal.
Sorry for the long winded post but I feel I'm soooo close.
Thanks

taking your questions in order:

Q1: yup, your home WAN IP goes there. protocol should be SSH. port should be whatever you opened on your router/whatever your SSH server is running on (generally 22 or 443, under this tutorial).

Q2: I can't help you with your work proxy. I'd poke around your IE and network settings, ask the IT guys, and google for proxy discovery tools. This is probably where you're running into trouble. Sorry I can't be more helpful.

Q3: it's not actually pointing at itself. Remember: the local port is from the machine running PuTTY's perspective. The remote info is from the perspective of the machine to which you're connecting. So "localhost" in the remote section refers to the server, not to the client.

I am using XP pro SP2, I have been able to follow all the steps except the OpenSSH service. In the Services area, OpenSSH isn't there. Is there a way to add this? Or am I using the wrong install?
This was the setup file I DLed.

setupssh381-20040709

Yup, that's the one. Are you logged in as an administrator when you try to install it? Have you rebooted since installing? Tried reinstalling?

Yes, I've tried all that. I'll try reinstalling under my admin specific though.

sigh, still no good. Is there a way to fix this?

I'm afraid I haven't run into this problem. I'd try the mailing list for the OpenSSH project -- see if anyone there has any ideas.

Another possibility is that the service name has been altered for some reason. Have a closer look, keeping an eye out for anything with "SSH" in its name.

I'm getting undeliverable responses from the mailing list. It could be down...

I rechecked the Services menu, nothing that has SSH in it.

I wish I had more ideas for you. Sounds like it's something weird with your computer, since others aren't having any problems.

Did you install while logged on as an administrator? Try that, ie. reinstall
over the original installation while logged on as an administrator. Don't
use "Run as" while logged on as a limited user. By the way that distribution
of "OpenSSH for Windows" has not been updated in over a year. I recommend
using CopSSH as an alternative. CopSSH is being actively maintained and
updated when OpenSSH is updated.

http://tinyurl.com/5sfzf

Lastly you may be interested in yet another tutorial...:-)

http://theillustratednetwork.mvps.org/Ssh/RemoteDesktopSSH.html

Alternative help...

http://www.broadbandreports.com/faq/vnc

Later...

Al

I got everything working, thanks for the article.

Only issue is for some reason gmail fails to load (which sucks because getting at gmail from work was my motivation for setting this up). any ideas why? I can get everywhere else, but when I login into gmail I get past the login page to where it says "Loading..." and then stalls with no error. It seems I have everything setup correctly as if I put http://192.168.1.1 in a browser it brings up my home router configuration page (nice!).

the other problem I've ran into is my ssh connection drops a lot? any ideas?

trav: can't say I've got a ton of ideas. Sounds like you've got a bad connection. Perhaps your router is being flaky about forwarding traffic -- you might try making the SSH server the DMZ host for your network, although that had obvious security implications.

I think the issue I mentioned above about my ssh connection dropping is due to my router (linksys). I think it is dropping idle connections at 5 minutes.

I set the keepalive option in putty with 60 second interval and now the connection is staying up.

I still can't figure out why gmail (web) won't load???

I've had the same issue with gmail (although only occasionally). Refreshing usually fixes it. You might also try it in a different browser.

But mostly, just don't worry about it. If it's an issue, just use gmail in an un-tunneled IE -- but be sure to change the URL to https://. You'll still be secure, and everything should work fine (unless your school/employer filters gmail, for some reason).

oh yeah! You should also try clearing out your cookies. Gmail can get stupid about that -- if it fails partway through loading your cookies, it can remain screwed up until you clear them.

gmail is working now, not sure what did the trick??? one thing was I recently installed cygwin and switched to the version of openssh that comes packaged with it. after that gmail started working, but I am not sure if it was really due to that or not.

thanks again for the article and great tips!!!

Great right up. I am having a slight problem though if you or anyone can help. It seems that when I login into openssh through putty it accepts my login but then i can't do anything. A couple times it allowed me cd into different directories, but most of the time all i can do is login and then nothing. My other problem is I lose the connection. Meaning after a while I can pin point how long if i were to leave and come back to the pc i'm loging into openssh with I get an access denied. I have to reboot both the server and the client. This is all local at the momment as I haven't opened it up the public yet. Setup 1. Server running latest openssh using port 443
2. Client running Xp serv pack 1 using putty
3. Linksys wireless router with ports setup correctly
4. Currently local setup only not open to the public

sounds like it might just be the spottiness of your connection. doublecheck that windows firewall is off and maybe try putting your server in the router's DMZ. good luck.

Hello, one question.

cd \Program Files\OpenSSH\bin
mkgroup -l >> ..\etc\group
mkpasswd -l -u sshuser >> ..\etc\passwrd

is sshuser = the username you explain below?
is passwrd = the password you explained below?

should it be

mkgroup -l >> ..\etc\group
mkpasswd -l -u myusernamegoeshere >> ..\etc\mypasswordgoeshere

We'll do this by adding one to your windows machine. Make sure you're logged in as an administrator, right click on "My Computer" and choose "Manage". Expand "Local Users And Groups", right-click on "Users" and choose "New User". Enter a username — I'll assume "sshuser", but you can use whatever you'd like — and enter a good password

Well i read more of the documentation (wich is should of done before posting) and i understand now that

cd \Program Files\OpenSSH\bin
mkgroup -l >> ..\etc\group
mkpasswd -l -u sshuser >> ..\etc\passwd

sshuser = the username (i used sshuser to be safe)

I am still comming up with the error

sshuser@localhost's password:
Last login: Sun Dec 18 13:28:00 2005 from localhost
Could not chdir to home directory /home/sshuser: No such file or directory
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

should i be using a username that i use to log into windows? I thought that since i made a new "user" under managment named sshuser that i shouldnt have to.....

bert: it doesn't matter if it can't find the directory. That's just because XP doesn't use home directories in the way that Linux does. I think your SSH installation is probably working -- try using the privoxy install.

Hey, I have a quick question.

I've got the openssh running fine on my home PC, and a bunch of us here at work are using it to get around our company firewall using socks.

But is there anyway to see who is connected to my ssh server at home? I remote desktop to my home pc, so I can run something on there and see it from work, if that makes it easier.

enter "net session" at the command line in windows (via PuTTY). That should at least tell you how many users are connected. You might also try this.

On Linux machines, the command is "users".

Hey,

I have a quick question.

I have openssh set up on my home PC, and a bunch of us here at work are connecting to it, using putty/socks, to get past the company firewall.

Is there anyway to see who is connected to my home PC through SSH? I also remote desktop through vnc to my home PC from work, so if I have to run something on the home pc to see who is connected I can do that from work. Is there a command or something?

Ugh posted twice, thought my first post didn't go through.

Sorry! Ignore first post, thanks for the quick reply :) That's what I was looking for!

When I use the net session command in putty, I get the following message:

C:\OpenSSH>net session
System error 5 has occurred.

Access is denied.

I guess I have to change the permissions of users somewhere and allow this. Any idea where I go to do this?

Thanks again for all your help!

How can i configure my router to route port 443 to the computer where the SSH server is running?

fake: as the article instructs, please go to portforward.com. They'll help you out. Port forwarding is not difficult, but it's a potentially lengthy topic, and a sufficiently boring one that I'm not going to get into it here.

dermot: you might try making the ssh user an administrator -- although this could have security implications. If you're really going to be running a multi-user setup, I'd suggest setting up a linux machine. if you're just concerned about security, google for how to use SSL certificates with SSH -- that's practically unbreakable security (sorry, but I can't help you set that up).

Tom, Awesome Tutorial!! I have been frustrated by WebSense at work for months. I followed step by step, and everything worked perfectly.

One thing that I do see, however, is that on some sites, I will see random numbers -- well, maybe not so random, but I don't know -- that show up when certain pages load, and the page gets completely unformatted. For example, when I try to compose an email with yahoo mail, everything gets skewed to the right, and I lose my text box completely, so I have nowhere to type. IE complains of "errors on page", and that is it.

For other sites, I don't have any issues. I assume that this will be an issue with browser settings, but I am unsure. I tried a few things, but don't really know where to start.

Any thoughts?

Thanks!

I want to set up a secure tunnel with an existing proxy server service (by subscription) - privacy.li I easily configured the connection using putty under Win98. Now I've switched to Mac OS X 10.3.9 which comes loaded with an open ssh program installed. It is a text-only based program (like DOS programs) I've tried to configure this several times unsuccessfully. The folks at privacy.li are not Mac users and haven't offered any workable solutions. I use Opera 8.5 and also have configured it to use a Privoxy-Tor network, but I find it slow. The secure tunnel with privacy.li servers is stable, fast, and flexible. They use standard ports (22 for server connection, 119 for usenet, 80 for internet, etc.) Any suggestions?

Try SSHKeychain. If it's just an SSH connection, though, the command line utility should work fine. Reread the man pages.

How do I run the setupssh381 files? They are .nsi extensions?

are you sure it's .nsi? or is it .msi? That's a newer windows installation package format. You need to either upgrade windows via windows update, or google for 'msi installer' to find the software necessary to run msi packages.

narcissist

Hey guys, im just a lowly 19 year old kid. However, im a young technician working for a small company right now. Im not required to do any advanced networking, just custom PC work etc.

Well, heres my dilemma. I decided to use 443 as my port, (isnt 563 also SSL? Just not for http)I set it up in a breeze, the walkthrough was more than enough for me.......HOWEVER.

Problem 1: Once I set up 443, I checked from home, from a neighbors, and from a friends across town. ALL successfully conected, and i am using portable firefox as my browser. I checked my mail etc. So its working. yay. BUT at my work, which uses port 8080 on its proxy, my connection times out before I can reach my SSH server and logon. So PuTTy is as far as I get.

Problem 2: Just for troubleshooting purposes, I decided when I got home to give port 80/8080/563 a try. But heres my new problem, even at HOME, on the same machine...only 443 is working for me now. I tried changing to 80 --- changed it in the sshd_config / windows firewall / router. Nothing. I changed everything back to 443, walla it works again.

So. ports 80 and 8080 and 563 arent working for me. Id at least hope port 80 would. But nope. Lastly, port 443 DOES work, but not at my job, which is running behind 8080...im just guessing 443 is blocked? Or is there more for me to do at work?

Thanks ahead of time

I don't really want to debug problem 2 -- you're probably just not restarting something, or you're trying to send traffic to privoxy on a non-http port (and it's ignoring it). Let's stick with 443: the solution to not being able to connect to the SSH server is to set up putty to use your work's proxy. The proxy may filter SSH content, though, even if you're using its port. If that's the case you're SOL, I'm afraid.

"to set up putty to use your work's proxy"

I figured that would be it. But I will take a look around PuTTy and see if I can figure out how. Any hints on how to go about doing it though? thnx

Problem 2 isnt really a concern, as I prefer 443. It just sparked curiousity in what I was doing wrong. I suppose if I uninstalled and started over with 80 or something it would work...but since im on Cable I would rather not open port 80 anyways...since my cable company has given me trouble before.

Im young, so i dont know all the rules im afraid, but I try to make sure what im doing isnt illegal or anyhting before I do it. But I cant even do my job at work sometimes because of our proxy. Any help would be lovely, thanks

~Brennen (sorry for the novel)

don't sweat it. 19's plenty old enough to learn about network (said the ancient 25 year-old). putty's proxy options should be pretty easy to find and set. if it doesn't work after that, then the proxy is finding and filtering the ssh traffic.

Hey guys...not sure where my posts went. But I got it working, Tom was right, I simply needed to add the proxy to PuTTy. That, and switch it from auto to http. I must have missed that part in the tut. Either way, it's up and running smoothly now, although gmail did have a problem loading, but im sure I can figure that one out.

I love reading these blogs and playing around with stuff. Thanks a million.

~Brennen

Oh --- apparently my work browser wasnt showing the refreshed page, so I couldnt see any newer posts...which coincedently are mine (most likely due to me visiting this site a few days ago at work. Need to flush c00kies >.

So, i couldnt see my posts. Thankyou much!!

On Windows XP Home you can't access Local Users and Groups. Because of this I can't get very far with this. Please help!

Correct me if im wrong, but I believe all you really need to do is create a new administrator account named in the tut's case "SSHUSER" and give it a password. Then continue installing OpenSSH and changing the directory to that user account.

Again, I could be wrong but im pretty sure the only reason he had us use Local Users and Groups was because its quicker, and you can set it up so that the password cannot be changed, and wont prompt you for a different password.

Hope that helps
-Brennen

Brennen is right (thanks for the help). You just need to create a user account (doesn't have to be an admit). I don't have a copy of XP home handy, so I'm not sure how you do that. But if you can figure it out, things ought to work.

Its simple.

Start > Control Panel > User Accounts > Create a New Account
BAM

Hi i got a porblem with Putty. The thing is when im trying to connect to my server, i cant type in password after i typed in my User name (sshuser).
The only thing i can do is to press Enter and get "wrong password".

kristoffer: I'm guessing that you're not familiar with logging into unix-style systems. just because no letters or asterisks appear doesn't mean that the keys you type at the password prompt aren't being captured. enter your password carefully, then hit return.

i am getting a "Connection Refused" error, even when using localhost itself (on the same machine). Any idea?
Also, do I have to be logged in using the sshuser account in XP to the PC to run OpenSSH or any account would do? I tried both and getting connection refused.

Never mind, edited the ssh_config file instead of sshd_config to change the port.

It's far more easier to use online tools like Anonymouse.org

This one can be used everywhere, everytime in just a few secs.

Hey, i've gone through the set up a few times now and i can't seem to get past the step where you go to control panel, administrative tool, services and then open up openssh server properties.

whenever i click on start i get an error:
"could not start the OpenSSHService on local computer.
Error 1069: The service did not start due to alogon failure."

any ideas?

thanks

After following the tutorial (WONDERFULLY DONE...thank you) when using PuTTY I'm getting an "access denied" error when I try to enter the password. This is on a Windows 2003 server that is a domain controller. I've tried adding the SSHUSER with the -d command and even didn't use the -u switch so that it added everyone (as per their readme file) and same problem. I repeated the whole process on an XP machine with SP2 and it worked fine...any ideas? Thanks

Hmm. If server is running server, it may be trying to authenticate against active directory, or something wacky like that. I'm not really sure -- if I were in your shoes, I might check into the sshd config file's documentation and see if it can be made to allow users on a basis that's not tied to windows authentication. If that's not available, I'd try adding the ssh user to either the AD, or to the local machine accounts, whichever one it's not currently in. Good luck; sorry I can't offer more definitive advice.

I'm curious once the SSL connection is made with Putty from "work", how much Upload traffic will be generated from my Cable Modem. Just the SSL part.
I recently had my upload speed capped due to the periodic peer-to-peer downloading I do.
They reset it back normal but I don't want to trigger it again.

Oh yea...
To Gerry above.
Anonymouse was recently blocked at my job so it does not work everywhere. ;-)

That's why this looks to be a good solution.

Gerry: the upload traffic will be equivalent to the download traffic, plus some small overhead for SSH. So if you're downloading lots of videos, it might be a problem. If you're just browsing the web, I think you'll be fine.

Actually the Upload Traffic question was mine.
What about the SSH just sitting there connected but idle (No browsing or DL'ing).

The network people at my provider stated that even a continuous 1K upload stream could trigger the cap again.

Basically, can I leave the SSH connection on for several hours during work (only browsing every so often) without getting capped again for "continuous upload traffic".

I have no idea, John. But that's a totally unreasonable requirement by your ISP -- even being signed on to several IM services at once could produce that amount of traffic.

If you can safely use IM, videoconferencing, VoIP, or pretty much any non-web technology without getting capped, SSH should be fine.

Thanks Tom, I was just getting on to post the fix and you beat me to it (yes, I put the SSHUSER in the Domain Admin group and prob solved) so you were right on the money. Obviously it was a rights issue, at some point I'll try to figure out what the minimum rights should be, for that's for another time.

Thanks again.

OK...I've gotten the SSH and the Proxy to work fine from work. (Awesome!!!)
Have you written anything to show how now to configure VNC?
I was using VNC through port 443 before setting this up but now with the port being used I can't get in.

What do I set the VNC server and client with to connect using the SSH

I haven't written anything specifically for VNC, but it should be pretty easy. If you're running VNC on the SSH server, just configure a tunnel that works the same way as the port 80 tunnel, except on ports 5900 and 5901 (the ports used by VNC's first session by default -- only one is actually used, but which one varies w/ distribution and OS, so safest to forward em both). Then point your VNC client (on the machine running putty) at localhost. That should be it!

(when I say 'point at', I mean 'use it to connect to' -- in other works, put 'localhost' or '127.0.0.1' in the field in your VNC client where you specify the VNC server's address.)

I set the VNC Server (tightVNC actually) to a port of my choosing...10166
I figured I'd be using the 127.0.0.1 address on the client so I used 127.0.0.1:10166.
I'm getting this error:
"unable to connect to host: Connection refused(10061)"

I'm at work now so I can't see it but I thought I remember seeing some check box that mentioned something about "localhost".
Would something need to be enabled withing the VNC server to allow a localhost connection?

no, don't worry about localhost -- it's the same as 127.0.0.1.

So, just to clarify: the VNC server is running on 10166. You've set up an SSH tunnel that forwards local traffic on 10166 to 127.0.0.1:10166 on the server. And then you're telling your VNC client on the putty-running machine (with the tunnel already established) to connect to 127.0.0.1:10166, but it's not working?

Ah HAH!!! DOH!!
"You've set up an SSH tunnel that forwards local traffic on 10166 to 127.0.0.1:10166 on the server."

Nope...Forgot/I needed to to that (Brain Fart)

OK..I've Added a tunel config to Putty:
Source Port 10166
Destination 127.0.0.1:10166.
It connects but says:
"Local loop-back connections are disabled." (Hand hits forehead)
I'll have to enable that when I get home. /sigh

I figured it out:
I configured Putty like this:
Source port: 10166
Destination: (My router External IP):10166 (port was already configured for this anyway).
Hence bypassing the "loopback" address.
The VNC connects now. :-)

Hmm. Well, I'm glad it's working, but that's somewhat weird behavior on your router's part. Definitely not a normal configuration. When you have a chance, I'd suggest enabling loopback connections -- you might get better performance. As things stand, your server is getting traffic over the tunnel, trying to send it to your router's external IP, and then the router is somehow forwarding it properly, despite it coming from the LAN-side. Very weird. But as I said, as long as it works...

Yea...I will enable the loopback connection when I get home.
Basically I thought about it like this.
If I was home and I wanted to connect to my VNC server what address would I use to connect to it (besides the loopback). Realizing that everything going through the tunnel would behave as if I was doing it on the PC running the SSH Server.

I'm learning as I go with this but it's all starting to make sense.

Now I just have to figure out how to connect to my FTP server running on my file server at home using the SSH/Proxy.
I think I have an idea.

Tom,
Can u help me, can't setup a connection with SockxCap.
I want to play World of Warcraft on my worklaptop, installed everything like you said! (Great expl. BTW)
But how can u tunnel WoW?
I have a working SSH connection..

Sorry PlzHelp, I don't play WoW so I couldn't really tell you. I'd post on whatever SocksCap forums you can find. Also check out the other post in this tutorial -- someone in comments there just recently reported success with a WoW/SSH setup.

John D: good luck with the FTP setup. I'm afraid I'm not optimistic, though: I spent this morning trying and failing to tunnel FTP (I'm trying to use FTP through a text editor, though, so it may be a special case). Just keep in mind that FTP uses both port 21 and 20. My suggestion would be to find a SOCKS-capable FTP client and use SSH as a SOCKS proxy, rather than trying to establish specific tunnels for ports 20 and 21.

Thanx for your quick resp. but if i want to use a program where i can't configure a proxy how must i do that? I will also check the other tut. on this site. Thanx

you need something "socksify" your WoW client. I don't know much about these programs, but I know they exist. Google around and you should be able to find something.

How do I go about hanging the permissions on the user so they have the ability to upload files?

This solution really isn't designed for that, although once you have an SSH server, you should be able to use SCP. I suggest googling for how to use that program. Another option would be to run VNC over SSH (as detailed elsewhere -- sorry, that's beyond what I want to get into here) and email yourself the file from point A, then retrieve it at point B.

I have used SSH Secure Shell to download files from the SSH server, but it errors when I try to upload them. Is there something special you have to do on the server end to allow a user access to upload files?

Well, you might try granting full control to "everyone" on that particular directory on the server (assuming it's windows). That's eliminate permissions as a potential problem.

Thanks for hsaring the info ;)

Hey there.
Everythings working great for me.
Even managed to make a tunnel for the Remote Desktop Connection so I can control some servers of mine from work.
Question though.
Can you forward a UDP port through the tunnel?
I was trying to forward TeamSpeak (VIOP program for Gaming) but it uses a UDP Port.

Sorry, SSH can't handle UDP. You need a genuine VPN solution to do that. You might have a look at OpenVPN. Been a while since I used it, but it can definitely forward your UDP traffic (no guarantees as to performance, however).

Hi
I've set up a putty tunnel n port 5900 as that's the only open port I could use and privoxy on 8100.I can connect to my SSH server with putty and when I changed the proxy setting on IE browser (HTTP 127.0.0.1 8100),it just reverts back to my work proxy script.

http://localhost:9100/proxy.pac

I also tried Firefox and I get an error message that page not found.

Any ideas what's wrong ? Or what proxy setting do I need to put into my browser setting ?

Thanks

reread the instructions. you don't point IE at the privoxy port, you point it at the tunnel's intake port. that traffic goes out over ssh on the ssh port (the one going through your firewall-- 5900 in this case, I believe), then is sent locally to the privoxy port (if you've configured everything correctly).

i need some help guys cause i'm using remote control desktop and i used my ip address to connect to my pc at home but my problem is my ip address and username is left on the program meaning whenever i open the program it automatically displays the ip address and username to my home how do i remove it?

that's a bit outside the scope of this tutorial, redeemer, but my immediate suggestion is that when you're done connecting to your home PC, you should change the username and IP and try connecting to a nonexistent one. Hopefully that will cause it to retain the most recently entered credentials.

Hey everyone! Well, looks like I have everythnig set up, but I get an error when I type in my home computer's IP addy.

SSH-2.0-OpenSSH_3.8.1p1 Protocol mismatch

Am I missing something? In IE, I type http://xx.xx.xxx.xx:443 and then hit enter. I get that message, but if I take out the 443, I just get a timeout error.

When I was at home, I did the whole localhost thing and was able to login in and get a command prompt.

Any help would be GREATLY apperciated! Thank you :)

hmm. are you sure you forwarded your port correctly? your router could be picking up the ssh request, potentially. if it works at home but not at work, and you're using the same client to connect from both, the problem has pretty much got to be something to do with the router (unless your work firewall is intercepting & rewriting your SSH requests).

I'm pretty sure I forward it correctly. I have ports forwarded so I can use Bit Torrent and haven't had any problems.

My local ip is 192.168.1.100 and that is what I put and I forwarded 443 and checked both TCP and UDP.

I have Linksys WRT54G wireless router.

Hmm... I'll try to see if it works at someone's house, then get back to ya.

Thanks for the responce, Tom :)

Wow! I think I've might have found out what I did wrong.

I did not uncheck the box 'Block Anonymous Internet Requests'

Could that be the problem? I'm going to try it when I get home.

Ok, so I got home, unchecked the box, made sure I edited the sshd_config file, I deleted the hash (#) in front of port 22 and replaced it with 443. Im not suppose to put it back, right? Also, I noticed on putty (when I did the localhost test) it gave me this message:

"sshuser@localhost's password:
Last login: Tue Jun 6 19:23:03 2006 from 127.0.0.1
Could not chdir to home directory /home/sshuser: No such file or directory
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Program Files\OpenSSH>"

--------------------------------

I called my friend from work to check it out again, and I still get the protocol mismatch message. I went to shields Up and it said my 443 port is open.

Thanks Tom

I have Windows 2000 with SP4.

I've tried port 22 and 80 and I'm still getting protocol mismatch. It seems to me that its connecting, but some setting is off.

I'm only suppose to edit the sshd_config, right? And I made sure I deleted the (#) hash.

What about the ssh_config file? Do I still leave it at # port 20?

Ok now I'm getting frustrated.

I can log into my WRT54G router with no problem from work (remote mangament, port 8080) but I still keep getting protocol mismatch. sshd_config is set at port 80, and when I use putty on the server computer (localhost) I can log in with no problem.

I also changed the ssh_config to port 80 and removed the # from both files.

Anyone have any ideas? I don't have Privoxy running because I can't change my browser settings on my work computer.

Thanks again

You're trying to pass traffic through another SSH server (your WRT54G)? I'm sorry, but you're complicating the situation, and also not reading the instructions properly -- Privoxy doesn't run on your work computer in this tutorial, it runs on the server. And if you can't change your browser settings at work, then this will be useless to you anyway -- you need to be able to point it at the SSH tunnel.

Please uninstall everything and give it another try. I apologize, but I can't help you untangle this mess by remote.

No, I don't have another SSH server. The WRT54G is my router.

I know Privoxy runs on the server (where OpenSSH is installed) and the reason I'm not using it is the fact that I cannot change my broswer settings at work, so you are right with that.

What I was trying to say is that from work, I can log into my router (the WRT54G) becauase my router has the option of remote management, meaning I can change settings on my router. I'm using my work computer to log into both of them

The address is xx.xx.xxx.xx:8080 for the router, not SSH.

The SSH is xx.xx.xxx.xx:80. I get the protocol mismatch when I try to log into SSH, but I don't have a problem logging into my Linksys router remotely.

When I'm at home (server computer) I can log into SSH with putty with no problem, I'm just trying to figure out why I can't do it remotely. I've uninstalled and reinstalled twice, but I will try again, and I'll just leave the deafult port 22 again.

Thanks

Your WRT54G *can* operate as an SSH server. You say you have remote management turned on. I realize that's not running on 80, but it's entirely possible that the router still picks up something on 80. Your suggested approach is a good one: try 443 or 22 instead.

Thanks Tom, I'll try port 22 again and see where it takes me.

The reason I turned on the remote management was to see if there was a problem (work firewall and proxy) that was preventing me from connecting to my home computer at all, but it worked so... my quest continues for a solution :\

Do you have any idea what that error messages means?

"SSH-2.0-OpenSSH_3.8.1p1 Protocol mismatch"

I've tried googleing it, but to no avail.

I appreciate your help in this!

I suspect it means that whatever's answering on the other end isn't an SSH server -- or it may be an SSH server other than the one you've set up before (for example, it could be your router trying to pick up with SSH 1.0).

What would be a good router for SSH? It doesn't have to be wireless, but I have no idea how to run OpenWRT on my router, nor do I know anything about Linux :( It looks like I have to modify my WRT54G to get it to work.

I seriously doubt that's the case. I run it over a WRT54G running the sveasoft firmware.

Turn off remote admin, for one. For another, go ask the people at portforward.com what the problem might be. I couldn't say at this point.

Yeah the Sveasoft firmware is Alchemey, should I install that firmware?

I will turn off remote admin when I get home. Thanks for the help, Tom

Ok so I installed Firmware Version: Free-Man/Basic 1.0.4 from TheIndiviual.

I don't see any intructions or whatever, as far as using it, but I did see an optin for SSHD, I enabled it and it asked for port, so I put 443, and then it asks for authorized keys. Where do I get that?

Thanks

Argh...

I still have protocol mismatch, even with the Alchemy firmware installed. I reinstalled OpenSSH and followed the directions carefully- I can still connect via putty locally. I even tried looking on their forums for intructions on how to use that software. I did not enable SSHD under Administration in the firmware because I thought it would conflict with OpenSSH.

Bah. I'm sad now :(

Sorry you're still having trouble, usman. You might try another SSH server package, since openSSH is now somewhat out of date. I'm afraid I don't really have any other suggestions for you.

This appears when I put in my password.

sshuser@localhost's password:
Last login: Tue Jun 13 21:55:14 2006 from localhost
Could not chdir to home directory /home/sshuser: No such file or directory
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

Mark: that's fine, it's normal.

When I try to Start it up I get this error message:
"Could not start the OpenSSH Server service on Local Computer.

Error 1067: The process terminated unexpectedly."

What exactly am I missing?

I've got a spare box at home I'm running a Mandrake Linux release on, but I'm a linux n00b. Do you know of any resource that would help step me through a similar configuration on Linux? Thanks much for any information.

Jim: you'll probably just want to start googling for the linux documentation on ssh and on privoxy. privoxy will have to be installed. I know for a fact that this setup can be gotten to work under Linux (it's how I use it). The ssh configuration stuff will be in the file /etc/ssh/sshd_config -- it's well-commented, and should generally make sense (remember, you'll have to restart the sshd service to make the changes load -- "/sbin/service sshd restart" as root).

For privoxy, you should be able to find instructions on installation in the documentation that comes with the package. I believe it's as simple as the usual

./configure
make
#make install

routine, and that the default privoxy configuration works well without additional configuration (I may be misremembering that, however).

Is it possible to verfiy any of the functionality of the SSH/tunnelling from a client in the same LAN on which the SSH server is running? That would be very useful, if possible.

Yes, there is -- it's one of the steps in the how-to, actually. But of course you can't test whether the router's port if properly open from within the LAN (unless you have access to a remote machine from the LAN).

I could use a little troubleshooting help. I have set up ssh server on an xp box and I can connect to it properly (and use privoxy to access the internet through the proxy) when I am using the same machine (i.e. putty connecting to localhost). But when I try using my laptop to connect to the xp box via putty (using the internal address of 192.168.0.102:443), I can a connection time out message. Any thoughts? THanks much in advance for any info/advice.

Sorry, I need to clarify that the laptop is in the LAN, I won't have an opportunity to test from outside until tomorrow.

Jim: make sure that XP firewall is turned off on the server, or at least that port 443 is open.

Now that you say that, I think I am running Kerio PF on my XP SSH server. I don't use the XP firewall but I have been using Kerio . . . at one point I thought I disabled it but now that you say that I think it's running. I'm at work so I can't check it but I'll look at it tonight. Thanks a bunch.

A neat solution, if you have broadband at home, is to use PuTTY to create a port forward and use Remote Desktop to directly control your Home PC to do your dirty work.

Command line for SSH client would be

ssh -L 12321:192.168.0.103:3389 -l sshuser mydns.ath.cx

Where 192.168.0.103 is your home pc's IP on your home network.

Then simply fire up the Remote Desktop Client, and point it at 127.0.0.1:12321

No DNS resolutions (except the initial connect) for admin to see, plus your own comfy desktop to work from.

I'm running WRT54GL that have ssh on port 443 at my home.
And I use PUTTY at office (via proxy port 8080) create socks at port 1080.

It's work well, I can access the block webpage :).

So I have some question.
Is my boss can check the DNS that I connect?
IS the proxy server of my office store my visit data (eg. pictures, PDF etc.)?

Thank you and sorry for my bad English.

RocketTeam:

1) if you aren't using the HTTP proxy part of this solution (privoxy), then yes, your boss can see your DNS

2) if you're using privoxy, then no. if you're just using an SSH tunnel, then they won't be able to see the URLs you're requesting or the content of data served back to you, but will be able to see what domains you're looking up. if you're not using either, then they can see everything, of course.

Quick question, when I test the SSH connection on the computer I made it on and try to use Putty to go through the localhost, I get this message after entering username and password... "Could not chdir to home directory /home/sshuser: No such file or directory." Being the techno-noob I am, I'm not sure what this means. Also, how might I test to see what ports are available through the firewall? The only one I know that is available is port 80.

fastest full free proxy ( proxie ) leech lists for Mega big brotherhood protections tru firewall and Rox is the major responsible for accessdiver * s software settings tweakings mm
all for FREE at

http://www.network54.com/Forum/404475

or

http://www.proxyfantasy.tk

PROXYFANTASY owner is R’a’kan with is greedy and wants a very large sum of money to stop his proxy projects or all customers will turn to me i offer 1000sands of proxy servers
for free no registration needed absolutley NOTHING is hidden
for my users….
proxyfantasy offers latest definitions of spyware fighting software too at no cost at all…..
search engine is added to proxyfantasay aswell as an ip finder….....

cu all over at proxyfantasy.tk

Well, I got everything set up and I tested from several places ( friends and cibers ) and it worked! but I can't get it at work. When I try to connect to my Home PC I alway get this message :" Network error: connection time out".

I think all ports are blocked or restricted.

They R usig ISA server to control internet traficc

I Have scanned ports from a web and tells me that no ports are Open!! ( I did this while Security Proxy at work allow to connect to the web from 1pm to 3 pm daily )

So is there a solution for this or just there is left to say best look!! ?

Thanks and forgive my poor english:P

Looks like there's a new player on the block using something like this technique from the trial I downloaded - free 14 day trial - might help to check if it works at your browsing location before you go to all this trouble http://www.mightykey.com/ . . . checked it out at work and works . . . seems to manage the caching data in an encrypted vault

WAS THINKING OF BUYING ONE OF THOSE MIGHTYKEYS, I HAVE BEEN USING THE TRIAL VERSION AND SEEMS SAFER BUT IS IT REALLY?

So I wrote up this huge response, but your spam filter ate it. I'll try one more time, but a bit shorter. Check out MyEnTunnel (http://nemesis2.qx.net/software-myentunnel.php) - a freeware front-end to PuTTY that makes regular proxying very easy. Also for Firefox, dont forget to set DNS lookups to also go through the proxy (http://digg.com/security/HOWTO:_Secure_Firefox_IM_email_from_anywhere_with_PuTTY#c1775296)

Quick question, when I test the SSH connection on the computer.

Got to point where I ran Putty (according to your instructions) it takes the username, give me the warning and asks for the password. I enter the password and get ACCESS Denied. Any ideas?