A secure command line interface is just the beginning of the
many ways SSH can be used. Given the proper amount of bandwidth,
X11 sessions can be directed over an SSH channel. Or, by using
TCP/IP forwarding, previously insecure port connections between
systems can be mapped to specific SSH channels.
Opening an X11 session over an established SSH connection is as
easy as running an X program on a local machine. When an X program
is run from the secure shell prompt, the SSH client and server
create a new secure channel, and the X program data is sent over
that channel to the client machine transparently.
X11 forwarding can be very useful. For example, X11 forwarding
can be used to create a secure, interactive session with up2date. To do this, connect to the server using
ssh and type:
After supplying the root password for the server, the Red Hat Update Agent appears and allows the
remote user to safely update the remote system.
SSH can secure otherwise insecure TCP/IP protocols via port
forwarding. When using this technique, the SSH server becomes an
encrypted conduit to the SSH client.
Port forwarding works by mapping a local port on the client to a
remote port on the server. SSH can map any port from the server to
any port on the client; port numbers do not need to match for this
technique to work.
To create a TCP/IP port forwarding channel which listens for
connections on the localhost, use the following command:
ssh -L local-port:remote-hostname:remote-port username@hostname
Setting up port forwarding to listen on ports below 1024
requires root level access.
To check email on a server called mail.example.com using POP3 through an encrypted
connection, use the following command:
ssh -L 1100:mail.example.com:110 mail.example.com
Once the port forwarding channel is in place between the client
machine and the mail server, direct a POP3 mail client to use port
1100 on the localhost to check for new mail. Any requests sent to
port 1100 on the client system are directed securely to the
If mail.example.com is not running an
SSH server, but another machine on the same network is, SSH can
still be used to secure part of the connection. However, a slightly
different command is necessary:
ssh -L 1100:mail.example.com:110 other.example.com
In this example, POP3 requests from port 1100 on the client
machine are forwarded through the SSH connection on port 22 to the
SSH server, other.example.com. Then,
other.example.com connects to port 110 on
mail.example.com to check for new mail.
Note, when using this technique only the connection between the
client system and other.example.com SSH
server is secure.
Port forwarding can also be used to get information securely
through network firewalls. If the firewall is configured to allow
SSH traffic via its standard port (22) but blocks access to other
ports, a connection between two hosts using the blocked ports is
still possible by redirecting their communication over an
established SSH connection.
Using port forwarding to forward connections in this manner
allows any user on the client system to connect to that service. If
the client system becomes compromised, the attacker also has access
to forwarded services.
System administrators concerned about port forwarding can
disable this functionality on the server by specifying a No parameter for the AllowTcpForwarding line in /etc/ssh/sshd_config and restarting the sshd service.