SSH Tunneling: Overview

Developed by SSH Communications Security Ltd., Secure Shell (SSH) is a program that allows a computer to log onto another computer over a network to move files over the network and execute commands. SSH is intended as a replacement for rlogin, rsh, rcp, and rdist.

SSH provides strong authentication and secure communications over non-secure channels. SSH protects a network from attacks such as IP and DNS spoofing, IP source routing, and interception of plaintext passwords and authentication data. If an attacker manages to take over a network, he can only force SSH to disconnect. The content and the connection are secure when encryption is enabled.

When you are using the SSH slogin (instead of rlogin), the entire logged-on session, including the transmission of the password, is encrypted. As a result, it is almost impossible for an outsider to collect passwords.

For improved security, the number of times the adapter can log on during a single session is limited because, during a disconnect, the SSH tunnel is not closed. This method of operation allows you to establish another connection without logging on.

For more information on SSH and how to use it, see the following Web site:

http://www.openssh.com

Additional Software Requirements

The adapter makes use of additional software applications. The adapter also supports either of the following applications for SSH tunneling:

• OpenSSH: an encryption and authentication tool for UNIX. For more information go to:

  http://www.openssh.org

• Plink.exe: Plink is a Win32-only command-line interface to the PuTTY Telnet/SSH client. For more information visit:

  http://www.chiark.greenend.org.uk/~sgtatham/putty

In either case, the you are responsible for downloading, installing, and properly configuring the necessary software. You must refer to the appropriate software provider for support and documentation.

SSH Tunneling and the Batch Adapter

To use SSH tunneling to provide for secure logon IDs and passwords, the BatchFTP Adapter uses the additional SSH-tunneling software (see Additional Software Requirements).

Enabling SSH Tunneling

To enable SSH tunneling, select Yes under the SSH Tunneling Enabled parameter in the adapter connection configuration (see SSH Tunneling Configuration Parameters). You can use the SSH-tunneling software in either of the following ways:

• By using an existing SSH channel where a secure connection has already been established

• By internally launching an SSH process for the adapter’s use

Using an Existing Channel

To use an existing channel, select Yes under the SSH Channel Established parameter in the configuration. The adapter then operates under the assumption that you have already established the SSH channel using the additional software. Once you set this parameter to Yes, the adapter automatically uses that channel.

Using an Internal Channel

If you choose No, under the SSH Channel Established parameter, the adapter launches a process within Java CAPS to establish a channel. In this case, you must specify, under the SSH Command Line parameter, a full and correct command-line statement for your SSH-tunneling application and environment.

You can obtain this information from the SSH-tunneling application’s configuration. See the application’s documentation for details.

You must enter a correct and complete command-line statement. That is, all necessary command line parameters must be provided so that the SSH-tunneling software can run correctly without requiring further interaction.

Check the accuracy of this information by executing the command line from the shell. If the software prompts for more information, add the required information to the command line and try again. Continue this process until the software starts and operates properly without additional action.

You may need to launch the application at least once from the shell before using it in the adapter. This requirement depends on the SSH-tunneling application and platform. Some applications prompt for trust-related information on the first attempt, to connect to a remote host.

Port-forwarding Configuration

Through SSH tunneling, the FTP command connection is protected. This mechanism is based on an existing SSH port-forwarding configuration. You must configure SSH port forwarding on the SSH listen host before you configure the supporting adapter Connection.

For example, on the Java CAPS client host localhost, you can issue a command, such as:

ssh -L 4567:atlas:21 -o BatchMode=yes atlas

Under the adapter’s configuration for the previous example, you must specify:

• localhost for the parameter SSH Listen Host

• 4567 for the parameter SSH Listen Port

In this case, the adapter connects to the FTP server atlas:21 through an SSH tunnel.

SSH Tunneling Configuration Parameters

You must set the following SSH tunneling parameters to configure the adapter Connection:

• SSH Tunneling Enabled: Specifies whether the FTP command connection is secured through an SSH tunnel:

  • No: indicates that all other parameters in this section are ignored.

• SSH Channel Established: Specifies whether the adapter needs to launch an SSH subprocess:

  • No: indicates that there is no existing SSH channel for an FTP transfer.

  • Yes: indicates that an SSH channel has been established, so it is not necessary for the adapter to spawn an SSH subprocess. If you select Yes, the following parameters are required:

  • SSH Listen Host

  • SSH Listen Port

• SSH Command Line: Specifies the command line used to establish an SSH channel. This parameter is required only when you set the SSH Channel Established parameter to No.

  The command-line syntax can be different, depending on the specific SSH client implementation. See your SSH-tunneling support software user’s guides for details.

• SSH Listen Host: Specifies the host name where the SSH support software runs, as well as the host it listens to.

  This parameter is required only when you set the SSH Channel Established parameter to Yes. If you choose No, the Listen Host is always localhost because the SSH support software is always started from the local host.

• SSH Listen Port: Specifies the port number that the SSH-tunneling support software uses to check for incoming connections. This port number can be any unused port number on the SSH listen host.

• SSH User Name: Specifies an SSH user name. This parameter can be required when the setting for the SSH Channel Established parameter is No.

• SSH Password: Specifies an SSH password corresponding to the user name entered under SSH User Name. This parameter can be required only when the setting for the SSH Channel Established parameter is No. For more information, see SSH User Name.

For more information, see SSH Tunneling Configuration Parameters.