Secure remote communication over the Internet - using SSH

The growth of fast, cheap access to the Internet has opened up the possibility of providing remote support to customers. However, the Internet is an open network, so a robust means of authenticating remote users and encrypting communications needs to be used to ensure security.

This functionality is normally provided by a Virtual Private Network (VPN). These are great when you need to function as if you were a full member of the network you are joining to, but they can be complicated to set up and often require dedicated hardware at the customer’s end, something you may have little influence over.

Often when supporting a FactoryPMI/SQL or Ignition installation, you only need to access a single machine on the customer’s network. If this is the case, you have another option available to you: Secure Shell access, or SSH. You can implement an SSH solution by installing SSH server software on the machine you want to access and SSH client software on the machine you are using to connect to it. The client’s router or firewall is then configured to forward traffic on the correct port to the machine running the SSH server.

SSH servers

Coming as it does from the Linux world, there are a number of completely free SSH servers for both Linux and Windows. If running Linux on your server, simply install the OpenSSH server software. This is achieved in Ubuntu by selecting the ‘openssh-server’ package in the Synaptic Package Manager, or by entering apt-get install openssh-server in a terminal window. This defaults to running a server on port 22 (the standard SSH port). You will have to enter the username and password of a user on the Linux server to log on.

For Windows, I originally tried freeSSHd which seemed to work well, but Carl and I discovered that it suffers from a bug which causes it to fail whilst downloading large files, the very thing you do when you try to run a FactoryPMI/SQL or Ignition application remotely. The package doesn’t seem to have been updated in over a year, so I reluctantly abandoned it.

It is actually possible to run the OpenSSH software on a Windows PC by installing Cygwin. This is an API compatibility layer which allows a collection of Unix-like tools to run in a terminal window on Windows. The downside of this is that it can be complicated to set up and the full Cygwin package weighs in at over 5GB. Fortunately there is a solution in the form of CopSSH. This is a package consisting of OpenSSH and just the parts of Cygwin required and is being actively maintained at http://www.itefix.no/i2/copssh. When the CopSSH installer is run, it asks for a username and password of the user account it will be run under – I specified an administrator account here.

Once it has installed, you must activate a user before you can connect to the server. This is done through a program accessed from the Start menu. Select the Windows account you wish to use to login to the server (I tend to use the one it is normally left logged into), leave the command shell set to '/bin/bash/ and leave all the options selected. You then have to enter a passphrase of at least 5 characters to protect the private key generated on the server. This will only be required if you want to connect remotely using public key authentication, which I won’t cover here. Once this step is finished, you’re done. The server is now running as a service and will start with Windows. If you want to stop it running, access it from Control Panel\Administrative Tools\Serviceswhere you’ll find it listed as ‘Openssh SSHD’.

SSH clients

For both Linux and Windows there is one stand-out free SSH client – PuTTY. This can be installed in Ubuntu by selecting in from the Ubuntu Software Centre or the Synaptic Package Manager, or by entering apt-get install putty in a terminal window. On Windows, download the putty.exe from http://www.chiark.greenend.org.uk/~sgtatham/putty/ You can then save the file where you want and run it from there – there’s no installation required.

When you run PuTTY, type the address of the server in the top box and ensure the port is set correctly (this will be 22 unless you’ve changed it in the OpenSSH configuration file). Press the ‘Open’ button at the bottom of the window and you should see a terminal window open. The first time you do this, you will probably receive a warning that the host key doesn’t match the one in the cache (or something similar). As long as the server’s IP address was entered correctly, you can proceed and accept the key. You should then be asked to login. If this doesn’t happen, check that you have forwarded port 22 at the remote router to the machine running the server and also check that you have unblocked port 22 on any firewall running on the server.

If you enter the account username and password, you should be logged onto the server over an encrypted connection. Notice that unlike Telnet, both your username and password were also encrypted during the login process, making the whole process very secure. You should now see a terminal window from which you will be able to access the hard drive of the server machine.

At this point you may be thinking “Is that it – all that work for terminal access?!” Don’t worry. SSH has the ability to tunnel other traffic over its encrypted connection. Close the terminal window by typing ‘exit’, then run PuTTY again. Enter the IP address of the server as before, but before you open the connection, go to Connection/SSH/Tunnels. Here you tell PuTTY what ports to pass down the encrypted connection, and where to forward them once the traffic reaches the server. For example, suppose an Ignition web server was running on the server machine on port 8088. You would enter something like 8089 in the ‘Source port’ field, then enter ‘127.0.0.1:8088’ on the Destination field. Don’t forget to press the ‘Add’ button. You should see the tunnel added as L8089 | 127.0.0.1:8088. It’s probably a good idea at this point to go back to the first page in PuTTY (‘Session’) and enter a name for the session and save it.

Try connecting to the server again. This time once you connect, open a web browser and enter ‘127.0.0.1:8089’. (Notice that you use the localhost address and not the server’s own IP address!) You should see the Ignition home page, with all the traffic between the 2 machines going over the encrypted connection.

Of course, this approach is not restricted to accessing web servers. You can tunnel any software that connects over a TCP/IP port, such as MySQL or VNC. By using VNC in this way you can gain full remote control of the PC securely over the Internet.

If this article has been useful or if you need further help at any point, please let me know.

3 Likes

Thanks for writing this up, indeed - SSH tunneling is a useful tool to know about.

As an addition:

CentOS,RHEL both come with OpenSSH installed out of the box.

If your installation doesn’t for some reason, yum install openssh-server is the equiv of the apt-get command.

Just like w/ ubuntu, you need to log onto ssh w/ an acct on the linux machine in question. However! You cannot use the root acct for this.
(well you can, but you have to specifically enable this, BAD IDEA DO NOT DO THIS).

What’s that? You need to transfer files to/from the machine?
SCP(secure copy) is your friend.

You can use WinSCP on a windows machine, or just the cmd line scp on your linux box.
Same as ssh, you’ll use a username/password on the linux machine.

What’s that? You want to intergrate your linux machine onto your existing AD domain? Login using the same username/password as you would any other domain machine? GSSAPI single sign on in Putty and WinSCP??!
Likewise Software will let you do that. Likewise Open is even a no cost option though it does lack some of the nicer feature.

Al,
I know this is an old post but it was just the right thing for my project at the right time.
Thank you endlessly.
Cas

3 Likes

You are very welcome Cas :slight_smile: