Last updated: 06/05/02



by System Administrator

SSH and (vs.) VPN

[ Overview | Definitions | Why VPN/SSH? | The Dirty Details | More Resources ]
[ SSH for Windows | SSH for Macintosh ]
-Document still under construction-


Overview

This page has a fair amount of outdated information on it, specifically about how the U.'s VPN works (it is now available on-campus, and is recommended for those using wireless connections) and about connecting to the departmental computers using SSH from a Mac. It IS possible to connect to the new fileserver and the new webserver from a Mac using SSH; see Setting Up SSH and FTP Port Forwarding (Macintosh VERSION) for details on how to do that.
I will update the rest of this page as I get time this summer ('02).

The University set up a VPN in order to make connecting to the University network easier. It is all about access to restricted resources at the University. Examples of these resources are the abstracts, journals, periodicals, indexes and other research-related services that have been contracted by the University for the sole use of its student, faculty and staff community. It's used to log in to campus from off-campus, while making it appear that you are on campus. It's kind of like the modem pool for high-speed connections at home. (partly taken from the VPN page.)

The VPN is still being tested (as of 02/21/01), but those associated with the U. are welcome to try it. I do not provide support for this, I have nothing to do with it, the hard work was done by NTS/OIT, and they have done an admirable job. Information on how to download the necessary software, set it up, and get support for it is all here.

The statement above isn't strictly accurate, especially regarding library resources. But I'm going to leave it until the specs are fully worked out. The VPN is for using services on campus that require the user to be on-campus, such as PeopleSoft and some others. Many of the library resources you can access without the VPN, by logging in with your X.500 (e-mail) username and password. Until the final decisions are made, just try to access the resources first WITHOUT the VPN, and then try it with the VPN if the first didn't succeed.

What you can't do with the VPN is surf the general web, like going out to Yahoo or elsewhere, because that way the U. would be paying double for your network traffic. In effect, only traffic bound for campus goes through the VPN (a VPN set up this way is usually called split-tunnelled); use your straight ISP for everything else. I know this isn't terribly clear. When it gets worked out, I'll modify this page.

SSH is used to connect to the Department of Geology and Geophysics computers (or MSI, or other departments) from off-campus, whether from a modem line, from home across a high-speed connection, or when you're travelling. It can be used in conjunction with the VPN, but that is not strictly necessary.

There currently is not a free way to use SSH with a Mac to connect to the Department's computers. This is because MacSSH did it correctly, but that makes it harder for me to set it up. I'll get to it soon. There is a way to do it if you want to shell out some bucks, see Setting Up SSH and FTP Port Forwarding (MACINTOSH VERSION) at UW for details, and then contact me so we can work out the details.

First, some definitions: (Bah! skip the definitions!)

SSH: Secure Shell is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace telnet, ftp (Fetch), rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. (adapted from the OpenBSD ssh man page)
SSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, SSH provides a myriad of secure tunnelling capabilities, as well as a variety of authentication methods. (from the openssh front page.)

VPN: Virtual Private Network. A private network that is configured within (or to travel across) a public network in order to protect data or for other reasons. In this case, the University of Minnesota built a VPN to allow high-speed internet access users (DSL and cablemodem users) access to U. resources from their homes, like those who use the modem pool have.
The VPN will encrypt data sent from home until it gets to the VPN server on campus, but after that, the data is unencrypted as it passes over the local U. network.

Encryption: transforming data so that it can be read only by someone who holds the right key. The methods rest on mathematics (for some of them, the difficulty of factoring large numbers). See Cryptography.

Cryptography: The conversion of data into a secret code for transmission over a public network. The original text, or "plaintext," is converted into a coded equivalent called "ciphertext" via an encryption algorithm. The ciphertext is decoded (decrypted) at the receiving end and turned back into plaintext. (from the TechEncyclopedia)

"Sniffing:" Reading data sent across the network from somewhere along the line. It's analogous to eavesdropping on a phone call with a wiretap. Sniffing is trivially easy for those who know anything about how networks work, and the older protocols (telnet, FTP, POP e-mail) send your username and password as plain text. Therefore, anyone who wants to can get your passwords, read your e-mail, or check out your data, and this can be done anywhere along the path from your computer to the departmental computers.


Why?

Why VPN?
Many U. users are now getting high speed internet access in their homes, through DSL or cablemodems. Before, when users were just dialing in with the modem pool, they could access U. resources, such as the library, from home and use GeoRef and other tools. But when you get a high speed connection, you have to go through a different ISP (Internet Service Provider, like Visi.com or Qwest). So when you try to log into the U., the U. thinks you're the internet in general. The U. protects its resources from the internet, and that includes you if you're coming in from an ISP. So the VPN was created to allow U. people access from home.

That's all it was meant to do. Those who are familiar with VPNs might wonder why we can't use the U.'s VPN to connect to departmental computers. That was a design decision on the part of those who are in charge of the VPN. Basically, it comes down to the fact that designing a VPN to match all the needs of all of the departments on campus would have been a nightmare, and probably impossible.

The VPN does, however, encrypt the data being sent from your home computer, and decrypts it when it gets to campus. So it protects you from sniffing out on the internet. It does NOT protect you from sniffers on campus.

Why SSH?
The unix machines in the department hold the webpages, and many of the user files, and are the machines that users would need to connect to from home. They are also, for long and detailed reasons, the most prone to coming under attack from crackers (those who "hack" computers maliciously. Hacking can be good, cracking is bad.) Because of that, access to the Unix machines is granted only to those who are physically located in the Department, or who have asked permission from other parts of campus. Until recently, access was not allowed from off-campus, because there was no way to secure that connection.

What do you mean, secure that connection?
Access is granted to the unix computers either on a machine by machine basis (based on the IP address, that 160.94.123.123 number) or by a group of machines based on their domain names (like geo.umn.edu). That can't be done for most people at home, for various reasons. Also, even here on campus, data that is sent across the network is completely insecure and visible. "Sniffing," or reading that data straight off of the network from another computer, is trivially easy for those who know anything about how networks work. Therefore, anyone who wants to can get your passwords, read your e-mail, or check out your data, and this can be done anywhere along the path from your computer to the departmental computers. To defeat that, and to confirm that you actually are who you say you are when you try to log in, we use SSH: it encrypts the whole connection and authenticates both ends, the server by its host key and you by your password or key (see definitions).
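To make "trivially easy" concrete, here is an added example (not part of the original page) of what a sniffer has to do once it has the bytes of a login: pick the USER and PASS lines out of the stream. The two captures are constructed for this example and stand in for one FTP login and one POP3 (e-mail) login; the server name geo.umn.edu is the one used elsewhere on this page, and the account name and password are made up. The "encrypted" session is the same FTP bytes XORed with a random one-time key; that is a stand-in for SSH's transport cipher, not SSH's actual algorithm, and is here only to show what the same sniffer sees once the connection is protected.

```python
"""Pulling cleartext credentials out of a sniffed session (added example)."""
import os
import re
from typing import List, Tuple

# Constructed sample of a sniffed FTP control connection (client and server lines).
FTP_CAPTURE = (
    b"220 geo.umn.edu FTP server ready.\r\n"
    b"USER jdoe\r\n"
    b"331 Password required for jdoe.\r\n"
    b"PASS rocks4ever\r\n"
    b"230 User jdoe logged in.\r\n"
)

# Constructed sample of a sniffed POP3 (e-mail) login; same USER/PASS pair.
POP3_CAPTURE = (
    b"+OK POP3 server ready\r\n"
    b"USER jdoe\r\n"
    b"+OK\r\n"
    b"PASS rocks4ever\r\n"
    b"+OK jdoe has 3 messages\r\n"
)

# FTP and POP3 both send credentials as a command word, a space and the value,
# one per line, so one pattern covers both.
_CRED_RE = re.compile(rb"^(USER|PASS) (.+?)\r?$", re.MULTILINE)


def extract_credentials(capture: bytes) -> List[Tuple[str, str]]:
    """Return (username, password) pairs found in a sniffed byte stream.

    A PASS line only counts if a USER line came before it, so a stray PASS
    without a username is ignored rather than mis-paired.
    """
    pairs = []
    user = None
    for cmd, value in _CRED_RE.findall(capture):
        if cmd == b"USER":
            user = value.decode("ascii", "replace")
        elif cmd == b"PASS" and user is not None:
            pairs.append((user, value.decode("ascii", "replace")))
            user = None
    return pairs


def encrypt_stream(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for the SSH transport cipher: XOR with a one-time random key.

    Assumption: len(key) >= len(plaintext). This is not SSH's real cipher;
    it only produces the kind of bytes an eavesdropper sees instead of
    protocol text.
    """
    if len(key) < len(plaintext):
        raise ValueError("key must be at least as long as the plaintext")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def sniff_encrypted_session(plaintext: bytes) -> List[Tuple[str, str]]:
    """What the same sniffer gets from the same login once it is encrypted."""
    key = os.urandom(len(plaintext))
    return extract_credentials(encrypt_stream(plaintext, key))


if __name__ == "__main__":
    print("FTP  :", extract_credentials(FTP_CAPTURE))
    print("POP3 :", extract_credentials(POP3_CAPTURE))
    print("SSH'd:", sniff_encrypted_session(FTP_CAPTURE))
```

The point of the last function is not the cipher but the contrast: the same few lines of regex that recover the password from the cleartext capture find nothing in the protected one, because the command words never appear on the wire.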


The Dirty Details

VPN: The University of Minnesota built a VPN to allow high-speed internet access users (DSL and cablemodem users) access to U. resources from their homes, like those who use the modem pool have. The VPN encrypts data sent from home only until it gets to the VPN server on campus; after that, the data is unencrypted as it passes over the local U. network. Because of this, connections coming in through the VPN are not granted access to the Geology/Geophysics machines.

VPN

This is a fine solution for accessing general University resources from specific machines off-campus, such as a home computer. However, it does not work over the modem pool (I actually haven't verified that, but I can imagine trying to run it on the modem pool would be very unpleasant), and it doesn't work very well while you are traveling. And the University's network itself is still dangerous; this is simply a fact of academic environments, especially one as large as the U. of Mn.

This is where SSH comes in:

  • It's more flexible, easier to set up, more portable, works across the modem pool, and also protects data traveling across the U.'s network.


One small detail. If you're using SSH from across the network (say, from another university) and NOT coming in across the modem pool or the VPN, the Library and other campus-only resources will deny you access, because they don't see you as being on the U.'s campus, which both the modem pool and the VPN mimic. If you have questions about this, contact me.

(This applies to connections you make directly from your own machine. A connection that is port forwarded through an on-campus SSH host arrives at the far end from that host, so it is seen as on-campus; that only helps if all of the connections involved are port forwarded. See Port Forwarding below.)

Port Forwarding or Tunneling

All of the data traveling into and out of your computer travels by one wire, either your modem cord (phone cord) or your network cord. So that each application only has to look at the data meant for it, connections are sorted into numbered virtual "ports": your FTP/Fetch window sends and receives on its own port and never sees your web or e-mail traffic. (The original page illustrated this with a diagram, which is not reproduced here.)

Certain ports are assigned and recognized all across the internet: port 23 is telnet, 21 is FTP, 80 is the basic Web (Netscape, Explorer) port, and so on. Under normal circumstances the data traveling across all of these ports is unencrypted, which is why it was drawn in red in the diagram.

The VPN software encrypts everything going out on all of the ports. But remember, all of the VPN data is decrypted as soon as it hits the VPN server, and your data is essentially dumped on the U.'s network unencrypted.

What SSH allows us to do is to take data that normally goes out on its own port, say 21, redirect it into the encrypted SSH connection (port 22), and have the SSH server at the far end deliver it to the real port on the real machine. This is known as "tunneling" or "port forwarding": the application is pointed at a port on your own machine that the SSH client listens on, and it never knows the difference. It's important to remember that the "ports" are not real in any physical sense, so the fact that the data is all getting shoved down one port won't cause a bottleneck. The encryption itself takes some time, but the "tunneling" does not slow down the data.

A separate tunnel has to be created for each application/port. One caveat for FTP in particular: forwarding port 21 carries only the control connection (your username, password and commands). The file transfer itself uses a separate data connection that is not inside that tunnel, so the contents of the files, as opposed to your password, can still cross the network in the clear; if all you need is to move files, SSH's own sftp and scp avoid the problem entirely. How to set up the tunnels is described in the individual pages:
SSH for Windows
SSH for Macintosh
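The following is an added example, not code from the original page or from any SSH client, showing what a local port forward does at your end of the connection. On the OpenSSH command line the equivalent is `ssh -L 2121:geo.umn.edu:21 user@sshhost`, where geo.umn.edu is the domain used elsewhere on this page and 2121, `user` and `sshhost` are made-up placeholders: the SSH client listens on port 2121 of your own machine, and you point Fetch or your FTP client at localhost:2121 instead of the server. The example reproduces that mechanism in one process so it runs offline: a listener on a loopback port relays each connection to a constructed stand-in for the department FTP server's port 21. The only thing it leaves out is the encryption between the relay and the far end; how the application gets redirected is the same.

```python
"""How an SSH local port forward behaves at the client end (added example)."""
import socket
import threading
from typing import Tuple


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until the source closes, then close the other side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(listen_host: str, target: Tuple[str, int]) -> Tuple[str, int]:
    """Listen on an ephemeral port and relay every connection to `target`.

    Returns the (host, port) the application should connect to. Binding to
    127.0.0.1 (what `ssh -L` does by default) is the important choice: a
    tunnel bound to 0.0.0.0 would let any other machine on your network ride
    your authenticated SSH session into campus.
    """
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, 0))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            remote = socket.create_connection(target)  # real ssh: an encrypted channel
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[:2]


def start_fake_ftp_server() -> Tuple[str, int]:
    """Constructed stand-in for the department FTP server's control port (21)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            try:
                with conn:
                    conn.sendall(b"220 geo.umn.edu FTP server ready.\r\n")
                    line = conn.recv(1024)
                    if line.startswith(b"USER "):
                        conn.sendall(b"331 Password required.\r\n")
                    else:
                        conn.sendall(b"500 Unknown command.\r\n")
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[:2]


def ftp_login_via(endpoint: Tuple[str, int], user: str) -> bytes:
    """What the FTP client does: it talks to `endpoint`, wherever that leads."""
    with socket.create_connection(endpoint) as s:
        banner = s.recv(1024)
        s.sendall(f"USER {user}\r\n".encode())
        reply = s.recv(1024)
    return banner + reply


def demo() -> bytes:
    """Log in through the forwarder and return the server's two replies."""
    server = start_fake_ftp_server()
    local = start_forwarder("127.0.0.1", server)
    return ftp_login_via(local, "jdoe")


if __name__ == "__main__":
    print(demo().decode())
```

The check worth doing on a real tunnel is the one the forwarder's docstring describes: after starting the SSH client, confirm that the forwarded port is listening on 127.0.0.1 only, not on all addresses, so that your tunnel is not a door into campus for everyone else on your home or hotel network.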



More Resources:

SSH:
Cryptography/Encryption:
• Defined at TechEncyclopedia.
• If you really want to get into this, check out the book Applied Cryptography by Bruce Schneier. This is "the bible" of cryptography.


Acknowledgements:

Information for this page, and the related pages, came from a myriad of places. The webpages are cited as they're used, but I would like to give special credit to the folks at the University of Washington who wrote the original connection pages: Setting Up SSH and FTP Port Forwarding (WINDOWS VERSION). Thanks also go to the NetPeople, especially Eric Nordin and David Farmer, and the SysAlums.