An SSH tunnel can be used to secure communication between a client and server that cannot otherwise be secured; for example, when all or part of the application source is not available or it is deemed to expensive to modify to add encrypted communication.

Based on the questions I have seen over the last few months, the process of setting up and using an SSH tunnel is not well understood. The following is my attempt to explain it.

First let me describe the existing insecure method, some application on a workstation connects to a service running on VOS and listening to some port, call it 12345. This is the green line in figure 1 going from the workstation to VOS. The data sent over this connection is unencrypted so anyone with some access to any network that the connection crosses has the potential to capture and read the data.

To secure this communication the first thing that is set up is the SSH connection that will act as the tunnel. This goes from the workstation to the port that the SSH service running on VOS is listening on, the default is port 22 (the red line in figure 1). The SSH client on the workstation needs to be configured not to request that the SSH service on VOS set up a pseudo terminal, otherwise you end up with a login session not a tunnel. Setting up an SSH tunnel will not prevent someone from capturing the data but what they capture will be encrypted.

The SSH client on the workstation also has to be configured to with 2 additional pieces of information. First the port on the workstation that will act as the application client’s entrance to the tunnel, call it port 24680 but any unused port can be used. Second, the IP address and port that the SSH service on VOS will connect with when a connection is made through the tunnel. In our example the IP address would be 127.0.0.1 and the port would be 12345. Exactly how this is set up will depend on the client.

The client application running on the workstation now needs to be configured to connect to the workstation’s local host (127.0.0.1) and the tunnel entrance port, 24680. There are no changes to the application service running on VOS, it still needs to be running and listening on port 12345. The steps are:

1) Start or confirm that the application service is running on VOS
2) Start or confirm that the SSH service (sshd) is running on VOS
3) Start the SSH client on the workstation and set up the tunnel connection (red line)
4) Start the application client on the workstation and have it connect to the SSH tunnel entrance port (blue line)
5) The sshd process on VOS automatically makes a connection to the application service running on VOS (orange line)