4/9/08
11:43 am

MacMost Now 66: Using SSH Tunneling for Secure Connections

Gary Rosenzweig looks at using two Macs to connect to the Internet securely while traveling.

Video Transcript
Hi, this is Gary Rosenzweig. If you travel a lot with your laptop, you'll want to learn how to protect against having your data stolen when using public Wi-Fi. So let's get a little paranoid on this episode of MacMost Now.
OK, so the way this works is this: You're traveling and you're using public Wi-Fi, maybe at the hotel, maybe at a conference center, maybe somewhere else, but you trust the provider of the public Wi-Fi. However, do you trust everybody else in the area? Because all it takes is another laptop sniffing the data in the air that could possibly steal your passwords.
As you're happily surfing along the Internet, you're logging on checking your email, logging on to websites, shopping, doing all sorts of things, and meanwhile, they're sniffing all this data out of the air that's completely in the clear. So your passwords and IDs to services are completely just being sent in the clear.
They go and they sniff all the stuff and have programs that sift through it, grab a bunch of passwords and IDs from all the people in the area and suddenly they can log on, change your email, buy items at Amazon, that type of thing.
So, how do you protect yourself against this? Well, the way to do it is to have your data encrypted so it's not just flying through the air in the clear. Now, unfortunately, you can't do that with the public Wi-Fi services, but you can do that if you have something you're connected to on the other end that's allowing your laptop and whatever you're connecting to to have encrypted data go back and forth. You can do this with a service or you can do it with spare computer.
Let's look at how you can do this if you have, say, a spare computer in your office or in your home and you can connect directly to that computer and have an encrypted connection between the two and then you can surf the Internet or even check your email through that encrypted connection.
Let's go ahead and take a look at it step by step. OK, so the technique we're going to be using is called SSH tunneling. Now SSH stands for secure shell. It's a way to log in with a command line to a server or to a computer like a Mac OS X machine. You can log in and it's an encrypted connection between one computer and another. Usually you would do this to issue commands to the other computer, but you can create a tunnel which basically will establish connection and allow you to do all of your network activity between the two computers.
So the way to do this is, first you have to have one machine set up in your office, say, with a static IP address. Now you can get a static IP address at home through a DSL connection or you may already have one at work. So you know the IP address of this computer. And you also have your account information. So, say you know your account is just called 'my account' at that computer, at that Macintosh, and you know the password. That's all you're going to need.
So what you're going to do is you're going to open the Terminal in your laptop while you're traveling and you're going to type 'ssh' and then you're going to use two parameters for that, capital N and capital D. And capital N will basically say, 'Hey, don't open up an actual command line interface, but actually, open up a tunnel.' And capital D will tell it to forward a certain port through this tunnel.
OK. So then we're going to go ahead and tell it what port. We're going to use four 9s right now. And then we're going to go ahead and you do your ID, so you say like 'my account,' for instance, if that is the name of the account on your Mac. And you can always create another ID at the Mac for this, or if the Mac is just dedicated to this purpose, then you can do it this way.
So you've got 'myaccount@' and then you've got your server address, so that's going to be four numbers, so say '123.456.789.122,' something like that. Of course, it wouldn't be that. Those numbers aren't valid, but you get the idea. It's that IP address. Then after you hit return it's going to ask you for the password for that account. So you enter the password.
This is the same ID, then, the myaccount part, and the password as if you were logging into this computer sitting in front of it. And once you do that, you enter the password, and basically nothing happens. The terminal window kind of freezes and you've opened up this tunnel. And then we go to the next step.
Now the next step is to tell your applications, in this case Safari and Mail, to use this tunnel. So you want to go to your System Preferences and inside of the Network preferences you can go in and select your connection. So, say if it's an AirPort connection, then you click on Advanced. Now under Advanced you've got a lot of different things going on. What you want to select here is the last one, Proxies.
Under proxies, you want to select SOCKS proxy, right there. Now your SOCKS proxy is basically going to be set to be something very simple and it doesn't really matter what the IP address of the tunnel is. It's just going to be 127.0.0.1, which is the local computer. And the key here is using the same port that you used in the tunnel. So in other words, we're going to use port 9999 as the tunnel between this computer and the computer back at your office.
And once you do that, you hit OK. Now at that point, Safari and mail are both going to tunnel everything they do through this proxy. So instead of contacting your mail server directly or a website directly, it's all going to go through port 9999 to this computer at work, encrypt it, and then from that computer at work it's then going to go out to the Internet and do your business.
The great thing is that the actual data flowing through the airwaves at the place you're traveling to is going to be encrypted, so nobody can sniff your passwords and IDs and things like that.
Now this only protects Safari and Mail as far as I can tell. It might do some other applications, as well, as long as they use the proxy set in the System Preferences. Something like Firefox doesn't, in fact. You have to go into the Firefox preferences and set the proxy settings there.
So you could potentially be surfing through Safari safely and then Firefox in the clear, or vice versa. That could come in handy if you're in a situation where you want to have something secure and other things you don't really care about.
Now there are actually some other ways to do the same kind of thing using what's called a virtual private network or VPN. You can do this between two computers the same way we've been talking about, except one of them has to be a Mac OS server. You can't do it with standard Mac OS.
Or you can use a service like HotSpotVPN.com. I haven't tried them myself, but they seem to be able to set up a virtual private network on one end, and you pay them a certain amount per month, and then you don't have to have a computer. So you may want to check out those types of services, as well.
But this is a way to do it just between two plain computers using good old Mac OS X Leopard.
I want to thank my friend, Leo, for turning me on to this technique. Check out his website at ask-leo.com. Until next time, this is Gary Rosenzweig with MacMost Now.
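The tunnel and proxy setup described in the episode, written up as a small shell script. This is an added example, not code from MacMost or the video; the account name "myaccount", the host 203.0.113.10 and the network service name "Wi-Fi" are placeholders you would replace with your own.

```shell
#!/bin/sh
# Added example (not from the MacMost episode): the SSH SOCKS tunnel from the
# transcript, plus the proxy settings the video sets by hand in System Preferences.
# "myaccount", 203.0.113.10 and "Wi-Fi" are placeholders.

# Print the ssh command that opens the tunnel. -N = no remote shell, -D = dynamic
# (SOCKS) forwarding on the given local port, exactly as in the video. Two extras:
# binding to 127.0.0.1 keeps the SOCKS listener off the hotel Wi-Fi (other guests
# could otherwise use your tunnel), and ExitOnForwardFailure makes ssh quit
# instead of sitting there with no tunnel if the port is already taken.
tunnel_cmd() {
  port=$1; user=$2; host=$3
  case $port in ''|*[!0-9]*) return 1 ;; esac          # digits only
  [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1   # unprivileged port
  printf 'ssh -N -D 127.0.0.1:%s -o ExitOnForwardFailure=yes %s@%s\n' \
    "$port" "$user" "$host"
}

# Check that something is actually listening on the local SOCKS port before
# pointing the browser at it (a plain TCP connect test with nc -z).
socks_listening() {
  nc -z 127.0.0.1 "$1" >/dev/null 2>&1
}

# macOS only: set the SOCKS proxy for a network service to 127.0.0.1:<port> and
# turn it on. Same effect as Network > Advanced > Proxies > SOCKS Proxy in the video.
enable_socks_proxy() {
  service=$1; port=$2
  networksetup -setsocksfirewallproxy "$service" 127.0.0.1 "$port" &&
    networksetup -setsocksfirewallproxystate "$service" on
}

# macOS only: switch the proxy off again when you are back on a trusted network.
# Otherwise Safari and Mail keep trying to reach a tunnel that no longer exists.
disable_socks_proxy() {
  networksetup -setsocksfirewallproxystate "$1" off
}

# Full procedure: open the tunnel in the background (-f backgrounds ssh after
# the password prompt, instead of the "frozen" Terminal window from the video),
# wait for the listener, then enable the proxy.
start_secure_browsing() {
  port=$1; user=$2; host=$3; service=${4:-Wi-Fi}
  cmd=$(tunnel_cmd "$port" "$user" "$host") || { echo "bad port: $port" >&2; return 1; }
  $cmd -f || return 1
  i=0
  until socks_listening "$port"; do
    i=$((i + 1)); [ "$i" -lt 20 ] || { echo "tunnel never came up" >&2; return 1; }
    sleep 1
  done
  enable_socks_proxy "$service" "$port"
}
```

Run `start_secure_browsing 9999 myaccount 203.0.113.10` on the laptop; `disable_socks_proxy Wi-Fi` restores direct access.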