SSH Secure Communications client for Windows
Version 2.4
Johns Hopkins University Networking Services

This page is designed to show someone who knows little about computer security how to secure the email, telnet, and ftp programs on their computers.

Why use ssh?
Almost all of the computers within the JHU domain are connected to the internet most of the day. Whether you are surfing the web in the HAC lab or checking your email in your room, there are other people, inside and outside of Hopkins, who are trying to gain access to our computers. They can use many of the programs that you normally run to do your daily tasks in order to compromise the security of your personal computer and the entire network. These programs include ftp, telnet, email programs, and web browsers. This does not mean you shouldn't use these programs, just that we need to protect them. To do this, we use ssh.

How does ssh work?

On a very low level, ssh works by encrypting your passwords when you log onto remote machines like JHUnix and HOPS. For the actual nuts and bolts of the program, you can read about them here.

The interface of SSH and telnet is much the same, except ssh is more powerful and allows you more control. You can change the basic text properties (like color and size). You can also do what is called "port forwarding." Port forwarding is similar to setting up a firewall on your own machine.

Here is an example: Normally, when you start up an ftp program (like cuteFTP), it sends your password to the server on a certain "port" (port 21 actually). This is not secure because people can run "sniffer" programs that read the traffic on the network. When the program sees a logon and password go by, it records them. The hacker now has access to your account.

If you use port forwarding, the situation changes a little. Ssh is running on your computer and waiting for you to send something on port 21. When you do, it intercepts it. Your password is then encrypted and sent to the server, where it is decrypted and you are logged on. When the hacker sees your encrypted password go by, they cannot decrypt it, so you are safe.

Where do I get ssh?

Currently, anyone associated with a University can use SSH for free either at home or at work.
You can download the non-commercial version from here. Please read the licensing agreement before downloading.

How do I use port forwarding?

The first thing you need to do is decide what services (programs) you want to make secure. Once you do this, you have to find out what port they run on. Here is a list of most of the ports you need:

IMAP (email): 143
POP3 (email): 110
ftp: 21
http (internet): 80

Port forwarding only works when you are connected to a server through ssh. You do not need to be connected to the server that all of your services will go to (meaning, you don't have to be connected to JHmail to send mail; you can be connected to JHUnix and it will still work).

When F-Secure starts up, you will be presented with the following screen:
You can set up F-Secure to log into any number of systems, but this page will walk you through setting one up, as well as setting up port forwarding. As an example, I will first set up a secure path to JHUnix to check my mail (using POP3, port 110). If you are not sure whether you use IMAP (port 143) or POP3 for your email, ask your systems administrator.

Click on the "OK" button on this screen. What this will do is allow me to use programs like Microsoft Outlook and Eudora to check my email safely.

Pick one of your accounts and type in the server's name in the field marked "Host Name:" and your logon in the field marked "User Name:". Then click on the button marked "Properties...".

Click on the tab labeled "Forward," make sure the radio button next to "Local" is selected, and then click on the button labeled "New...".

Decide on the name of the service (the name doesn't matter), and type it into the field labeled "Name." After looking up which port the service you are going to forward is on (by looking above or here), enter that number into the fields marked "Source Port" and "Destination Port." Enter "127.0.0.1" in the field labeled "Destination Host." Finally, make sure the box next to "Allow local connections only" is checked (unless you are forwarding FTP, in which case you would leave it unchecked), and click on "OK."

Before you click on "OK," it should look something like this:
After you click on "OK," it should look like this: 
Repeat these steps with any other services you want to forward. **note** Port forwarding for all of these services has not been tested and may not produce the desired effects. Next, we will set up FTP. Click on the "New" button again and enter the following information: 
Notice the lack of a check mark next to the selection box for "Allow Local Connections Only."

*NOTE* You will only be able to have one secure FTP connection at a time. Whatever server you put in the "Destination Host" field will be the only secure ftp connection you can make. To make another connection, you will need to change the name of the server in the field. Also, make sure your FTP program is set to 'passive' mode or it will not work.

Click on "OK." You have now set up a secure channel for the command piece of FTP (FTP has two channels, one for data and one for commands, but we can only forward the command channel). The username/password information will be encrypted. However, the actual files or information ftp'd will not be encrypted.

When you want to log into that server, first connect to the server with SSH. Then enter '127.0.0.1' as the server in your ftp client. It will automatically forward you to the server you have entered in SSH. If you want to ftp securely to another server, you must change the server address in the port forwarding for port 21. It may sound like a pain, but it is necessary to be secure!

Be sure to save your settings; otherwise you will have to recreate the tunnel every time.
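Why only the login is protected, as an added example that is not part of the original page: in passive mode the server's 227 reply, which arrives over the forwarded command channel, names a separate address and port for the data connection, and the port 21 forward does not cover that connection. The reply text and the 192.0.2.10 address are constructed sample values, and the function names are illustrative.

```python
import ipaddress
import re

# RFC 959 passive-mode reply: "227 <text> (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Constructed sample reply; 192.0.2.10 is a documentation address, not a real server.
SAMPLE_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"


def parse_pasv(reply):
    """Return (host, port) that the FTP client will open its data connection to."""
    match = PASV_RE.match(reply.strip())
    if match is None:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(group) for group in match.groups()]
    if any(value > 255 for value in fields):
        raise ValueError("field out of range in reply: %r" % reply)
    host = ".".join(str(value) for value in fields[:4])
    port = fields[4] * 256 + fields[5]  # port is sent as two bytes, high byte first
    return host, port


def data_channel_exposure(reply, forwarded_ports):
    """Report whether the data connection would use one of the local SSH forwards."""
    host, port = parse_pasv(reply)
    tunneled = ipaddress.ip_address(host).is_loopback and port in forwarded_ports
    return {"host": host, "port": port, "tunneled": tunneled}


if __name__ == "__main__":
    # Only port 21 is forwarded, as in the FTP setup described on this page.
    result = data_channel_exposure(SAMPLE_REPLY, forwarded_ports={21})
    print("data connection goes to %(host)s:%(port)d, tunneled=%(tunneled)s" % result)
```

With only port 21 forwarded, the sample data connection goes straight to the server's own address on a different port, which is why the files themselves travel unencrypted.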
If you have trouble or need help, call 410-516-HELP