Wednesday, September 15, 2010

Secure port forwarding with ConnectBot on Android

Android is a pretty hot hacker platform. You can pretty much do whatever you want with an Android device, even to the point of bricking it (be careful with those 3rd-party kernels!). I recently gave in to my irresponsible streak and shelled out for a used Nexus One. The first thing I did was gleefully root it and flash the CyanogenMod-flavored kernel that everybody’s been raving about. Supposedly, CM runs slicker and faster, and is rumored to even provide better reception, on the N1. The custom-kernel thing really excites me; it sounds like the Cyanogen team are going to add in a driver to turn on Wireless-N on the Broadcom chip in the N1 in an upcoming release. That same Broadcom chip also includes an FM receiver/transmitter just waiting to be turned on.
I’m not a kernel hacker (I may be some day, but I’m certainly not starting with a mobile device). But I am a hacker, and so the whole portable-console idea of Android gets me all flustered. Yeah, Google Apps integration is great. Yeah, there are lots of cool 3rd-party apps to look at the SD card, sync with Dropbox, remote-control your torrent downloads, add as a drop-in replacement browser, etc. But the really cool thing that I just got going is doing SSH tunneling with an app called ConnectBot.
SSH tunneling is an amazing feature. With it, you can add transport-layer encryption (SSH's own encrypted channel, doing the job TLS does for HTTPS) to any program's traffic, provided you have an SSH account on the server side. This comes in quite handy for anything where passwords are sent in clear text (e.g., via HTTP-Auth). When using a device over the air (e.g., any and all smartphones) you should always employ some form of encryption, be it password-level or session-level.
For running on a mobile device, ConnectBot is a very impressive SSH client. It facilitates SSH shell sessions, local/remote SSH port forwarding, shell-less SSH sessions (for port-forwarding only), and public key management. It also makes good progress in overcoming the ridiculous barrier of using a touchscreen keyboard to command a UNIX shell.
I’m going to walk through the steps required to set up port forwarding with ConnectBot. I’m going to assume here that I’ve got SSH access on a box running a webserver on port 80. By the end, we will have our own home-rolled equivalent of HTTP+TLS: plain HTTP carried inside SSH’s encrypted channel.
  • Download ConnectBot from the Android market (it’s free).
  • Launch ConnectBot. It’ll give you a nice little overview of the features, i.e., how to use the Ctrl key.
  • Enter username@server in the bottom text box.
  • ConnectBot will initiate the connection. As this is very likely a key new to your phone, ConnectBot will ask you if you want to continue connecting (anybody who’s SSH’d into a box for the first time has seen this). Select “Yes”.
(On the N1, the onscreen keyboard stays up and hides the dialog box at the bottom of the screen. Hold down the menu softkey at the bottom until the keyboard disappears, then select “Yes”.)
  • Enter your password. You’ve now got a live connection to the server!
  • Tap the Menu key. Select the “Port Forwards” option. Tap the Menu key again and select “Add port forward”.
  • Ok, you’re now at the point where you can set up the forward. ConnectBot gives the option of local forwards (equivalent to the “-L” ssh command-line flag) and remote forwards (equivalent to “-R”). I always use local forwarding for this sort of thing, but YMMV (your method may vary). Enter the “Source port”, i.e., which port you want to connect to on your local device, and the “Destination”, i.e., where you want to connect to on the destination network. For a webserver running on the same box we’re connecting to, we’ll use these values:
Source port: 8080
Destination: localhost:80
What this means is that we’re going to connect to “localhost:8080” in our browser, and that will tunnel a connection to the “localhost” on the remote end (the server we’re connected to) on port 80 (the standard port reserved for HTTP).
  • Tap “Create port forward”.
And that’s it! You can now load your browser of choice, type “localhost:8080” into the location, and voila, you have an SSH-encrypted connection to the remote server! Now, of course you’re not going to be using this much for remote web browsing, as you likely don’t have SSH accounts on all of your favorite web servers. But you can definitely use this for any sort of web interface that you might have on a box at home or at work.
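For comparison, here is how the same “Port Forwards” fields map onto the OpenSSH command-line client. This is an added example, not part of the original post or of ConnectBot; the function names are hypothetical, and binding the local listener explicitly to 127.0.0.1 is a choice made here so the forwarded port is reachable only from the device itself.

```shell
#!/bin/sh
# Added example: translate ConnectBot-style port-forward fields into the
# equivalent OpenSSH client arguments. Function names are hypothetical.

# is_port N: succeeds when N is an integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_flag KIND SOURCE_PORT DESTINATION
#   KIND         local (ssh -L) or remote (ssh -R)
#   SOURCE_PORT  listening port: on the client for local forwards,
#                on the server for remote forwards
#   DESTINATION  host:port, resolved on the far side of the tunnel
forward_flag() {
    kind=$1 src=$2 dest=$3
    dest_host=${dest%:*}    # everything before the last colon
    dest_port=${dest##*:}   # everything after the last colon
    is_port "$src" || { echo "bad source port: $src" >&2; return 1; }
    [ "$dest_host" != "$dest" ] && [ -n "$dest_host" ] && is_port "$dest_port" \
        || { echo "destination must be host:port: $dest" >&2; return 1; }
    case "$kind" in
        # Explicit loopback bind: only this device can use the listener.
        local)  echo "-L 127.0.0.1:$src:$dest_host:$dest_port" ;;
        remote) echo "-R $src:$dest_host:$dest_port" ;;
        *) echo "unknown forward type: $kind" >&2; return 1 ;;
    esac
}

# tunnel_command KIND SOURCE_PORT DESTINATION USER@HOST
# Prints (does not run) a shell-less, forward-only ssh invocation:
# -N skips the remote shell, ExitOnForwardFailure aborts if the
# listener cannot be set up (for example, the port is already taken).
tunnel_command() {
    flag=$(forward_flag "$1" "$2" "$3") || return 1
    echo "ssh -N -o ExitOnForwardFailure=yes $flag $4"
}

# The values used in the walkthrough above.
tunnel_command local 8080 localhost:80 username@server
```

The desktop client shows the same first-connection host key prompt as ConnectBot; comparing the displayed fingerprint with the server's own before accepting is what makes the tunnel's encryption meaningful.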
