Thursday, January 20, 2005

Connecting Securely from a wireless hotspot on Mac OS X

Why is it needed?
E-mail and user names/passwords are sent as plain text. A program like tcpflow will allow anyone on the same wireless connection to see your password and messages.

SSH Port Forwarding is the solution
You'll need two things to make this work: an always-on, always-connected Mac OS X (or any UNIX) machine that you have SSH access to (port 22), and the program SSHTunnelManager (version 1.0.3).

This is very much like a VPN and in some ways is better than one. In fact, the latest VPNs are using proven SSL instead of IPsec. Anyway, the concept is that you use the protected SSH connection to forward all of your Internet requests to a server, which then passes them out to the Internet. Because the SSH tunnel is encrypted, eavesdroppers on the wireless network cannot snoop on your connection.

1. Set up your Sharing System Preferences pane to allow incoming SSH connections (Remote Login).

2. Open SSHTunnelManager and set it up. The most important thing here is getting SSH access to a system. If your place of employment runs Mac OS X or Unix, ask your local IT person. Otherwise you probably have a cable modem or DSL connection, and if this is the case your IP address will occasionally change. I can think of two easy ways to get your IP address when you want to connect:
1.) Set up your home system to periodically send an E-mail message to a web based account, then look in the message headers to grab the IP address.
2.) The easy way: register for a domain name at one of the many dynamic DNS providers. These work by giving you an easy to remember name, blizzard.no-ip.com for example, and then you run a client on the "home" computer. Each time your IP address changes the dynamic DNS provider is notified, so your chosen domain name points to your current dynamic IP address.

I'm familiar with:
DynamicDNS.org
No-IP.com
yi.org
but there are many others.

Here is my example:


*Note* If you have a router connected to your home broadband connection you will need to set up port forwarding on the router so that incoming connections on port 22 are relayed to your Mac OS X home computer. A wireless router is OK.

Login is your user name for the system you are ssh'ing into.

Host is the IP address or domain name. I have a login on one of the traverse.net servers so that is what I use.

Under "Tunnel Setup" click on the "+" to add each port forward. The format is the port on the local side, the destination you want to connect to, and the port you are connecting to on that destination. However, on the local side ports below 1024 are protected (only root can open them), so you need to pick higher numbered ones. That is why I chose 1100 for incoming mail and 2500 for outgoing mail - I simply took the port and added zeroes.

In my setup I am using the SSH tunnel to check mail hosted on pop.chartermi.net, where the incoming mail port is 110. Mail is sent on port 25 via smtp.charter.net, and the web proxy server is proxy.tvc.chartermi.net on port 8080.

This setup will allow me to securely and privately browse the web, check messages, and send mail over a wireless connection. You can add other services (like VNC, port 5900) using the same format.
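For reference, the same three forwards as a plain ssh command line, which is what SSHTunnelManager runs for you. This is an added example, not from the post or from SSHTunnelManager; the hostnames and ports are the ones in the post, while LOGIN and the server name are placeholders you fill in.

```shell
#!/bin/sh
# Added example (not from the post or SSHTunnelManager): the post's three
# forwards expressed as one `ssh -L` command, plus a check that each local
# port is outside the privileged range (ports below 1024 need root).
# LOGIN and HOST are placeholders; hostnames and ports are the post's own.

# One forward per line: local_port remote_host remote_port (constructed from the post).
FORWARDS='1100 pop.chartermi.net 110
2500 smtp.charter.net 25
8080 proxy.tvc.chartermi.net 8080'

# Return 0 if $1 is a usable unprivileged local port (1024-65535), 1 otherwise.
local_port_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not a number
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the ssh command equivalent to the SSHTunnelManager setup.
# $1 = login on the SSH server, $2 = its hostname or dynamic DNS name,
# $3 = optional forward list (defaults to FORWARDS above).
# -N opens no remote shell; the connection exists only for the -L forwards.
build_tunnel_cmd() {
    forwards=${3:-$FORWARDS}
    cmd="ssh -N"
    while read -r lport rhost rport; do
        if ! local_port_ok "$lport"; then
            echo "refusing local port $lport: privileged or invalid" >&2
            return 1
        fi
        cmd="$cmd -L $lport:$rhost:$rport"
    done <<EOF
$forwards
EOF
    printf '%s\n' "$cmd $1@$2"
}

# Usage (placeholders): build_tunnel_cmd LOGIN blizzard.no-ip.com
# Run the printed command, then point mail and browser at localhost:1100, 2500 and 8080.
```

The `-L local:host:port` entries map one-to-one onto the rows you add under "Tunnel Setup"; the destination hosts are reached from the SSH server, not from your laptop.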

3. After clicking 'Apply' your tunnel will show up. Click on Start and after a few seconds type in your password.

4. You now have an encrypted SSH tunnel that you can pass all of your Internet traffic through. To do this you'll need to make some changes.

In your E-mail client change the incoming mail server name to localhost and the incoming mail port to what you set up in the Preferences (in my example 1100). In Apple Mail the port is changed via the Advanced tab.

Make the same changes for the outgoing server. The server name is localhost and the port is what you used as local in SSHTunnelManager Preferences.

For your web connection set your favorite web browser to use a manual proxy: the proxy server is localhost and the port is 8080 (the local port I chose for the proxy forward).

You are now receiving, sending, and browsing the web, and no one else on the wireless network can see what you do: the traffic is encrypted between your laptop and the SSH server, and travels normally from there.

! When you're done be sure to change these settings back !