
Course - Network Security (SSZG513)

Topic - SSH Channel Types


Author and Instructor - Vineet Garg

Objective: The objective of this worksheet is to understand the channel types supported by
the SSH protocol - Session, X11, Direct TCP/IP (Local Port Forwarding) and Forwarded TCP/IP
(Remote Port Forwarding). SSH is a transport layer security protocol that opens these channel
types inside a secured transport tunnel. It is widely used in the industry by a variety of
clients (PuTTY, TTSSH, WinSCP etc.) to provide secure connections and services to and from
remote machines.

The intended purpose of this worksheet is to show secure access to the different channel
types using SSH. This worksheet DOES NOT extensively use Wireshark to demonstrate the
SSH protocol and its messages. After analysing SSL through Wireshark in the previous
worksheet, the audience is expected to be familiar enough to perform that exercise
themselves.

Prerequisite: Theoretical concepts of SSH protocol in the context of Transport Layer
Security.

Platform: The following platforms are used:

I. A laptop running Windows-8.1.

II. A virtual machine running Linux Ubuntu 14.04 LTS through Oracle VM Virtual Box
4.3.28 on above Windows-8.1 laptop. This machine should be configured to accept
SSH connection requests by installing SSH server.

Note: If you have access to a separate Linux machine that would be good enough
and in that case a virtual machine is not required. You can also jointly do this
exercise with your colleagues. E.g. one person is having a Linux laptop and the other
having a Windows laptop. These two machines should be able to communicate over
the network.

III. PuTTY installed on the Windows-8.1 laptop. It can be downloaded from
http://www.putty.org/. PuTTY is used as SSH client on the Windows laptop.

IV. Xming X server installed on the Windows-8.1 laptop. It can be downloaded from
http://sourceforge.net/projects/xming/. Xming is an X server running on the Windows
platform. It uses the X protocol over SSH to provide access to GUI based applications
from remote machines on the local host.

Channel Types: Now let us experiment with all 4 types of channels:

I. Session: After installing PuTTY, when you run it a GUI window will appear as shown
below. PuTTY can be used for a variety of connections like Rlogin, Telnet, SSH, Raw and
Serial. The host name or IP address of the remote machine can be provided in the space
given, and PuTTY automatically selects the port assigned for Telnet, Rlogin and SSH.

BITS Pilani Work Integrated Learning Programme (WILP)


Page 1 of 8, Rev-1.0

For example, PuTTY is running on the Windows laptop. The IP address of the
Ubuntu virtual machine, 192.168.1.35, is entered for SSH. Note that the Ubuntu virtual
machine is configured to obtain a separate IP address, different from the laptop's,
although it is running on the same laptop. Port 22 is selected by PuTTY for SSH.

On pressing the Open button, a login window will appear where one can provide
user name and password to login to that Ubuntu virtual machine. If a separate
physical Linux machine is used, the procedure will remain same.

Note that the username, password and all other information you use over this login
session will be encrypted, as the channel connection is established over a secured
transport tunnel using the SSH transport protocol.

PuTTY can also be configured to collect all the captured data (Wireshark type) on a text file.
Since it is one of the endpoints (SSH client), all the captured data can be seen unencrypted.
The configuration for logging is shown below:


The logs will be captured in the putty.log file, as entered in the Log file name field,
and session logging is checked for SSH packets and raw data. This needs to be done
before logging in to a remote machine. The second screenshot below shows an excerpt
of the log file, which is generated in the same folder where PuTTY was installed.

Observe in the above excerpt that the username vineet is sent in the
SSH2_MSG_USERAUTH_REQUEST message and session as the requested channel. Also
observe that the server responds with SSH2_MSG_USERAUTH_FAILURE, listing the possible
authentication methods as public key and password. The password is then sent from the
client side using the SSH2_MSG_USERAUTH_REQUEST message. The password entry is marked
as XX XX because, in the above PuTTY configuration, Omit known password fields is
checked. You are encouraged to compare the Wireshark capture with the PuTTY logs. To do
this, Wireshark capturing needs to be started before starting the PuTTY session. In
Wireshark, provide SSH as the filter entry to see only the SSH packets exchanged.

Review Questions:

(1) You will not be able to locate the SSH2_MSG_USERAUTH etc. messages in the Wireshark
captures. Why? So how did PuTTY provide more details?

(2) Try doing the Rlogin or Telnet to the same remote machine (e.g. Ubuntu VM in this case)
and compare the Wireshark logs. What is the fundamental difference other than the
protocol messages? (You may have to configure the remote machine for accepting Rlogin
and Telnet connection requests).

II. X11: The session channel type provides mainly text based interface to execute
commands over the shell of the remote machine (remote access). In case we want to
access any GUI based application (e.g. LibreOffice on Linux) from the remote
machine on this laptop in a secured way, a plain session will not support that. Now
let us see how it can be done running an Xming X server on the Windows laptop and
establishing an SSH connection with the remote machine.

Run the Xming X server installed previously. It will run in the background and it will enable
the SSH client (PuTTY) to have a GUI based X11 session on the local Windows machine.
Configure the PuTTY for X11 forwarding as shown below:

Now run the SSH session with the remote machine as it was done for the previous session
channel type. Once you are logged in, you can run any GUI based application (xclock,
LibreOffice, xterm etc.) from the Windows laptop. A few screenshots are given below for
running xclock, xterm and LibreOffice from the Windows laptop.

In the PuTTY log, you can also notice that requested channel type is X11 in the
SSH2_MSG_CHANNEL_OPEN message as shown in the screenshot below:


III. Local Port Forwarding (Direct TCP/IP): Review the basic requirements and concepts of
Local Port Forwarding from the lecture slides. It is used for accessing a service
securely and locally which is running on a remote machine. This can be provided by
SSH protocol as one of the supported channels.

In this worksheet, a web site will be opened on the Ubuntu VM using TCP port 80 and HTTP
protocol and it will be accessed on the Windows machine using a local Windows based
browser. All this HTTP traffic will be forwarded over the secured transport tunnel provided
by SSH between Ubuntu and local Windows laptop. Windows is running PuTTY as SSH client
from some port. The HTTP traffic received on this port will be forwarded to the specified port.

The SSH tunnel is configured as shown below. Note that rediffmail.com on HTTP port 80 is
set as destination and source is set as 4000 on the local (Windows) machine. Below that
button Local and Auto (either IPv4 or IPv6) is selected. Once these entries are made, press
Add button.


PuTTY logging details and Ubuntu SSH server IP address can be provided as before in the
PuTTY Session.

Once all this is done, connect to the remote Ubuntu machine providing the username and
password as it was done before. Now, from a web browser on the local Windows machine,
type localhost:4000/. You will notice that the rediffmail.com website will be opened.
Actually, this site was accessed on the Ubuntu machine, passed over the SSH tunnel and
then forwarded to port 4000 on the local machine.

If you analyse the PuTTY logs you would notice that the first SSH2_MSG_CHANNEL_OPEN had a
parameter called session and after some time it was sent again with the parameter
direct-tcpip as shown below:

Review Questions:

(1) If you had run the Wireshark, you would not notice any HTTP messages. Why?

(2) What could be the possible applications of direct-tcpip (local port forwarding) in real life?


IV. Remote Port Forwarding (Forwarded TCP/IP): Review the basic requirements and
concepts of Remote Port Forwarding from the lecture slides. It is used for accessing a
service securely and remotely which is running on a local machine. This can be
provided by SSH protocol as one of the supported channels.

In this worksheet, a web site will be opened on the Windows laptop using TCP port 80
and HTTP protocol and it will be accessed on the Ubuntu machine using a Linux based
browser. All this HTTP traffic will be forwarded over the secured transport tunnel
provided by SSH between Windows laptop and Ubuntu machine and then forwarded to the
specified port.

The SSH tunnel is configured as shown below. Note that google.com on HTTP port 80 is
set as destination and source is set as 4040 on the local (Ubuntu) machine. Below that
button Remote and Auto (either IPv4 or IPv6) is selected. Once these entries are made,
press Add button.

PuTTY logging details and Ubuntu SSH server IP address can be provided as before in the
PuTTY Session. Once all this is done, connect to the remote Ubuntu machine providing the
username and password as it was done before. Now from a web browser on the Ubuntu
machine type localhost:4040/. You will notice that google.com website will be opened up.
Actually, this site was accessed on the Windows machine and passed over the SSH tunnel
and then forwarded to port 4040 on the remote machine (Ubuntu).

If you analyse the PuTTY logs you would notice that the first SSH2_MSG_CHANNEL_OPEN had a
parameter called session and after some time it was sent again with the parameter
forwarded-tcpip as shown below:

Review Questions:

(1) In remote port forwarding, if SSH client is started from the remote machine what will be
different in the procedure? Where will you run the browser?
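
The SSH2_MSG_CHANNEL_OPEN messages seen in the PuTTY logs for all four channel types share one layout, defined in RFC 4254. The following added example (not part of the original worksheet) decodes that payload as it looks after decryption; the sample messages are constructed test data, and the channel number, window sizes and originator addresses in them are assumptions.

```python
import struct

SSH_MSG_CHANNEL_OPEN = 90  # RFC 4254 message number; PuTTY logs it as SSH2_MSG_CHANNEL_OPEN

# Type-specific fields that follow the common header (RFC 4254 sections 6.3.2 and 7.2).
ORIGIN = [("originator_address", "string"), ("originator_port", "uint32")]
EXTRA_FIELDS = {
    "session": [],
    "x11": ORIGIN,
    "direct-tcpip": [("host_to_connect", "string"), ("port_to_connect", "uint32")] + ORIGIN,
    "forwarded-tcpip": [("connected_address", "string"), ("connected_port", "uint32")] + ORIGIN,
}

def _uint32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated uint32")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _string(buf, off):
    n, off = _uint32(buf, off)  # SSH strings are length-prefixed
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n].decode("utf-8"), off + n

def parse_channel_open(payload):
    """Decode the decrypted payload of an SSH_MSG_CHANNEL_OPEN message."""
    if not payload or payload[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not SSH_MSG_CHANNEL_OPEN")
    msg, off = {}, 1
    msg["channel_type"], off = _string(payload, off)
    for name in ("sender_channel", "initial_window", "max_packet"):
        msg[name], off = _uint32(payload, off)
    for name, kind in EXTRA_FIELDS.get(msg["channel_type"], []):
        msg[name], off = (_string if kind == "string" else _uint32)(payload, off)
    return msg

def build_channel_open(ctype, *extra):
    """Construct a sample payload (test data only, not captured traffic)."""
    def enc(v):
        return struct.pack(">I", v) if isinstance(v, int) else struct.pack(">I", len(v)) + v.encode()
    return bytes([SSH_MSG_CHANNEL_OPEN]) + b"".join(map(enc, (ctype, 256, 0x4000, 0x4000) + extra))

# Constructed samples mirroring the worksheet's two tunnels (ports 4000 -> rediffmail.com:80, 4040).
LOCAL_FWD = build_channel_open("direct-tcpip", "rediffmail.com", 80, "127.0.0.1", 51000)
REMOTE_FWD = build_channel_open("forwarded-tcpip", "localhost", 4040, "127.0.0.1", 51001)

for sample in (LOCAL_FWD, REMOTE_FWD, build_channel_open("session")):
    print(parse_channel_open(sample))
```

Note that a forwarded-tcpip open carries the address and port that were connected on the listening side (4040 here), not the final destination; the client maps that port to the destination configured in the tunnel.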
