Tuesday, March 9, 2010

Tunneling with plink (PuTTY)

This establishes a putty/ssh/plink connection from windows so a nonsecure application can be tunneled through it and then can be closed cleanly.

What is plink?
It's a command line version of PuTTY

What does tunneling mean?
In the case being presented here, any activity that will go to a port on the localhost will do what it should do on the remote site, but do it securely.

No, really, what does that mean?
Let's say you hear that telnet or mysql or ftp isn't that secure, because passwords are flying over the Internet in clear text. That is bad because that password or data isn't encrypted. Yes, I know about sftp, psftp, advanced mysql configuration, ssh, etc. Calm down a bit. If an application doesn't support secure communication, this is what ssh tunneling is about -- providing the secure "tunnel" to do those things.

How do I do it?
1) Make the link
open a command prompt
plink -ssh -L 21:localhost:21 remoteusername@remotedomain

2) use the link
open another command prompt
ftp localhost
and do what you want.

This only works if the remote site is running an ftp server on localhost. (huh?) It means, it only works if the site you want to connect to is listening for ftp connections on (localhost). If it's listening for ftp connections on a local IP address, change localhost in the Plink connection to the local IP address of the REMOTE server. You will still on the local side connect to localhost.

plink -ssh -L 3306:localhost:3306 remoteusername@remotedomain (for use with mysql running on the remote domain. Again, if mysql is listening on a specific IP address, change localhost to the IP address that is configured for mysql.)

Don't forget... this is intended for the *client* applications connecting to the port on the local machine. It will be transparent to the application, but connect to the remote server. Oh, btw, this now establishes the connection securely.

Why would you do this in plink? Frankly, I don't know, except plink was designed for scripting. Most of the examples you'll find on the Internet say, "Usually Plink is not invoked directly by a user, but run automatically by another process. Therefore you typically do not want Plink to prompt you for a user name or a password." Plink is designed to run interactively with things like scp. You should check the furnished manual about that, especially how to put plink in the path, and I strongly suggest you create, save and use all the options (putty session) to minimize the interactivity.

Here's a fun script, though: WARNING! This creates and deletes a file called goawaynow on the remote server!

FIRST sample batch (scheduled?) to connect:
plink puttysessionname rm goawaynow
plink puttysessionname until (test -e goawaynow); do true; done; exit

SECOND run a command like this in another batch (scheduled) after you do the first:
mysqldump -h localhost dbname > dump.sql
plink puttysessionname touch goawaynow

(What does it do?)
First, understand that there is a lot of different customization that can be made to establish the plink connection. Don't be afraid to make changes. But you should necessarily run the two batches separately. The first connect batch removes the goawaynow file. The next line establishes the port forwarding and keeps the link open. The configuration is within the putty session, but you still need to append the until stuff. It basically says, "until goawaynow exists, do nothing, and after goawaynow exists, exit."

The second batch does whatever it needs with the connection, then the next line is supposed to create the goawaynow file, which closes the connection (because the infinite loop above is testing for it).

I'd also like to point to http://thinkhole.org/wp/2006/05/10/howto-secure-firefox-and-im-with-putty/ which has really good comments to make what I said above better. (-qTfNnL?)

No comments:

Blog Archive