Encrypt connections with SSH

For applications that use simple TCP/IP-based protocols, it is recommended to use some kind of wrapper to encrypt the traffic. The easiest way is to use something already at hand: SSH.

Encapsulating (or "tunneling") a TCP/IP connection can be useful when you want to access an internal (behind the CERN firewall) server from a workstation outside CERN. An example of encrypting X11 inside SSH is available here; another example, for VNC, is here. This example shows how to access a web site that cannot be browsed from outside CERN.

forwarded HTTP session

If a web site cannot be browsed from outside CERN, you must encapsulate the HTTP protocol in an encrypted SSH connection to a CERN host, which will forward it to the web server on your behalf.

The method of encapsulating the HTTP connection is the following:

  1. Select the target server, e.g. website.web.cern.ch, which runs the web service. You also have to know the port of the service on the target server, usually 80 or 443 (HTTPS).

  2. Select a trusted SSH server inside CERN, e.g. lxplus.cern.ch.

  3. Establish an SSH connection from your workstation to the trusted SSH server with local port forwarding.

  4. Point the web browser on your workstation at the forwarded local port.

The local port forwarding option specifies that the given port on the local (client) host is to be forwarded to the given target server and target port on the remote side. This works by allocating a socket to listen on the port on the local side. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made from the remote machine to the target server on the target port.

Tunneling using a Linux Workstation

You need one terminal window and one web browser to establish this secure connection:

  • From the terminal window:

      $ ssh -L 2080:website.web.cern.ch:80 lxplus.cern.ch

    You have to log into LXPLUS using your password.

  • On your web browser, enter the following URL:

      http://localhost:2080/website/

    You can browse the otherwise unreachable website.web.cern.ch.

You may use the verbose option in the SSH client to debug the activity. You will see the following lines in the output, after you have logged into the SSH server:

  $ ssh -v -L 2080:website.web.cern.ch:80 lxplus.cern.ch
  debug1: Connections to local port 2080 forwarded to remote address website.web.cern.ch:80
  debug1: Local forwarding listening on port 2080.

And when a connection to the local port is started:

  debug1: Connection to port 2080 forwarding to website.web.cern.ch port 80 requested.

If everything works perfectly you may optionally configure your SSH client to use Kerberos or PKI authentication, so it will not ask for any password to establish the connection. In this case you can set up a port forwarding as a background process:

  $ ssh -q -N -L 2080:website.web.cern.ch:80 lxplus.cern.ch

You may get more information on the local port forwarding option from the SSH or the ssh_config manual pages.

This setup is excellent when you rarely connect to a machine from outside CERN, or when you use different source hosts (e.g., you are on a trip). If you log in frequently from the same external computers to the same internal computers, check how to automate the tunneling process and log in in just one step.

Tunneling using a Windows PC

There are several SSH clients for Windows that you can use. Here we give a guide for PuTTY, which is easy to install on any machine and available via CERN NICE.

  1. You have to set the SSH server:

    [Screenshot: PuTTY SSH session]

  2. Add a new forwarding specification in the Connection/SSH/Tunnels panel:

    [Screenshot: PuTTY local port forwarding settings]

  3. Don't forget to press the "Add" button before opening the connection!

    [Screenshot: PuTTY local port forwarding settings]

If you prefer the command line, then you can use plink, similar to the SSH client on a Linux workstation:

  1. Start → Run... → Open: "cmd"

      C:\> plink -ssh -L 2080:website.web.cern.ch:80 lxplus.cern.ch

  2. Open your web browser and browse: http://localhost:2080/website/


  • Only root can forward privileged ports, so it is usually better to choose one above 1024 as the local port.
  • The local port on your workstation will be visible only to the local host, so you cannot connect to it from a second computer.
  • The TCP connection between the SSH server and the target server will not be encrypted! If you don't trust the network between these machines, then don't use this approach! But ...
  • ... you may set the SSH server and the target server to the same, so you won't use any unencrypted network connection (it is inside the server), e.g.: $ ssh -L 2080:lxplus.cern.ch:23 lxplus.cern.ch
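
The notes above can be checked mechanically before a tunnel is opened. The following shell function is an added example, not part of the original guide: the name audit_forward and its messages are hypothetical, and it assumes the default GatewayPorts setting (a listener without an explicit bind address is loopback-only).

```shell
#!/bin/sh
# Added example, not from the original page: check one "ssh -L" forwarding
# spec against the notes on this page before opening the tunnel.
# Usage: audit_forward SPEC SSH_SERVER
#   SPEC is [bind_address:]port:host:hostport (bracketed IPv6 is not handled).
# Prints one line per finding. Returns 0 = clean, 1 = findings, 2 = bad spec.
audit_forward() {
    spec=$1; server=$2; bind=localhost; findings=0
    # Split on ':' with globbing off, so a '*' bind address stays literal.
    old_ifs=$IFS; IFS=:; set -f
    set -- $spec
    set +f; IFS=$old_ifs
    case $# in
        3) lport=$1; host=$2; hport=$3 ;;
        4) bind=$1; lport=$2; host=$3; hport=$4 ;;
        *) echo "ERROR: expected [bind_address:]port:host:hostport"; return 2 ;;
    esac
    for p in "$lport" "$hport"; do
        case $p in
            ''|*[!0-9]*|??????*) echo "ERROR: bad port '$p'"; return 2 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "ERROR: port $p is out of range"; return 2
        fi
    done
    [ -n "$host" ] || { echo "ERROR: empty target host"; return 2; }
    # Note 1: binding a privileged local port needs root.
    if [ "$lport" -lt 1024 ]; then
        echo "WARN: local port $lport is privileged; choose one above 1024"
        findings=$((findings + 1))
    fi
    # Note 2: an empty or '*' bind address, or any non-loopback one, exposes
    # the forwarded port to other computers.
    case $bind in
        localhost|127.0.0.1) ;;
        *) echo "WARN: listener on '${bind:-*}' is reachable from other hosts"
           findings=$((findings + 1)) ;;
    esac
    # Notes 3 and 4: traffic leaves the SSH channel at the SSH server, unless
    # the target is the SSH server itself ("localhost" is resolved there).
    case $host in
        "$server"|localhost|127.0.0.1) ;;
        *) echo "WARN: hop $server -> $host:$hport is not protected by SSH"
           findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# The two forwardings used on this page; "|| true" keeps set -e callers alive.
audit_forward 2080:website.web.cern.ch:80 lxplus.cern.ch || true
audit_forward 2080:lxplus.cern.ch:23 lxplus.cern.ch || true
```

The first call reports the unencrypted hop from lxplus.cern.ch to website.web.cern.ch; the second, where the SSH server and the target are the same host, reports nothing.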