====== SSH Tutorials ======

==== Creating an SSH Tunnel ====

Creating an SSH tunnel to IPCOP is another way to build an encrypted tunnel between your computer and IPCOP. It gives you remote access to computers behind IPCOP without installing additional software (such as OpenVPN). Note that the tunnel only carries the single port you forward; it is not a full VPN.

  - Enable External Access to IPCOP on port 222 (Firewall - External Access). Restrict the source IP to your own address where you can, because this exposes the firewall's root SSH login to the Internet.
  - Connect to IPCOP via SSH using:

<code bash>
ssh -p 222 -N -f -L 12345:10.0.0.20:23 root@ipcop.fqn
</code>

where 12345 is the local port to listen on, 10.0.0.20 is the remote computer, 23 is the port on the remote computer, and ipcop.fqn is the address of your IPCOP box.

Full explanation of the options used above:

^ Option ^ Meaning ^
| ''-p 222'' | SSH port (IPCOP listens on 222 rather than the usual 22). |
| ''-N'' | Do not run a remote command; only set up the port forwarding. |
| ''-f'' | Go to the background once authentication has succeeded. |
| ''-L'' | Local port forwarding, described by the next parameter. |
| ''12345'' | The local port. By default it is bound to 127.0.0.1 only, so other machines on your LAN cannot use the tunnel. |
| ''10.0.0.20'' | Remote server, as IPCOP sees it (normally a host on GREEN). |
| ''23'' | Remote port number. |
| ''root@ipcop.fqn'' | Connect to your IPCOP firewall as root. |

Anything you send to 127.0.0.1:12345 on your own machine is carried over SSH to IPCOP and delivered from there to 10.0.0.20:23. The traffic is encrypted only between you and IPCOP; the last hop inside the LAN is whatever the forwarded protocol provides (telnet on port 23, as in the example, is clear text). The forward only works if ''AllowTcpForwarding yes'' is set in IPCOP's sshd configuration; see "Optional Additional Security" below.

If you are on Windows, you can create a tunnel with PuTTY by doing the following:

  - Connect via SSH
  - Right click on the title bar and select Change Settings
  - On the left side, select Connection - SSH - Tunnels
  - Under Source port put 1000 (this is the port our connecting program will use)
  - Under Destination put [ip.of.remote.computer]:[port of remote server] (this is the port we want to connect to)
    * For RDP, use remote port 3389
    * For VNC, use remote port 5900 (display :0; 5800 is the browser/Java viewer port, not the one VNC Viewer connects to)
    * For MySQL, use remote port 3306
  - Click Add
  - Click Apply
  - Open your remote control program
    * For RDP, open Remote Desktop Connection
    * For VNC, open VNC Viewer
    * For MySQL, open MySQL Administrator or MySQL Query Browser as needed
    * If it only has one field for the remote computer, enter 127.0.0.1:1000
    * If it has separate fields for computer and port, enter 127.0.0.1 for the computer and 1000 for the port
  - Click Connect

==== SSH with Private Keys ====

You may want to allow access to IPCOP without having to type a password, using a private key instead.
The following tutorial is written for Windows users using PuTTY.

=== Creating public/private keys with PuTTYgen ===

  * Open PuTTYgen (see Figure 1)

{{:faq:tutorials:puttygen-step0.png|}}
Figure 1: PuTTYgen initial menu

  - Under the Parameters section, make sure SSH-2 RSA is selected
  - Click on 'Generate'
  * Generate the keys (see Figure 2); move the mouse over the blank area to supply the randomness PuTTYgen asks for

{{:faq:tutorials:puttygen-step1.png|}}
Figure 2: PuTTYgen generating keys

  * Personalize your settings (see Figure 3)

{{:faq:tutorials:puttygen-step2.png|}}
Figure 3: PuTTYgen personalize settings

  - Set your comment
  - Enter a passphrase
  - Re-enter the passphrase. Do use one: the private key file alone is enough to log in as root on your firewall, and the passphrase is the only protection if that file is copied.
  * Save your settings (see Figure 4)

{{:faq:tutorials:puttygen-step3.png|}}
Figure 4: PuTTYgen personalized settings

  - Save the public key (we will use this file in the additional steps section)
  - Save the private key
  - Copy the key string from the box labelled "Public key for pasting into OpenSSH authorized_keys file". Copy the whole line, including the leading ''ssh-rsa'' and the trailing comment (in the above example, the base64 part starts with 'AAAAB' and ends with 'fbV8'). The public key //file// you saved is in a different format (RFC 4716) and cannot be pasted as-is; see the additional steps section.

=== Enable SSH on IPCOP with public key ===

Connect to IPCOP via SSH (on Windows use PuTTY).

  - Run the following commands:

<code bash>
cd /root
mkdir .ssh
chmod 700 .ssh
cd .ssh
touch authorized_keys2
chmod 600 authorized_keys2
vi authorized_keys2
</code>

  - Go into insert mode (i)
  - Paste the public key (right click in PuTTY). It must end up as a single line.
  - Save and exit vi with '':wq!''

''authorized_keys2'' is a legacy file name. Upstream OpenSSH still reads both ''authorized_keys'' and ''authorized_keys2'' by default, but some distributions configure only the former, so on systems other than IPCOP prefer ''authorized_keys''.

== Optional Additional Security ==

The following are steps you may want to take. If you change the SSH settings via the web interface, IPCOP rewrites the configuration file and you will have to apply these changes again.
We will be editing the SSH daemon configuration file located at ''/etc/ssh/sshd_config''. Keep your current SSH session open while you do this and test a fresh login with the key in a second window before closing it; if a setting is wrong you can still repair it from the first session.

  - Disable SSH1 (protocol 1 has known weaknesses and is not needed by PuTTY or OpenSSH clients)
    * Find: ''Protocol 2,1''
    * Change to: ''Protocol 2''
  - Disable password authentication (only after you have confirmed that key login works)
    * Find: ''PasswordAuthentication yes''
    * Change to: ''PasswordAuthentication no''
  - Allow TCP forwarding (required for the tunnels described above)
    * Find: ''AllowTcpForwarding no''
    * Change to: ''AllowTcpForwarding yes''

Now make sshd reload its configuration file. Check the file for syntax errors first, then send sshd a HUP. The pid must come from command substitution (backticks or ''$(...)''); plain single quotes around ''cat /var/run/sshd.pid'' will not work:

<code bash>
sshd -t && kill -HUP $(cat /var/run/sshd.pid)
</code>

Existing connections stay open; only new connections see the new settings.

=== Connecting to IPCOP with public keys - PuTTY ===

To connect to IPCOP with your key pair, do the following:

{{:faq:tutorials:puttykey-step0.png|}}
Figure 5: PuTTY public key setup

  - Open PuTTY
  - Go to Connection - SSH - Auth (see Figure 5)
  - Specify your private key file (the .ppk saved from PuTTYgen); you will be asked for its passphrase at login

=== Connecting to IPCOP with public keys - Additional steps ===

If you get the error message 'Server refused our key', the usual cause is that the key in ''authorized_keys2'' is not in OpenSSH's one-line format, for example because the PuTTYgen-saved public key file (RFC 4716 format) was pasted in directly. Convert it as follows:

  - Copy the public key file to IPCOP (see section 3.8).
  - Run the following commands:
    * To add to your authorized keys file:

<code bash>
ssh-keygen -i -f /path/to/public_key >> ~/.ssh/authorized_keys2
</code>

    * To replace your authorized keys file:

<code bash>
ssh-keygen -i -f /path/to/public_key > ~/.ssh/authorized_keys2
</code>

''ssh-keygen -i'' reads the RFC 4716 file and prints the equivalent ''ssh-rsa AAAA...'' line. Other common causes of the same error are wrong permissions (''~/.ssh'' must be mode 700 and the key file mode 600, both owned by root) and a key line that was wrapped over several lines when pasted.
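The "Enable SSH on IPCOP with public key", "Optional Additional Security" and "Additional steps" procedures above can be captured in a few shell functions so that they can be re-run safely after the web interface has rewritten ''sshd_config''. The script below is an added example written for this page; it is not part of the IPCOP wiki or the IPCOP project. It uses the file names from the tutorial, detects whether a public key file is in OpenSSH or PuTTYgen (RFC 4716) format and only calls ''ssh-keygen -i'' when the latter, and edits ''sshd_config'' idempotently. The sample key and configuration lines used for testing are constructed, not real.

```shell
#!/bin/sh
# Added example, not part of the IPCOP wiki: the public-key install,
# sshd_config hardening and key-format conversion steps from the tutorial
# as idempotent POSIX-sh functions. File names follow the tutorial; the
# sample key and config used to exercise them are constructed.

# key_format FILE -> prints "openssh", "rfc4716" or "unknown".
# PuTTYgen's "Save public key" writes RFC 4716; its paste box gives OpenSSH.
key_format() {
    first=$(head -n 1 "$1" | tr -d '\r')      # tolerate Windows line ends
    case "$first" in
        "---- BEGIN SSH2 PUBLIC KEY ----") echo rfc4716 ;;
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*|"ssh-dss "*) echo openssh ;;
        *) echo unknown ;;
    esac
}

# install_pubkey KEYFILE [AUTHKEYS]
# Creates the .ssh directory with the permissions sshd insists on and appends
# the key as one OpenSSH line, converting with ssh-keygen -i when needed.
# Returns 1 and touches nothing if the format is not recognised.
install_pubkey() {
    keyfile=$1
    authkeys=${2:-"$HOME/.ssh/authorized_keys2"}
    case $(key_format "$keyfile") in
        openssh) line=$(head -n 1 "$keyfile" | tr -d '\r') ;;
        rfc4716) line=$(ssh-keygen -i -f "$keyfile") || return 1 ;;
        *) echo "install_pubkey: unrecognised key format in $keyfile" >&2; return 1 ;;
    esac
    dir=$(dirname "$authkeys")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$authkeys" && chmod 600 "$authkeys"
    # Do not add the same key twice (-F: the key line is not a regex).
    grep -qxF "$line" "$authkeys" || printf '%s\n' "$line" >> "$authkeys"
}

# set_sshd_option CONFIG KEY VALUE
# Replaces every "KEY ..." line, commented out or not, with "KEY VALUE", or
# appends it if absent, so the result is the same however often it runs.
# VALUE must not contain '/' or '&' (it goes into a sed replacement).
set_sshd_option() {
    cfg=$1; key=$2; val=$3; tmp="$cfg.tmp"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$cfg"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$/$key $val/" "$cfg" > "$tmp" \
            && mv "$tmp" "$cfg"
    else
        printf '%s %s\n' "$key" "$val" >> "$cfg"
    fi
}

# get_sshd_option CONFIG KEY -> value of the first uncommented KEY line
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd CONFIG: the three changes from "Optional Additional Security".
# Run only after install_pubkey and a successful test login with the key,
# keeping a second session open; then reload with:
#   sshd -t && kill -HUP $(cat /var/run/sshd.pid)
harden_sshd() {
    set_sshd_option "$1" Protocol 2
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" AllowTcpForwarding yes
}
```

Typical use on IPCOP, after copying the PuTTYgen file across: ''install_pubkey /root/key.pub && harden_sshd /etc/ssh/sshd_config && sshd -t && kill -HUP $(cat /var/run/sshd.pid)''. Because ''set_sshd_option'' also matches commented-out lines, it repairs a file the web interface has regenerated instead of leaving a commented default and an active duplicate.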
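Returning to the tunnel command in "Creating an SSH Tunnel" at the top of this page: the one-liner there works, but with ''-f'' ssh goes to the background whether or not the forward was actually set up, so a local port that is already in use gives you a tunnel that silently does nothing. The wrapper below is an added example for this page, not code from the IPCOP wiki or project. It validates the ports, pins the listener to loopback and adds ''ExitOnForwardFailure'' so a failed forward is reported. The host names and ports are the tutorial's placeholders and the ''RUN_TUNNEL'' variable is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the IPCOP wiki: a wrapper around the tunnel command
# in "Creating an SSH Tunnel". Host names and ports are the tutorial's
# placeholders (ipcop.fqn, 10.0.0.20), not real systems.

# is_port N -> 0 if N is a TCP port number, 1 otherwise
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_cmd LOCAL_PORT REMOTE_HOST REMOTE_PORT GATEWAY [SSH_PORT]
# Prints the ssh command for LOCAL_PORT -> REMOTE_HOST:REMOTE_PORT via GATEWAY
# (SSH_PORT defaults to 222, IPCOP's SSH port).
tunnel_cmd() {
    lport=$1; rhost=$2; rport=$3; gw=$4; sshport=${5:-222}
    if ! is_port "$lport" || ! is_port "$rport" || ! is_port "$sshport"; then
        echo "tunnel_cmd: ports must be 1-65535" >&2; return 1
    fi
    if [ -z "$rhost" ] || [ -z "$gw" ]; then
        echo "tunnel_cmd: remote host and gateway are required" >&2; return 1
    fi
    # 127.0.0.1: listen on loopback only. This is already the default unless
    #   GatewayPorts is set in ssh_config, but stating it makes the intent clear.
    # ExitOnForwardFailure=yes: otherwise -f backgrounds ssh even when the
    #   local port is taken, leaving a dead tunnel with no error message.
    # ServerAliveInterval=30: notice a dropped connection instead of hanging.
    printf 'ssh -p %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -N -f -L 127.0.0.1:%s:%s:%s root@%s\n' \
        "$sshport" "$lport" "$rhost" "$rport" "$gw"
}

# tunnel_up LOCAL_PORT -> 0 if something listens on 127.0.0.1:LOCAL_PORT.
# Uses ss or netstat, whichever the client machine has.
tunnel_up() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$1[[:space:]]"
    else
        netstat -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$1[[:space:]]"
    fi
}

# Usage: RUN_TUNNEL=1 sh tunnel.sh starts the tutorial's tunnel
# (127.0.0.1:12345 on this machine -> 10.0.0.20:23 through ipcop.fqn).
if [ "${RUN_TUNNEL:-0}" = 1 ]; then
    cmd=$(tunnel_cmd 12345 10.0.0.20 23 ipcop.fqn) || exit 1
    eval "$cmd" && tunnel_up 12345 && echo "tunnel listening on 127.0.0.1:12345"
fi
```

Once the tunnel is up, ''telnet 127.0.0.1 12345'' (or an RDP/VNC client pointed at the local port, as in the Windows steps) reaches the host behind IPCOP. Remember that the forward still depends on ''AllowTcpForwarding yes'' on the IPCOP side.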