SSH Tunnelling

SSH, the Secure Shell, is a standard protocol that encrypts communications between your computer and a server. The encryption prevents these communications from being viewed or modified by network operators. SSH can be used for a wide variety of secure communications applications, where secure log-in to a server and secure file transfers (SCP or SFTP) are the most common.

SSH is especially useful for censorship circumvention because it can provide encrypted tunnels and work as a generic proxy client. Censors may be reluctant to block SSH entirely because it is used for many purposes other than circumventing censorship; for example, it is used by system administrators to administer their servers over the Internet.

Using SSH requires an account on a server machine, generally a Unix or Linux server. For censorship circumvention, this server needs to have unrestricted Internet access and, ideally, is operated by a trusted contact. Some companies also sell accounts on their servers, and many Web hosting plans provide SSH access. You can find a list of shell account providers, which sell accounts for about 2-10 US dollars a month, at http://www.google.com/Top/Computers/Internet/Access_Providers/Unix_Shell_Providers/.

An SSH program called OpenSSH is already installed on most Unix, Linux, and Mac OS computers as a command-line program run from a terminal as "ssh." For Windows, you can also get a free SSH implementation called PuTTY.

All recent versions of SSH support creating a SOCKS proxy that can let a Web browser and a wide variety of other software use the encrypted SSH connection to communicate with the unfiltered Internet. In this example, we will describe only this use of SSH. The steps below will set up a SOCKS proxy on local port 1080 of your computer using a shell account called "accountname@example.com".

Linux/Unix and MacOS command-line (with OpenSSH)

OpenSSH is available from http://www.openssh.com/, but it comes pre-installed on Linux/Unix and Mac OS computers. You will need a shell account on a server with an unrestricted Internet connection.

The ssh command you'll run contains a local port number (typically 1080), a server name, and a username (account name). It looks like this:

ssh -D localportnumber accountname@servername

You'll be prompted for your password and then you'll be logged into the server. With the use of the -D option, a local SOCKS proxy will be created and will exist as long as you're connected to the server. You can now proceed to verifying the host key and configuring your applications.
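The same command, wrapped in a small script as an added example (it is not part of the original article or of OpenSSH's own documentation): it binds the SOCKS listener to loopback only, asks for no remote shell, refuses unknown host keys, and reconnects when the session drops. The OpenSSH options used are real options; the port and account name are the article's placeholders.

```shell
#!/bin/sh
# Start a local SOCKS proxy over SSH, as the article describes, with a few
# extra OpenSSH options a careful user would add. Added example, not from
# the original article; "accountname@example.com" and port 1080 are the
# article's placeholders.

# Accept only a TCP port in the unprivileged range, so a typo such as "108O"
# is caught before ssh is invoked.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Assemble the ssh command. The options:
#   -N                           no remote shell; only the tunnel is wanted
#   -D 127.0.0.1:PORT            bind the SOCKS listener to loopback only, so
#                                other machines on the LAN cannot use it
#   -o ExitOnForwardFailure=yes  fail loudly if the port is already in use
#                                instead of leaving a session with no proxy
#   -o StrictHostKeyChecking=yes refuse unknown or changed host keys (see the
#                                "Host key verification" section below)
#   -o ServerAliveInterval=30    notice a dead connection within a minute
build_ssh_cmd() {
    # $1 = local port, $2 = account@server
    validate_port "$1" || { echo "bad port: $1" >&2; return 1; }
    printf 'ssh -N -D 127.0.0.1:%s -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -o ServerAliveInterval=30 %s\n' "$1" "$2"
}

# Run the tunnel and restart it when the connection drops (the article notes
# that an interrupted connection otherwise means repeating the steps by hand).
run_tunnel() {
    # $1 = local port, $2 = account@server
    cmd=$(build_ssh_cmd "$1" "$2") || return 1
    while :; do
        echo "starting: $cmd" >&2
        $cmd        # word splitting is intentional: no argument contains spaces
        echo "tunnel exited (status $?); reconnecting in 5s" >&2
        sleep 5
    done
}

# Usage: socks_tunnel.sh 1080 accountname@example.com
if [ "$#" -eq 2 ]; then
    run_tunnel "$1" "$2"
fi
```

Because the script passes -N, no shell prompt appears on the server; the tunnel is up as soon as ssh has authenticated, and it exits with a non-zero status if port 1080 is already taken rather than silently running without a proxy.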

Windows graphical user interface (with PuTTY)

PuTTY is available from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. You can save the putty.exe program on your hard drive for future use, or run it directly from the Web site (often, this is possible on a shared or public-access computer, such as a computer in a library or Internet café).

When you start PuTTY, a session configuration dialog appears. You first enter the host name (address) of the SSH server you are going to connect to (here, "example.com"). If you only know the IP address or if DNS blocking is preventing you from using the host name, you can use the IP address instead. If you will perform these steps frequently, you can optionally create a PuTTY profile that saves these options as well as the options described below so they will be used every time.

[Screenshot: PuTTY session configuration dialog]

Next, in the Category list, select Connection, then SSH, then Tunnels.

Enter 1080 for the Source port, and check the "Dynamic" and "IPv4" boxes.

[Screenshot: PuTTY SSH Tunnels settings]

Now click the "Add" button, then the "Open" button. A connection is established to the server, and a new window is opened prompting for your username and password.

[Screenshot: PuTTY login prompt for example.com]

Enter this information and you will be logged into the server and receive a command line prompt from the server. The SOCKS proxy is then established.

[Screenshot: shell prompt after logging in as accountname@example.com]

Host key verification

The first time you connect to a server, you should be prompted to confirm the host key fingerprint for that server. The host key fingerprint is a long sequence of letters and numbers (hexadecimal) like 57:ff:c9:60:10:17:67:bc:5c:00:85:37:20:95:36:dd that securely identifies a particular server.

Checking the host key fingerprint is a security measure to confirm that you are communicating with the server you think you are, and that the encrypted connection cannot be intercepted. (SSH does not provide a means of verifying this automatically. To get the benefit of this security mechanism, you should try to check the value of the host key fingerprint with the administrator of the server you're using, or ask a trusted contact to try connecting to the same server to see if they see the same fingerprint.)

Verifying host key fingerprints is important for ensuring that SSH protects the privacy of your communications against eavesdropping, but it isn't necessary if you only want to circumvent censorship and don't care if network operators can see the contents of your communications.
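One way to carry out that check from the command line, as an added example that is not from the article: fetch the server's keys with ssh-keyscan, compute their fingerprints with ssh-keygen, and compare them against the value the administrator gave you before anything is written to known_hosts. The host name, port and expected fingerprint are placeholders you supply; "-E md5" produces the colon-separated form shown above, while current OpenSSH prints SHA256 fingerprints by default.

```shell
#!/bin/sh
# Verify an SSH server's host key fingerprint against a value obtained out of
# band (for example, read to you by the server's administrator) before the
# key is trusted. Added example, not from the original article; HOST, PORT and
# the expected fingerprint are placeholders supplied on the command line.

# Print the fingerprint of each key in a public-key or known_hosts file.
# -E selects the hash: "md5" gives the colon-separated form the article shows,
# "sha256" is what current OpenSSH prints by default.
fingerprints_of() {
    # $1 = key file, $2 = md5 | sha256
    ssh-keygen -l -E "$2" -f "$1" | awk '{print $2}'
}

# Return 0 if the expected fingerprint belongs to one of the keys in the file.
# The hash is chosen from the fingerprint's shape: MD5 fingerprints contain
# colons, base64 SHA256 fingerprints never do.
fingerprint_matches() {
    # $1 = key file, $2 = expected fingerprint, with or without MD5:/SHA256: prefix
    _expected=$(printf '%s' "$2" | sed 's/^MD5://; s/^SHA256://')
    case "$_expected" in
        *:*) _alg=md5 ;;
        *)   _alg=sha256 ;;
    esac
    fingerprints_of "$1" "$_alg" | sed 's/^MD5://; s/^SHA256://' | grep -Fqx -- "$_expected"
}

# Fetch the server's host keys, compare, and only then record them. ssh-keyscan
# itself does not authenticate the server, so its output proves nothing until
# the fingerprint check has passed; a mismatch means something may sit between
# you and the server, and the right response is not to connect.
verify_and_trust_host() {
    # $1 = host, $2 = port, $3 = expected fingerprint from the administrator
    _tmp=$(mktemp) || return 1
    ssh-keyscan -p "$2" "$1" > "$_tmp" 2>/dev/null
    if fingerprint_matches "$_tmp" "$3"; then
        mkdir -p "${HOME}/.ssh" && cat "$_tmp" >> "${HOME}/.ssh/known_hosts"
        rm -f "$_tmp"
        echo "host key for $1 matches; added to known_hosts" >&2
        return 0
    fi
    rm -f "$_tmp"
    echo "FINGERPRINT MISMATCH for $1: do not connect" >&2
    return 1
}

# Usage: verify_host.sh example.com 22 SHA256:<fingerprint from the administrator>
if [ "$#" -eq 3 ]; then
    verify_and_trust_host "$1" "$2" "$3"
fi
```

Once the key is in known_hosts, a later connection that presents a different key is rejected by ssh outright, which is the behaviour you want: a changed key should be explained by the administrator, not accepted at the prompt.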

Configuring applications to use the proxy

The proxy created by the steps above should work until you close the SSH program. However, if your connection to the server is interrupted, you will need to repeat the same steps to reactivate the proxy.

Once the proxy is up and running, you need to configure software applications to use it. Using the steps above, the proxy will be a SOCKS proxy located on localhost, port 1080 (also known as 127.0.0.1, port 1080). You should try to ensure that your applications are configured in a way that prevents DNS leaks, which could make SSH less effective both for privacy protection and censorship circumvention.
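For Firefox, one of the most common clients, the settings this paragraph asks for can be written as a user.js fragment, and an existing profile can be audited for the leak. This is an added example, not from the article; it assumes Firefox's user.js preference mechanism and the network.proxy.* preference names it uses, with the proxy address from the steps above.

```shell
#!/bin/sh
# Point Firefox at the SOCKS proxy from the steps above and check that DNS
# lookups go through the tunnel too. Added example, not from the original
# article; it assumes Firefox's user.js mechanism and the preference names
# shown, and uses 127.0.0.1:1080 from the article.

# Write a user.js fragment that sends both traffic and DNS through the proxy.
# network.proxy.socks_remote_dns is the setting that prevents the DNS leak the
# article warns about: without it the browser resolves names locally, and the
# network operator sees every host name you visit even though the page
# contents travel inside the tunnel.
write_firefox_proxy_prefs() {
    # $1 = output file, $2 = proxy host, $3 = proxy port
    cat > "$1" <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "$2");
user_pref("network.proxy.socks_port", $3);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# Audit an existing user.js: return 0 only if a manual SOCKS5 proxy is
# configured and remote DNS is on, so a leak shows up as a non-zero status.
audit_firefox_proxy_prefs() {
    # $1 = user.js to inspect
    grep -Eq '^user_pref\("network\.proxy\.type", *1\);' "$1" || {
        echo "$1: manual proxy not enabled (network.proxy.type is not 1)" >&2; return 1; }
    grep -Eq '^user_pref\("network\.proxy\.socks_version", *5\);' "$1" || {
        echo "$1: network.proxy.socks_version is not 5" >&2; return 1; }
    grep -Eq '^user_pref\("network\.proxy\.socks_remote_dns", *true\);' "$1" || {
        echo "$1: DNS leak: network.proxy.socks_remote_dns is not true" >&2; return 1; }
    return 0
}

# Usage: proxy_prefs.sh /path/to/profile/user.js   (writes, then audits)
if [ "$#" -eq 1 ]; then
    write_firefox_proxy_prefs "$1" 127.0.0.1 1080
    audit_firefox_proxy_prefs "$1"
fi
```

The same distinction exists in curl, which is handy for checking the tunnel from a terminal: "curl --socks5-hostname 127.0.0.1:1080 https://example.com" hands the host name to the proxy so the server resolves it, while "curl --socks5 127.0.0.1:1080 ..." resolves the name locally first and so leaks the lookup to the network operator.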
