Ubuntu Linux For Dummies (2007)
Part VI: Appendixes
Chapter B. Stupendous OpenSSH Tricks
In This Chapter
· Interactively connecting to a remote SSH server
· Installing and starting an OpenSSH server
· Noninteractively executing commands on remote computers
· Using OpenSSH port forwarding
· Using Public/Private Keys
· Using ssh-agent
· Creating an encrypted wireless network using OpenSSH
Secure Shell (SSH) is a set of network protocols that lets you create a secure — encrypted — communication channel between two computers. Tatu Ylonen created SSH in 1995 to replace the nonencrypted communication applications then in use.
SSH creates an encrypted connection between two computers that protects your private communication. SSH enables you to securely communicate with other computers interactively and noninteractively.
OpenSSH is an open source version of the SSH protocol. OpenSSH is an amazing system that at first glance provides a simple and secure method for interacting with other computers. But dig a little under the surface and OpenSSH provides many more capabilities.
The open source OpenSSH suite of security communication tools is compatible with the commercial SSH suite. In this appendix, I say "connect to an SSH server" when describing the process of connecting to either an SSH or OpenSSH server.
This appendix shows you how to configure and use OpenSSH. It also describes how to use some of OpenSSH's lesser-known capabilities, such as authenticating without passwords and creating an encrypted wireless network using unencrypted access points. OpenSSH is a truly amazing piece of software.
Interactively Connecting to an SSH Server
Using the OpenSSH client to connect to an OpenSSH, or commercial SSH, server is simple. For instance, do the following if you want to use OpenSSH to connect to your computer account on another SSH server on another computer:
1. Open a GNOME Terminal Emulator window by clicking the GNOME Applications menu and choosing Accessories → Terminal.
2. Type ssh username@computername.
For instance, I type ssh paul@ssh.swcp.com to connect to my Internet service provider's (ISP) account.
3. Type your password when prompted.
You can work on the remote computer at this point.
Using the OpenSSH Server
OpenSSH is based on a client-server model. You use the OpenSSH client to connect with an OpenSSH server. It's a conceptually simple system to configure and use; I show you how to do so in this section.
Installing the OpenSSH server
Ubuntu installs the OpenSSH client, by default, but not the OpenSSH server. Follow these steps to install the OpenSSH server:
1. Click the GNOME System menu and choose Administration → Synaptic Package Manager.
The Enter Your Password to Perform Administrative Tasks dialog opens.
2. Type your password and press the Enter key.
The Synaptic Package Manager dialog opens.
3. Click the Search button.
The Find dialog opens.
4. Type openssh in the Search text box and click the Search button.
5. Click to select the openssh-server check box.
6. Select the Mark for Installation option in the drop-down menu that opens.
7. Click the Apply button.
The Summary/Apply the Following Changes? dialog opens.
8. Click the Apply button.
The OpenSSH server package is downloaded and installed. The Changes Applied dialog opens when the installation is complete.
9. Click the Close button.
Control returns to the Synaptic Package Manager window.
10. Click the File menu and choose Quit.
The OpenSSH server package is installed and the SSH daemon — sshd — is started automatically.
Testing your OpenSSH server
You can use the OpenSSH client on your Ubuntu computer to connect back to itself. Follow these steps:
1. Click the GNOME Applications menu and choose Accessories → GNOME Terminal.
2. Type ssh username@localhost.
For instance, I type ssh paul@localhost to log in to my user account on my Ubuntu computer.
3. Type yes when prompted and press the Enter key.
4. Type your password when prompted.
You log on to your computer using the SSH protocol. You can log in to your Ubuntu computer from any other computer that provides an SSH client.
You need to allow incoming SSH sessions if you set up a firewall using Firestarter in Chapter 10. Use the instructions in the section "Configuring Firestarter to allow incoming connections" to allow SSH connections.
Executing a Remote Command
SSH is primarily used to make secure, interactive connections to remote computers. However, SSH can also be used noninteractively to execute commands on remote computers. In the following example, I connect to an OpenSSH server installed in the previous section, "Installing the OpenSSH server." Here's how:
1. Click the GNOME Applications menu and select Accessories → GNOME Terminal.
2. Type the following and press the Enter key; for example:
ssh paul@localhost date
3. Type your password when prompted.
Your computer's time and date are displayed. You never interactively connected to your computer using OpenSSH. Instead, the OpenSSH client authenticated with the OpenSSH server and executed the date command.
System administrators find remote command execution useful when managing many computers. For instance, you might want to automatically copy files to or from the remote computer in order to back up files to an external USB hard drive. You can use the following command to back up some files:
ssh username@remotemachine 'rsync -ru * /media/disk'
Or for instance, if I want to connect to a remote machine called cancun and copy my home directory to a directory called backups on the USB disk:
ssh paul@cancun 'rsync -ru * /media/disk/backups'
OpenSSH runs the command rsync -ru * /media/disk, which recursively copies all new files from your home directory to the USB hard drive mounted at /media/disk. (The -r option tells rsync to copy files recursively, and the -u option tells it to update files.) The single quotes keep your local shell from expanding the * before ssh sends the command, so the wildcard is expanded in your home directory on the remote machine. This process happens without you having to log into the remote computer and run the command yourself. All you have to do is enter your account password. Less work makes for better system administration.
Using OpenSSH Port Forwarding
OpenSSH lets you forward Linux network ports between machines. Port forwarding lets you set up specialized virtual private networks (VPNs). OpenSSH encrypts the information flowing between the two machines and also takes care of sending the information to and from the right ports.
Port forwarding provides a way to protect unencrypted network traffic. You can also use port forwarding to overcome barriers like firewalls that prevent you from connecting with services. I don't recommend using port forwarding to circumvent security features set up specifically to prevent you from being hacked from the Internet.
I illustrate port forwarding by example. Let's say a firewall prevents you from accessing your ISP e-mail account. You can use OpenSSH to overcome this limitation if you can log in to your ISP using SSH. Follow these steps:
1. Click the GNOME Applications menu and select Accessories → GNOME Terminal.
2. Type the following and press the Enter key:
ssh -L localport:remoteserver:remoteport username@remotemachine
For instance, I type ssh -L 1433:localhost:143 paul@myisp.com to log in to my user account at my ISP.
o I picked local port number 1433 at random — I can use any number above 1024.
Using ports below 1024 requires root privileges.
o The remote port 143 corresponds to the port IMAP listens to by default.
3. Type yes if prompted to use the server's public key and press the Enter key.
4. Type your password when prompted.
After you've authenticated to your ISP's user account, you can configure your e-mail client to work through the SSH connection. Follow these steps:
1. Click the GNOME Applications menu and choose Internet → Evolution (or Thunderbird Email, if that's your preference).
Your e-mail client opens.
2. Click the Edit menu and choose Account Settings.
The Account Settings dialog opens.
3. Click the Server Settings option.
The Server Settings tab opens.
4. Type 127.0.0.1 in the Server Name text box.
5. Type the port number you selected in the Port text box.
For instance, type 1433 in the Port text box.
6. Click the OK button.
You can securely view your e-mail through the OpenSSH "tunnel."
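What a -L argument like the ones used in this appendix sets up, as an added example that is not part of the original text. explain_forward is a hypothetical helper that parses the spec and reports where the listener binds, whether the local port needs root, and whether the hop from the SSH server to the destination lies outside the encrypted tunnel.

```shell
#!/bin/sh
# Added example, not from the original appendix; explain_forward is a
# hypothetical helper name.
#
# explain_forward SPEC SSH_HOST
#   SPEC      the -L argument: [bind_address:]localport:remoteserver:remoteport
#   SSH_HOST  the machine you log in to (the part after the @)
# Prints one key=value line per finding. Bracketed IPv6 addresses in SPEC
# are not handled.
explain_forward() (
    spec=$1
    ssh_host=$2

    set -f                          # a bind address of "*" must not be globbed
    old_ifs=$IFS
    IFS=:
    set -- $spec                    # split SPEC on colons
    IFS=$old_ifs

    case $# in
        3) bind=default; lport=$1; dest=$2; dport=$3 ;;
        4) bind=$1;      lport=$2; dest=$3; dport=$4 ;;
        *) echo "bad -L spec: $spec" >&2; exit 1 ;;
    esac

    for p in "$lport" "$dport"; do
        case $p in
            ''|*[!0-9]*|??????*) echo "bad port: $p" >&2; exit 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; exit 1; }
    done
    [ -n "$dest" ] || { echo "empty destination" >&2; exit 1; }

    # Where the listening socket is bound on your machine. With no bind
    # address, ssh listens on loopback only (assuming the client option
    # GatewayPorts is left at its default of "no").
    case $bind in
        default|localhost|127.0.0.1) echo "listen=loopback-only" ;;
        ''|'*')                      echo "listen=all-interfaces" ;;
        *)                           echo "listen=$bind" ;;
    esac

    # Ports below 1024 can only be bound by root.
    if [ "$lport" -lt 1024 ]; then echo "needs_root=yes"; else echo "needs_root=no"; fi

    # "remoteserver" is resolved by the SSH server, not by your machine.
    # SSH encrypts only the leg between you and SSH_HOST; if the destination
    # is some other machine, the last hop travels outside the tunnel.
    case $dest in
        localhost|127.0.0.1|"$ssh_host") echo "last_hop=on-ssh-server" ;;
        *) echo "last_hop=unprotected:$ssh_host->$dest:$dport" ;;
    esac
)

# The two shapes of forward used in this appendix.
explain_forward 1433:localhost:143 myisp.com
explain_forward 1433:mail.myisp.com:143 vpnserver
```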
OpenSSH can automatically forward X Window System connections back to your local machine using the -X option. Connect to the remote machine — ssh -X username@remotemachine — using the -X option, and any applications that use X to display output will automatically forward that output to your window. For instance, log in to a remote machine using the -X option, type the command /usr/bin/xclock, and you'll see the xclock display on your local machine.
Using Public-Private Key Authentication
We're all used to entering a password to gain access to user accounts, Web accounts, and so on. Type in your username and then enter your password when prompted, and you're in. However, passwords are becoming increasingly vulnerable to cracking, shoulder surfing, and good ol' yellow sticky notes. If someone learns your password, he has access to your account. This isn't good.
Fortunately, SSH provides an alternative to traditional static passwords. SSH lets you authenticate using public-key cryptography (also known as asymmetric-key cryptography).
You generate a public- and private-key pair. Anything encrypted with a public key can be decrypted only with the private key. Conversely, anyone in possession of the public key can decrypt what has been encrypted with the private key. This asymmetric relationship allows the SSH protocol to work.
How public-key authentication works
Here's how it works. The actual process is more complicated than presented, but the following is essentially correct:
1. You generate a public- and private-cryptographic-key pair.
2. Optionally, encrypt your private key with a pass phrase.
3. Place the public key in your remote user account.
4. Keep your private key on your local computer.
5. Use the OpenSSH client to connect to the remote SSH server.
6. The remote SSH server generates a random number and encrypts it with your public key.
7. The remote SSH server sends the encrypted random number to your OpenSSH client.
8. Your OpenSSH client decrypts the random number with your private key and sends the result back to the server.
If the returned random number matches the original, you're authenticated because only the private key can decrypt what has been encrypted using the public key.
Creating an OpenSSH public- and private-key pair
Now, let's try a real-world example. Start by generating the public/private key-pair.
1. Click the GNOME Applications menu and select Accessories → GNOME Terminal.
2. Type the following and press the Enter key:
ssh-keygen -t rsa
The ssh-keygen utility displays the message Generating public/private rsa key pair.
3. Press the Enter key when you're prompted to enter a filename.
4. Type a pass phrase when prompted.
Longer pass phrases provide more protection. Use at least a 20-character pass phrase if you can. I recommend using a phrase you're familiar with. For instance, select a pass phrase like I'm going down to south Park.
The ssh-keygen utility displays a fingerprint of the key you just generated. Fingerprints help you tell your keys apart from fraudulent ones.
Configuring your remote account with your public key
After you create your private/public-key pair, you need to copy the public key to your remote user account and configure the account to use the public key. The public key should be placed in the authorized_keys file in the .ssh directory in your user account's home directory on the remote machine. Follow these steps:
1. Type the following command and press the Enter key:
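scp ~/.ssh/id_rsa.pub username@remotemachine:
scp (Secure Copy) is another OpenSSH utility, used to copy files from and to remote machines. The trailing colon tells scp that the destination is the remote machine; with nothing after the colon, the file lands in your remote home directory.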
2. Log in to the remote machine.
ssh username@remotemachine
3. Create, if necessary, the .ssh directory.
mkdir .ssh
4. Change the permissions on the .ssh directory.
chmod 700 .ssh
This command gives total access to the owner (you) of the .ssh directory and denies all access to everyone else. OpenSSH requires that the files and directories it accesses have minimal access.
5. Insert your public key into the authorized_keys file in the .ssh directory.
cat id_rsa.pub >> .ssh/authorized_keys
Using the double greater-than symbols (>>) appends the contents of the id_rsa.pub file into the authorized_keys file if it already exists. Alternatively, this command creates the authorized_keys file if it doesn't exist and copies the contents of id_rsa.pub into it.
6. Change the permissions on the authorized_keys file.
chmod 600 .ssh/authorized_keys
You can now use OpenSSH public-key authentication to log in to your remote user account.
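Steps 3 through 6 as one repeatable shell function, as an added example that is not part of the original appendix. install_pubkey and ssh_perms_ok are hypothetical helper names, and the key line in the demo is a constructed placeholder rather than a real key.

```shell
#!/bin/sh
# Added example, not from the original appendix. install_pubkey and
# ssh_perms_ok are hypothetical names, not OpenSSH tools.

# install_pubkey HOME_DIR PUBKEY_FILE
# Run on the remote machine. Prints "added" or "already present".
install_pubkey() (
    home=$1
    pub=$2
    umask 077                       # anything created below is owner-only

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; exit 1; }

    # A .pub file is a single line: "type base64-blob [comment]".
    # Anything else (an empty file, a private key) is rejected.
    lines=$(grep -c '[^[:space:]]' "$pub" || true)
    [ "$lines" -eq 1 ] || { echo "$pub: expected exactly one key line" >&2; exit 1; }
    key=$(grep '[^[:space:]]' "$pub")
    case $key in
        ssh-rsa\ AAAA*|ssh-dss\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "$pub: not an OpenSSH public key" >&2; exit 1 ;;
    esac

    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    auth=$home/.ssh/authorized_keys
    touch "$auth"
    chmod 600 "$auth"

    # Match on "type blob" so the same key with a different comment is
    # still recognised as already installed.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if grep -qF -- "$blob" "$auth"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "added"
    fi
)

# ssh_perms_ok HOME_DIR
# Returns 0 when neither .ssh nor authorized_keys is writable by group or
# others. sshd's StrictModes setting (on by default) ignores the key file
# when these paths are writable by anyone but the owner.
ssh_perms_ok() (
    for p in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; exit 1; }
        mode=$(ls -ld "$p" | cut -c1-10)      # e.g. drwx------
        case $mode in
            ?????w*|????????w*) echo "too open: $mode $p" >&2; exit 1 ;;
        esac
    done
)

# Demo on a throwaway directory with a constructed (not real) key line.
demo_home=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-SAMPLE user@laptop' > "$demo_home/id_rsa.pub"
install_pubkey "$demo_home" "$demo_home/id_rsa.pub"
install_pubkey "$demo_home" "$demo_home/id_rsa.pub"
ssh_perms_ok "$demo_home" && echo "permissions ok"
rm -rf "$demo_home"
```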
Using public-key authentication to log in to your remote account
After you copy and configure your public key to the remote user account, you can use the key-pair to log into your remote account. Follow these steps:
1. Type the following command in your local user account:
ssh username@remotemachine
The OpenSSH client looks in the local .ssh directory for private keys. It will find the private key you just generated (id_rsa) and use it to authenticate with the remote SSH server. Alternatively, you can explicitly specify which private key to use with the -i keyname option: ssh -i ~/.ssh/id_rsa username@remotemachine.
2. Type the private-key pass phrase when prompted.
You're logged in to your user account on the remote machine and you didn't have to enter a password!
Two-factor authentication provides the most secure authentication method available. Two-factor means that you must provide two factors to gain access to an account. Generally, one factor is something you physically possess, and the second factor is something you know. Commercial two-factor systems provide a physical device such as a smart card or token that requires a password or personal identification number (PIN) to work. Anyone intent on surreptitiously gaining access to your account must first steal both factors.
The OpenSSH public-key system provides two-factor authentication. Someone must steal your private key and your pass phrase to break into your user account. Stealing those factors is easier than stealing a commercial one because, by default, you store your private key in your home directory on your computer. Anyone who breaks into your computer can potentially copy your key and use a key logger to read your pass phrase. However, you can further approximate commercial two-factor systems by keeping your private key on removable media like a USB memory stick. The article "Tighter SSH Security with Two-Factor Authentication," found at http://interactive.linuxjournal.com/article/8957, describes the process in more detail.
Using ssh-agent to Store Private Keys
OpenSSH public-key authentication is a great system, giving you two-factor authentication for free. However, using public-key authentication can become onerous if you have to frequently use it to log in to remote machines. You should use a long — at least 20 characters — pass phrase to secure your private key, and typing it for every authentication becomes difficult.
OpenSSH provides a solution in the form of a utility called ssh-agent. The ssh-agent utility lets you decrypt and cache one or more private keys. Your OpenSSH client then uses the cached private key to authenticate to SSH servers.
You use the OpenSSH utility ssh-add to decrypt and cache private keys with ssh-agent. Once cached, the OpenSSH client (ssh) communicates with ssh-agent via a UNIX socket, which is specified by the SSH_AUTH_SOCK environmental variable.
I show how this works by, you guessed it, example. In this example, I assume you've generated your public-private-key-pair and placed the public key in the .ssh/authorized_keys file in your remote user account, as described in the section, "Using Public-Private Key Authentication," in this appendix. Follow these steps:
1. Click the GNOME Applications menu and choose Accessories → GNOME Terminal.
2. Type the following and press the Enter key:
ssh-add ~/.ssh/id_rsa
3. Type your private-key pass phrase when prompted.
ssh-agent tells you that it's added the key.
4. Type ssh-add -l and you see the private key's fingerprint.
Ubuntu starts ssh-agent when you log in to your Ubuntu user account. However, if the ssh-agent fails to start or the process dies for any reason, you can still start one yourself. First, check to see if ssh-agent is running by typing ssh-add and pressing the Enter key. If the response is Could not open a connection to your authentication agent, you need to start a new one. In that case, type eval `ssh-agent` (those are backticks). This starts ssh-agent and sets the SSH_AUTH_SOCK environmental variable.
5. Type the following to log in to your remote account:
ssh username@remotemachine
For instance, I type ssh paul@myisp.com to log into my ISP account.
How does all this work? Here's a slightly simplified description of how the process works:
1. The OpenSSH client connects to the SSH server and asks the server to authenticate the user.
2. The SSH server generates a random number and encrypts it with your public key.
3. The SSH server sends the encrypted random number to your OpenSSH client.
4. Your OpenSSH client uses the value of the SSH_AUTH_SOCK environmental variable to identify the UNIX socket connected to the ssh-agent.
5. Your OpenSSH client sends the encrypted random number to ssh-agent through the UNIX socket identified by SSH_AUTH_SOCK.
6. The ssh-agent reads your previously decrypted private key to decrypt the random number.
7. The ssh-agent sends the decrypted random number back to your OpenSSH client.
8. The OpenSSH client sends the decrypted random number back to the SSH server.
9. The remote SSH server compares the decrypted random number — from the OpenSSH client — to the original and authenticates your connection if they match.
Your private key never left your Ubuntu workstation and yet it was used to authenticate your connection. You can use ssh-agent to authenticate indefinitely without having to re-enter your pass phrase. You can set life-times on the cached keys and also forward the authentication agent to other machines.
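The agent check from the note above and the key lifetimes mentioned in the last paragraph, as an added example that is not part of the original appendix. agent_state and cache_key are hypothetical names, and the SSH_ADD variable is an assumption introduced only so the ssh-add command can be swapped for a stand-in.

```shell
#!/bin/sh
# Added example, not from the original appendix. agent_state and cache_key
# are hypothetical names; SSH_ADD exists only so the command can be swapped
# for a stand-in (it is expanded unquoted on purpose so that it may name a
# shell function as well as a program).

# agent_state
# Reports what "ssh-add -l" found, using its documented exit status:
#   0 = agent reachable and holding keys
#   1 = agent reachable but holding no keys
#   2 = no agent could be contacted
agent_state() (
    ${SSH_ADD:-ssh-add} -l >/dev/null 2>&1 && rc=0 || rc=$?
    case $rc in
        0) echo keys-cached ;;
        1) echo agent-empty ;;
        2) echo no-agent ;;
        *) echo "unknown-$rc" ;;    # for example 127 when ssh-add is missing
    esac
)

# cache_key KEYFILE SECONDS
# Starts an agent if none is reachable, then caches KEYFILE for SECONDS
# only; after that the agent drops the decrypted key and the pass phrase
# is needed again. This is a plain function, not a subshell, because the
# eval has to set SSH_AUTH_SOCK in the calling shell.
cache_key() {
    if [ "$(agent_state)" = no-agent ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
    ${SSH_ADD:-ssh-add} -t "$2" "$1"
}

# Report the current state. To cache a key for one hour:
#   cache_key ~/.ssh/id_rsa 3600
echo "agent state: $(agent_state)"
```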
Creating an Encrypted Wireless Network Using OpenSSH
A VPN within an unencrypted wireless network makes it easier to use your Ubuntu computer on wireless networks.
Chapter 7 describes how to connect your Ubuntu computer to three types of wireless networks: unencrypted and encrypted ones using either WEP or WPA encryption. The great thing about using unencrypted wireless networks is they're very easy to use — Ubuntu can use more wireless network adapters without encryption than with. The bad thing about using unencrypted wireless networks, of course, is that they don't protect your information.
You need two pieces of equipment to make this network:
· A second Wi-Fi access point (AP): You attach the second AP to your primary AP. The second AP will accept unencrypted connections from your Ubuntu computer. I use an old 802.11b AP that I replaced with a faster 802.11g model as the second AP.
Devices based on the 802.11b protocol communicate at speeds up to 11 Mbps (million-bits-per-second), while 802.11g models go up to 54 Mbps.
· An Ubuntu computer with a wireless network adapter: I assume this computer is a laptop.
· An account on a Linux computer: This computer is the VPN server. You forward all Web and e-mail communication from the second AP through a user account on the VPN server using OpenSSH. OpenSSH provides the forwarding capability and the encryption. You can use Ubuntu Linux as the VPN server, of course; however, the essential ingredient to making this system work is a computer that provides an SSH server.
When you have your equipment, you need to configure the following:
· An SSH server on the VPN server.
· A user account on the VPN server.
· Generate a public-private-key-pair.
Don't use pass-phrase protection and place the public key in the .ssh/authorized_keys file in your account on the VPN server.
· Accept unencrypted connections on the second AP.
Don't specify WEP or WPA.
· Route all outgoing communication from the second AP to the VPN Server. Normally, you configure your AP to route outgoing communication to your ISP via a cable modem or DSL modem. (Actually, most modern APs do this automatically.) However, in this case, you must use the VPN server to provide a VPN to the Internet using OpenSSH.
Configuring the second AP to route all outgoing traffic through the VPN server prevents anyone who doesn't have your private key from using your unencrypted wireless network. Intruders can connect to your second AP but can't make use of your Internet connection; nor can they access your private network attached to your primary AP.
However, you'll be able to browse the Internet and get and send e-mail. Your work will also be fully encrypted, at a higher level than possible with WEP or WPA encryption, by using OpenSSH. You accomplish this by configuring your OpenSSH client on your Ubuntu laptop to forward such connections through your user account on the VPN server. All of your Web and e-mail communication will be encrypted and forwarded to their destinations by OpenSSH.
Configuring your second AP
The particulars involved with configuring your second AP depend on its make and model. You only need to configure how it gets its Internet interface connection, often referred to as the WAN (wide area network), how it gets its IP address, and where it sends outgoing packets.
The general process is as follows:
1. Open Firefox and connect to your secondary AP.
2. Type the administrative account username and password.
3. Go to the menu that specifies how the WAN interface gets its IP address and change from dynamic (DHCP) to static.
4. Change the WAN interface IP address to an unused value on the primary AP.
For instance, my primary AP uses the network address space of 192.168.1.1 through 192.168.1.254. The primary AP's IP address defaults to 192.168.1.1, so I chose 192.168.1.254, which is easy to use and does not interfere with the DHCP addresses that the primary AP hands out to connecting computers.
5. Change the default destination IP address to the address of your VPN server.
All outgoing communications from the secondary AP will automatically be sent to your VPN server. This protects your AP from surreptitiously being used by intruders. Anyone who doesn't have your private key won't be able to use your wireless network, even though it's unencrypted.
6. Save your changes and restart your secondary AP.
Configuring your VPN server user account
To start using your wireless VPN, you need a Linux computer connected to your primary AP. The VPN server must be running an SSH server. You also need a user account on the VPN Server.
1. Connect your Ubuntu laptop computer to your primary AP using a wired Ethernet connection.
See Chapter 6 for more information about making such connections.
2. Log in to your Ubuntu laptop user account.
3. Generate a public-private-key-pair using the following command:
ssh-keygen -t rsa -f .ssh/key-vpn-fwd -C key-vpn-fwd
This command is a variation of the one used in the section, "Using Public-Private Key Authentication," earlier in this chapter. In this case, I use the -f option in order to choose a descriptive filename. The -C option inserts the string key-vpn-fwd into the private-key file, which helps identify its purpose in the future.
4. Press the Enter key when prompted to select a pass phrase.
In this case, create an unencrypted private key to automatically establish an SSH port-forwarding connection to the VPN server whenever you boot the Ubuntu laptop. The private key will remain safe on your Ubuntu computer as long as it isn't compromised. This is reasonable because anyone who breaks into your laptop can also steal your WEP or WPA keys.
Make sure you protect both your private keys and your Ubuntu computer. Set minimal file permissions on your private keys — only the owner should be able to read the file. Update your Ubuntu/Debian packages whenever new ones become available. Use good passwords on your user account and protect them well. Also, use the advice given throughout this book on good system administration hygiene.
5. Use the following command to copy your public key to your VPN server user account:
scp .ssh/key-vpn-fwd.pub username@vpnserver:
6. Log in to your user account on the VPN Server:
ssh username@vpnserver
7. Append the public key into the authorized_keys file in the .ssh directory in your VPN server user account.
cat key-vpn-fwd.pub >> .ssh/authorized_keys
I assume you've protected the authorized_keys files as described in the section "Using Public-Private Key Authentication."
8. Type the following command and press the Enter key:
ssh -i .ssh/key-vpn-fwd -D 8888 username@vpnserver
For instance, I would type ssh -i .ssh/key-vpn-fwd -D 8888 paul@vpnserver to make the connection.
This command creates an SSH connection to the VPN server using dynamic port forwarding. I use static port forwarding in the "Using OpenSSH Port Forwarding" section in this chapter. However, dynamic port forwarding lets you create a Web proxy server using OpenSSH. I forward all Web traffic through this connection. The port 8888 is arbitrary; you can use any port number above 1024.
9. Type the following command and press the Enter key:
ssh -i .ssh/key-vpn-fwd -L 1433:ispmail.com:143 username@vpnserver
In my case, I would type ssh -i .ssh/key-vpn-fwd -L 1433:mail.myisp.com:143 paul@vpnserver to make the connection.
Here, I establish an SSH connection to provide static port forwarding that I use to receive messages. I use static rather than dynamic forwarding in this case because I want to connect to only one external machine to get my e-mail.
10. Type the following command and press the Enter key:
ssh -i .ssh/key-vpn-fwd -L 2555:ispmail.com:25 username@vpnserver
In my case, I would type ssh -i .ssh/key-vpn-fwd -L 2555:mail.myisp.com:25 paul@vpnserver to make the connection that lets me send messages.
I configured three OpenSSH connections that will let me browse the Internet plus send and receive e-mail.
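Because the forwarding key has no pass phrase, the VPN server can limit what that key is allowed to do. The following is an added example, not part of the original appendix: forward_only_entry and audit_authorized_keys are hypothetical helper names, the key lines are constructed placeholders, and the option list is one reasonable choice from the authorized_keys options documented in sshd(8).

```shell
#!/bin/sh
# Added example, not from the original appendix. Function names are
# hypothetical; key material below is constructed, not real.

# Options that leave a key able to forward ports but unable to get a
# terminal or run anything except /bin/false.
FORWARD_ONLY_OPTS='command="/bin/false",no-pty,no-X11-forwarding,no-agent-forwarding'

# forward_only_entry PUBKEY_FILE
# Prints the authorized_keys line to install for that key, in place of
# the bare line that "cat key.pub >> .ssh/authorized_keys" would add.
forward_only_entry() {
    printf '%s %s\n' "$FORWARD_ONLY_OPTS" "$(cat "$1")"
}

# audit_authorized_keys FILE
# Prints "restricted COMMENT" or "unrestricted COMMENT" for every key.
# "restricted" means the entry sets a forced command together with no-pty
# (or restrict). What the forced command itself does is not inspected,
# and a key type that appears inside a quoted option would confuse it.
audit_authorized_keys() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    {
        k = 0                                # index of the key-type field
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-|ecdsa-sha2-)/ && $(i + 1) ~ /^AAAA/) { k = i; break }
        if (k == 0) { print "unparsed line " NR; next }

        opts = ","                           # option text before the key type
        for (i = 1; i < k; i++) opts = opts $i
        opts = opts ","

        forced = index(opts, ",command=\"") > 0
        nopty  = index(opts, ",no-pty,") > 0 || index(opts, ",restrict,") > 0
        label  = (k + 2 <= NF) ? $(k + 2) : "(no-comment)"
        verdict = (forced && nopty) ? "restricted" : "unrestricted"
        print verdict " " label
    }' "$1"
}

# Demo: an ordinary login key plus the forwarding key from step 3.
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3-CONSTRUCTED-LOGIN-KEY paul@laptop' > "$demo/authorized_keys"
echo 'ssh-rsa AAAAB3-CONSTRUCTED-VPN-KEY key-vpn-fwd' > "$demo/key-vpn-fwd.pub"
forward_only_entry "$demo/key-vpn-fwd.pub" >> "$demo/authorized_keys"
audit_authorized_keys "$demo/authorized_keys"
rm -rf "$demo"
```

With an entry like this installed, the ssh commands in steps 8 to 10 need the -N option added, because the server runs /bin/false instead of a shell and the connection would otherwise close at once.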
Configuring Firefox and Thunderbird to use OpenSSH port forwarding
After you configure your wireless VPN, you can start securely using the Internet via your unencrypted, insecure wireless network. All you have to do is configure Firefox and Evolution to use it.
Configuring Firefox
Configuring Firefox requires you to use a proxy connection instead of a direct one to the Internet.
1. Click the GNOME Applications menu and choose Internet → Firefox.
A Firefox window opens.
2. Click the Edit menu and choose the Preferences option.
The Preferences dialog opens.
3. Click the Advanced button and select the Network tab.
The Connections Setting dialog opens.
4. Click the Manual Proxy Configuration radio button.
5. Type 127.0.0.1 in the SOCKS Host text box.
6. Type the dynamic port number you selected in the Port text box.
You specified the dynamic port number in Step 8 of the section "Configuring Your VPN Server User Account." For instance, I selected the dynamic port number 8888.
7. Click the OK button.
Control returns to the Firefox Preferences dialog.
8. Click the Close button.
You can now make unencrypted connections from your Ubuntu laptop to the secondary AP and securely browse the Internet.
Configuring the Thunderbird e-mail client
To securely send and receive e-mail, you must configure Thunderbird to use OpenSSH static port forwarding.
Evolution doesn't let you change the port it uses to receive e-mail, so use Thunderbird.
Follow these steps:
1. Click the GNOME Applications menu and select Internet → Thunderbird Mail.
A Thunderbird window opens.
2. Click the Edit menu and select the Account Settings option.
The Account Settings dialog opens.
3. Choose the Server Setting menu option.
4. Type 127.0.0.1 in the Server Name text box (replacing any existing server information).
5. Type the static port number you selected in Step 9 in the "Configuring Your VPN Server User Account" section.
For example, I type the value of 1433.
6. Click the Outgoing Server (SMTP) menu option.
7. Select your outgoing server and click the Edit button.
The SMTP Server dialog opens.
8. Type 127.0.0.1 in the Server Name text box (replacing any existing value).
9. Type the static port number in the Port text box.
In my case, I enter the value of 2555.
10. Click the OK button.
Control returns to the Account Settings dialog.
11. Click the OK button.
OpenSSH now provides a secure tunnel for incoming and outgoing e-mail messages. Your unencrypted wireless network provides high security using OpenSSH!