SSH over SSL or telnet proxy server


Post by Troy Wollenslege » Wed, 18 Oct 2000 04:00:00



I am trying to connect to an SSH server on the internet from behind a
firewall.

The firewall allows telnet outbound (through checkpoint proxy telnet)
  >telnet firewall
  Escape character is '^]'.
  Check Point FireWall-1 authenticated Telnet server running on firewall
  User: username
  FireWall-1 password: ******
  User username authenticated by FireWall-1 authentication
  Host: my.host.com

Another firewall allows outbound web, also through a password proxy, including
SSL. I remember once seeing an SSL proxy script for SSH, but it did not support
a password-protected proxy. What would I need to change on that in order to get
this to work?

Has anyone gotten either option to work?

Thanks
Troy


SSH over SSL or telnet proxy server

Post by Richard E. Silverm » Wed, 18 Oct 2000 04:00:00


    Troy> I remember once seeing a SSL proxy script for SSH, but it did
    Troy> not support password protected proxy.

I have no idea what this would mean; SSL and SSH have nothing to do with
one another.

    Troy> Has anyone gotten either option to work?

I don't understand the "options" you're referring to.  If your firewall
supports SOCKS, I would use that.  You didn't say what flavor of SSH
you're using.  Many SSH clients do SOCKS.  OpenSSH does not, but works
with the "runsocks" hack that comes with the NEC socks5 package.

--
  Richard Silverman



SSH over SSL or telnet proxy server

Post by Troy Wollenslege » Thu, 19 Oct 2000 04:00:00




:     Troy> I remember once seeing a SSL proxy script for SSH, but it did
:     Troy> not support password protected proxy.

: I have no idea what this would mean; SSL and SSH have nothing to do with
: one another.

You CAN do ssh over an SSL (http) tunnel from what I have understood by using
a web proxy.
You are right, the only thing they have in common is that the SSL is the
transport for the SSH session.

:     Troy> Has anyone gotten either option to work?

: I don't understand the "options" you're referring to.  If your firewall
: supports SOCKS, I would use that.  You didn't say what flavor of SSH
: you're using.  Many SSH clients do SOCKS.  OpenSSH does not, but works
: with the "runsocks" hack that comes with the NEC socks5 package.

NO go.. no socks support.

I can use any version of SSH  (unix or winblows) if one would work, but again,
socks is unfortunately not an option.

Troy


SSH over SSL or telnet proxy server

Post by Richard E. Silverm » Thu, 19 Oct 2000 04:00:00


    Troy> You CAN do ssh over an SSL (http) tunnel from what I have
    Troy> understood by using a web proxy.  

I don't know what you mean by this.  Web proxies are HTTP-specific; you
won't generally get a clean full-duplex byte pipe over which to run an SSH
session.  A proxy accepts HTTP queries and answers them, possibly allowing
the queries to arrive over SSL.

    Troy> You are right, the only thing they have in common is that the
    Troy> SSL is the transport for the SSH session.

This is false.  SSH does not use the SSL protocol at all.

    Troy> NO go.. no socks support.

    Troy> I can use any version of SSH (unix or winblows) if one would
    Troy> work, but again, socks is unfortunately not an option.

If you don't have IP connectivity to the outside, and are limited to
Telnet and HTTP-specific proxies, then I don't think you can get out with
SSH.  You could try using telnet to set up a connection using
ProxyCommand, but you'll have problems with the telnet protocol not being
transparent.

--
  Richard Silverman
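Richard's point that telnet is not a transparent byte pipe, illustrated with an added example that is not from the thread: a small Python model of telnet NVT framing (RFC 854) showing what a ProxyCommand wrapper would have to do in each direction before SSH's binary stream could survive a telnet gateway. The sample bytes, the injected WILL ECHO offer and all function names are constructed here.

```python
# Telnet NVT framing (RFC 854) as seen by a binary SSH stream.
# Constants, names and sample bytes are mine, not from the thread or OpenSSH.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

def telnet_escape(payload: bytes) -> bytes:
    """Outbound: a telnet sender must double every 0xFF data byte."""
    return payload.replace(b"\xff", b"\xff\xff")

def telnet_unframe(stream: bytes):
    """Inbound: split a telnet stream into (application bytes, option commands).
    IAC IAC collapses to one 0xFF; DO/DONT/WILL/WONT and subnegotiations are
    pulled out so the caller sees what the proxy injected.  Truncated commands
    raise ValueError.  CR/LF translation and echo are not modeled."""
    out, commands, i = bytearray(), [], 0
    while i < len(stream):
        b = stream[i]
        if b != IAC:
            out.append(b); i += 1
            continue
        if i + 1 >= len(stream):
            raise ValueError("truncated IAC at end of stream")
        cmd = stream[i + 1]
        if cmd == IAC:                        # escaped data byte 0xFF
            out.append(IAC); i += 2
        elif cmd in (DO, DONT, WILL, WONT):   # three-byte option command
            if i + 2 >= len(stream):
                raise ValueError("truncated option negotiation")
            commands.append((cmd, stream[i + 2])); i += 3
        elif cmd == SB:                       # subnegotiation ends at IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                raise ValueError("unterminated subnegotiation")
            commands.append((SB, stream[i + 2:end])); i = end + 2
        else:                                 # other two-byte command (NOP, AYT...)
            commands.append((cmd, None)); i += 2
    return bytes(out), commands

def demo():
    """Constructed sample: an SSH banner and packet bytes containing 0xFF, with
    a WILL ECHO offer injected mid-stream as a telnet gateway might do."""
    ssh_bytes = b"SSH-2.0-OpenSSH_2.2.0p1\r\n" + bytes([0, 0, 0xFF, 0x10, 0xFF])
    proxy_stream = (telnet_escape(ssh_bytes[:25]) + bytes([IAC, WILL, 1])
                    + telnet_escape(ssh_bytes[25:]))
    payload, cmds = telnet_unframe(proxy_stream)
    # The wire bytes no longer match what SSH sent; unframing recovers them.
    return proxy_stream != ssh_bytes, payload == ssh_bytes, cmds
```

An SSH client reading the raw proxy stream would see the IAC WILL 1 bytes and the doubled 0xFF as protocol data; the authentication dialog shown in the first post would also have to be scripted before the wrapper hands the pipe to ssh.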


SSH over SSL or telnet proxy server

Post by Michael Shuldm » Fri, 20 Oct 2000 04:00:00



> If you don't have IP connectivity to the outside, and are limited to
> Telnet and HTTP-specific proxies, then I don't think you can get out with
> SSH.  You could try using telnet to set up a connection using
> ProxyCommand, but you'll have problems with the telnet protocol not being
> transparent.

The last version of the Dante package supports http proxying (in
addition to socks).  That should allow him to "socksify ssh" (or
"socksify ftp", "socksify telnet", "socksify <whatever>") and connect
out through a standard http proxy.



SSH over SSL or telnet proxy server

Post by Dennis Dav » Sat, 21 Oct 2000 04:00:00



...

>I don't understand the "options" you're referring to.  If your
>firewall supports SOCKS, I would use that.  You didn't say what
>flavor of SSH you're using.  Many SSH clients do SOCKS.  OpenSSH
>does not, but works with the "runsocks" hack that comes with the
>NEC socks5 package.

It should be fairly straightforward to put the SOCKS support code
into OpenSSH.  Appended below are some diffs for socks5 against
openssh-2.2.0p1.  Obviously the Makefile also needs tweaking to
define SOCKS and scan the socks5 library -- /opt/lib/libsocks5.a on
our Solaris boxes.

I haven't tested this extensively, but a colleague has used it a
couple of times to get out through a dante server.

Dante is an alternative socks server.  See:

http://www.inet.no/dante/

for details.  I have version 1.1.5 of Dante up and running here
on both Solaris & OpenBSD boxes.

I haven't built openssh-2.2.0p1 against the dante libraries that
provide SOCKS facilities.  But, given that the above seems OK,
I'd expect it to be just as straightforward.

*** ssh.c.orig  Tue Aug 29 01:33:51 2000
--- ssh.c       Wed Sep 27 15:14:36 2000
***************
*** 10,15 ****
--- 10,19 ----

   */

+ #ifdef SOCKS
+ #include <socks.h>
+ #endif
+
  #include "includes.h"
  RCSID("$OpenBSD: ssh.c,v 1.63 2000/08/28 20:19:52 markus Exp $");
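Review bot: the build side of this change is missing from the patch: the text says SOCKS has to be defined and libsocks5.a linked by hand, so this `#ifdef SOCKS` block is dead code until someone edits the Makefile; a configure switch or a Makefile.in hunk adding -DSOCKS and the socks5 library path would make the patch apply cleanly on other systems. The ordering is right for a wrapper header of this kind: if socks.h works by redefining the socket calls, as the NEC library does, it has to come before the system headers that "includes.h" pulls in, which this placement respects.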

***************
*** 242,247 ****
--- 246,256 ----
        /* Save our own name. */
        av0 = av[0];

+ #ifdef SOCKS
+       /* Initialize SOCKS (the firewall traversal library). */
+       SOCKSinit(av0);
+ #endif /* SOCKS */
+
        /* Initialize option structure to indicate that no values have been set. */
        initialize_options(&options);
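Review bot: `#endif /* SOCKS */` here versus the bare `#endif` in the include hunks; pick one style. More substantively, SOCKSinit(av0) runs unconditionally whenever the binary is built with SOCKS, so every connection attempt is handed to the SOCKS library with no command-line or ssh_config way to bypass it; whether a given destination goes direct or via the proxy is then decided entirely by the socks5 library's own configuration. That deserves a sentence in the README next to the Makefile instructions.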

*** sshconnect.c.orig   Tue Aug 29 01:33:51 2000
--- sshconnect.c        Wed Sep 27 15:03:47 2000
***************
*** 7,12 ****
--- 7,16 ----
   * login (authentication) dialog.
   */

+ #ifdef SOCKS
+ #include <socks.h>
+ #endif
+
  #include "includes.h"
  RCSID("$OpenBSD: sshconnect.c,v 1.77 2000/08/28 03:50:54 deraadt Exp $");
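Review bot: this is the same three-line conditional include as in ssh.c, repeated verbatim. Both files already include "includes.h", so placing the `#ifdef SOCKS` / `#include <socks.h>` block once at the top of includes.h would cover both and any other file in the tree that opens outbound sockets, which this patch leaves unwrapped; bsd-rresvport.c includes only config.h and would keep its own copy.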

*** bsd-rresvport.c.orig        Sun Jul  9 12:23:52 2000
--- bsd-rresvport.c     Wed Sep 27 15:00:32 2000
***************
*** 33,38 ****
--- 33,42 ----
   * SUCH DAMAGE.
   */

+ #ifdef SOCKS
+ #include <socks.h>
+ #endif
+
  #include "config.h"

  #ifndef HAVE_RRESVPORT_AF
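Review bot: this include only has an effect when the compatibility implementation below is compiled (`#ifndef HAVE_RRESVPORT_AF`); on platforms whose libc already provides rresvport_af, the privileged-port path never sees the SOCKS wrapper, so either document that the rhosts-style connection path is not socksified there or wrap the call site in sshconnect.c instead. Also, socks.h is pulled in before "config.h", so any feature-test macros config.h defines are not in force while socks.h's own system includes are processed; placing it after config.h is safer.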
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK


SSH over SSL or telnet proxy server

Post by Richard E. Silverm » Sat, 21 Oct 2000 04:00:00


    Dennis> It should be fairly straightforward to put the SOCKS support
    Dennis> code into OpenSSH.  

I believe the OpenSSH developers made a decision a while ago to not
include SOCKS support directly.  The idea was instead to use the
ProxyCommand feature.  I have verified that this works just fine, using a
socksified version of netcat.  However, I don't know of a standard utility
that behaves like that, and without one, it leaves people without a simple
SOCKS solution for OpenSSH.  This issue should be resolved one way or the
other, I think.

--
  Richard Silverman


SSH over SSL or telnet proxy server

Post by Dennis Dav » Wed, 25 Oct 2000 04:00:00




>    Dennis> It should be fairly straightforward to put the SOCKS support
>    Dennis> code into OpenSSH.  

>I believe the OpenSSH developers made a decision a while ago to not
>include SOCKS support directly.  The idea was instead to use the
>ProxyCommand feature.  I have verified that this works just fine,
>using a socksified version of netcat.  However, I don't know of a
>standard utility that behaves like that, and without one, it leaves
>people without a simple SOCKS solution for OpenSSH.  This issue
>should be resolved one way or the other, I think.

I can't say that I'm surprised at the omission of support for NEC
Socks.  The README that comes with OpenSSH includes the phrase "all
patent-encumbered algorithms removed".  This is presumably why you
won't find things like IDEA in OpenSSH.  IDEA is patented and not
free for commercial use.  To include IDEA in OpenSSH would imply
licence restrictions that would otherwise not be present.

There are restrictions on the use of NEC Socks.  The Copyright file
that comes with socks5 includes the sentence:

    You may use the Software for non-commercial purposes only, such
    as academic, research and internal business use.

So to include support for NEC Socks in OpenSSH would again imply
possible restrictions on use.

Dante is available under a BSD/CMU licence:

ftp://ftp.inet.no/pub/socks/LICENSE

which is much less restrictive.  Building OpenSSH against the
dante libraries, or using the dante "socksify" command for runtime
socksifying, should be a viable alternative.

Caveat: I'm not a lawyer and do not play the part of one on
        television.  Working at an academic institute means that
        I can often freely use software that is not licensed for
        commercial use.  Those who may be influenced by licensing
        restrictions should examine the licences for OpenSSH, NEC
        Socks & Dante and decide for themselves.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK