SSH through HTTP proxy

This article explains how to connect to a ssh server located on the internet from a local network protected by a firewall through a HTTPS proxy.

Requirement are :

  • Your firewall has to allow HTTPS connections through a proxy
  • You need to have root access to the server where ssh is listening

Configure the ssh server

The ssh daemon need to listen on 443 port. To accomplish this, just edit this file (on debian system) /etc/ssh/sshd_config and add this line :

Port 443

Then restart the daemon :

sudo /etc/init.d/ssh restart

Configure the client

I suppose you are on a Linux system (debian for example). First you have to compile the connect binary which will help your ssh client to use proxies (HTTPS in our case). Then you have to configure your ssh client to tell him to use HTTPS proxy when he tries to connect to your ssh server.

  1. Install the connect software :
    • On debian system, just install the connect-proxy package :
      sudo apt-get install connect-proxy
    • On other Linux systems, you have to compile it :
      cd /tmp/
      wget http://www.meadowy.org/~gotoh/ssh/connect.c
      gcc connect.c -o connect
      sudo cp connect /usr/local/bin/ ; chmod +x /usr/local/bin/connect
  2. Configure your ssh client. Open or create your ~/.ssh/config file and add these lines :
    ## Outside of the firewall, with HTTPS proxy
    Host my-ssh-server-host.net
      ProxyCommand connect -H proxy.free.fr:3128 %h 443
    ## Inside the firewall (do not use proxy)
    Host *
       ProxyCommand connect %h %p
  3. Then pray and test the connection :
    ssh my-ssh-server-host.net

SSH to another server through the tunnel

For example to connect to in ssh github.com :

Host github.com
  ProxyCommand=ssh my-ssh-server-host.net "/bin/nc -w1 %h %p"

Discussion

LinusLinus, 2010/04/01 19:58

Works damn good. Thanks.

JohanJohan, 2010/04/29 09:18

I found this article useful (and confusing at first) http://www.saulchristie.com/how-to/bypass-firewalls

Bit more complicated but unlike the 'connect' method this technique will work anywhere, even if full level 7 traffic analysis is performed on the link.

MattMatt, 2011/01/14 17:08

Thanks a ton for posting this, works great behind my corporate firewall. Now I can run Ubuntu in a VM in peace.

Enter your comment
 
 
 

Recent changes RSS feed Valid XHTML 1.0 Valid CSS Driven by DokuWiki