Thursday, October 14, 2010
James' guide to sshing through an http proxy
May you never need this guide.
Preparing sshd on the server:
- Edit /etc/ssh/sshd_config and add the line:
    Port 443
- Run: service ssh reload
Why port 443 (https)? https can't be truly proxied without subterfuge. Between the SSL protocol itself and the presumed good behavior of the CAs, your company or school proxy can't establish trusted https connections on your behalf. To overcome this, http proxies implement a command called CONNECT which establishes a pass-through connection between the client and the specified host. The operating theory is that the vast majority of http proxies are going to allow CONNECT to arbitrary hosts over port 443, or the web would be broken for most of their users. The proxy can't interfere with this traffic and hopefully they don't look at it too closely either, because ssh is distinguishable from ssl traffic.
Client side (for testing):
- There is a program out there called corkscrew, but it isn't needed on an OS with a relatively thick GNU stack, like Linux or OS X. Those ship nc (netcat), which is corkscrew on crack.
- Try this: ssh -o ProxyCommand="nc -X connect -x <proxy host>:<proxy port> %h %p" -p 443 <user>@<ssh host>
If that works, awesome! Toss the ProxyCommand line in ~/.ssh/config. The Internets have some resources on doing this dynamically based on whether you're behind a proxy or not.
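What nc -X connect actually does on your behalf is the CONNECT exchange described above: send a CONNECT request line to the proxy, wait for an HTTP status line, and only then start passing raw bytes through. Below is an added Python example (not from this post, and not what nc or corkscrew ship) that shows both sides of that exchange and the check a ProxyCommand should make before handing the socket to ssh: a 403 (port not on the proxy's CONNECT whitelist) or 407 (proxy wants credentials) is reported as an error instead of being fed to ssh as if it were sshd's banner. The -X connect/-x flags are the OpenBSD flavour of nc, so this also shows what you would have to write yourself where only a netcat without them is installed. The fake_proxy() function, the host ssh.example.invalid and the banner text SSH-2.0-FakeSshd are constructed so the handshake can be exercised offline; the stdin/stdout relay that a real ProxyCommand does after the handshake is not included.

```python
#!/usr/bin/env python3
"""HTTP CONNECT handshake, client and (fake) proxy side. Added example, not from the
original post; fake_proxy() is a constructed loopback stand-in so it runs offline."""
import socket
import threading


class ConnectError(Exception):
    """The proxy refused or mangled the CONNECT request."""


def build_connect_request(dest_host, dest_port):
    # Request line plus the Host header HTTP/1.1 requires (some proxies check it).
    target = f"{dest_host}:{dest_port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def read_headers(sock):
    """Read through the blank line ending an HTTP header block.
    Returns (first line as str, bytes that arrived after the blank line)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectError("peer closed the connection mid-handshake")
        buf += chunk
        if len(buf) > 65536:
            raise ConnectError("oversized header block")
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head.split(b"\r\n", 1)[0].decode("latin-1"), rest


def open_tunnel(proxy_host, proxy_port, dest_host, dest_port):
    """Issue CONNECT via the proxy; return (socket, leftover bytes) once it answers 2xx.
    A 403 (port not on the CONNECT whitelist) or 407 (credentials wanted) becomes a
    ConnectError rather than being handed to ssh as though it were sshd's banner.
    Leftover bytes are whatever arrived in the same read as the headers (often the
    start of the SSH banner) and must not be dropped."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=30)
    try:
        sock.sendall(build_connect_request(dest_host, dest_port))
        status_line, rest = read_headers(sock)
        parts = status_line.split(" ", 2)
        if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
            raise ConnectError(f"malformed proxy reply: {status_line!r}")
        if not 200 <= int(parts[1]) < 300:
            raise ConnectError(f"CONNECT {dest_host}:{dest_port} refused: {status_line}")
    except Exception:
        sock.close()
        raise
    sock.settimeout(None)  # the SSH session that follows has no handshake deadline
    return sock, rest


def fake_proxy(allowed_ports=(443,)):
    """Constructed loopback proxy for offline testing: serves one CONNECT, allows only
    the listed ports (then fakes an sshd banner and echoes), answers 403 otherwise.
    Returns the (host, port) it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            request_line, _ = read_headers(conn)
            target = request_line.split(" ", 2)[1]
            if int(target.rsplit(":", 1)[1]) not in allowed_ports:
                conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
                return
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\nSSH-2.0-FakeSshd\r\n")
            while data := conn.recv(4096):
                conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo():
    """Both outcomes against the fake proxy: a tunnel to 443 yields the sshd banner,
    a tunnel to 22 is refused and the 403 surfaces as an error."""
    sock, buf = open_tunnel(*fake_proxy(), "ssh.example.invalid", 443)
    while b"\r\n" not in buf:  # finish reading the banner line
        buf += sock.recv(4096)
    sock.close()
    try:
        open_tunnel(*fake_proxy(), "ssh.example.invalid", 22)
        refused = None
    except ConnectError as exc:
        refused = str(exc)
    return buf.split(b"\r\n", 1)[0], refused


if __name__ == "__main__":
    print(demo())
```

Running it prints the banner recovered through the allowed tunnel and the error string for the refused one. The leftover-bytes handling in open_tunnel matters in practice: a proxy may forward the first bytes of sshd's banner in the same TCP segment as its 200 reply, and a ProxyCommand that reads the headers and throws the rest away will leave ssh waiting for a banner that never comes.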