Debian & Ubuntu - SSH Via an HTTP Proxy

So you’re sitting at work, and your much-loved VPS with hosting company X has gone down. You need to bring it back up, but you’re an hour away from getting to a PC.

Fear not, fellow hacker - SSH over an HTTP proxy is here! Well actually, it’s been here a while. Ahem.

Before you do this, I must stress that you should check your network’s usage policy before continuing. You may be breaking your network’s rules, and I cannot & will not be held responsible for anything that arises from using these instructions. You are on your own.

Installing Corkscrew

To quote its package details in the Debian & Ubuntu repositories, Corkscrew “is a simple tool to tunnel TCP connections through an HTTP proxy supporting the CONNECT method. It reads stdin and writes to stdout during the connection, just like netcat”. Put simply, it’s a way of sending traffic that would normally go via other means (say, over port 22) through a proxy server, when the network may block the original route.

We’ll need corkscrew, or a similar TCP tunnel package, to send the info via the proxy. Fire up a shell and execute the following:

sudo apt-get install corkscrew

This will install corkscrew. Don’t worry, it doesn’t run as a daemon, but instead on a per-connection basis (that is, it reads from stdin), so it’s not going to hog many resources. Once that’s done, we’ll configure ssh to use corkscrew instead of a direct connection.

If your HTTP proxy uses authentication, then you’ll need to tell corkscrew the username and password to use. This is where the concept of an ‘auth-file’ comes into play. All you have to do is put your username & password, separated by a colon, into a text file. Once you’ve done this, you just have to tell corkscrew where to find the auth-file. Create a file called .corkscrew-auth in your home directory and place your username and password in the following format:

username:password

Save the file and get ready for the next bit… :)

Configuring ‘ssh’ For Tunneling

Now we’ll tell ssh what to do when connecting to all or specific hosts. Open up ~/.ssh/config (that’s /home/yourusername/.ssh/config) in your favourite text editor (vim > *) and add the following lines:

Host *
ProxyCommand corkscrew proxyhostname proxyport %h %p /home/username/.corkscrew-auth

Note: replace proxyhostname and proxyport with the equivalents for your network.

Note: you won’t need to add the last section, ‘/home/username/.corkscrew-auth’, if your HTTP proxy doesn’t use authentication.

What we’ve just told ssh is that, for all hostnames (‘Host *’), it should use the given proxy command to route the connection. The text after ProxyCommand is all specific to your HTTP tunneling software, except %h and %p, which are ssh config variables for the hostname and port respectively.
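The auth-file holds the proxy password in plain text, and ‘Host *’ sends every ssh connection through the proxy. As an added example (not part of the original post), these sh functions create the auth-file readable only by its owner, check that it stays that way, and print a config block limited to one host; the function names, hostnames and port are made up for illustration.

```sh
#!/bin/sh
# Added example: function names and all sample values are constructed.

# Create the corkscrew auth-file so that only the owner can read it.
# The password is read from stdin, so it never shows up in argv or history.
write_auth_file() {   # usage: write_auth_file FILE USERNAME  (password on stdin)
    file=$1 user=$2
    IFS= read -r pass || [ -n "$pass" ] || return 1
    ( umask 077 && printf '%s:%s\n' "$user" "$pass" > "$file" ) || return 1
    chmod 600 "$file"   # also tightens a file that already existed
}

# Succeed only if FILE exists and grants nothing to group or others.
auth_file_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# Print a ~/.ssh/config block that tunnels only HOSTPATTERN through the
# proxy, rather than 'Host *', which applies to every connection.
proxy_host_block() {  # usage: proxy_host_block HOSTPATTERN PROXYHOST PROXYPORT [AUTHFILE]
    printf 'Host %s\n' "$1"
    printf '    ProxyCommand corkscrew %s %s %%h %%p%s\n' "$2" "$3" "${4:+ $4}"
}
```

For instance, proxy_host_block myvps.example.com proxy.example.internal 3128 "$HOME/.corkscrew-auth" >> ~/.ssh/config appends a block that only applies to that one host.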

This should work out of the box. It did so for me. Test it out in a shell by doing the following:

ssh somehost.com

I think you’ll be pleasantly surprised… Any issues, please post below and I’ll be happy to help out.

Cheers for reading,

Placid

2 Comments

  1. chetan
    Posted July 8, 2008 at 1:17 pm

    On Fedora, you can use netcat:

    $ ssh user@server.com -o "ProxyCommand /usr/bin/nc -X connect -x PROXY:PORT %h %p"

  2. Posted July 27, 2008 at 10:23 am

    chetan:

    Thanks, I wasn’t aware netcat was so versatile (well I knew it was a great tool, but never thought of it to be this usable).

    Note, that’s not just for Fedora users.
