SSH Proxies

From Schmid.wiki


From a Closed Network To the World

Using PuTTY

This doesn't work!

The scenario involves three hosts: LOCAL, the local machine; DESTINATION, the host I ultimately want to connect to; and PROXY, the intermediate host.

servers:
 LOCAL --> PROXY --> DESTINATION
                          |
                    (DESTINATION can only be reached from PROXY)

In PuTTY, make the following settings:

Session    > Host Name              : DESTINATION
Connection > Proxy > Proxy Hostname : PROXY
                   > Username       : PROXY USERNAME

Alternatively, use as 'local proxy command':

plink %user@%proxyhost -nc %host:%port

Using Subversion over an SSH Proxy Connection

Now I can create tunnels to arbitrary servers visible from DESTINATION, e.g. svn:

Source port: 3690
Destination: SVNSERVER:3690

And then use svn:

svn --username USERNAME ls svn://localhost/path/to/repos

Using OpenSSH

The example given here is a connection from my laptop at Aalborg University to some server.

  • Check that the public key of the local computer is added to authorized_keys at the remote server.
  • Make an entry similar to the following in ~/.ssh/config:

    Host            servername
    HostName        server.name.dk
    User            schmid
    ProxyCommand    ssh homer.cs.aau.dk /usr/bin/nc -w 1 %h 22

  • The ProxyCommand entry should be under each host for which it is needed (not for local hosts!)

Receiving Mail From an Unreachable Host

This description is for receiving mail from a host that can only be reached from another host, which we do have access to. As PuTTY doesn't have the ProxyCommand feature of OpenSSH, we can either use the Cygwin OpenSSH or the OpenSSH for Windows. If you have Cygwin installed, you should not use OpenSSH for Windows. In the description below, we'll use the Cygwin OpenSSH.

The task of receiving mail from a SSH-reachable host is described in SSH Tunneling.

One Way of Doing It

This method forwards port 143 through a tunnel to the unreachable host.

SSH Configuration

~/.ssh/config should have an entry like this:

Host            short_name
HostName        unreachable.host
User            username
# The netcat program is used here for forwarding the data sent to port 22
# to unreachable.host (%h).
ProxyCommand    ssh username@reachable.host /usr/bin/nc -w 1 %h 22
# Here, we forward the IMAP port to the unreachable host. Of course, this
# blocks access to the local IMAP port, but it is impractical
LocalForward    143 unreachable.host:143

Thunderbird Configuration

Ensure that we don't use a proxy:

Tools -> Options -> Advanced -> Offline and Connection Settings -> Connection Settings
Select 'Direct connection to the Internet'

A Better Way of Doing It

A cooler way of doing it is using a SOCKS proxy. However, I can't get this to work. Don't know why.

SSH Configuration

Host            short_name
HostName        unreachable.host
User            username
# The netcat program is used here for forwarding the data sent to port 22
# to unreachable.host (%h).
ProxyCommand    ssh username@reachable.host /usr/bin/nc -w 1 %h 22
DynamicForward  3333

Thunderbird Configuration

SOCKS proxy setup:

Tools -> Options -> Advanced -> Offline and Connection Settings -> Connection Settings
Select 'Manual Proxy Configuration'
Enter SOCKS Host 'localhost' and port 3333

Account settings:

Tools -> Account Settings -> (select account) -> Server Settings
Server Name: unreachable.host
Port:        143
User Name:   username
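
The two forwards configured above (LocalForward 143 and DynamicForward 3333) each open a listening socket on the local machine. The script below is an added example, not part of the original page: it reads ssh_config text and flags forwards that listen beyond loopback or on a privileged port. The hosts short_name_socks, hardened and shared are constructed sample entries, and the script assumes GatewayPorts is left at its default.

```sh
#!/bin/sh
# Added example, not from the original page: audit the listening side of
# LocalForward / DynamicForward entries in ssh_config text read on stdin.
# Assumes whitespace-separated "Keyword value" lines and GatewayPorts left at
# its default (no), so a forward without a bind address listens on loopback.
audit_forwards() {
    awk '
    function report(msg) { printf "%s %s %s: %s\n", host, $1, $2, msg }
    { key = tolower($1) }
    key == "host" { host = $2; next }
    key == "localforward" || key == "dynamicforward" {
        spec = $2; addr = "localhost"; port = spec
        # Listen spec is [bind_address:]port; IPv6 binds are [addr]:port.
        if (match(spec, /:[0-9]+$/)) {
            addr = substr(spec, 1, RSTART - 1)
            port = substr(spec, RSTART + 1)
            gsub(/^\[|\]$/, "", addr)
        }
        if (addr == "" || addr == "*" || addr == "0.0.0.0" || addr == "::")
            report("listens on all interfaces")
        else if (addr !~ /^(localhost$|127\.|::1$)/)
            report("listens on a non-loopback address")
        # Skip Unix-socket forwards, whose listen spec is a path, not a port.
        if ((port ~ /^[0-9]+$/) && (port + 0 < 1024))
            report("privileged port, only root can bind it on Unix")
    }'
}

# Constructed sample: the two forwards from this page plus two made-up hosts.
sample_config() {
    cat <<'EOF'
Host short_name
    LocalForward 143 unreachable.host:143
Host short_name_socks
    DynamicForward 3333
Host hardened
    LocalForward 127.0.0.1:1143 unreachable.host:143
Host shared
    DynamicForward *:3333
EOF
}

sample_config | audit_forwards
```

To check a real configuration, run audit_forwards < ~/.ssh/config.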
