Access SSH server via HTTP proxy - SSH

  1. Access SSH server via HTTP proxy

    Hi,
    My company doesn't allow any kind of connection to outside. The only
    way you can have access to the internet is thru the company's HTTP
    proxy. Other traffic (DNS included) is prohibited.
    I have learned that you can access ssh server via http proxy. But when
    I set it up in PUTTY (under Connection -> Proxy tab) looks like the
    HTTP proxy detects I am trying to connect to SSH server. Thus it throws
    service not allowed exception (error 403).
    But if I try to change the port # of ssh server setting for PUTTY from
    22 to 80 it throws this exception:
    503: service unavailable.

    So I wonder if I change my SSH server port to 8080 for example, will it
    work for me?

    Thanks guys


  2. Re: Access SSH server via HTTP proxy

    Doug wrote:
    > Hi,
    > My company doesn't allow any kind of connection to outside. The only
    > way you can have access to the internet is thru the company's HTTP
    > proxy. Other traffic (DNS included) is prohibited.
    > I have learned that you can access ssh server via http proxy. But when
    > I set it up in PUTTY (under Connection -> Proxy tab) looks like the
    > HTTP proxy detects I am trying to connect to SSH server. Thus it throws
    > service not allowed exception (error 403).
    > But if I try to change the port # of ssh server setting for PUTTY from
    > 22 to 80 it throws this exception:
    > 503: service unavailable.
    >
    > So I wonder if I change my SSH server port to 8080 for example, will it
    > work for me?
    >
    > Thanks guys
    >


    In order to access the web from work, do you have to enter the proxy
    server's info into your browser's configuration? If not you may be
    hitting a firewall restriction and not a proxy server issue at all. If
    this is the case you just need to run your ssh server on a port that is
    not blocked by the firewall and configure putty to connect to it
    directly on that non-standard port. A few that would likely work are 80
    (http), 443 (https), 8080-8089 (typical proxy server port #'s).

  3. Re: Access SSH server via HTTP proxy

    Thanks for your response.
    Yes, I do have to enter the proxy hostname and port in my browser.
    As I indicated earlier, no traffic is allowed except traffic going thru
    the proxy (after filtering and inspection, I guess)

    Thanks

    Chuck wrote:
    > Doug wrote:
    > > Hi,
    > > My company doesn't allow any kind of connection to outside. The only
    > > way you can have access to the internet is thru the company's HTTP
    > > proxy. Other traffic (DNS included) is prohibited.
    > > I have learned that you can access ssh server via http proxy. But when
    > > I set it up in PUTTY (under Connection -> Proxy tab) looks like the
    > > HTTP proxy detects I am trying to connect to SSH server. Thus it throws
    > > service not allowed exception (error 403).
    > > But if I try to change the port # of ssh server setting for PUTTY from
    > > 22 to 80 it throws this exception:
    > > 503: service unavailable.
    > >
    > > So I wonder if I change my SSH server port to 8080 for example, will it
    > > work for me?
    > >
    > > Thanks guys
    > >

    >
    > In order to access the web from work, do you have to enter the proxy
    > server's info into your browser's configuration? If not you may be
    > hitting a firewall restriction and not a proxy server issue at all. If
    > this is the case you just need to run your ssh server on a port that is
    > not blocked by the firewall and configure putty to connect to it
    > directly on that non-standard port. A few that would likely work are 80
    > (http), 443 (https), 8080-8089 (typical proxy server port #'s).



  4. Re: Access SSH server via HTTP proxy

    "Doug" writes:

    > Hi,
    > My company doesn't allow any kind of connection to outside. The only
    > way you can have access to the internet is thru the company's HTTP
    > proxy. Other traffic (DNS included) is prohibited.
    > I have learned that you can access ssh server via http proxy. But when
    > I set it up in PUTTY (under Connection -> Proxy tab) looks like the
    > HTTP proxy detects I am trying to connect to SSH server. Thus it throws
    > service not allowed exception (error 403).
    > But if I try to change the port # of ssh server setting for PUTTY from
    > 22 to 80 it throws this exception:
    > 503: service unavailable.
    >
    > So I wonder if I change my SSH server port to 8080 for example, will it
    > work for me?


    If you change your SSH server to listen on 443 you'll probably be
    golden.


    --
    Todd H.
    http://www.toddh.net/

  5. Re: Access SSH server via HTTP proxy

    Todd H. wrote:
    > "Doug" writes:
    >
    > If you change your SSH server to listen on 443 you'll probably be
    > golden.



    Most likely it will not... or at least, this is just half of the job.

    An http-proxy can be made to just pass the packets to another machine
    with the "connect"-method. (just telnet to your http-proxy port and
    enter "connect rem.ote.mach.ine port")

    In a lot of setups (including my own) the connect-method is only allowed
    to port 443, so your ssh-server should listen on that port.

    But you still need a software which connects to the http-proxy and
    tells it to pass this connection along using the connect-method.

    There's one: http://zippo.taiyo.co.jp/~gotoh/ssh/connect.html
    I use it for exactly this job under Linux. connect.c can be compiled
    for Windows too, but I don't know whether you can make putty use this
    connect-command. I have no Windows machine here to test this, but maybe
    in 13 hours.

    Cheers,
    Armin


  6. Re: Access SSH server via HTTP proxy

    But that is you are using openSSH.
    I understand that Putty already has HTTP proxy connect built in.
    I hope my understanding is correct.
    doug

    On Oct 16, 1:48 pm, "hasenhei" wrote:
    > Todd H. wrote:
    > > "Doug" writes:

    >
    > > If you change your SSH server to listen on 443 you'll probably be
    > > golden.
    >
    > Most likely it will not... or at least, this is just half of the job.
    >
    > An http-proxy can be made to just pass the packets to another machine
    > with the "connect"-method. (just telnet to your http-proxy port and
    > enter "connect rem.ote.mach.ine port")
    >
    > In a lot of setups (including my own) the connect-method is only allowed
    > to port 443, so your ssh-server should listen on that port.
    >
    > But you still need a software which connects to the http-proxy and
    > tells it to pass this connection along using the connect-method.
    >
    > There's one: http://zippo.taiyo.co.jp/~gotoh/ssh/connect.html
    > I use it for exactly this job under Linux. connect.c can be compiled
    > for Windows too, but I don't know whether you can make putty use this
    > connect-command. I have no Windows machine here to test this, but maybe
    > in 13 hours.
    >
    > Cheers,
    > Armin



  7. Re: Access SSH server via HTTP proxy

    Doug wrote:
    > But that is you are using openSSH.
    > I understand that Putty already has HTTP proxy connect built in.
    > I hope my understanding is correct.


    Doug, your understanding is absolutely correct :-)

    I just didn't know that putty has this functionality built-in. I just
    tested configuring proxy in putty on a windows-machine now, and it
    worked fine.

    Doug wrote:

    > But when
    > I set it up in PUTTY (under Connection -> Proxy tab) looks like the
    > HTTP proxy detects I am trying to connect to SSH server. Thus it throws
    > service not allowed exception (error 403).


    Right, this is what I meant when saying "In a lot of setups (including
    my own) the connect-method is only allowed to port 443,".

    The proxy-server of your company does not allow the connect-method to
    port 22.

    > But if I try to change the port # of ssh server setting for PUTTY from
    > 22 to 80 it throws this exception:
    > 503: service unavailable.


    Yes, because there's no ssh-server (not even anything at all)
    responding on port 80 on the machine you try to connect to.

    I think the solution to your problem was already given by Todd H. in
    his previous message.

    You should configure your ssh-server to listen on port 443 (maybe 80
    would do too here, but 443 is better).
    Of course you need to tell putty to connect to port 443 then. I just
    tested this here, and it worked fine.

    Cheers,
    Armin

    PS: Be careful with firewall-piercing if your work-contract does not
    allow such habits.
    Of course this ssh-connection shows up in the proxy-log.
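
Added example, not part of the original thread: how the CONNECT attempts discussed above (the 403 on port 22, the 503 on port 80, the working tunnel on another port) look to whoever reviews the proxy log. It assumes Squid's native access.log layout; the log lines, host names, port allow-list and one-hour threshold are constructed for illustration.

```python
# Constructed sample in Squid's native access.log layout (an assumption):
# time elapsed_ms client result/status bytes method target user peer type
SAMPLE_LOG = """\
1161640000.100 12 10.0.0.5 TCP_DENIED/403 1500 CONNECT home.example.net:22 - NONE/- text/html
1161640050.200 950 10.0.0.7 TCP_MISS/200 5200 CONNECT www.example.org:443 - DIRECT/192.0.2.10 -
1161640100.300 40 10.0.0.5 TCP_MISS/503 1400 CONNECT home.example.net:80 - DIRECT/198.51.100.7 -
1161647300.400 7200000 10.0.0.5 TCP_MISS/200 880000 CONNECT home.example.net:8080 - DIRECT/198.51.100.7 -
1161647400.500 300 10.0.0.9 TCP_MISS/200 4100 GET http://www.example.org/ - DIRECT/192.0.2.10 text/html
"""

HTTPS_PORTS = {443}               # assumption: CONNECT is expected for HTTPS only
MAX_TUNNEL_MS = 60 * 60 * 1000    # assumption: review tunnels open over one hour


def review_connects(log_text):
    """Return (client, target, reasons) for CONNECT entries worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT" or not f[1].isdigit():
            continue  # not a CONNECT entry, or not a line in the assumed layout
        elapsed_ms, client, target = int(f[1]), f[2], f[6]
        result, _, status = f[3].partition("/")
        port = target.rpartition(":")[2]
        reasons = []
        if result == "TCP_DENIED":
            reasons.append("refused by proxy policy")
        elif status != "200":
            reasons.append("failed upstream (%s)" % status)
        else:
            # A tunnel to 443 passes the port check whatever it carries;
            # only its duration stands out in this log.
            if not port.isdigit() or int(port) not in HTTPS_PORTS:
                reasons.append("tunnel to non-HTTPS port")
            if elapsed_ms > MAX_TUNNEL_MS:
                reasons.append("long-lived tunnel")
        if reasons:
            findings.append((client, target, reasons))
    return findings


if __name__ == "__main__":
    for client, target, reasons in review_connects(SAMPLE_LOG):
        print(client, target, "; ".join(reasons))
```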


  8. Re: Access SSH server via HTTP proxy

    Just an update.
    I did what Todd told and it is working fine.
    Thanks Todd, you the man

    hasenhei wrote:
    > Doug wrote:
    > > But that is you are using openSSH.
    > > I understand that Putty already has HTTP proxy connect built in.
    > > I hope my understanding is correct.

    >
    > Doug, your understanding is absolutely correct :-)
    >
    > I just didn't know that putty has this functionality built-in. I just
    > tested configuring proxy in putty on a windows-machine now, and it
    > worked fine.
    >
    > Doug wrote :
    >
    > But when
    > > I set it up in PUTTY (under Connection -> Proxy tab) looks like the
    > > HTTP proxy detects I am trying to connect to SSH server. Thus it throws
    > > service not allowed exception (error 403).

    >
    > Right, this is what I meant when saying "In a lot of setups (including
    > my own) the connect-method is only allowed to port 443,".
    >
    > The proxy-server of your company does not allow the connect-method to
    > port 22.
    >
    > > But if I try to change the port # of ssh server setting for PUTTY from
    > > 22 to 80 it throws this exception:
    > > 503: service unavailable.

    >
    > Yes, because there's no ssh-server (not even anything at all)
    > responding on port 80 on the machine you try to connect to.
    >
    > I think the solution to your problem was already given by Todd H. in
    > his previous message.
    >
    > You should configure your ssh-server to listen on port 443 (maybe 80
    > would do too here, but 443 is better).
    > Of course you need to tell putty to connect to port 443 then. I just
    > tested this here, and it worked fine.
    >
    > Cheers,
    > Armin
    >
    > PS: Be careful with firewall-piercing if your work-contract does not
    > allow such habits.
    > Of course this ssh-connection shows up in the proxy-log.



  9. Re: Access SSH server via HTTP proxy

    "Doug" writes:

    > Just an update.
    > I did what Todd told and it is working fine.
    > Thanks Todd, you the man


    Woot! Glad to help.

    So setting up the server to listen on 443 let you get out to it just
    fine?


    --
    Todd H.
    http://www.toddh.net/

  10. Re: Access SSH server via HTTP proxy

    Yes,
    Apparently setting up sshd listening on 443 or 8080 would be fine. I
    set it up at 8080 by the way.
    Thanks man

    Todd H. wrote:
    > "Doug" writes:
    >
    > > Just an update.
    > > I did what Todd told and it is working fine.
    > > Thanks Todd, you the man

    >
    > Woot! Glad to help.
    >
    > So setting up the server to listen on 443 let you get out to it just
    > fine?
    >
    >
    > --
    > Todd H.
    > http://www.toddh.net/



  11. Re: Access SSH server via HTTP proxy

    On Mon, 23 Oct 2006 14:59:19 -0700, Doug wrote:
    > Apparently setting up sshd listening on 443 or 8080 would be fine.


    I have always set my home ssh server on port 443 for this reason and it
    has worked for me. Does anybody know whether this will always work in
    all environments? Or are there "deep inspection" corporate firewalls
    that can discern the ssh content (the setup at least) and block it (but
    still pass normal https)?

  12. Re: Access SSH server via HTTP proxy

    Mark wrote:
    > On Mon, 23 Oct 2006 14:59:19 -0700, Doug wrote:
    >> Apparently setting up sshd listening on 443 or 8080 would be fine.


    > I have always set my home ssh server on port 443 for this reason and it
    > has worked for me. Does anybody know whether this will always work in
    > all environments? Or are there "deep inspection" corporate firewalls
    > that can discern the ssh content (the setup at least) and block it (but
    > still pass normal https)?


    I don't know about 'discern the ssh content', but you could use a web
    proxy instead of a normal firewall. Such a device could participate in
    the HTTPS connection, which the ssh client would not conduct. That
    would prevent basic use of the port. You could still tunnel traffic,
    but it would have to be done within an HTTPS transport rather than
    directly via TCP/443.

    The first hit for me on google turned up this page:
    http://dag.wieers.com/howto/ssh-http-tunneling/

    --
    Darren Dunham ddunham@taos.com
    Senior Technical Consultant TAOS http://www.taos.com/
    Got some Dr Pepper? San Francisco, CA bay area
    < This line left intentionally blank to confuse you. >

  13. Re: Access SSH server via HTTP proxy

    Mark wrote:
    > I have always set my home ssh server on port 443 for this reason and it
    > has worked for me. Does anybody know whether this will always work in
    > all environments? Or are there "deep inspection" corporate firewalls
    > that can discern the ssh content (the setup at least) and block it (but
    > still pass normal https)?


    One simple thing a firewall can do which hardly touches HTTPS but
    frustrates _most_ of the useful things you can do with SSH is to set
    a very short maximum lifetime on any connection. No need to even try
    to figure out the nature of the data being passed.

    I haven't heard of anyone deliberately doing this to annoy SSH
    users, but I do know I've heard of firewalls doing this _by
    accident_ and only SSH users noticing...
    --
    Simon Tatham These are my opinions. There are many
    like them but these ones are mine.

  14. Re: Access SSH server via HTTP proxy

    Well, in Putty I set the param "keep Alive" to 26 secs. So Putty
    constantly keeps the connection alive every 26 secs.
    I believe the firewall only closes the connection if it is inactive for 30
    or 50 seconds.

    Regards

    On Oct 24, 1:51 am, Simon Tatham wrote:
    > Mark wrote:
    > > I have always set my home ssh server on port 443 for this reason and it
    > > has worked for me. Does anybody know whether this will always work in
    > > all environments? Or are there "deep inspection" corporate firewalls
    > > that can discern the ssh content (the setup at least) and block it (but
    > > still pass normal https)?
    >
    > One simple thing a firewall can do which hardly touches HTTPS but
    > frustrates _most_ of the useful things you can do with SSH is to set
    > a very short maximum lifetime on any connection. No need to even try
    > to figure out the nature of the data being passed.
    >
    > I haven't heard of anyone deliberately doing this to annoy SSH
    > users, but I do know I've heard of firewalls doing this _by
    > accident_ and only SSH users noticing...
    > --
    > Simon Tatham These are my opinions. There are many
    > like them but these ones are mine.



  15. Re: Access SSH server via HTTP proxy

    On 2006-10-23, Mark wrote:
    > On Mon, 23 Oct 2006 14:59:19 -0700, Doug wrote:
    >> Apparently setting up sshd listening on 443 or 8080 would be fine.

    >
    > I have always set my home ssh server on port 443 for this reason and it
    > has worked for me. Does anybody know whether this will always work in
    > all environments? Or are there "deep inspection" corporate firewalls
    > that can discern the ssh content (the setup at least) and block it (but
    > still pass normal https)?


    They could trivially (SSH connections always start with the "SSH-"
    identifier) although I'm not aware of any product that actually does this.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
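
Added example, not part of the original thread: the check described in the last post, written as a classifier for the first bytes of a stream tunneled to port 443. It tells an SSH identification string (RFC 4253, section 4.2) from a TLS ClientHello; the function name, the preamble-line limit and the sample byte strings are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments".
# softwareversion is printable ASCII without whitespace or '-'.
SSH_ID = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x2c\x2e-\x7e]+)(?: .*)?$")

# A server may send other text lines before its identification string,
# so look at a few lines rather than only byte 0 (limit is an assumption).
MAX_PREAMBLE_LINES = 10


def classify_stream(first_bytes):
    """Label the opening bytes seen in one direction of a TCP stream."""
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # minor version, 2-byte length, then handshake type 0x01 (ClientHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return ("tls-client-hello", None)
    for line in first_bytes.split(b"\n")[:MAX_PREAMBLE_LINES]:
        m = SSH_ID.match(line.rstrip(b"\r"))
        if m:
            return ("ssh", m.group(0).decode("ascii"))
    return ("unknown", None)


# Constructed samples: what a client or server might send first.
SAMPLES = {
    "ssh client": b"SSH-2.0-PuTTY_Release_0.58\r\n",
    "ssh server with preamble": b"Welcome\r\nSSH-2.0-OpenSSH_4.3\r\n",
    "tls": bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B]),
    "plain http": b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", classify_stream(data))
```

This only works where the inspecting device sees the stream in clear, as with a plain CONNECT tunnel; SSH wrapped inside a real TLS session shows a ClientHello first.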
