Tuesday, October 6, 2009

Using Corkscrew to tunnel SSH over HTTP

Ever come to work and realize you left a required file at home? Or you’re out on the road and find yourself in the same situation?

Some environments and ISPs have strict firewall rules that can make life difficult. In some cases, these rules are absolutely required, in others perhaps not so much. If you are in an environment that disallows the use of SSH and forces the use of an HTTP proxy, it is possible to use that HTTP proxy as a transport for SSH.

Please note that I am not advocating breaking out of your environment’s firewall if you have a policy that expressly prevents that or outbound SSH access!

Unfortunately in the real world, some draconian firewall rules are in place that cause more grief than they need to and without a real reason.

In some environments, however, the explicit denial of outbound SSH is required and for that reason you should respect the policy.

I am not at all advocating breaking any rules unless you have permission or an exception from the people that should provide it.

With that disclaimer out of the way, go to the Corkscrew homepage and download the source for Corkscrew.

Corkscrew is an HTTP-tunneling program that does not require server-side modifications to work. It is also cross-platform and will work on most client systems.

To build Corkscrew, simply unpack the tarball and run:
# ./configure
# make

Then copy the resulting corkscrew application to somewhere in your PATH or in ~/bin/. Next, edit your SSH configuration file, ~/.ssh/config, and add:
Host somehost
    Hostname somehost.example.com
    ProxyCommand /home/user/bin/corkscrew proxy.example.com 8080 %h %p

Replace the hostname with the host you are attempting to SSH into, and replace “proxy.example.com” with the actual HTTP proxy.

You may also need to replace the port (8080) if the proxy listens on an alternate port (e.g., port 3128 in the case of Squid).

OpenSSH transparently substitutes the hostname to connect to (somehost.example.com) for %h and the port to connect to (22, by default) for %p.

The ProxyCommand line here is telling OpenSSH to start the Corkscrew program to make the actual connection to the end SSH server.

You can create multiple entries for all of the hosts you may need to connect to, or use a simple regular expression or the global asterisk (*) in the Host line (* will tell OpenSSH to use this Host stanza for all connections).

When this is done, you should be able to run ssh somehost and have the connection be established, just as if you were connecting directly.
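Before relying on the ProxyCommand, it helps to know whether the proxy will grant a CONNECT to the SSH port at all. The script below is an added example, not Corkscrew's code or anything from the original post: it performs the same first step Corkscrew does on OpenSSH's behalf (send "CONNECT host:port HTTP/1.0" to the proxy and read the status line), then stops and reports the status instead of relaying the SSH session. The FakeProxy class is a constructed stand-in so the example runs offline; it answers 200 only for the ports it is told to allow, which is how a proxy with a restrictive CONNECT policy behaves. Host names and ports are assumed values.

```python
"""Check whether an HTTP proxy accepts a CONNECT tunnel to an SSH port.

Added example (not Corkscrew's own code). The handshake here is the one a
ProxyCommand helper performs before handing the socket to the SSH client.
"""
import socket
import threading


def build_connect_request(host: str, port: int) -> bytes:
    """Request line a Corkscrew-style helper sends (HTTP/1.0, no proxy auth)."""
    return f"CONNECT {host}:{port} HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")


def parse_connect_status(response: bytes) -> int:
    """Return the HTTP status code from the proxy's reply, or 0 if it is not HTTP."""
    first_line = response.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return 0
    try:
        return int(parts[1])
    except ValueError:
        return 0


def read_headers(sock: socket.socket) -> bytes:
    """Read until the blank line that ends an HTTP header block (or EOF)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe_proxy(proxy_host: str, proxy_port: int, target_host: str,
                target_port: int = 22, timeout: float = 5.0) -> int:
    """Send the CONNECT request and return the status the proxy answers with."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_connect_request(target_host, target_port))
        return parse_connect_status(read_headers(sock))


class FakeProxy:
    """Constructed offline stand-in for a proxy: grants CONNECT only to allowed_ports.

    It serves exactly one connection on an ephemeral localhost port.
    """

    def __init__(self, allowed_ports=(443,)):
        self.allowed_ports = set(allowed_ports)
        self.server = socket.socket()
        self.server.bind(("127.0.0.1", 0))
        self.server.listen(1)
        self.port = self.server.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.server.accept()
        with conn:
            request = read_headers(conn)
            target = request.split(b" ", 2)[1]          # the "host:port" token
            port = int(target.rsplit(b":", 1)[1])
            if port in self.allowed_ports:
                conn.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
            else:
                conn.sendall(b"HTTP/1.0 403 Forbidden\r\n\r\n")
        self.server.close()


if __name__ == "__main__":
    import sys
    # Usage: python probe.py proxy.example.com 8080 somehost.example.com 22
    proxy, pport, host, port = sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4])
    status = probe_proxy(proxy, pport, host, port)
    print("tunnel accepted" if status == 200 else f"proxy refused CONNECT (HTTP {status})")
```

A 200 means the proxy will carry the tunnel and the ProxyCommand should work; a 403 or similar means the proxy's CONNECT policy is the problem rather than your SSH configuration, and a 407 means the proxy wants credentials that this plain handshake does not supply.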

Keep in mind this may not work with all proxies, so it may be a little hit-and-miss, but it should work with Squid and Apache’s mod_proxy module as well as a few other popular implementations.
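From the proxy administrator's side, an SSH session carried this way is indistinguishable from HTTPS except for the destination port, and Squid records exactly that: each CONNECT appears in access.log with the host:port it tunnelled to. The script below is an added example, not part of the original post, that scans Squid's native log format for CONNECT requests to ports other than 443 and reports whether each one was granted. The log lines are constructed samples, and the field order assumed is Squid's default native format (timestamp, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy/peer, content type).

```python
"""Flag CONNECT tunnels to non-HTTPS ports in Squid's native access.log.

Added example (not from the original post). The sample log below is
constructed; the field layout follows Squid's default native format.
"""
import re
from typing import Dict, List, Optional

# Constructed sample lines: one normal HTTPS tunnel, one granted tunnel to
# port 22, one denied tunnel to port 22, and an ordinary GET.
SAMPLE_LOG = """\
1254800001.123   1200 10.0.0.5 TCP_TUNNEL/200 4521 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1254800002.456 185000 10.0.0.5 TCP_TUNNEL/200 98213 CONNECT somehost.example.com:22 - HIER_DIRECT/203.0.113.10 -
1254800003.789      3 10.0.0.7 TCP_DENIED/403 3921 CONNECT somehost.example.com:22 - HIER_NONE/- text/html
1254800004.012    410 10.0.0.9 TCP_MISS/200 15102 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
)

HTTPS_PORTS = {443}


def parse_line(line: str) -> Optional[Dict]:
    """Parse one native-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def split_target(url: str):
    """CONNECT lines carry 'host:port' rather than a full URL."""
    host, _, port = url.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def find_tunnels(log_text: str, allowed_ports=HTTPS_PORTS) -> List[Dict]:
    """Return CONNECT requests to ports outside allowed_ports, granted or denied.

    Denied attempts are kept too: a client repeatedly asking for port 22 is
    worth knowing about even when the ACL held.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, port = split_target(rec["url"])
        if port is None or port in allowed_ports:
            continue
        hits.append({
            "client": rec["client"],
            "target": host,
            "port": port,
            "status": rec["status"],
            "granted": rec["result"].startswith("TCP_TUNNEL") and rec["status"] == 200,
            "elapsed_ms": int(rec["elapsed"]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_tunnels(SAMPLE_LOG):
        verdict = "GRANTED" if hit["granted"] else "denied"
        print(f"{hit['client']} -> {hit['target']}:{hit['port']} {verdict} "
              f"(HTTP {hit['status']}, {hit['elapsed_ms']} ms)")
```

The long elapsed time on a granted tunnel is the other tell: an interactive SSH session holds the CONNECT open far longer than a typical HTTPS request. This is also the same policy boundary that makes the technique "hit-and-miss": Squid's stock configuration only permits CONNECT to the ports listed in its SSL_ports ACL, so on an unmodified Squid the port-22 attempt shows up as the TCP_DENIED/403 line rather than a working tunnel.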
