LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 03-07-2010, 04:05 PM   #1
theYinYeti
Senior Member
 
Registered: Jul 2004
Location: France
Distribution: Arch Linux
Posts: 1,897

Rep: Reputation: 61
Need help for SSH tunnel through NTLM-authenticated HTTP proxy


Hello,

I have a problem setting up an SSH tunnel. I know how it's usually done, but the setup is different this time…
I am behind an HTTP(S) and FTP proxy that does NTLM authentication, and I want to access a server beyond the proxy.

MY CLIENT <-> LAN <-> HTTP PROXY <-> INTERNET <-> MY SERVER

So far, the best I have achieved is installing and configuring CNTLM as a local proxy for the authentication part. Using CNTLM, I managed to access and mount a secured (https) DAV share using davfs2.

In theory, CNTLM should let me set up permanent tunnels from local ports to distant ports, and it does; however, these tunnels don't seem to work for SSH or for IMAP (another protocol I tried). I suspect the problem is that neither SSH nor IMAP is HTTP- or FTP-based, but in any case it does not work.

So back to square one: how should I proceed to get ssh to connect through the HTTP proxy (with NTLM authentication) to the remote server?
For that matter, if there's a better way than SSH to create a tunnel that would work in my situation, that's OK with me.

Just in case, here are the relevant parts from my firewall setup on the server:
Code:
# default policies
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT

# reset
iptables -t filter -F INPUT
iptables -t filter -F FORWARD
iptables -t filter -F OUTPUT

# allow continuation of established connections
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# -f matches second and later IP fragments; they carry no TCP header, so the
# port rules below could never match them anyway. With conntrack loaded the
# kernel normally reassembles packets before this chain, so this rarely fires.
iptables -t filter -A INPUT -f -j ACCEPT

# allow local connections
iptables -t filter -A INPUT -i lo -j ACCEPT

# open ports:
# ssh
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
Yves.
 
Old 03-08-2010, 03:43 AM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
You may not be able to get through this proxy, depending on how much traffic inspection is performed.
 
Old 03-10-2010, 09:29 AM   #3
theYinYeti
Senior Member
 
Registered: Jul 2004
Location: France
Distribution: Arch Linux
Posts: 1,897

Original Poster
Rep: Reputation: 61
Actually, I did manage after all

First, the SSH server had to listen on port 443. It wouldn't work on port 21, even though FTP is allowed through the proxy.

Next, as I already had HTTPS working on port 443, I installed SSLH. Now, port 443 is for both HTTPS and SSH. I checked: https:/…, WebDAV, and SyncPlaces all still work reliably, as well as plain SSH from the server's LAN.

Finally, an SSH proxy allows the connection. I did several tests with .ssh/config, mostly with success:
— “ProxyCommand proxytunnel -p HTTP_PROXY:8080 -P PX_LOG:PX_PASS -d %h:%p”: what I ended up using.
— “ProxyCommand proxytunnel -N -p HTTP_PROXY:8080 -P PX_LOG:PX_PASS -d %h:%p” is more secure but did not work for some reason (seems to be a conflict with SSLH).
— “ProxyCommand proxytunnel -p localhost:3128 -d %h:%p” did work however (using CNTLM on localhost:3128), and achieves the same security.
— “ProxyCommand corkscrew localhost 3128 %h %p” is another working solution.

proxytunnel has a feature that corkscrew does not have: the possibility to add HTTP headers, such as “User-Agent: Mozilla/…”.

My .ssh/config file now looks like this:
Code:
Host MY_SERVER
Port 443
KeepAlive yes
ProxyCommand proxytunnel -v -p HTTP_PROXY:8080 -P PX_LOG:PX_PASS -d %h:%p
The result:
Code:
[yves@MY_CLIENT ~]$ ssh MY_SERVER
Local proxy HTTP_PROXY resolves to 1xx.xxx.xxx.xxx
Connected to HTTP_PROXY:8080 (local proxy)

Tunneling to MY_SERVER:443 (destination)
Communication with local proxy:
 -> CONNECT MY_SERVER:443 HTTP/1.0
 -> Proxy-Authorization: Basic BASIcBASicBAsicBasI=
 -> Proxy-Connection: Keep-Alive
 <- HTTP/1.0 200 Connection established

Tunnel established.
yves@MY_SERVER's password: 
Linux MY_SERVER 2.6.nn-n-486 #1 … UTC 2009 i686
…
yves@MY_SERVER:~$
All's not perfect but that's already fine, since I was able to tunnel port 143 and thus read IMAP mail on MY_CLIENT.

Yves.

Last edited by theYinYeti; 03-10-2010 at 09:30 AM.
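The post above relies on sslh to share port 443 between HTTPS and SSH. The following is an added example, not code from the thread or from the sslh project, showing the decision sslh makes for each accepted connection: classify it from the first bytes the client sends, peeked with MSG_PEEK so the chosen backend still receives the whole stream. The function names, the `BACKENDS` table and the sample inputs in the test are assumptions of this example.

```python
import socket

# Constructed backend table (placeholder addresses): where sslh would forward
# each protocol after the real HTTPS server has been moved off port 443.
BACKENDS = {
    "ssh": ("127.0.0.1", 22),
    "tls": ("127.0.0.1", 8443),
    "http": ("127.0.0.1", 8080),
}

TLS_HANDSHAKE = 0x16  # TLS record type "handshake" (ClientHello arrives in it)
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PROPFIND ")


def classify_first_bytes(data: bytes) -> str:
    """Classify a connection from the first bytes the client sent.

    SSH:  the client's identification string "SSH-2.0-..." (RFC 4253).
    TLS:  a handshake record: byte 0x16, then version 0x03 0x00..0x03.
    HTTP: a request line that starts with a method token.
    Returns "need-more" when fewer than 4 bytes are available.
    """
    if len(data) < 4:
        return "need-more"
    if data.startswith(b"SSH-"):
        return "ssh"
    if data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x03:
        return "tls"
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "http"
    return "unknown"


def pick_backend(first_bytes: bytes, backends=BACKENDS, timed_out=False):
    """Choose where to forward. A client that sent nothing before the timeout
    is assumed to be SSH: older OpenSSH clients waited for the server banner
    before speaking, and sslh applies the same fallback after its timeout."""
    kind = classify_first_bytes(first_bytes)
    if kind == "need-more" and timed_out:
        kind = "ssh"
    return backends.get(kind)


def peek_and_pick(conn: socket.socket, backends=BACKENDS, timeout=2.0):
    """Peek at an accepted connection without consuming its bytes (MSG_PEEK),
    so the backend sees the full SSH banner or TLS ClientHello unchanged."""
    conn.settimeout(timeout)
    try:
        first = conn.recv(16, socket.MSG_PEEK)
        timed_out = False
    except socket.timeout:
        first, timed_out = b"", True
    conn.settimeout(None)
    return pick_backend(first, backends, timed_out)
```

The silent-client fallback is the reason a non-SSH client that just opens port 443 and waits ends up talking to sshd; when diagnosing odd behaviour on a shared 443 (such as the `-N` conflict mentioned above), check what the client sends first and whether it sends it within sslh's timeout.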
 
Old 02-25-2012, 02:15 PM   #4
YanPozKa
LQ Newbie
 
Registered: Feb 2012
Posts: 2

Rep: Reputation: Disabled
Same case

Hello,
I have the same situation, with one exception: my <SE.R.VE.R> is already listening on 2232.
I have installed/configured cntlm, my ssh is already listening on 443, and my .ssh/config looks like:
Code:
Host yanpoz
HostName <SE.R.VE.R>
KeepAlive yes
Port 2239
User nameUser
# ProxyCommand corkscrew 127.0.0.1 3128 %h %p
ProxyCommand proxytunnel -p localhost:3128 -d %h:%p
and I need to make an ssh tunnel to my server using user/password authentication,
and when I typed my
Code:
$ ssh yanpoz
I got this output:
Code:
Via localhost:3128 -> <SE.R.VE.R>:2239
analyze_HTTP: readline failed: Connection closed by remote host
ssh_exchange_identification: Connection closed by remote host
Maybe it is because my remote SERVER is listening on 2239? Some help!
Greetings!!
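Both the working trace in post #3 and the failure in the post above come down to one HTTP exchange: a CONNECT request to the proxy and the status line it answers with (or does not). The script below is an added example, not code from the thread, corkscrew or proxytunnel: a minimal ProxyCommand that builds the same request shown in the `-v` trace (optionally with Basic credentials and extra headers such as User-Agent), reads the reply, and then pumps bytes between the tunnel and stdin/stdout as ssh expects. The file name connect_proxy.py, the PROXY_USER/PROXY_PASS environment variables and the placeholder hosts are assumptions of this example.

```python
#!/usr/bin/env python3
"""Minimal HTTP CONNECT ProxyCommand (example, in the style of corkscrew)."""
import base64
import os
import select
import socket
import sys


def build_connect_request(dest_host, dest_port, user=None, password=None,
                          extra_headers=()):
    """Build the request the proxy sees. extra_headers adds lines such as
    "User-Agent: ...", the proxytunnel feature mentioned in post #3."""
    lines = [f"CONNECT {dest_host}:{dest_port} HTTP/1.0",
             f"Host: {dest_host}:{dest_port}"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    lines.append("Proxy-Connection: Keep-Alive")
    lines.extend(extra_headers)
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_connect_response(raw: bytes):
    """Return (status, reason). status is None when no usable reply arrived,
    e.g. the proxy just closed the socket, which proxytunnel reports as
    "analyze_HTTP: readline failed: Connection closed by remote host"."""
    if not raw:
        return None, "connection closed by proxy before any response"
    head, sep, _rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return None, "incomplete response headers"
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None, f"not an HTTP status line: {status_line!r}"
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def open_tunnel(proxy_host, proxy_port, dest_host, dest_port, user=None,
                password=None, extra_headers=(), timeout=10.0):
    """Connect to the proxy, send CONNECT, and return (socket, leftover) once
    a 200 arrives. leftover is any tunnel data that followed the headers in
    the same read (sshd sends its banner immediately, so this does happen)."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(build_connect_request(dest_host, dest_port, user, password,
                                       extra_headers))
    raw = b""
    while b"\r\n\r\n" not in raw:
        chunk = sock.recv(4096)
        if not chunk:
            break
        raw += chunk
    status, reason = parse_connect_response(raw)
    if status != 200:
        sock.close()
        raise ConnectionError(f"CONNECT {dest_host}:{dest_port} via "
                              f"{proxy_host}:{proxy_port} failed: {status} {reason}")
    sock.settimeout(None)
    return sock, raw.partition(b"\r\n\r\n")[2]


def _write_all(fd, data):
    while data:  # os.write to a pipe may be partial
        data = data[os.write(fd, data):]


def relay_stdio(sock, leftover=b""):
    """Pump bytes between the tunnel and stdin/stdout: ssh talks to its
    ProxyCommand over exactly this pair of pipes."""
    _write_all(1, leftover)
    while True:
        readable, _, _ = select.select([0, sock], [], [])
        if 0 in readable:
            data = os.read(0, 65536)
            if not data:
                return
            sock.sendall(data)
        if sock in readable:
            data = sock.recv(65536)
            if not data:
                return
            _write_all(1, data)


if __name__ == "__main__":
    # ~/.ssh/config (placeholders as in the thread):
    #   ProxyCommand python3 connect_proxy.py HTTP_PROXY 8080 %h %p
    # Credentials come from the environment so they do not appear in `ps`.
    proxy_host, proxy_port, dest_host, dest_port = sys.argv[1:5]
    user = os.environ.get("PROXY_USER")
    password = os.environ.get("PROXY_PASS", "")
    try:
        tunnel, rest = open_tunnel(proxy_host, int(proxy_port), dest_host,
                                   int(dest_port), user, password)
    except OSError as exc:  # ConnectionError is an OSError subclass
        print(exc, file=sys.stderr)
        sys.exit(1)
    relay_stdio(tunnel, rest)
```

Run by hand against localhost:3128 with the destination port in question, the error message tells you which of two things happened: an HTTP status such as 403 or 407 (the proxy answered and refused) or an empty reply (cntlm or the upstream proxy dropped the CONNECT without a status line, the case in the output above). Many HTTP proxies permit CONNECT only to port 443, which is consistent with the finding in post #3 that the SSH server had to listen on 443 rather than on another port.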