Need help for SSH tunnel through NTLM-authenticated HTTP proxy
Hello,
I have a problem setting up an SSH tunnel. I know how it's usually done, but the setup is different this time… I am behind an HTTP(S) and FTP proxy that does NTLM authentication, and I want to access a server beyond the proxy.

MY CLIENT <-> LAN <-> HTTP PROXY <-> INTERNET <-> MY SERVER

So far, the best I have achieved is installing and configuring CNTLM as a local proxy for the authentication part. Using CNTLM, I managed to access and mount a secured (https) DAV share using davfs2. In theory, CNTLM should let me set up permanent tunnels from local ports to distant ports, and it does; however these tunnels don't seem to work for SSH nor for IMAP (another protocol I tried). I suspect the problem is that neither SSH nor IMAP is HTTP- or FTP-based, but anyway it does not work.

So back to square one: how should I proceed to get ssh to connect through the HTTP proxy (with NTLM authentication) to the remote server? For that matter, if there's a better way than SSH to create a tunnel that would work in my situation, that's OK with me.

Just in case, here are the relevant parts from my firewall setup on the server:
Code:
# default policies
You may not be able to get through this proxy, depending on how much traffic inspection is performed.
Actually, I did manage after all :)

First, the SSH server had to listen on port 443. It wouldn't work on port 21, even though FTP is allowed through the proxy.

Next, as I already had HTTPS working on port 443, I installed SSLH. Now, port 443 is for both HTTPS and SSH. I checked: https:/…, WebDav, and SyncPlaces all still work reliably, as well as plain SSH from the server's LAN.

Finally, an SSH proxy allows the connection. I did several tests with .ssh/config, mostly with success:
— “ProxyCommand proxytunnel -p HTTP_PROXY:8080 -P PX_LOG:PX_PASS -d %h:%p”: what I ended up using.
— “ProxyCommand proxytunnel -N -p HTTP_PROXY:8080 -P PX_LOG:PX_PASS -d %h:%p” is more secure but did not work for some reason (seems to be a conflict with SSLH).
— “ProxyCommand proxytunnel -p localhost:3128 -d %h:%p” did work however (using CNTLM on localhost:3128), and achieves the same security.
— “ProxyCommand corkscrew localhost 3128 %h %p” is another working solution.

proxytunnel has a feature that corkscrew has not: the possibility to add HTTP headers, such as “User-Agent: Mozilla/…”.

My .ssh/config file now looks like this:
Code:
Host MY_SERVER

Code:
[yves@MY_CLIENT ~]$ ssh MY_SERVER

Yves.
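The ProxyCommand tools above all do the same thing: send an HTTP CONNECT to the proxy, check the verdict, then hand the raw socket to ssh. The script below is an added example written for this thread (it is not proxytunnel, corkscrew or anything Yves posted); it assumes CNTLM on localhost:3128 handling NTLM as in the thread, a hypothetical file name connect_proxy.py, and a proxy that permits CONNECT to the target port. Unlike the bare ssh_exchange_identification error, it reports whether the proxy refused the CONNECT or simply closed the connection.

```python
# Hypothetical minimal HTTP CONNECT ProxyCommand (not proxytunnel/corkscrew); CNTLM on
# localhost:3128 does the NTLM part. ~/.ssh/config: ProxyCommand python3 connect_proxy.py localhost 3128 %h %p
import select
import socket
import sys

def build_connect_request(host, port, user_agent="Mozilla/5.0"):
    # User-Agent mimics the header proxytunnel can add (corkscrew cannot).
    return (f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n"
            f"User-Agent: {user_agent}\r\n\r\n").encode()

def parse_connect_response(data):
    # Returns (status_code, reason, bytes after the headers). status_code is None
    # when the proxy closed the connection without a full HTTP reply.
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        return None, "incomplete or non-HTTP reply", b""
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None, " ".join(parts), rest
    return int(parts[1]), (parts[2] if len(parts) == 3 else ""), rest

def relay(sock, leftover):
    # Pump bytes between ssh (our stdin/stdout) and the tunnel until a side closes.
    stdin, stdout = sys.stdin.buffer, sys.stdout.buffer
    stdout.write(leftover); stdout.flush()
    while True:
        readable, _, _ = select.select([sock, stdin], [], [])
        for src in readable:
            chunk = sock.recv(65536) if src is sock else stdin.read1(65536)
            if not chunk:
                return
            if src is sock:
                stdout.write(chunk); stdout.flush()
            else:
                sock.sendall(chunk)

def main(argv):
    proxy_host, proxy_port, host, port = argv[1], int(argv[2]), argv[3], int(argv[4])
    with socket.create_connection((proxy_host, proxy_port)) as sock:
        sock.sendall(build_connect_request(host, port))
        buf = b""
        while b"\r\n\r\n" not in buf and (chunk := sock.recv(4096)):
            buf += chunk
        code, reason, rest = parse_connect_response(buf)
        if code != 200:  # e.g. 403 when the proxy only permits CONNECT to port 443
            sys.exit(f"proxy refused CONNECT {host}:{port}: {code} {reason}")
        relay(sock, rest)
if __name__ == "__main__":
    main(sys.argv)
```

Running it by hand against the proxy with the server's port as the last argument shows the proxy's actual answer, which is the first thing to check when ssh only reports "Connection closed by remote host".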
Same case
Hello,
I have the same situation with an exception: my <SE.R.VE.R> is already listening on 2232. I have installed/configured cntlm, my ssh is already listening on 443, and my .ssh/config looks like:
Code:
Host yanpoz
HostName <SE.R.VE.R>
KeepAlive yes
Port 2239
User nameUser
# ProxyCommand corkscrew 127.0.0.1 3128 %h %p
ProxyCommand proxytunnel -p localhost:3128 -d %h:%p

I need to make an ssh tunnel to my server using user/password authentication, and when I typed my $ ssh yanpoz I got this output:
Code:
Via localhost:3128 -> <SE.R.VE.R>:2239
analyze_HTTP: readline failed: Connection closed by remote host
ssh_exchange_identification: Connection closed by remote host

Maybe it is the fact that my remote SERVER is listening on 2239? Some help! Greetings!!