Hello,

I have a problem setting up a SSH tunnel. I know how it's usually done, but the setup is different this time…
I am behind a HTTP(S) and FTP proxy, that does NTLM authentication, and I want to access a server beyond the proxy.

MY CLIENT <-> LAN <-> HTTP PROXY <-> INTERNET <-> MY SERVER

So far, the best I have achieved is installing and configuring CNTLM as a local proxy for the authentication part. Using CNTLM, I managed to access and mount a secured (https) DAV share using davfs2.

In theory, CNTLM should let me setup permanent tunnels from local ports to distant ports, and it does; however these tunnels don't seem to work for SSH nor for IMAP (another protocol I tried). I suspect the problem is that neither SSH nor IMAP is HTTP- or FTP-based, but anyway it does not work.

So back to square one: how should I proceed to get ssh to connect through the HTTP proxy (with NTLM authentication) to the remote server?
For that matter, if there's a better way than SSH to create a tunnel, that would work in my situation, that's OK with me.

Just in case, here are the relevant parts from my firewall setup on the server:
Yves.

You may not be able to through this proxy, depending on how much traffic inspection is performed

Actually, I did manage after all

First, the SSH server had to listen on port 443. It wouldn't work on port 21, even though FTP is allowed through the proxy.

Next, as I already had HTTPS working on port 443, I installed SSLH. Now, port 443 is for both HTTPS and SSH. I checked: https:/…, WebDav, and SyncPlaces all still work reliably, as well as plain SSH from the server's LAN.

Finally, an SSH proxy allows the connection. I did several tests with .ssh/config, mostly with success:
— “ProxyCommand proxytunnel -p HTTP_PROXY:8080 -P PX_LOG:PX_PASS -d %h:%p”: what I ended up using.
— “ProxyCommand proxytunnel -N -p HTTP_PROXY:8080 -P PX_LOG:PX_PASS -d %h:%p” is more secure but did not work for some reason (seems to be a conflict with SSLH).
— “ProxyCommand proxytunnel -p localhost:3128 -d %h:%p” did work however (using CNTLM on localhost:3128), and achieves the same security.
— “ProxyCommand corkscrew localhost 3128 %h %p” is another working solution.

proxytunnel has a feature that corkscrew has not: the possibility to add HTTP headers, such as “User-Agent: Mozilla/…”.

My .ssh/config file now looks like this:
The result:
All's not perfect but that's already fine, since I was able to tunnel port 143 and thus read IMAP mail on MY_CLIENT.

Yves.

Hello,
I have a same situation with a exception that my <SE.R.VE.R> is already lisen on 2232,
I have installed/config cntlm, my ssh is already lisen on 443, and my .ssh/config looks like:

Host yanpoz
HostName <SE.R.VE.R>
KeepAlive yes
Port 2239
User nameUser
# ProxyCommand corkscrew 127.0.0.1 3128 %h %p
ProxyCommand proxytunnel -p localhost:3128 -d %h:%p

and I need to make a tunnel ssh to my server using a user/password autentication
and when I typed my
$ ssh yanpoz
I got this output:

Via localhost:3128 -> <SE.R.VE.R>:2239
analyze_HTTP: readline failed: Connection closed by remote host
ssh_exchange_identification: Connection closed by remote host

Maybe the fact of my remote SERVER is lisen on 2239, some help !
greetings !!