December 25, 2008 · Security, Server

If you want to SSH to your VPS or your home computer from your workplace (assuming you are behind an HTTP proxy), you need to use Corkscrew.

corkscrew is a simple tool to tunnel TCP connections through an HTTP proxy supporting the CONNECT method. It reads stdin and writes to stdout during the connection, just like netcat.

It can be used, for instance, to connect to an SSH server listening on port 443 of a remote host through a strict HTTPS proxy.

Install corkscrew in Ubuntu using the following command:

sudo aptitude install corkscrew

This will complete the installation.

Configure corkscrew

If your HTTP proxy uses authentication, you’ll need to tell corkscrew which username and password to use. This is where the ‘auth-file’ comes into play: put your username and password, separated by a colon, into a text file, then tell corkscrew where to find it. The file holds the proxy password in plain text, so keep it readable only by your own user. Create a file called .corkscrew-auth in your home directory:

$ touch ~/.corkscrew-auth

$ gedit ~/.corkscrew-auth

and place your username and password in the following format

username:password

Save and exit the file.

Configure ssh For Tunneling

Now we’ll tell ssh what to do when connecting to all or specific hosts. Open ~/.ssh/config (that’s /home/yourusername/.ssh/config) in your favourite text editor (gedit, nano, vim, etc.):

$ gedit /home/yourusername/.ssh/config

and add the following lines

Host *
    ProxyCommand corkscrew proxyhostname proxyport %h %p /home/username/.corkscrew-auth

Save and exit the file

Note: replace proxyhostname and proxyport with the equivalents for your network.

Note: you won’t need to add the last section, ‘/home/username/.corkscrew-auth’, if your HTTP proxy doesn’t use authentication.

What we’ve just told ssh is to use this proxy command to route the connection for all hostnames (‘Host *’). If you want more secure connections, you can also use a list of hosts.

Corkscrew Syntax

corkscrew proxy proxyport targethost targetport [ authfile ]

proxy -- This is the name of the host running the HTTP proxy.

proxyport -- This is the port on which to connect on the proxy.

targethost -- This is the host to reach through the proxy.

targetport -- This is the port to connect to on the target host.

Test your SSH connection

ssh serverip
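
The auth-file and ssh config steps above as one script, added here as an example and not part of the original post: it creates the auth file with owner-only permissions and applies the ProxyCommand to named hosts rather than ‘Host *’. The function names, proxy.example.internal, port 3128 and the example host names are assumptions.

```shell
#!/bin/sh
# Added example; every host name and port below is a constructed placeholder.

# write_corkscrew_config DIR PROXY_HOST PROXY_PORT HOST_PATTERN...
# Creates DIR/.corkscrew-auth (owner-only) and appends a stanza to
# DIR/.ssh/config that applies the ProxyCommand to the named hosts only.
write_corkscrew_config() {
    [ "$#" -ge 4 ] || { echo "usage: DIR PROXY PORT HOST..." >&2; return 1; }
    dir=$1 proxy=$2 port=$3
    shift 3
    case $port in
        ''|*[!0-9]*) echo "bad proxy port: $port" >&2; return 1 ;;
    esac
    auth=$dir/.corkscrew-auth
    conf=$dir/.ssh/config
    (
        umask 077                       # files are owner-only from creation
        mkdir -p "$dir/.ssh"
        [ -e "$auth" ] || : > "$auth"   # fill in username:password by hand
        {
            printf 'Host %s\n' "$*"
            printf '    ProxyCommand corkscrew %s %s %%h %%p %s\n' \
                "$proxy" "$port" "$auth"
        } >> "$conf"
    ) || return 1
    chmod 600 "$auth" "$conf"           # tighten files that already existed
}

# auth_file_is_private FILE: true only if group and others have no access.
auth_file_is_private() {
    case $(ls -ld -- "$1" 2>/dev/null) in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (run once; repeated runs append duplicate stanzas):
#   write_corkscrew_config "$HOME" proxy.example.internal 3128 vps.example.org
#   auth_file_is_private "$HOME/.corkscrew-auth" || echo "fix permissions" >&2
```

The credentials are typed into the file with an editor rather than passed as arguments, so they do not end up in shell history or the process list.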


11 Comments to “How to use SSH Via HTTP Proxy using Corkscrew in Ubuntu”

  1. kuminamoya says:

    You should add that (1) this could violate the security policy in many companies, and (2) that this is relatively easily detectable at the proxy. So it would be a good idea to talk to your IT guys before you try this.

    [Reply]

  2. Andrea Ratto says:

    I used connect-proxy, a Debian-specific little executable that does just the same.
    I also found out that the proxy must allow SSL access to the port you want to connect to, otherwise these tools won’t work.

    [Reply]

  3. Ramesh says:

    Hi Guys, I do it by configuring sshd_config with port 443 and connect with ssh -p 443 user@host… Does this CorkScrew do anything better?

    Cheers
    Ramesh

    [Reply]

  4. John Zbesko says:

    As kuminamoya says, this tunneling is easily detected if the proxy uses stateful packet inspection. However, if the ssh session is made through https, then it should be private. How might one accomplish this?

    [Reply]

  5. Jim says:

    @John Zbesko,

    I thought the author was describing exactly what you are talking about. Strict HTTPS proxy? Port 443? What did you understand Ubuntugeek to be talking about?

    [Reply]

  6. Would it be better to just use Squid?

    [Reply]

  7. Proxy says:

    Your post is quite interesting and useful. I have bookmarked it for later use to see what other great articles you post!

    [Reply]

  8. Richard Neill says:

    Excellent howto.

    One catch is that the majority of https proxies are configured to only allow forwarding to port 443. The https protocol supports any destination port on the far-end machine (eg 22), but typical corporate firewalls insist that the dest-port must be 443.

    The answer is to run your ssh server on port 443, or set up an inbound firewalling rule to redirect connections from 443 to 22.

    Also worth mentioning that SSH -R allows reverse-port-forwarding. So once you have outbound SSH, you get inbound SSH for free.

    [Reply]
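
An added example (not part of the post or of any comment) of the proxy-side view that comments 1 and 8 refer to: it flags CONNECT requests to ports other than 443 and CONNECT tunnels on 443 that stay open unusually long. It assumes a Squid proxy writing its native access.log format; the 10-minute threshold, the function names and all log lines are constructed.

```shell
#!/bin/sh
# Added example. Reads Squid native-format access.log lines on stdin:
#   time elapsed_ms client action/status bytes method URL user peer type
# MIN_MS is an assumed threshold; tune it for your site.
MIN_MS=${MIN_MS:-600000}    # 10 minutes

flag_connect_tunnels() {
    awk -v min_ms="$MIN_MS" '
    $6 == "CONNECT" {
        n = split($7, hp, ":")      # last piece is the port, also for [v6]:port
        port = hp[n] + 0
        split($4, st, "/")          # e.g. TCP_TUNNEL/200, TCP_DENIED/403
        status = st[2] + 0
        if (port != 443)
            print "non-443-port", status, $3, $7
        else if (status == 200 && $2 + 0 >= min_ms)
            print "long-lived-443", status, $3, $7, int($2 / 1000) "s"
    }'
}

# Constructed sample log (documentation addresses and example domains).
sample_log() {
    cat <<'EOF'
1230200000.123 845213 10.0.5.21 TCP_TUNNEL/200 48211 CONNECT vps.example.org:22 alice HIER_DIRECT/203.0.113.10 -
1230200050.456 1312 10.0.5.22 TCP_TUNNEL/200 15320 CONNECT www.example.com:443 bob HIER_DIRECT/198.51.100.7 -
1230200100.789 3605120 10.0.5.21 TCP_TUNNEL/200 912334 CONNECT vps.example.org:443 alice HIER_DIRECT/203.0.113.10 -
1230200200.000 2 10.0.5.23 TCP_DENIED/403 3900 CONNECT host.example.net:22 carol HIER_NONE/- text/html
EOF
}

# Usage: sample_log | flag_connect_tunnels
#        flag_connect_tunnels < /var/log/squid/access.log
```

Long-lived tunnels on 443 also include legitimate traffic such as WebSocket sessions, so that flag is a triage lead, not proof of tunnelling.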

  9. Johan says:

    Is this different from just defining an http proxy in putty? That seems to do about the same thing doesn’t it?

    I also saw a way to get through multiple proxies and/or turn ssh into real https traffic on http://www.saulchristie.com/how-to/bypass-firewalls . Looks a bit complicated to me to be honest, but seems to say that this corkscrew or putty config won’t work on its own in some schools.

    [Reply]

  10. Jim Hogan says:

    Worked like a charm, THANK YOU!

    [Reply]

  11. John says:

    Could you create a guide on how to set it up with HTTPS? Thanks.

    [Reply]
