How to use SSH Via HTTP Proxy using Corkscrew in Ubuntu
corkscrew is a simple tool to tunnel TCP connections through an HTTP proxy supporting the CONNECT method. It reads stdin and writes to stdout during the connection, just like netcat.
It can be used, for instance, to connect to an SSH server listening on port 443 on a remote host through a strict HTTPS proxy.
Install corkscrew in Ubuntu using the following command:
sudo aptitude install corkscrew
This will complete the installation.
Configure corkscrew
If your HTTP proxy uses authentication, you’ll need to tell corkscrew which username and password to use. This is where the ‘auth-file’ comes in: put your username and password, separated by a colon, into a text file, then tell corkscrew where to find it. Create a file called .corkscrew-auth in your home directory:
$ touch ~/.corkscrew-auth
$ gedit ~/.corkscrew-auth
and place your username and password in the following format
username:password
Save and exit the file.
Configure ssh For Tunneling
Now we’ll tell ssh what to do when connecting to all or specific hosts. Open ~/.ssh/config (that’s /home/yourusername/.ssh/config) in your favourite text editor (gedit, nano, vim, etc.):
$ gedit /home/yourusername/.ssh/config
and add the following lines:
Host *
    ProxyCommand corkscrew proxyhostname proxyport %h %p /home/username/.corkscrew-auth
Save and exit the file.
Note: replace proxyhostname and proxyport with the equivalents for your network.
Note: you won’t need to add the last section, ‘/home/username/.corkscrew-auth’, if your HTTP proxy doesn’t use authentication.
What we’ve just told ssh to do is, for all hostnames (‘Host *’), use the following proxy command to route the connection. If you want more secure connections, you can list specific hosts instead of using ‘Host *’.
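An added example, not part of the original article: a shell check for the two files configured above. It flags an auth file that is accessible beyond its owner (the file holds the proxy password in clear text, and a plain touch under the common umask 022 leaves it mode 644) and a corkscrew ProxyCommand that applies to every host. The function names are this example's own, and the paths are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are this
# example's own; paths are passed in by the caller.

# Create the auth file owner-only from the start. A plain `touch` under the
# common umask 022 leaves the proxy password in a mode-644 file.
create_authfile() {
    ( umask 077 && touch "$1" ) && chmod 600 "$1"
}

# Print findings for an auth file and an ssh config; return their count.
audit_corkscrew() {
    authfile=$1; sshconfig=$2; findings=0

    if [ -f "$authfile" ]; then
        # Characters 5-10 of `ls -l` are the group and other permission bits.
        perms=$(ls -ld "$authfile" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "FINDING: $authfile is accessible beyond its owner ($perms)"
            findings=$((findings + 1))
        fi
        # corkscrew expects username:password on one line.
        if ! head -n 1 "$authfile" | grep -q '^[^:][^:]*:.'; then
            echo "FINDING: $authfile is not in username:password form"
            findings=$((findings + 1))
        fi
    fi

    if [ -f "$sshconfig" ]; then
        # Count corkscrew ProxyCommand lines that apply to every host: under
        # a bare `Host *`, or before the first Host line (global scope).
        wild=$(awk 'BEGIN { host = " *" }
            tolower($1) == "host" { $1 = ""; host = $0 }
            tolower($1) == "proxycommand" && /corkscrew/ &&
                host ~ /^ *\* *$/ { n++ }
            END { print n + 0 }' "$sshconfig")
        if [ "$wild" -gt 0 ]; then
            echo "FINDING: corkscrew ProxyCommand applies to every ssh destination"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Stand-alone use: sh audit.sh ~/.corkscrew-auth ~/.ssh/config
if [ "$#" -eq 2 ]; then
    audit_corkscrew "$1" "$2"
fi
```

A return status of 0 means no findings; running create_authfile on an existing file tightens its mode without changing its contents.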
Corkscrew Syntax
corkscrew proxy proxyport targethost targetport [ authfile ]
proxy -- This is the name of the host running the HTTP proxy.
proxyport -- This is the port to connect to on the proxy.
targethost -- This is the host to reach through the proxy.
targetport -- This is the port to connect to on the target host.
authfile -- (optional) This is the file containing the proxy username and password.
Test your SSH connection
ssh serverip
You should add that (1) this could violate the security policy in many companies, and (2) that this is relatively easily detectable at the proxy. So it would be a good idea to talk to your IT guys before you try this.
I used connect-proxy, a Debian-specific little executable that does just the same.
I also found out that the proxy must allow SSL access to the port you want to connect to, otherwise these tools won’t work.
Hi Guys, I do it by configuring sshd_config with port 443 and connect ssh -p 443 [email protected]….. Does this CorkScrew do anything better?
Cheers
Ramesh
As kuminamoya says, this tunneling is easily detected if the proxy uses stateful packet inspection. However, if the ssh session is made through https, then it should be private. How might one accomplish this?
@John Zbesko,
I thought the author was describing exactly what you are talking about. Strict HTTPS proxy? Port 443? What did you understand Ubuntugeek to be talking about?
Would it be better to just use Squid?
Your post is quite interesting and useful. I have bookmarked it for later use to see what other great articles you post!
Excellent howto.
One catch is that the majority of https proxies are configured to only allow forwarding to port 443. The https protocol supports any destination port on the far-end machine (e.g. 22), but typical corporate firewalls insist that the dest-port must be 443.
The answer is to run your ssh server on port 443, or set up an inbound firewalling rule to redirect connections from 443 to 22.
Also worth mentioning that SSH -R allows reverse-port-forwarding. So once you have outbound SSH, you get inbound SSH for free.
Worked like a charm, THANK YOU!
Could you create a guide on how to set it up with HTTPS? Thanks.
Worked like a charm for me too. Thank You!