--- /dev/null
+<?xml version="1.0" encoding="us-ascii"?>\r
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"\r
+ "http://www.w3.org/TR/xhtml1/DTD/strict.dtd">\r
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">\r
+ <head>\r
+ <title>SSH Proxy Command -- connect.c</title>\r
+ <meta name="generator" content="emacs-wiki.el" />\r
+ <meta http-equiv="Content-Type"\r
+ content="us-ascii" />\r
+ <link rev="made" href="mailto:gotoh@imasy.or.jp" />\r
+ <link rel="home" href="http://www.imasy.ne.jp/~gotoh/" />\r
+ <link rel="index" href="http://www.imasy.ne.jp/~gotoh/SiteIndex.html" />\r
+ <link rel="stylesheet" type="text/css" href="emacs-wiki.css">\r
+ </head>\r
+ <body>\r
+ <h1>SSH Proxy Command -- connect.c</h1>\r
+ <!-- Page published by Emacs Wiki begins here -->\r
+<p>\r
+<strong>connect.c</strong> is the simple relaying command to make network\r
+connection via SOCKS and https proxy. It is mainly intended to\r
+be used as <strong>proxy command</strong> of OpenSSH. You can make SSH session\r
+beyond the firewall with this command,\r
+\r
+</p>\r
+\r
+<p>\r
+Features of <strong>connect.c</strong> are:\r
+\r
+</p>\r
+\r
+<ul>\r
+<li>Supports SOCKS (version 4/4a/5) and https CONNECT method.\r
+</li>\r
+<li>Supports NO-AUTH and USERPASS authentication of SOCKS\r
+</li>\r
+<li>You can input password from tty, ssh-askpass or\r
+ environment variable.\r
+</li>\r
+<li>Run on UNIX or Windows platform.\r
+</li>\r
+<li>You can compile with various C compiler (cc, gcc, Visual C, Borland C. etc.)\r
+</li>\r
+<li>Simple and general program independent from OpenSSH.\r
+</li>\r
+<li>You can also relay local socket stream instead of standard I/O.\r
+</li>\r
+</ul>\r
+\r
+<p>\r
+Download source code from:\r
+<a href="http://www.imasy.or.jp/~gotoh/ssh/connect.c">http://www.imasy.or.jp/~gotoh/ssh/connect.c</a>\r
+<br/>\r
+For windows user, pre-compiled binary is also available:\r
+<a href="http://www.imasy.or.jp/~gotoh/ssh/connect.exe">http://www.imasy.or.jp/~gotoh/ssh/connect.exe</a> (compiled with MSVC)\r
+\r
+</p>\r
+\r
+<hr>\r
+<dl class="contents">\r
+<dt class="contents">\r
+<a href="connect.html#sec1">News</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec2">What is 'proxy command'</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec3">How to Use</a>\r
+</dt>\r
+<dd>\r
+<dl class="contents">\r
+<dt class="contents">\r
+<a href="connect.html#sec4">Get Source</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec5">Compile and Install</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec6">Modify your ~/.ssh/config</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec7">Use SSH</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec8">Have trouble?</a>\r
+</dt>\r
+</dl>\r
+</dd>\r
+<dt class="contents">\r
+<a href="connect.html#sec9">More Detail</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec10">Limitations</a>\r
+</dt>\r
+<dd>\r
+<dl class="contents">\r
+<dt class="contents">\r
+<a href="connect.html#sec11">SOCKS5 authentication</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec12">HTTP authentication</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec13">Switching proxy server</a>\r
+</dt>\r
+</dl>\r
+</dd>\r
+<dt class="contents">\r
+<a href="connect.html#sec14">Tips</a>\r
+</dt>\r
+<dd>\r
+<dl class="contents">\r
+<dt class="contents">\r
+<a href="connect.html#sec15">Proxying socket connection</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec16">Use with <code>ssh-askpass</code> command</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec17">Use for Network Stream of Emacs</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec18">Remote resolver</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec19">Hopping Connection via SSH</a>\r
+</dt>\r
+</dl>\r
+</dd>\r
+<dt class="contents">\r
+<a href="connect.html#sec20">F.Y.I.</a>\r
+</dt>\r
+<dd>\r
+<dl class="contents">\r
+<dt class="contents">\r
+<a href="connect.html#sec21">Difference between SOCKS versions.</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec22">Configuration to use HTTPS</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec23">SOCKS5 Servers</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec24">Specifications</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec25">Related Links</a>\r
+</dt>\r
+<dt class="contents">\r
+<a href="connect.html#sec26">Similars</a>\r
+</dt>\r
+</dl>\r
+</dd>\r
+</dl>\r
+\r
+<h2><a name="sec1">News</a></h2>\r
+\r
+<dl>\r
+<dt>2003-01-07</dt>\r
+<dd>\r
+Rev. 1.68. Fixed a trouble around timeout support.\r
+</dd>\r
+<dt>2002-11-21</dt>\r
+<dd>\r
+Rev. 1.64 supports reading parameters from file /etc/connectrc or\r
+ ~/.connectrc instead of specifying via environment variables. For\r
+ examle, you can use this feature to switch setting by replacing file\r
+ when network environment is changed. And added SOCKS_DIRECT,\r
+ SOCKS5_DIRECT, SOCKS4_DIRECT, HTTP_DIRECT, SOCKS5_AUTH, environment\r
+ parameters. (Thanks Masatoshi TSUCHIYA)\r
+</dd>\r
+<dt>2002-11-20</dt>\r
+<dd>\r
+Rev. 1.63 supports some old proxies which make response 401 with\r
+ WWW-Authenticate: header. And fixed to use username specified in\r
+ proxy host by -H option correctly. (contributed from Des Herriott, thanks)\r
+</dd>\r
+<dt>2002-10-14</dt>\r
+<dd>\r
+Rev. 1.61 with New option -w for specifying connection timeout.\r
+ Currently, it works on UNIX only. (contributed from Darren Tucker, thanks)\r
+</dd>\r
+<dt>2002-09-29</dt>\r
+<dd>\r
+Add sample script for switching proxy server\r
+ advised from Darren Tucker, thanks.\r
+</dd>\r
+<dt>2002-08-27</dt>\r
+<dd>\r
+connect.c is updataed to rev. 1.60.\r
+</dd>\r
+<dt>2002-04-08</dt>\r
+<dd>\r
+Updated <a href="http://www.imasy.or.jp/~gotoh/ssh/openssh-socks.html">"Using OpenSSH through a SOCKS compatible PROXY on your LAN"</a> written by J. Grant. (version 0.8)\r
+</dd>\r
+<dt>2002-02-20</dt>\r
+<dd>\r
+Add link of new document "Using OpenSSH through a SOCKS compatible PROXY on your LAN"\r
+ written by J. Grant.\r
+</dd>\r
+<dt>2002-01-31</dt>\r
+<dd>\r
+Rev. 1.53 -- On Win32 and with MSVC, handle password\r
+ input from console correctly.\r
+</dd>\r
+<dt>2002-01-30</dt>\r
+<dd>\r
+Rev. 1.50 -- [Security Fix] Do not print secure info in debug mode.\r
+</dd>\r
+<dt>2002-01-09</dt>\r
+<dd>\r
+Web page was made.\r
+ connect.c is rev. 1.48.\r
+</dd>\r
+</dl>\r
+\r
+<h2><a name="sec2">What</a> is 'proxy command'</h2>\r
+\r
+<p>\r
+OpenSSH development team decides to stop supporting SOCKS and any\r
+other tunneling mechanism. It was aimed to separate complexity to\r
+support various mechanism of proxying from core code. And they\r
+recommends more flexible mechanism: '<strong>ProxyCommand</strong>' option\r
+instead.\r
+\r
+</p>\r
+\r
+<p>\r
+Proxy command mechanism is delegation of network stream\r
+communication. If '<strong>ProxyCommand</strong>' options is specified, SSH\r
+invoke specified external command and talk with standard I/O of thid\r
+command. Invoked command undertakes network communication with\r
+relaying to/from standard input/output including iniitial\r
+communication or negotiation for proxying. Thus, ssh can split out\r
+proxying code into external command.\r
+\r
+</p>\r
+\r
+<p>\r
+'<strong>connect.c</strong>' was made for this purpose.\r
+\r
+</p>\r
+\r
+<h2><a name="sec3">How</a> to Use</h2>\r
+\r
+<h3><a name="sec4">Get</a> Source</h3>\r
+\r
+<p>\r
+Download source code from <a href="http://www.imasy.or.jp/~gotoh/ssh/connect.c">here</a>.\r
+<br/>\r
+If you are MS Windows user, you can get pre-compiled binary from\r
+<a href="http://www.imasy.or.jp/~gotoh/ssh/connect.exe">here</a>.\r
+\r
+</p>\r
+\r
+<h3><a name="sec5">Compile</a> and Install</h3>\r
+\r
+<p>\r
+In most environment, you can compile '<strong>connect.c</strong>' simply.\r
+On UNIX environment, you can use cc or gcc.\r
+On Windows environment, you can use Microsoft Visual C, Borland C or Cygwin gcc.\r
+\r
+</p>\r
+\r
+<table border="2" cellpadding="5">\r
+<thead>\r
+<tr>\r
+<th>Compiler</th><th>command line to compile</th>\r
+</tr>\r
+</thead>\r
+<tbody>\r
+<tr>\r
+<td>UNIX cc</td><td>cc connect.c -o connect</td>\r
+</tr>\r
+<tr>\r
+<td>UNIX gcc</td><td>gcc connect.c -o connect</td>\r
+</tr>\r
+<tr>\r
+<td>Solaris</td><td>gcc connect.c -o connect -lnsl -lsocket -lresolv</td>\r
+</tr>\r
+<tr>\r
+<td>Microsoft Visual C/C++</td><td>cl connect.c wsock32.lib advapi32.lib</td>\r
+</tr>\r
+<tr>\r
+<td>Borland C</td><td>bcc32 connect.c wsock32.lib advapi32.lib</td>\r
+</tr>\r
+<tr>\r
+<td>Cygwin gcc</td><td>gcc connect.c -o connect</td>\r
+</tr>\r
+</tbody>\r
+</table>\r
+\r
+<p>\r
+To install '<strong>connect</strong>' command, simply copy compiled binary to directory\r
+in your PATH (ex. /usr/local/bin). Like this:\r
+\r
+</p>\r
+\r
+<pre class="example">\r
+$ cp connect /usr/local/bin\r
+</pre>\r
+\r
+<h3><a name="sec6">Modify</a> your ~/.ssh/config</h3>\r
+\r
+<p>\r
+Modify your <code>~/.ssh/config</code> file to use '<strong>connect</strong>' command as\r
+'<strong>proxy command</strong>'. For the case of SOCKS server is running on\r
+firewall host '<code>socks.local.net</code>' with port 1080, you can add\r
+'<strong>ProxyCommand</strong>' option in <code>~/.ssh/config</code>, like this:\r
+\r
+</p>\r
+\r
+<pre class="example">\r
+Host remote.outside.net\r
+ ProxyCommand connect -S socks.local.net %h %p\r
+</pre>\r
+\r
+<p>\r
+'<code>%h</code>' and '<code>%p</code>' will be replaced on invoking proxy command with\r
+target hostname and port specified to SSH command.\r
+\r
+</p>\r
+\r
+<p>\r
+If you hate writing many entries of remote hosts, following example\r
+may help you.\r
+\r
+</p>\r
+\r
+<pre class="example">\r
+## Outside of the firewall, use connect command with SOCKS conenction.\r
+Host *\r
+ ProxyCommand connect -S socks.local.net %h %p\r
+\r
+## Inside of the firewall, use connect command with direct connection.\r
+Host *.local.net\r
+ ProxyCommand connect %h %p\r
+</pre>\r
+\r
+<p>\r
+If you want to use http proxy, use '<strong>-H</strong>' option instead of '<strong>-S</strong>'\r
+option in examle above, like this:\r
+\r
+</p>\r
+\r
+<pre class="example">\r
+## Outside of the firewall, with HTTP proxy\r
+Host *\r
+ ProxyCommand connect -H proxy.local.net:8080 %h %p\r
+\r
+## Inside of the firewall, direct\r
+Host *.local.net\r
+ ProxyCommand connect %h %p\r
+</pre>\r
+\r
+<h3><a name="sec7">Use</a> SSH</h3>\r
+\r
+<p>\r
+After editing your <code>~/.ssh/config</code> file, you are ready to use ssh.\r
+You can execute ssh without any special options as if remote host is\r
+IP reachable host. Following is an example to execute '<code>hostname</code>'\r
+command on host '<code>remote.outside.net</code>'.\r
+\r
+</p>\r
+\r
+<pre class="example">\r
+$ ssh remote.outside.net hostname\r
+remote.outside.net\r
+$\r
+</pre>\r
+\r
+<h3><a name="sec8">Have</a> trouble?</h3>\r
+\r
+<p>\r
+If you have trouble, execute '<strong>connect</strong>' command from command line\r
+with '<code>-d</code>' option to see what is happened. Some debug message may\r
+appear and reports progress. This information may tell you what is\r
+wrong. In this example, error has occurred on authentication stage of\r
+SOCKS5 protocol.\r
+\r
+</p>\r
+\r
+<pre class="example">\r
+$ connect -d -S socks.local.net unknown.remote.outside.net 110\r
+DEBUG: relay_method = SOCKS (2)\r
+DEBUG: relay_host=socks.local.net\r
+DEBUG: relay_port=1080\r
+DEBUG: relay_user=gotoh\r
+DEBUG: socks_version=5\r
+DEBUG: socks_resolve=REMOTE (2)\r
+DEBUG: local_type=stdio\r
+DEBUG: dest_host=unknown.remote.outside.net\r
+DEBUG: dest_port=110\r
+DEBUG: Program is $Revision$\r
+DEBUG: connecting to xxx.xxx.xxx.xxx:1080\r
+DEBUG: begin_socks_relay()\r
+DEBUG: atomic_out() [4 bytes]\r
+DEBUG: >>> 05 02 00 02\r
+DEBUG: atomic_in() [2 bytes]\r
+DEBUG: <<< 05 02\r
+DEBUG: auth method: USERPASS\r
+DEBUG: atomic_out() [some bytes]\r
+DEBUG: >>> xx xx xx xx ...\r
+DEBUG: atomic_in() [2 bytes]\r
+DEBUG: <<< 01 01\r
+ERROR: Authentication faield.\r
+FATAL: failed to begin relaying via SOCKS.\r
+</pre>\r
+\r
+<h2><a name="sec9">More</a> Detail</h2>\r
+\r
+<p>\r
+Command line usage is here:\r
+\r
+</p>\r
+\r
+<pre class="example">\r
+usage: connect [-dnhs45] [-R resolve] [-p local-port] [-w sec]\r
+ [-H [user@]proxy-server[:port]]\r
+ [-S [user@]socks-server[:port]]\r
+ host port\r
+</pre>\r
+\r
+<p>\r
+'<strong>host</strong>' and '<strong>port</strong>' is target hostname and port-number to connect.\r
+\r
+</p>\r
+\r
+<p>\r
+'<strong>-H</strong>' option specify hostname and port number of http proxy server to\r
+relay. If port is omitted, 80 is used. You can specify this value by\r
+environment variable <code>HTTP_PROXY</code> and give '<strong>-h</strong>' option to use it.\r
+\r
+</p>\r
+\r
+<p>\r
+'<strong>-S</strong>' option specify hostname and port number of SOCKS server to\r
+relay. Like '<strong>-H</strong>' option, port number can be omit and default is 1080. \r
+You can also specify this value pair by environment variable\r
+<code>SOCKS5_SERVER</code> and give '<strong>-s</strong>' option to use it.\r
+\r
+</p>\r
+\r
+<p>\r
+'<strong>-4</strong>' and '<strong>-5</strong>' is for specifying SOCKS protocol version. It is\r
+valid only using with '<strong>-s</strong>' or '<strong>-S</strong>'. Default is '<strong>-5</strong>'\r
+(protocol version 5)\r
+\r
+</p>\r
+\r
+<p>\r
+'<strong>-R</strong>' is for specifying method to resolve hostname. 3 keywords\r
+('<code>local</code>', '<code>remote</code>', '<code>both</code>') or dot-notation IP address is\r
+allowed. Keyword '<code>both</code>' means; "Try local first, then\r
+remote". If dot-notation IP address is specified, use this host as\r
+nameserver (UNIX only). Default is '<code>remote</code>' for SOCKS5 or '<code>local</code>'\r
+for others. On SOCKS4 protocol, remote resolving method ('<code>remote</code>'\r
+and '<code>both</code>') use protocol version 4a.\r
+\r
+</p>\r
+\r
+<p>\r
+The '<strong>-p</strong>' option will forward a local TCP port instead of using the\r
+standard input and output.\r
+\r
+</p>\r
+\r
+<p>\r
+The '<strong>-w</strong>' option specifys timeout seconds for making connection with\r
+TARGET host.\r
+\r
+</p>\r
+\r
+<p>\r
+The '<strong>-a</strong>' option specifiys user intended authentication methods\r
+separated by comma. Currently '<code>userpass</code>' and '<code>none</code>' are\r
+supported. Default is '<code>userpass</code>'. You can also specifying this\r
+parameter by the environment variable <code>SOCKS5_AUTH</code>.\r
+\r
+</p>\r
+\r
+<p>\r
+The '<strong>-d</strong>' option is used for debug. If you fail to connect, use this\r
+and check request to and response from server.\r
+\r
+</p>\r
+\r
+<p>\r
+You can omit '<strong>port</strong>' argument when program name is special format\r
+containing port number itself. For example, \r
+\r
+</p>\r
+\r
+<pre class="example">\r
+$ ln -s connect connect-25\r
+$ ./connect-25 smtphost.outside.net\r
+220 smtphost.outside.net ESMTP Sendmail\r
+QUIT\r
+221 2.0.0 smtphost.remote.net closing connection\r
+$\r
+</pre>\r
+\r
+<p>\r
+This example means that the command name "<code>connect-25</code>" contains port number\r
+25 so you can omit 2nd argument (and used if specified explicitly).\r
+\r
+</p>\r
+\r
+<h2><a name="sec10">Limitations</a></h2>\r
+\r
+<h3><a name="sec11">SOCKS5</a> authentication</h3>\r
+\r
+<p>\r
+Only NO-AUTH and USER/PASSWORD authentications are supported.\r
+GSSAPI authentication (RFC 1961) and other draft authentications (CHAP,\r
+EAP, MAF, etc.) is not supported.\r
+\r
+</p>\r
+\r
+<h3><a name="sec12">HTTP</a> authentication</h3>\r
+\r
+<p>\r
+BASIC authentication is supported but DIGEST authentication is not.\r
+\r
+</p>\r
+\r
+<h3><a name="sec13">Switching</a> proxy server</h3>\r
+\r
+<p>\r
+There is no mechanism to switch proxy server regarding to PC environment.\r
+This limitation might be bad news for mobile user.\r
+Since I do not want to make this program complex, I do not want to\r
+support although this feature is already requested. Please advice me\r
+if there is good idea of detecting environment to swich and simple way\r
+to specify conditioned directive of servers.\r
+\r
+</p>\r
+\r
+<p>\r
+One tricky workaround exists. It is replacing ~/.ssh/config file\r
+by script on ppp up/down.\r
+\r
+</p>\r
+\r
+<p>\r
+There's another example of wrapper script (contributed by Darren Tucker).\r
+This script costs executing ifconfig and grep to detect\r
+current environment, but it works. (NOTE: you should modify addresses\r
+if you use it.)\r
+\r
+</p>\r
+\r
+<pre class="example">\r
+#!/bin/sh\r
+## ~/bin/myconnect --- Proxy server switching wrapper\r
+\r
+if ifconfig eth0 |grep "inet addr:192\.168\.1" >/dev/null; then\r
+ opts="-S 192.168.1.1:1080" \r
+elif ifconfig eth0 |grep "inet addr:10\." >/dev/null; then\r
+ opts="-H 10.1.1.1:80"\r
+else\r
+ opts="-s"\r
+fi\r
+exec /usr/local/bin/connect $opts $@\r
+</pre>\r
+\r
+<h2><a name="sec14">Tips</a></h2>\r
+\r
+<h3><a name="sec15">Proxying</a> socket connection</h3>\r
+\r
+<p>\r
+In usual, '<strong>connect.c</strong>' relays network connection to/from standard\r
+input/output. By specifying '<strong>-p</strong>' option, however, '<strong>connect.c</strong>'\r
+relays local network stream instead of standard input/output.\r
+With this option, '<strong>connect</strong>' command waits connection\r
+from other program, then start relaying between both network stream.\r
+\r
+</p>\r
+\r
+<p>\r
+This feature may be useful for the program which is hard to SOCKSify.\r
+\r
+</p>\r
+\r
+<h3><a name="sec16">Use</a> with <code>ssh-askpass</code> command</h3>\r
+\r
+<p>\r
+'<strong>connect.c</strong>' ask you password when authentication is required. If\r
+you are using on tty/pty terminal, connect can input from terminal\r
+with prompt. But you can also use '<code>ssh-askpass</code>' program to input\r
+password. If you are graphical environment like X Window or MS\r
+Windows, and program does not have tty/pty, and environment variable\r
+SSH_ASKPASS is specified, then '<strong>connect.c</strong>' invoke command\r
+specified by environment variable '<code>SSH_ASKPASS</code>' to input password.\r
+<code>ssh-askpass</code> program might be installed if you are using OpenSSH on\r
+UNIX environment. On Windows environment, pre-compiled binary is\r
+available from\r
+<a href="http://www.imasy.or.jp/~gotoh/ssh/ssh-askpass.exe">here</a>.\r
+\r
+</p>\r
+\r
+<p>\r
+This feature is limited on window system environment.\r
+\r
+</p>\r
+\r
+<p>\r
+And also useful on Emacs on MS Windows (NT Emacs or Meadow). It is\r
+hard to send passphrase to '<strong>connect</strong>' command (and also ssh)\r
+because external command is invoked on hidden terminal and do I/O with\r
+this terminal. Using ssh-askpass avoids this problem.\r
+\r
+</p>\r
+\r
+<h3><a name="sec17">Use</a> for Network Stream of Emacs</h3>\r
+\r
+<p>\r
+Although '<strong>connect.c</strong>' is made for OpenSSH, it is generic and\r
+independent from OpenSSH. So we can use this for other purpose. For\r
+example, you can use this command in Emacs to open network connection\r
+with remote host over the firewall via SOCKS or HTTP proxy without\r
+SOCKSifying Emacs itself.\r
+\r
+</p>\r
+\r
+<p>\r
+There is sample code: \r
+<a href="http://www.imasy.or.jp/~gotoh/lisp/relay.el">http://www.imasy.or.jp/~gotoh/lisp/relay.el</a>\r
+\r
+</p>\r
+\r
+<p>\r
+With this code, you can use <code>relay-open-network-stream</code> function\r
+instead of <code>open-network-stream</code> to make network connection. See top\r
+comments of source for more detail.\r
+\r
+</p>\r
+\r
+<h3><a name="sec18">Remote</a> resolver</h3>\r
+\r
+<p>\r
+If you are SOCKS4 user on UNIX environment, you might want specify\r
+nameserver to resolve remote hostname. You can do it specifying\r
+'<strong>-R</strong>' option followed by IP address of resolver.\r
+\r
+</p>\r
+\r
+<h3><a name="sec19">Hopping</a> Connection via SSH</h3>\r
+\r
+<p>\r
+Conbination of ssh and '<strong>connect</strong>' command have more interesting usage.\r
+Following command makes indirect connection to host2:port from your\r
+current host via host1.\r
+\r
+</p>\r
+\r
+<pre class="example">\r
+ssh host1 connect host2 port\r
+</pre>\r
+\r
+<p>\r
+This method is useful for the situations like:\r
+\r
+</p>\r
+\r
+<ul>\r
+<li>You are outside of organizasion now, but you want to access an\r
+ internal host barriered by firewall.\r
+</li>\r
+<li>You want to use some service which is allowed only from some\r
+ limited hosts.\r
+</li>\r
+</ul>\r
+\r
+<p>\r
+For example, I want to use local NetNews service in my office\r
+from home. I cannot make NNTP session directly because NNTP host is\r
+barriered by firewall. Fortunately, I have ssh account on internal\r
+host and allowed using SOCKS5 on firewall from outside. So I use\r
+following command to connect to NNTP service.\r
+\r
+</p>\r
+\r
+<pre class="example">\r
+$ ssh host1 connect news 119\r
+200 news.my-office.com InterNetNews NNRP server INN 2.3.2 ready (posting ok).\r
+quit\r
+205 .\r
+$\r
+</pre>\r
+\r
+<p>\r
+By combinating hopping connection and relay.el, I can read NetNews\r
+using <a href="http://www.gohome.org/wl/">Wanderlust</a> on Emacs at home.\r
+\r
+</p>\r
+\r
+<pre class="example">\r
+ |\r
+ External (internet) | Internal (office)\r
+ |\r
++------+ +----------+ +-------+ +-----------+\r
+| HOME | | firewall | | host1 | | NNTP host |\r
++------+ +----------+ +-------+ +-----------+\r
+ emacs <-------------- ssh ---------------> sshd <-- connect --> nntpd\r
+ <-- connect --> socksd <-- SOCKS -->\r
+</pre>\r
+\r
+<h2><a name="sec20">F</a>.Y.I.</h2>\r
+\r
+<h3><a name="sec21">Difference</a> between SOCKS versions.</h3>\r
+\r
+<p>\r
+SOCKS version 4 is first popular implementation which is documented\r
+<a href="http://www.socks.nec.com/protocol/socks4.protocol">here</a>. Since\r
+this protocol provide IP address based requesting, client program\r
+should resolve name of outer host by itself. Version 4a (documented\r
+<a href="http://www.socks.nec.com/protocol/socks4a.protocol">here</a>) is\r
+enhanced to allow request by hostname instead of IP address.\r
+\r
+</p>\r
+\r
+<p>\r
+SOCKS version 5 is re-designed protocol stands on experience of\r
+version 4 and 4a. There is no compativility with previous\r
+versions. Instead, there's some improvement: IPv6 support, request by\r
+hostname, UDP proxying, etc.\r
+\r
+</p>\r
+\r
+<h3><a name="sec22">Configuration</a> to use HTTPS</h3>\r
+\r
+<p>\r
+Many http proxy servers implementation supports https <code>CONNECT</code> method\r
+(SLL). You might add configuration to allow using https. For the\r
+example of <a href="http://www.delegate.org/delegate/">DeleGate</a> (\r
+DeleGate is a multi-purpose application level gateway, or a proxy\r
+server) , you should add '<code>https</code>' to '<code>REMITTABLE</code>' parameter to\r
+allow HTTP-Proxy like this:\r
+\r
+</p>\r
+\r
+<pre class="example">\r
+delegated -Pxxxx ...... REMITTABLE='+,https' ...\r
+</pre>\r
+\r
+<p>\r
+For the case of Squid, you should allow target ports via https by ACL,\r
+and so on.\r
+\r
+</p>\r
+\r
+<h3><a name="sec23">SOCKS5</a> Servers</h3>\r
+\r
+<dl>\r
+<dt><a href="http://www.socks.nec.com/refsoftware.html">NEC SOCKS Reference Implementation</a></dt>\r
+<dd>\r
+Reference implementation of SOKCS server and library.\r
+</dd>\r
+<dt><a href="http://www.inet.no/dante/index.html">Dante</a></dt>\r
+<dd>\r
+Dante is free implementation of SOKCS server and library.\r
+ Many enhancements and modulalized.\r
+</dd>\r
+<dt><a href="http://www.delegate.org/delegate/">DeleGate</a></dt>\r
+<dd>\r
+DeleGate is multi function proxy service provider.\r
+ DeleGate 5.x.x or earlier can be SOCKS4 server,\r
+ and 6.x.x can be SOCKS5 and SOCKS4 server.\r
+ and 7.7.0 or later can be SOCKS5 and SOCKS4a server.\r
+</dd>\r
+</dl>\r
+\r
+<h3><a name="sec24">Specifications</a></h3>\r
+\r
+<dl>\r
+<dt><a href="http://www.socks.nec.com/protocol/socks4.protocol">socks4.protocol.txt</a></dt>\r
+<dd>\r
+SOCKS: A protocol for TCP proxy across firewalls\r
+</dd>\r
+<dt><a href="http://www.socks.nec.com/protocol/socks4a.protocol">socks4a.protocol.txt</a></dt>\r
+<dd>\r
+SOCKS 4A: A Simple Extension to SOCKS 4 Protocol\r
+</dd>\r
+<dt><a href="http://www.socks.nec.com/rfc/rfc1928.txt">RFC 1928</a></dt>\r
+<dd>\r
+SOCKS Protocol Version 5\r
+</dd>\r
+<dt><a href="http://www.socks.nec.com/rfc/rfc1929.txt">RFC 1929</a></dt>\r
+<dd>\r
+Username/Password Authentication for SOCKS V5\r
+</dd>\r
+<dt><a href="http://www.ietf.org/rfc/rfc2616.txt">RFC 2616</a></dt>\r
+<dd>\r
+Hypertext Transfer Protocol -- HTTP/1.1\r
+</dd>\r
+<dt><a href="http://www.ietf.org/rfc/rfc2617.txt">RFC 2617</a></dt>\r
+<dd>\r
+HTTP Authentication: Basic and Digest Access Authentication\r
+</dd>\r
+</dl>\r
+\r
+<h3><a name="sec25">Related</a> Links</h3>\r
+\r
+<ul>\r
+<li><a href="http://www.openssh.org">OpenSSH Home</a>\r
+</li>\r
+<li><a href="http://www.ssh.com/">Proprietary SSH</a>\r
+</li>\r
+<li><a href="http://www.imasy.or.jp/~gotoh/ssh/openssh-socks.html">Using OpenSSH through a SOCKS compatible PROXY on your LAN</a> (J. Grant)\r
+</li>\r
+</ul>\r
+\r
+<h3><a name="sec26">Similars</a></h3>\r
+\r
+<ul>\r
+<li><a href="http://proxytunnel.sourceforge.net/">Proxy Tunnel</a> -- Proxying command using https CONNECT.\r
+</li>\r
+<li><a href="http://www.snurgle.org/~griffon/ssh-https-tunnel">stunnel</a> -- Proxy through an https tunnel (Perl script)\r
+</li>\r
+</ul>\r
+<br>\r
+\r
+ <!-- Page published by Emacs Wiki ends here -->\r
+ <div class="navfoot">\r
+ <hr/>\r
+ <table width="100%" border="0" summary="Footer navigation">\r
+ <tbody><tr>\r
+ <td width="50%" align="left">\r
+ <span class="footdate">Last Updated: 2003-06-17</span><br/>\r
+ </td>\r
+ <td width="50%" align="right">\r
+ This page is authored by <a href="mailto:gotoh@taiyo.co.jp">Shun-ichi GOTO</a>\r
+ using <a href="http://repose.cx/emacs/wiki">emacs-wiki.el</a><br/>\r
+ </td>\r
+ </tr></tbody>\r
+ </table>\r
+ </div>\r
+ </body>\r
+</html>\r
projects / packages / openssh.git / commitdiff