<?xml version="1.0" encoding="us-ascii"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>SSH Proxy Command -- connect.c</title>
<meta name="generator" content="emacs-wiki.el" />
<meta http-equiv="Content-Type"
content="us-ascii" />
<link rev="made" href="mailto:gotoh@imasy.or.jp" />
<link rel="home" href="http://www.imasy.ne.jp/~gotoh/" />
<link rel="index" href="http://www.imasy.ne.jp/~gotoh/SiteIndex.html" />
<link rel="stylesheet" type="text/css" href="emacs-wiki.css" />
</head>
<body>
<h1>SSH Proxy Command -- connect.c</h1>
<!-- Page published by Emacs Wiki begins here -->
<p>
<strong>connect.c</strong> is a simple relaying command that makes a network
connection via a SOCKS or https proxy. It is mainly intended to
be used as the <strong>proxy command</strong> of OpenSSH. With this command you can
open an SSH session to a host beyond the firewall.
</p>

<p>
Features of <strong>connect.c</strong> are:
</p>

<ul>
<li>Supports SOCKS (version 4/4a/5) and the https CONNECT method.
</li>
<li>Supports the NO-AUTH and USERPASS authentication methods of SOCKS.
</li>
<li>The password can be read from a tty, from ssh-askpass or from an
environment variable.
</li>
<li>Runs on UNIX and Windows platforms.
</li>
<li>Compiles with various C compilers (cc, gcc, Visual C, Borland C, etc.).
</li>
<li>Simple and general program, independent of OpenSSH.
</li>
<li>Can also relay a local socket stream instead of standard I/O.
</li>
</ul>

<p>
Download the source code from:
<a href="http://www.imasy.or.jp/~gotoh/ssh/connect.c">http://www.imasy.or.jp/~gotoh/ssh/connect.c</a>
<br/>
For Windows users, a pre-compiled binary is also available:
<a href="http://www.imasy.or.jp/~gotoh/ssh/connect.exe">http://www.imasy.or.jp/~gotoh/ssh/connect.exe</a> (compiled with MSVC)
</p>

<hr/>
<dl class="contents">
<dt class="contents">
<a href="connect.html#sec1">News</a>
</dt>
<dt class="contents">
<a href="connect.html#sec2">What is 'proxy command'</a>
</dt>
<dt class="contents">
<a href="connect.html#sec3">How to Use</a>
</dt>
<dd>
<dl class="contents">
<dt class="contents">
<a href="connect.html#sec4">Get Source</a>
</dt>
<dt class="contents">
<a href="connect.html#sec5">Compile and Install</a>
</dt>
<dt class="contents">
<a href="connect.html#sec6">Modify your ~/.ssh/config</a>
</dt>
<dt class="contents">
<a href="connect.html#sec7">Use SSH</a>
</dt>
<dt class="contents">
<a href="connect.html#sec8">Have trouble?</a>
</dt>
</dl>
</dd>
<dt class="contents">
<a href="connect.html#sec9">More Detail</a>
</dt>
<dt class="contents">
<a href="connect.html#sec10">Limitations</a>
</dt>
<dd>
<dl class="contents">
<dt class="contents">
<a href="connect.html#sec11">SOCKS5 authentication</a>
</dt>
<dt class="contents">
<a href="connect.html#sec12">HTTP authentication</a>
</dt>
<dt class="contents">
<a href="connect.html#sec13">Switching proxy server</a>
</dt>
</dl>
</dd>
<dt class="contents">
<a href="connect.html#sec14">Tips</a>
</dt>
<dd>
<dl class="contents">
<dt class="contents">
<a href="connect.html#sec15">Proxying socket connection</a>
</dt>
<dt class="contents">
<a href="connect.html#sec16">Use with <code>ssh-askpass</code> command</a>
</dt>
<dt class="contents">
<a href="connect.html#sec17">Use for Network Stream of Emacs</a>
</dt>
<dt class="contents">
<a href="connect.html#sec18">Remote resolver</a>
</dt>
<dt class="contents">
<a href="connect.html#sec19">Hopping Connection via SSH</a>
</dt>
</dl>
</dd>
<dt class="contents">
<a href="connect.html#sec20">F.Y.I.</a>
</dt>
<dd>
<dl class="contents">
<dt class="contents">
<a href="connect.html#sec21">Difference between SOCKS versions.</a>
</dt>
<dt class="contents">
<a href="connect.html#sec22">Configuration to use HTTPS</a>
</dt>
<dt class="contents">
<a href="connect.html#sec23">SOCKS5 Servers</a>
</dt>
<dt class="contents">
<a href="connect.html#sec24">Specifications</a>
</dt>
<dt class="contents">
<a href="connect.html#sec25">Related Links</a>
</dt>
<dt class="contents">
<a href="connect.html#sec26">Similars</a>
</dt>
</dl>
</dd>
</dl>

<h2><a name="sec1">News</a></h2>

<dl>
<dt>2003-01-07</dt>
<dd>
Rev. 1.68. Fixed a problem with the timeout support.
</dd>
<dt>2002-11-21</dt>
<dd>
Rev. 1.64 supports reading parameters from the file /etc/connectrc or
~/.connectrc instead of specifying them via environment variables. For
example, you can use this feature to switch settings by replacing the file
when the network environment changes. Also added the SOCKS_DIRECT,
SOCKS5_DIRECT, SOCKS4_DIRECT, HTTP_DIRECT and SOCKS5_AUTH environment
parameters. (Thanks Masatoshi TSUCHIYA)
</dd>
<dt>2002-11-20</dt>
<dd>
Rev. 1.63 supports some old proxies which respond with 401 and a
WWW-Authenticate: header. Also fixed to use the username given in the
proxy host of the -H option correctly. (contributed by Des Herriott, thanks)
</dd>
<dt>2002-10-14</dt>
<dd>
Rev. 1.61 with the new option -w for specifying a connection timeout.
Currently it works on UNIX only. (contributed by Darren Tucker, thanks)
</dd>
<dt>2002-09-29</dt>
<dd>
Added a sample script for switching the proxy server,
suggested by Darren Tucker, thanks.
</dd>
<dt>2002-08-27</dt>
<dd>
connect.c is updated to rev. 1.60.
</dd>
<dt>2002-04-08</dt>
<dd>
Updated <a href="http://www.imasy.or.jp/~gotoh/ssh/openssh-socks.html">"Using OpenSSH through a SOCKS compatible PROXY on your LAN"</a> written by J. Grant. (version 0.8)
</dd>
<dt>2002-02-20</dt>
<dd>
Added a link to the new document "Using OpenSSH through a SOCKS compatible PROXY on your LAN"
written by J. Grant.
</dd>
<dt>2002-01-31</dt>
<dd>
Rev. 1.53 -- On Win32 and with MSVC, handle password
input from the console correctly.
</dd>
<dt>2002-01-30</dt>
<dd>
Rev. 1.50 -- [Security Fix] Do not print secret information in debug mode.
</dd>
<dt>2002-01-09</dt>
<dd>
Web page was made.
connect.c is rev. 1.48.
</dd>
</dl>

<h2><a name="sec2">What</a> is 'proxy command'</h2>

<p>
The OpenSSH development team decided to stop supporting SOCKS and any
other tunneling mechanism, in order to keep the complexity of
supporting various proxying mechanisms out of the core code. Instead they
recommend the more flexible '<strong>ProxyCommand</strong>' option.
</p>

<p>
The proxy command mechanism delegates the network stream
communication. If the '<strong>ProxyCommand</strong>' option is specified, SSH
invokes the specified external command and talks with the standard I/O of that
command. The invoked command undertakes the network communication,
relaying to/from its standard input/output, including any initial
communication or negotiation for proxying. Thus ssh can split the
proxying code out into an external command.
</p>

<p>
'<strong>connect.c</strong>' was made for this purpose.
</p>

<h2><a name="sec3">How</a> to Use</h2>

<h3><a name="sec4">Get</a> Source</h3>

<p>
Download the source code from <a href="http://www.imasy.or.jp/~gotoh/ssh/connect.c">here</a>.
<br/>
If you are an MS Windows user, you can get a pre-compiled binary from
<a href="http://www.imasy.or.jp/~gotoh/ssh/connect.exe">here</a>.
</p>

<h3><a name="sec5">Compile</a> and Install</h3>

<p>
In most environments you can compile '<strong>connect.c</strong>' without any special steps.
On UNIX you can use cc or gcc.
On Windows you can use Microsoft Visual C, Borland C or Cygwin gcc.
</p>

<table border="2" cellpadding="5">
<thead>
<tr>
<th>Compiler</th><th>command line to compile</th>
</tr>
</thead>
<tbody>
<tr>
<td>UNIX cc</td><td>cc connect.c -o connect</td>
</tr>
<tr>
<td>UNIX gcc</td><td>gcc connect.c -o connect</td>
</tr>
<tr>
<td>Solaris</td><td>gcc connect.c -o connect -lnsl -lsocket -lresolv</td>
</tr>
<tr>
<td>Microsoft Visual C/C++</td><td>cl connect.c wsock32.lib advapi32.lib</td>
</tr>
<tr>
<td>Borland C</td><td>bcc32 connect.c wsock32.lib advapi32.lib</td>
</tr>
<tr>
<td>Cygwin gcc</td><td>gcc connect.c -o connect</td>
</tr>
</tbody>
</table>

<p>
To install the '<strong>connect</strong>' command, simply copy the compiled binary to a directory
in your PATH (e.g. /usr/local/bin), like this:
</p>

<pre class="example">
$ cp connect /usr/local/bin
</pre>

<h3><a name="sec6">Modify</a> your ~/.ssh/config</h3>

<p>
Modify your <code>~/.ssh/config</code> file to use the '<strong>connect</strong>' command as
the '<strong>proxy command</strong>'. For the case where a SOCKS server is running on
the firewall host '<code>socks.local.net</code>' on port 1080, you can add a
'<strong>ProxyCommand</strong>' option to <code>~/.ssh/config</code> like this:
</p>

<pre class="example">
Host remote.outside.net
  ProxyCommand connect -S socks.local.net %h %p
</pre>

<p>
'<code>%h</code>' and '<code>%p</code>' are replaced, when the proxy command is invoked, with
the target hostname and port given to the SSH command.
</p>

<p>
If you dislike writing many entries for remote hosts, the following example
may help you.
</p>

<pre class="example">
## Outside of the firewall, use connect command with SOCKS connection.
Host *
  ProxyCommand connect -S socks.local.net %h %p

## Inside of the firewall, use connect command with direct connection.
Host *.local.net
  ProxyCommand connect %h %p
</pre>

<p>
If you want to use an http proxy, use the '<strong>-H</strong>' option instead of the '<strong>-S</strong>'
option in the example above, like this:
</p>

<pre class="example">
## Outside of the firewall, with HTTP proxy
Host *
  ProxyCommand connect -H proxy.local.net:8080 %h %p

## Inside of the firewall, direct
Host *.local.net
  ProxyCommand connect %h %p
</pre>

<h3><a name="sec7">Use</a> SSH</h3>

<p>
After editing your <code>~/.ssh/config</code> file, you are ready to use ssh.
You can execute ssh without any special options, as if the remote host were
directly IP reachable. The following is an example that executes the '<code>hostname</code>'
command on the host '<code>remote.outside.net</code>'.
</p>

<pre class="example">
$ ssh remote.outside.net hostname
remote.outside.net
$
</pre>

<h3><a name="sec8">Have</a> trouble?</h3>

<p>
If you have trouble, execute the '<strong>connect</strong>' command from the command line
with the '<code>-d</code>' option to see what is happening. Debug messages
appear and report the progress; this information may tell you what is
wrong. In this example, the error occurred at the authentication stage of
the SOCKS5 protocol.
</p>

<pre class="example">
$ connect -d -S socks.local.net unknown.remote.outside.net 110
DEBUG: relay_method = SOCKS (2)
DEBUG: relay_host=socks.local.net
DEBUG: relay_port=1080
DEBUG: relay_user=gotoh
DEBUG: socks_version=5
DEBUG: socks_resolve=REMOTE (2)
DEBUG: local_type=stdio
DEBUG: dest_host=unknown.remote.outside.net
DEBUG: dest_port=110
DEBUG: Program is $Revision$
DEBUG: connecting to xxx.xxx.xxx.xxx:1080
DEBUG: begin_socks_relay()
DEBUG: atomic_out() [4 bytes]
DEBUG: >>> 05 02 00 02
DEBUG: atomic_in() [2 bytes]
DEBUG: <<< 05 02
DEBUG: auth method: USERPASS
DEBUG: atomic_out() [some bytes]
DEBUG: >>> xx xx xx xx ...
DEBUG: atomic_in() [2 bytes]
DEBUG: <<< 01 01
ERROR: Authentication faield.
FATAL: failed to begin relaying via SOCKS.
</pre>
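<p>
To make the hexadecimal bytes in the transcript above concrete, here is an added example (it is not part of connect.c or of this page) that builds and decodes the SOCKS5 negotiation messages shown: the client greeting <code>05 02 00 02</code> (version 5, two offered methods: NO-AUTH 0x00 and USERPASS 0x02), the server's choice <code>05 02</code> (it selected USERPASS), and the RFC 1929 sub-negotiation reply <code>01 01</code> (sub-negotiation version 1, non-zero status, i.e. authentication failed). The username and password are constructed sample values and the function names are the example's own.
</p>

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constants from RFC 1928 (SOCKS5) and RFC 1929 (username/password sub-negotiation). */
#define SOCKS5_VER            0x05
#define SOCKS5_AUTH_NONE      0x00
#define SOCKS5_AUTH_USERPASS  0x02
#define SOCKS5_AUTH_NOACCEPT  0xFF
#define SOCKS5_UPASS_VER      0x01

/* Client greeting: VER NMETHODS METHOD... Returns the length written, 0 on bad input. */
size_t socks5_build_greeting(const uint8_t *methods, size_t nmethods,
                             uint8_t *out, size_t outlen)
{
    if (nmethods == 0 || nmethods > 255 || outlen < 2 + nmethods) return 0;
    out[0] = SOCKS5_VER;
    out[1] = (uint8_t)nmethods;
    memcpy(out + 2, methods, nmethods);
    return 2 + nmethods;
}

/* Server's method selection: VER METHOD. Returns the chosen method (0xFF means
   "none of the offered methods is acceptable"), or -1 if the reply is malformed. */
int socks5_parse_method_reply(const uint8_t *buf, size_t len)
{
    if (len != 2 || buf[0] != SOCKS5_VER) return -1;
    return buf[1];
}

/* RFC 1929 request: VER ULEN UNAME PLEN PASSWD. Note that the password travels in
   clear text to the proxy, which is why connect.c's debug mode hides these bytes. */
size_t socks5_build_userpass(const char *user, const char *pass,
                             uint8_t *out, size_t outlen)
{
    size_t ulen = strlen(user), plen = strlen(pass);
    if (ulen == 0 || ulen > 255 || plen > 255 || outlen < 3 + ulen + plen) return 0;
    out[0] = SOCKS5_UPASS_VER;
    out[1] = (uint8_t)ulen;
    memcpy(out + 2, user, ulen);
    out[2 + ulen] = (uint8_t)plen;
    memcpy(out + 3 + ulen, pass, plen);
    return 3 + ulen + plen;
}

/* RFC 1929 reply: VER STATUS. Returns 1 on success (STATUS 0), 0 on failure
   (any non-zero STATUS), -1 if the reply is malformed. */
int socks5_parse_userpass_reply(const uint8_t *buf, size_t len)
{
    if (len != 2 || buf[0] != SOCKS5_UPASS_VER) return -1;
    return buf[1] == 0x00 ? 1 : 0;
}

static void dump(const char *dir, const uint8_t *b, size_t n)
{
    printf("%s", dir);
    for (size_t i = 0; i < n; i++) printf(" %02x", b[i]);
    printf("\n");
}

int main(void)
{
    /* Constructed replay of the exchange in the "connect -d" transcript. */
    const uint8_t offer[] = { SOCKS5_AUTH_NONE, SOCKS5_AUTH_USERPASS };
    uint8_t buf[64];
    size_t n = socks5_build_greeting(offer, 2, buf, sizeof buf);
    dump(">>>", buf, n);                     /* >>> 05 02 00 02 */

    const uint8_t reply[] = { 0x05, 0x02 };  /* server picked USERPASS */
    dump("<<<", reply, 2);
    int m = socks5_parse_method_reply(reply, 2);
    printf("server chose method %d (%s)\n", m,
           m == SOCKS5_AUTH_USERPASS ? "USERPASS" :
           m == SOCKS5_AUTH_NONE ? "NO-AUTH" : "other/none acceptable");

    /* Constructed credentials; the transcript shows these bytes only as "xx xx ...". */
    n = socks5_build_userpass("gotoh", "constructed-secret", buf, sizeof buf);
    printf("userpass request is %zu bytes (not dumped: carries the password)\n", n);

    const uint8_t auth_reply[] = { 0x01, 0x01 };  /* non-zero status = rejected */
    dump("<<<", auth_reply, 2);
    printf("%s\n", socks5_parse_userpass_reply(auth_reply, 2) == 1
                   ? "authenticated" : "authentication failed");
    return 0;
}
```

<p>
Run against the transcript's values this prints the same three byte sequences and reports that the final <code>01 01</code> reply is a rejection; a <code>05 FF</code> method reply would instead mean the server accepts none of the methods offered with '<code>-a</code>'.
</p>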

<h2><a name="sec9">More</a> Detail</h2>

<p>
Command line usage is:
</p>

<pre class="example">
usage: connect [-dnhs45] [-R resolve] [-p local-port] [-w sec]
               [-H [user@]proxy-server[:port]]
               [-S [user@]socks-server[:port]]
               host port
</pre>

<p>
'<strong>host</strong>' and '<strong>port</strong>' are the target hostname and port number to connect to.
</p>

<p>
The '<strong>-H</strong>' option specifies the hostname and port number of the http proxy server to
relay through. If the port is omitted, 80 is used. You can also set this value in the
environment variable <code>HTTP_PROXY</code> and give the '<strong>-h</strong>' option to use it.
</p>

<p>
The '<strong>-S</strong>' option specifies the hostname and port number of the SOCKS server to
relay through. As with the '<strong>-H</strong>' option, the port number can be omitted; the default is 1080.
You can also set this host/port pair in the environment variable
<code>SOCKS5_SERVER</code> and give the '<strong>-s</strong>' option to use it.
</p>

<p>
'<strong>-4</strong>' and '<strong>-5</strong>' select the SOCKS protocol version. They are
valid only together with '<strong>-s</strong>' or '<strong>-S</strong>'. The default is '<strong>-5</strong>'
(protocol version 5).
</p>

<p>
'<strong>-R</strong>' specifies the method used to resolve the hostname. Three keywords
('<code>local</code>', '<code>remote</code>', '<code>both</code>') or a dotted-decimal IP address are
allowed. The keyword '<code>both</code>' means "try local first, then
remote". If a dotted-decimal IP address is given, that host is used as the
nameserver (UNIX only). The default is '<code>remote</code>' for SOCKS5 and '<code>local</code>'
for the others. With the SOCKS4 protocol, the remote resolving methods ('<code>remote</code>'
and '<code>both</code>') use protocol version 4a.
</p>

<p>
The '<strong>-p</strong>' option forwards a local TCP port instead of using
standard input and output.
</p>

<p>
The '<strong>-w</strong>' option specifies the timeout in seconds for establishing the connection to the
TARGET host.
</p>

<p>
The '<strong>-a</strong>' option specifies the authentication methods the user is willing to use,
separated by commas. Currently '<code>userpass</code>' and '<code>none</code>' are
supported. The default is '<code>userpass</code>'. You can also set this
parameter via the environment variable <code>SOCKS5_AUTH</code>.
</p>

<p>
The '<strong>-d</strong>' option is for debugging. If you fail to connect, use it
and check the request sent to and the response received from the server.
</p>

<p>
You can omit the '<strong>port</strong>' argument when the program name has a special format
that itself contains the port number. For example,
</p>

<pre class="example">
$ ln -s connect connect-25
$ ./connect-25 smtphost.outside.net
220 smtphost.outside.net ESMTP Sendmail
QUIT
221 2.0.0 smtphost.remote.net closing connection
$
</pre>

<p>
This example shows that the command name "<code>connect-25</code>" contains the port number
25, so you can omit the second argument (an explicitly specified port is still used if given).
</p>

<h2><a name="sec10">Limitations</a></h2>

<h3><a name="sec11">SOCKS5</a> authentication</h3>

<p>
Only the NO-AUTH and USER/PASSWORD authentication methods are supported.
GSSAPI authentication (RFC 1961) and other draft authentication methods (CHAP,
EAP, MAF, etc.) are not supported.
</p>

<h3><a name="sec12">HTTP</a> authentication</h3>

<p>
BASIC authentication is supported but DIGEST authentication is not.
</p>

<h3><a name="sec13">Switching</a> proxy server</h3>

<p>
There is no mechanism to switch the proxy server according to the PC's environment.
This limitation might be bad news for mobile users.
Since I do not want to make this program complex, I do not want to
support this although the feature has already been requested. Please advise me
if there is a good idea for detecting the environment to switch on, and a simple way
to specify conditional directives for servers.
</p>

<p>
One tricky workaround exists: replacing the ~/.ssh/config file
with a script on ppp up/down.
</p>

<p>
There is another example, a wrapper script (contributed by Darren Tucker).
This script costs an execution of ifconfig and grep to detect the
current environment, but it works. (NOTE: you should modify the addresses
if you use it.)
</p>

<pre class="example">
#!/bin/sh
## ~/bin/myconnect --- Proxy server switching wrapper

## Pick the proxy options from the address currently assigned to eth0.
if ifconfig eth0 |grep "inet addr:192\.168\.1" >/dev/null; then
  opts="-S 192.168.1.1:1080"
elif ifconfig eth0 |grep "inet addr:10\." >/dev/null; then
  opts="-H 10.1.1.1:80"
else
  opts="-s"
fi
## $opts is left unquoted on purpose so that it splits into separate
## arguments; "$@" passes the host and port through unchanged.
exec /usr/local/bin/connect $opts "$@"
</pre>

<h2><a name="sec14">Tips</a></h2>

<h3><a name="sec15">Proxying</a> socket connection</h3>

<p>
Usually, '<strong>connect.c</strong>' relays the network connection to/from standard
input/output. By specifying the '<strong>-p</strong>' option, however, '<strong>connect.c</strong>'
relays a local network stream instead of standard input/output.
With this option, the '<strong>connect</strong>' command waits for a connection
from another program, then starts relaying between the two network streams.
</p>

<p>
This feature may be useful for programs that are hard to SOCKSify.
</p>

<h3><a name="sec16">Use</a> with <code>ssh-askpass</code> command</h3>

<p>
'<strong>connect.c</strong>' asks you for a password when authentication is required. If
you are running on a tty/pty terminal, connect can read it from the terminal
with a prompt. But you can also use the '<code>ssh-askpass</code>' program to input the
password. If you are in a graphical environment like X Window or MS
Windows, the program has no tty/pty, and the environment variable
SSH_ASKPASS is set, then '<strong>connect.c</strong>' invokes the command
specified by the environment variable '<code>SSH_ASKPASS</code>' to input the password.
The <code>ssh-askpass</code> program is probably already installed if you are using OpenSSH on a
UNIX environment. On Windows, a pre-compiled binary is
available from
<a href="http://www.imasy.or.jp/~gotoh/ssh/ssh-askpass.exe">here</a>.
</p>

<p>
This feature is limited to window system environments.
</p>

<p>
It is also useful in Emacs on MS Windows (NT Emacs or Meadow). It is
hard to send a passphrase to the '<strong>connect</strong>' command (and also to ssh)
because the external command is invoked on a hidden terminal and does its I/O with
that terminal. Using ssh-askpass avoids this problem.
</p>

<h3><a name="sec17">Use</a> for Network Stream of Emacs</h3>

<p>
Although '<strong>connect.c</strong>' was made for OpenSSH, it is generic and
independent of OpenSSH, so we can use it for other purposes. For
example, you can use this command in Emacs to open a network connection
to a remote host over the firewall via a SOCKS or HTTP proxy without
SOCKSifying Emacs itself.
</p>

<p>
There is sample code:
<a href="http://www.imasy.or.jp/~gotoh/lisp/relay.el">http://www.imasy.or.jp/~gotoh/lisp/relay.el</a>
</p>

<p>
With this code, you can use the <code>relay-open-network-stream</code> function
instead of <code>open-network-stream</code> to make a network connection. See the
comments at the top of the source for more detail.
</p>

<h3><a name="sec18">Remote</a> resolver</h3>

<p>
If you are a SOCKS4 user on a UNIX environment, you might want to specify the
nameserver used to resolve the remote hostname. You can do this with the
'<strong>-R</strong>' option followed by the IP address of the resolver.
</p>

<h3><a name="sec19">Hopping</a> Connection via SSH</h3>

<p>
The combination of ssh and the '<strong>connect</strong>' command has a more interesting usage.
The following command makes an indirect connection to host2:port from your
current host via host1.
</p>

<pre class="example">
ssh host1 connect host2 port
</pre>

<p>
This method is useful in situations like:
</p>

<ul>
<li>You are outside your organization now, but you want to access an
internal host behind the firewall.
</li>
<li>You want to use a service that is allowed only from certain
limited hosts.
</li>
</ul>

<p>
For example, I want to use the local NetNews service in my office
from home. I cannot make an NNTP session directly because the NNTP host is
behind the firewall. Fortunately, I have an ssh account on an internal
host and am allowed to use SOCKS5 on the firewall from outside. So I use the
following command to connect to the NNTP service.
</p>

<pre class="example">
$ ssh host1 connect news 119
200 news.my-office.com InterNetNews NNRP server INN 2.3.2 ready (posting ok).
quit
205 .
$
</pre>

<p>
By combining the hopping connection and relay.el, I can read NetNews
using <a href="http://www.gohome.org/wl/">Wanderlust</a> on Emacs at home.
</p>

<pre class="example">
                                  |
      External (internet)         |   Internal (office)
                                  |
  +------+    +----------+        |        +-------+         +-----------+
  | HOME |    | firewall |        |        | host1 |         | NNTP host |
  +------+    +----------+        |        +-------+         +-----------+
   emacs <-------------- ssh ---------------> sshd <-- connect --> nntpd
         <-- connect --> socksd <-- SOCKS -->
</pre>

<h2><a name="sec20">F</a>.Y.I.</h2>

<h3><a name="sec21">Difference</a> between SOCKS versions.</h3>

<p>
SOCKS version 4 is the first popular implementation and is documented
<a href="http://www.socks.nec.com/protocol/socks4.protocol">here</a>. Since
this protocol makes requests by IP address, the client program
must resolve the name of the outer host by itself. Version 4a (documented
<a href="http://www.socks.nec.com/protocol/socks4a.protocol">here</a>) is
enhanced to allow requests by hostname instead of IP address.
</p>

<p>
SOCKS version 5 is a redesigned protocol that builds on the experience of
versions 4 and 4a. It is not compatible with the previous
versions. Instead there are some improvements: IPv6 support, request by
hostname, UDP proxying, etc.
</p>
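<p>
The wire-format difference described above is exactly what the '<strong>-R</strong>' option switches between: with '<code>local</code>' the client resolves the name and sends an address, with '<code>remote</code>' it sends the name and the SOCKS server resolves it. The following added example (it is not code from connect.c) encodes a CONNECT request in each of the three formats: SOCKS4 with a client-resolved IPv4 address, SOCKS4a with the <code>0.0.0.x</code> marker address and a trailing hostname for the server to resolve, and SOCKS5 with the domain-name address type. The hostname, port, address and user id are constructed sample values; the function names are the example's own.
</p>

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SOCKS4 CONNECT: VN=4 CD=1 DSTPORT(2) DSTIP(4) USERID NUL.
   The client must already have resolved the name ("-R local"). */
size_t socks4_connect(const uint8_t ip[4], uint16_t port, const char *user,
                      uint8_t *out, size_t outlen)
{
    size_t ulen = strlen(user);
    if (outlen < 9 + ulen) return 0;
    out[0] = 0x04;                      /* version 4 */
    out[1] = 0x01;                      /* CONNECT */
    out[2] = (uint8_t)(port >> 8);
    out[3] = (uint8_t)(port & 0xFF);
    memcpy(out + 4, ip, 4);
    memcpy(out + 8, user, ulen);
    out[8 + ulen] = 0;
    return 9 + ulen;
}

/* SOCKS4a CONNECT: same layout, but DSTIP is 0.0.0.x (x != 0) and the hostname
   follows the user id as a second NUL-terminated string; the server resolves it
   ("-R remote" / "-R both" with -4). */
size_t socks4a_connect(const char *host, uint16_t port, const char *user,
                       uint8_t *out, size_t outlen)
{
    static const uint8_t marker[4] = { 0, 0, 0, 1 };
    size_t hlen = strlen(host);
    if (hlen == 0 || outlen < 10 + strlen(user) + hlen) return 0;
    size_t n = socks4_connect(marker, port, user, out, outlen);
    if (n == 0) return 0;
    memcpy(out + n, host, hlen);
    out[n + hlen] = 0;
    return n + hlen + 1;
}

/* SOCKS5 CONNECT with ATYP=0x03 (domain name): VER CMD RSV ATYP LEN HOST PORT(2).
   Version 5 carries the name natively, which is why "-R remote" is its default. */
size_t socks5_connect_domain(const char *host, uint16_t port,
                             uint8_t *out, size_t outlen)
{
    size_t hlen = strlen(host);
    if (hlen == 0 || hlen > 255 || outlen < 7 + hlen) return 0;
    out[0] = 0x05; out[1] = 0x01; out[2] = 0x00; out[3] = 0x03;
    out[4] = (uint8_t)hlen;
    memcpy(out + 5, host, hlen);
    out[5 + hlen] = (uint8_t)(port >> 8);
    out[6 + hlen] = (uint8_t)(port & 0xFF);
    return 7 + hlen;
}

/* Inspect a SOCKS4-family request: 1 if it uses the 4a marker (server resolves),
   0 if it carries a real address (client resolved), -1 if not a SOCKS4 request. */
int socks4_is_remote_resolve(const uint8_t *req, size_t len)
{
    if (len < 9 || req[0] != 0x04) return -1;
    return req[4] == 0 && req[5] == 0 && req[6] == 0 && req[7] != 0;
}

static void dump(const char *label, const uint8_t *b, size_t n)
{
    printf("%-8s", label);
    for (size_t i = 0; i < n; i++) printf(" %02x", b[i]);
    printf("\n");
}

int main(void)
{
    uint8_t buf[64];
    /* Constructed sample target and user id. */
    const uint8_t ip[4] = { 192, 168, 1, 10 };
    size_t n = socks4_connect(ip, 110, "gotoh", buf, sizeof buf);
    dump("SOCKS4", buf, n);
    printf("  server resolves name: %d\n", socks4_is_remote_resolve(buf, n));
    n = socks4a_connect("example.org", 110, "gotoh", buf, sizeof buf);
    dump("SOCKS4a", buf, n);
    printf("  server resolves name: %d\n", socks4_is_remote_resolve(buf, n));
    n = socks5_connect_domain("example.org", 110, buf, sizeof buf);
    dump("SOCKS5", buf, n);
    return 0;
}
```

<p>
The point to notice in the output is that the SOCKS4 request leaks nothing about the name (only the address the client already resolved), while the 4a and 5 requests hand the name to the proxy, so DNS lookups happen on the proxy's side of the firewall; that is the whole difference between '<code>-R local</code>' and '<code>-R remote</code>'.
</p>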

<h3><a name="sec22">Configuration</a> to use HTTPS</h3>

<p>
Many http proxy server implementations support the https <code>CONNECT</code> method
(SSL). You might need to add configuration to allow the use of https. For
example, with <a href="http://www.delegate.org/delegate/">DeleGate</a> (
DeleGate is a multi-purpose application level gateway, or proxy
server), you should add '<code>https</code>' to the '<code>REMITTABLE</code>' parameter to
allow the HTTP proxy, like this:
</p>

<pre class="example">
delegated -Pxxxx ...... REMITTABLE='+,https' ...
</pre>

<p>
In the case of Squid, you should allow the target ports for https via an ACL,
and so on.
</p>
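<p>
As an added illustration of the BASIC-only limitation noted under HTTP authentication above, and of the 401/WWW-Authenticate variant mentioned in the rev. 1.63 news entry, the code below builds an https <code>CONNECT</code> request with a <code>Proxy-Authorization: Basic</code> header and classifies the proxy's answer. It is not code from connect.c; the exact request line connect.c sends is not shown on this page, so HTTP/1.0 is assumed here, and the host, port, credentials and sample replies are constructed.
</p>

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Minimal base64 (RFC 4648) for the Proxy-Authorization value. Basic auth only
   encodes "user:pass"; it does not protect it, so the proxy hop sees it in clear. */
static size_t base64_encode(const unsigned char *in, size_t inlen, char *out, size_t outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t need = 4 * ((inlen + 2) / 3), i, o = 0;
    if (outlen < need + 1) return 0;
    for (i = 0; i + 2 < inlen; i += 3) {
        unsigned v = in[i] << 16 | in[i + 1] << 8 | in[i + 2];
        out[o++] = tbl[v >> 18 & 63]; out[o++] = tbl[v >> 12 & 63];
        out[o++] = tbl[v >> 6 & 63];  out[o++] = tbl[v & 63];
    }
    if (i < inlen) {                       /* 1 or 2 trailing bytes: pad with '=' */
        unsigned v = in[i] << 16;
        if (i + 1 < inlen) v |= in[i + 1] << 8;
        out[o++] = tbl[v >> 18 & 63]; out[o++] = tbl[v >> 12 & 63];
        out[o++] = (i + 1 < inlen) ? tbl[v >> 6 & 63] : '=';
        out[o++] = '=';
    }
    out[o] = 0;
    return o;
}

/* Build the CONNECT request; pass user == NULL for an unauthenticated request.
   Returns the request length, or 0 if a buffer is too small. */
int http_connect_request(const char *host, int port, const char *user, const char *pass,
                         char *out, size_t outlen)
{
    char cred[512], b64[704];
    int n;
    if (user == NULL) {
        n = snprintf(out, outlen, "CONNECT %s:%d HTTP/1.0\r\nHost: %s:%d\r\n\r\n",
                     host, port, host, port);
    } else {
        int c = snprintf(cred, sizeof cred, "%s:%s", user, pass ? pass : "");
        if (c < 0 || (size_t)c >= sizeof cred) return 0;
        if (!base64_encode((const unsigned char *)cred, (size_t)c, b64, sizeof b64)) return 0;
        n = snprintf(out, outlen,
                     "CONNECT %s:%d HTTP/1.0\r\nHost: %s:%d\r\nProxy-Authorization: Basic %s\r\n\r\n",
                     host, port, host, port, b64);
    }
    if (n < 0 || (size_t)n >= outlen) return 0;
    return n;
}

/* Status code from the proxy's status line, or -1 if it is not an HTTP response. */
int http_status_code(const char *resp)
{
    if (strncmp(resp, "HTTP/", 5) != 0) return -1;
    const char *sp = strchr(resp, ' ');
    if (!sp || !isdigit((unsigned char)sp[1]) || !isdigit((unsigned char)sp[2]) ||
        !isdigit((unsigned char)sp[3])) return -1;
    return (sp[1] - '0') * 100 + (sp[2] - '0') * 10 + (sp[3] - '0');
}

/* Case-insensitive check for a header name at the start of some line. */
static int has_header(const char *resp, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = resp; (p = strstr(p, "\r\n")) != NULL; p += 2) {
        size_t i = 0;
        while (i < n && p[2 + i] &&
               tolower((unsigned char)p[2 + i]) == tolower((unsigned char)name[i])) i++;
        if (i == n && p[2 + n] == ':') return 1;
    }
    return 0;
}

/* 2 = standard 407 with Proxy-Authenticate, 1 = the old-proxy 401/WWW-Authenticate
   variant (rev. 1.63 news entry), 0 = not an authentication challenge. */
int http_auth_challenge(const char *resp)
{
    int code = http_status_code(resp);
    if (code == 407 && has_header(resp, "Proxy-Authenticate")) return 2;
    if (code == 401 && has_header(resp, "WWW-Authenticate")) return 1;
    return 0;
}

int main(void)
{
    char req[512];
    /* Constructed sample: proxy credentials "user"/"pass", target remote.outside.net:22. */
    if (http_connect_request("remote.outside.net", 22, "user", "pass", req, sizeof req))
        fputs(req, stdout);
    const char *std = "HTTP/1.1 407 Proxy Authentication Required\r\n"
                      "Proxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n";
    const char *old = "HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"proxy\"\r\n\r\n";
    printf("status %d, challenge kind %d\n", http_status_code(std), http_auth_challenge(std));
    printf("status %d, challenge kind %d\n", http_status_code(old), http_auth_challenge(old));
    return 0;
}
```

<p>
A reply of <code>200</code> means the proxy opened the tunnel and the SSH banner follows on the same socket; a <code>403</code> with no challenge header typically means the proxy's policy (such as the DeleGate REMITTABLE or Squid ACL settings above) does not permit CONNECT to that port, which no amount of authentication will fix.
</p>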

<h3><a name="sec23">SOCKS5</a> Servers</h3>

<dl>
<dt><a href="http://www.socks.nec.com/refsoftware.html">NEC SOCKS Reference Implementation</a></dt>
<dd>
Reference implementation of a SOCKS server and library.
</dd>
<dt><a href="http://www.inet.no/dante/index.html">Dante</a></dt>
<dd>
Dante is a free implementation of a SOCKS server and library,
with many enhancements and a modularized design.
</dd>
<dt><a href="http://www.delegate.org/delegate/">DeleGate</a></dt>
<dd>
DeleGate is a multi-function proxy service provider.
DeleGate 5.x.x or earlier can be a SOCKS4 server,
6.x.x can be a SOCKS5 and SOCKS4 server,
and 7.7.0 or later can be a SOCKS5 and SOCKS4a server.
</dd>
</dl>

<h3><a name="sec24">Specifications</a></h3>

<dl>
<dt><a href="http://www.socks.nec.com/protocol/socks4.protocol">socks4.protocol.txt</a></dt>
<dd>
SOCKS: A protocol for TCP proxy across firewalls
</dd>
<dt><a href="http://www.socks.nec.com/protocol/socks4a.protocol">socks4a.protocol.txt</a></dt>
<dd>
SOCKS 4A: A Simple Extension to SOCKS 4 Protocol
</dd>
<dt><a href="http://www.socks.nec.com/rfc/rfc1928.txt">RFC 1928</a></dt>
<dd>
SOCKS Protocol Version 5
</dd>
<dt><a href="http://www.socks.nec.com/rfc/rfc1929.txt">RFC 1929</a></dt>
<dd>
Username/Password Authentication for SOCKS V5
</dd>
<dt><a href="http://www.ietf.org/rfc/rfc2616.txt">RFC 2616</a></dt>
<dd>
Hypertext Transfer Protocol -- HTTP/1.1
</dd>
<dt><a href="http://www.ietf.org/rfc/rfc2617.txt">RFC 2617</a></dt>
<dd>
HTTP Authentication: Basic and Digest Access Authentication
</dd>
</dl>

<h3><a name="sec25">Related</a> Links</h3>

<ul>
<li><a href="http://www.openssh.org">OpenSSH Home</a>
</li>
<li><a href="http://www.ssh.com/">Proprietary SSH</a>
</li>
<li><a href="http://www.imasy.or.jp/~gotoh/ssh/openssh-socks.html">Using OpenSSH through a SOCKS compatible PROXY on your LAN</a> (J. Grant)
</li>
</ul>

<h3><a name="sec26">Similars</a></h3>

<ul>
<li><a href="http://proxytunnel.sourceforge.net/">Proxy Tunnel</a> -- Proxying command using https CONNECT.
</li>
<li><a href="http://www.snurgle.org/~griffon/ssh-https-tunnel">stunnel</a> -- Proxy through an https tunnel (Perl script)
</li>
</ul>
<br/>

<!-- Page published by Emacs Wiki ends here -->
<div class="navfoot">
<hr/>
<table width="100%" border="0" summary="Footer navigation">
<tbody><tr>
<td width="50%" align="left">
<span class="footdate">Last Updated: 2003-06-17</span><br/>
</td>
<td width="50%" align="right">
This page is authored by <a href="mailto:gotoh@taiyo.co.jp">Shun-ichi GOTO</a>
using <a href="http://repose.cx/emacs/wiki">emacs-wiki.el</a><br/>
</td>
</tr></tbody>
</table>
</div>
</body>
</html>