+++ /dev/null
-<?xml version="1.0" encoding="us-ascii"?>\r
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"\r
- "http://www.w3.org/TR/xhtml1/DTD/strict.dtd">\r
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">\r
- <head>\r
- <title>SSH Proxy Command -- connect.c</title>\r
- <meta name="generator" content="emacs-wiki.el" />\r
- <meta http-equiv="Content-Type"\r
- content="us-ascii" />\r
- <link rev="made" href="mailto:gotoh@taiyo.co.jp" />\r
- <link rel="home" href="http://www.taiyo.co.jp/~gotoh/" />\r
- <link rel="index" href="http://www.taiyo.co.jp/~gotoh/SiteIndex.html" />\r
- <link rel="stylesheet" type="text/css" href="emacs-wiki.css" />\r
- </head>\r
- <body>\r
- <h1>SSH Proxy Command -- connect.c</h1>\r
- <!-- Page published by Emacs Wiki begins here -->\r
-<p>\r
-<strong>connect.c</strong> is the simple relaying command to make network\r
-connection via SOCKS and https proxy. It is mainly intended to\r
-be used as <strong>proxy command</strong> of OpenSSH. You can make SSH session\r
-beyond the firewall with this command,\r
-\r
-</p>\r
-\r
-<p>\r
-Features of <strong>connect.c</strong> are:\r
-\r
-</p>\r
-\r
-<ul>\r
-<li>Supports SOCKS (version 4/4a/5) and https CONNECT method.\r
-</li>\r
-<li>Supports NO-AUTH and USERPASS authentication of SOCKS\r
-</li>\r
-<li>Partially supports telnet proxy (experimental).\r
-</li>\r
-<li>You can input password from tty, ssh-askpass or\r
- environment variable.\r
-</li>\r
-<li>Run on UNIX or Windows platform.\r
-</li>\r
-<li>You can compile with various C compiler (cc, gcc, Visual C, Borland C. etc.)\r
-</li>\r
-<li>Simple and general program independent from OpenSSH.\r
-</li>\r
-<li>You can also relay local socket stream instead of standard I/O.\r
-</li>\r
-</ul>\r
-\r
-<p>\r
-Download source code from:\r
-<a href="http://www.taiyo.co.jp/~gotoh/ssh/connect.c">http://www.taiyo.co.jp/~gotoh/ssh/connect.c</a>\r
-<br/>\r
-For windows user, pre-compiled binary is also available:\r
-<a href="http://www.taiyo.co.jp/~gotoh/ssh/connect.exe">http://www.taiyo.co.jp/~gotoh/ssh/connect.exe</a> (compiled with MSVC)\r
-\r
-</p>\r
-\r
-<h2>Contents</h2>\r
-<dl class="contents">\r
-<dt class="contents">\r
-<a href="#sec1">News</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec2">What is 'proxy command'</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec3">How to Use</a>\r
-</dt>\r
-<dd>\r
-<dl class="contents">\r
-<dt class="contents">\r
-<a href="#sec4">Get Source</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec5">Compile and Install</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec6">Modify your ~/.ssh/config</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec7">Use SSH</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec8">Have trouble?</a>\r
-</dt>\r
-</dl>\r
-</dd>\r
-<dt class="contents">\r
-<a href="#sec9">More Detail</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec10">Specifying user name via environment variables</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec11">Specifying password via environment variables</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec12">Limitations</a>\r
-</dt>\r
-<dd>\r
-<dl class="contents">\r
-<dt class="contents">\r
-<a href="#sec13">SOCKS5 authentication</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec14">HTTP authentication</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec15">Switching proxy server</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec16">Telnet Proxy</a>\r
-</dt>\r
-</dl>\r
-</dd>\r
-<dt class="contents">\r
-<a href="#sec17">Tips</a>\r
-</dt>\r
-<dd>\r
-<dl class="contents">\r
-<dt class="contents">\r
-<a href="#sec18">Proxying socket connection</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec19">Use with ssh-askpass command</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec20">Use for Network Stream of Emacs</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec21">Remote resolver</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec22">Hopping Connection via SSH</a>\r
-</dt>\r
-</dl>\r
-</dd>\r
-<dt class="contents">\r
-<a href="#sec23">Break The More Restricted Wall</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec24">F.Y.I.</a>\r
-</dt>\r
-<dd>\r
-<dl class="contents">\r
-<dt class="contents">\r
-<a href="#sec25">Difference between SOCKS versions.</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec26">Configuration to use HTTPS</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec27">SOCKS5 Servers</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec28">Specifications</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec29">Related Links</a>\r
-</dt>\r
-<dt class="contents">\r
-<a href="#sec30">Similars</a>\r
-</dt>\r
-</dl>\r
-</dd>\r
-<dt class="contents">\r
-<a href="#sec31">hisotry</a>\r
-</dt>\r
-</dl>\r
-\r
-\r
-<h2><a name="sec1" id="sec1"></a>News</h2>\r
-<dl>\r
-<dt>2005-03-04</dt>\r
-<dd>\r
-Updated compile option for Mac OS X.\r
-</dd>\r
-<dt>2005-02-21</dt>\r
-<dd>\r
-Rev.1.92. Removed assertions which has no mean and worse for windows\r
- suggested by OZAWA Takahiro.\r
-</dd>\r
-<dt>2005-01-12</dt>\r
-<dd>\r
-Rev.1.90. Fixed not to cause seg-fault on accessing to non HTTP\r
- port. This problem is reported by Jason Armstrong <ja at riverdrums.com>.\r
-</dd>\r
-<dt>2004-10-30</dt>\r
-<dd>\r
-Rev.1.89. Partial support for telnet proxy.\r
- Thanks to Gregory Shimansky <gshimansky at mail dot ru>. \r
- (Note: This is ad-hoc implementation, so it is not enough for\r
- various type of telnet proxies.\r
- And password interaction is not supported.)\r
-</dd>\r
-</dl>\r
-\r
-<h2><a name="sec2" id="sec2"></a>What is 'proxy command'</h2>\r
-\r
-<p>\r
-OpenSSH development team decides to stop supporting SOCKS and any\r
-other tunneling mechanism. It was aimed to separate complexity to\r
-support various mechanism of proxying from core code. And they\r
-recommends more flexible mechanism: <strong>ProxyCommand</strong> option\r
-instead.\r
-\r
-</p>\r
-\r
-<p>\r
-Proxy command mechanism is delegation of network stream\r
-communication. If <strong>ProxyCommand</strong> options is specified, SSH\r
-invoke specified external command and talk with standard I/O of thid\r
-command. Invoked command undertakes network communication with\r
-relaying to/from standard input/output including iniitial\r
-communication or negotiation for proxying. Thus, ssh can split out\r
-proxying code into external command.\r
-\r
-</p>\r
-\r
-<p>\r
-The <strong>connect.c</strong> program was made for this purpose.\r
-\r
-</p>\r
-\r
-<h2><a name="sec3" id="sec3"></a>How to Use</h2>\r
-\r
-<h3><a name="sec4" id="sec4"></a>Get Source</h3>\r
-\r
-<p>\r
-Download source code from <a href="http://www.taiyo.co.jp/~gotoh/ssh/connect.c">here</a>.\r
-<br/>\r
-If you are MS Windows user, you can get pre-compiled binary from\r
-<a href="http://www.taiyo.co.jp/~gotoh/ssh/connect.exe">here</a>.\r
-\r
-</p>\r
-\r
-<h3><a name="sec5" id="sec5"></a>Compile and Install</h3>\r
-\r
-<p>\r
-In most environment, you can compile <strong>connect.c</strong> simply.\r
-On UNIX environment, you can use cc or gcc.\r
-On Windows environment, you can use Microsoft Visual C, Borland C or Cygwin gcc.\r
-\r
-</p>\r
-\r
-<table border="2" cellpadding="5">\r
-<thead>\r
-<tr>\r
-<th>Compiler</th><th>command line to compile</th>\r
-</tr>\r
-</thead>\r
-<tbody>\r
-<tr>\r
-<td>UNIX cc</td><td>cc connect.c -o connect</td>\r
-</tr>\r
-<tr>\r
-<td>UNIX gcc</td><td>gcc connect.c -o connect</td>\r
-</tr>\r
-<tr>\r
-<td>Solaris</td><td>gcc connect.c -o connect -lnsl -lsocket -lresolv</td>\r
-</tr>\r
-<tr>\r
-<td>Microsoft Visual C/C++</td><td>cl connect.c wsock32.lib advapi32.lib</td>\r
-</tr>\r
-<tr>\r
-<td>Borland C</td><td>bcc32 connect.c wsock32.lib advapi32.lib</td>\r
-</tr>\r
-<tr>\r
-<td>Cygwin gcc</td><td>gcc connect.c -o connect</td>\r
-</tr>\r
-<tr>\r
-<td>Mac OS X</td><td>gcc connect.c -o connect -lresolv<br/>or<br/>gcc connect.c -o connect -DBIND_8_COMPAT=1</td>\r
-</tr>\r
-</tbody>\r
-</table>\r
-\r
-<p>\r
-To install <strong>connect</strong> command, simply copy compiled binary to directory\r
-in your PATH (ex. /usr/local/bin). Like this:\r
-\r
-</p>\r
-\r
-<pre class="example">\r
-$ cp connect /usr/local/bin\r
-</pre>\r
-\r
-<h3><a name="sec6" id="sec6"></a>Modify your ~/.ssh/config</h3>\r
-\r
-<p>\r
-Modify your <code>~/.ssh/config</code> file to use <strong>connect</strong> command as\r
-<strong>proxy command</strong>. For the case of SOCKS server is running on\r
-firewall host <code>socks.local.net</code> with port 1080, you can add\r
-<strong>ProxyCommand</strong> option in <code>~/.ssh/config</code>, like this:\r
-\r
-</p>\r
-\r
-<pre class="example">\r
-Host remote.outside.net\r
- ProxyCommand connect -S socks.local.net %h %p\r
-</pre>\r
-\r
-<p>\r
-<code>%h</code> and <code>%p</code> will be replaced on invoking proxy command with\r
-target hostname and port specified to SSH command.\r
-\r
-</p>\r
-\r
-<p>\r
-If you hate writing many entries of remote hosts, following example\r
-may help you.\r
-\r
-</p>\r
-\r
-<pre class="example">\r
-## Outside of the firewall, use connect command with SOCKS conenction.\r
-Host *\r
- ProxyCommand connect -S socks.local.net %h %p\r
-\r
-## Inside of the firewall, use connect command with direct connection.\r
-Host *.local.net\r
- ProxyCommand connect %h %p\r
-</pre>\r
-\r
-<p>\r
-If you want to use http proxy, use <strong>-H</strong> option instead of <strong>-S</strong>\r
-option in examle above, like this:\r
-\r
-</p>\r
-\r
-<pre class="example">\r
-## Outside of the firewall, with HTTP proxy\r
-Host *\r
- ProxyCommand connect -H proxy.local.net:8080 %h %p\r
-\r
-## Inside of the firewall, direct\r
-Host *.local.net\r
- ProxyCommand connect %h %p\r
-</pre>\r
-\r
-<h3><a name="sec7" id="sec7"></a>Use SSH</h3>\r
-\r
-<p>\r
-After editing your <code>~/.ssh/config</code> file, you are ready to use ssh.\r
-You can execute ssh without any special options as if remote host is\r
-IP reachable host. Following is an example to execute <code>hostname</code>\r
-command on host <code>remote.outside.net</code>.\r
-\r
-</p>\r
-\r
-<pre class="example">\r
-$ ssh remote.outside.net hostname\r
-remote.outside.net\r
-$\r
-</pre>\r
-\r
-<h3><a name="sec8" id="sec8"></a>Have trouble?</h3>\r
-\r
-<p>\r
-If you have trouble, execute <strong>connect</strong> command from command line\r
-with <code>-d</code> option to see what is happened. Some debug message may\r
-appear and reports progress. This information may tell you what is\r
-wrong. In this example, error has occurred on authentication stage of\r
-SOCKS5 protocol.\r
-\r
-</p>\r
-\r
-<pre class="example">\r
-$ connect -d -S socks.local.net unknown.remote.outside.net 110\r
-DEBUG: relay_method = SOCKS (2)\r
-DEBUG: relay_host=socks.local.net\r
-DEBUG: relay_port=1080\r
-DEBUG: relay_user=gotoh\r
-DEBUG: socks_version=5\r
-DEBUG: socks_resolve=REMOTE (2)\r
-DEBUG: local_type=stdio\r
-DEBUG: dest_host=unknown.remote.outside.net\r
-DEBUG: dest_port=110\r
-DEBUG: Program is $Revision$\r
-DEBUG: connecting to xxx.xxx.xxx.xxx:1080\r
-DEBUG: begin_socks_relay()\r
-DEBUG: atomic_out() [4 bytes]\r
-DEBUG: >>> 05 02 00 02\r
-DEBUG: atomic_in() [2 bytes]\r
-DEBUG: <<< 05 02\r
-DEBUG: auth method: USERPASS\r
-DEBUG: atomic_out() [some bytes]\r
-DEBUG: >>> xx xx xx xx ...\r
-DEBUG: atomic_in() [2 bytes]\r
-DEBUG: <<< 01 01\r
-ERROR: Authentication faield.\r
-FATAL: failed to begin relaying via SOCKS.\r
-</pre>\r
-\r
-<h2><a name="sec9" id="sec9"></a>More Detail</h2>\r
-\r
-<p>\r
-Command line usage is here:\r
-\r
-</p>\r
-\r
-<pre class="example">\r
-usage: connect [-dnhst45] [-R resolve] [-p local-port] [-w sec]\r
- [-H [user@]proxy-server[:port]]\r
- [-S [user@]socks-server[:port]]\r
- [-T socks-server:[port]]\r
- [-c telnet-proxy-command]\r
- host port\r
-</pre>\r
-\r
-<p>\r
-<strong><em>host</em></strong> and <strong><em>port</em></strong> is target hostname and port-number to connect.\r
-\r
-</p>\r
-\r
-<p>\r
-<strong>-H</strong> option specify hostname and port number of http proxy server to\r
-relay. If port is omitted, 80 is used. You can specify this value by\r
-environment variable <code>HTTP_PROXY</code> and give <strong>-h</strong> option to use it.\r
-\r
-</p>\r
-\r
-<p>\r
-<strong>-S</strong> option specify hostname and port number of SOCKS server to\r
-relay. Like <strong>-H</strong> option, port number can be omit and default is 1080. \r
-You can also specify this value pair by environment variable\r
-<code>SOCKS5_SERVER</code> and give <strong>-s</strong> option to use it.\r
-\r
-</p>\r
-\r
-<p>\r
-<strong>-T</strong> option specify hostname and port number of telnet proxy to\r
-relay. The port number can be omit and default is 23.\r
-You can also specify this value pair by environment variable\r
-<code>TELNET_PROXY</code> and give <strong>-t</strong> option to use it.\r
-\r
-</p>\r
-\r
-<p>\r
-<strong>-4</strong> and <strong>-5</strong> is for specifying SOCKS protocol version. It is\r
-valid only using with <strong>-s</strong> or <strong>-S</strong>. Default is <strong>-5</strong>\r
-(protocol version 5)\r
-\r
-</p>\r
-\r
-<p>\r
-<strong>-R</strong> is for specifying method to resolve hostname. 3 keywords\r
-(<code>local</code>, <code>remote</code>, <code>both</code>) or dot-notation IP address is\r
-allowed. Keyword <code>both</code> means; "Try local first, then\r
-remote". If dot-notation IP address is specified, use this host as\r
-nameserver (UNIX only). Default is <code>remote</code> for SOCKS5 or <code>local</code>\r
-for others. On SOCKS4 protocol, remote resolving method (<code>remote</code>\r
-and <code>both</code>) use protocol version 4a.\r
-\r
-</p>\r
-\r
-<p>\r
-The <strong>-p</strong> option specifys to wait a local TCP port and make relaying\r
-with it instead of standard input and output.\r
-\r
-</p>\r
-\r
-<p>\r
-The <strong>-w</strong> option specifys timeout seconds on making connection with\r
-target host.\r
-\r
-</p>\r
-\r
-<p>\r
-The <strong>-c</strong> option specifys request string against telnet\r
-proxy server. The special word '%h' and '%p' in this string are replaced\r
-as hostname and port number before sending. \r
-For telnet proxy by <a class="nonexistent" href="mailto:gotoh@taiyo.co.jp">DeleGate</a>, both "telnet %h %p" and "%h:%p"\r
-are acceptable.\r
-Default is "telnet %h %p".\r
-\r
-</p>\r
-\r
-<p>\r
-The <strong>-a</strong> option specifiys user intended authentication methods\r
-separated by comma. Currently <code>userpass</code> and <code>none</code> are\r
-supported. Default is <code>userpass</code>. You can also specifying this\r
-parameter by the environment variable <code>SOCKS5_AUTH</code>.\r
-\r
-</p>\r
-\r
-<p>\r
-The <strong>-d</strong> option is used for debug. If you fail to connect, use this\r
-and check request to and response from server.\r
-\r
-</p>\r
-\r
-<p>\r
-You can omit <strong><em>port</em></strong> argument when program name is special format\r
-containing port number itself. For example, \r
-\r
-</p>\r
-\r
-<pre class="example">\r
-$ ln -s connect connect-25\r
-$ ./connect-25 smtphost.outside.net\r
-220 smtphost.outside.net ESMTP Sendmail\r
-QUIT\r
-221 2.0.0 smtphost.remote.net closing connection\r
-$\r
-</pre>\r
-\r
-<p>\r
-This example means that the command name "<code>connect-25</code>" contains port number\r
-25 so you can omit 2nd argument (and used if specified explicitly).\r
-\r
-</p>\r
-\r
-<h2><a name="sec10" id="sec10"></a>Specifying user name via environment variables</h2>\r
-\r
-<p>\r
-There are 5 environemnt variables to specify\r
-user name without command line option. This mechanism is usefull\r
-for the user who using another user name different from system account.\r
-\r
-</p>\r
-\r
-<dl>\r
-<dt>SOCKS5_USER</dt>\r
-<dd>\r
-Used for SOCKS v5 access.\r
-</dd>\r
-<dt>SOCKS4_USER</dt>\r
-<dd>\r
-Used for SOCKS v4 access.\r
-</dd>\r
-<dt>SOCKS_USER</dt>\r
-<dd>\r
-Used for SOCKS v5 or v4 access and varaibles above are not defined.\r
-</dd>\r
-<dt>HTTP_PROXY_USER</dt>\r
-<dd>\r
-Used for HTTP proxy access.\r
-</dd>\r
-<dt>CONNECT_USER</dt>\r
-<dd>\r
-Used for all type of access if all above are not defined.\r
-</dd>\r
-</dl>\r
-\r
-<p>\r
-Following table describes how user name is determined.\r
-Left most number is order to check. If variable is not defined,\r
-check next variable, and so on.\r
-\r
-</p>\r
-\r
-<table border=1>\r
-<tr align=center><th></th><th>SOCKS v5</th><th>SOCKS v4</th><th>HTTP proxy</th></tr>\r
-<tr align=center><td>1</td><td>SOCKS5_USER</td><td>SOCKS4_USER</td><td rowspan=2>HTTP_PROXY_USER</td></tr>\r
-<tr align=center><td>2</td><td colspan=2>SOCKS_USER</td></tr>\r
-<tr align=center><td>3</td><td colspan=3>CONNECT_USER</td></tr>\r
-<tr align=center><td>4</td><td colspan=3><i>(query user name to system)</i></td></tr>\r
-</table>\r
-\r
-<h2><a name="sec11" id="sec11"></a>Specifying password via environment variables</h2>\r
-\r
-<p>\r
-There are 5 environemnt variables to specify\r
-password. If you use this feature, please note that it is\r
-not secure way.\r
-\r
-</p>\r
-\r
-<dl>\r
-<dt>SOCKS5_PASSWD</dt>\r
-<dd>\r
-Used for SOCKS v5 access. This variables is compatible\r
- with NEC SOCKS implementation.\r
-</dd>\r
-<dt>SOCKS5_PASSWORD</dt>\r
-<dd>\r
-Used for SOCKS v5 access if SOCKS5_PASSWD is not defined.\r
-</dd>\r
-<dt>SOCKS_PASSWORD</dt>\r
-<dd>\r
-Used for SOCKS v5 (or v4) access all above is not defined.\r
-</dd>\r
-<dt>HTTP_PROXY_PASSWORD</dt>\r
-<dd>\r
-Used for HTTP proxy access.\r
-</dd>\r
-<dt>CONNECT_PASSWORD</dt>\r
-<dd>\r
-Used for all type of access if all above are not defined.\r
-</dd>\r
-</dl>\r
-\r
-<p>\r
-Following table describes how password is determined.\r
-Left most number is order to check. If variable is not defined,\r
-check next variable, and so on. Finally ask to user interactively\r
-using external program or tty input.\r
-\r
-</p>\r
-\r
-<table border=1>\r
-<tr align=center><th></th><th>SOCKS v5</th><th>HTTP proxy</th></tr>\r
-<tr align=center><td>1</td><td>SOCKS5_PASSWD</td><td rowspan=2>HTTP_PROXY_PASSWORD</td></tr>\r
-<tr align=center><td>2</td><td>SOCKS_PASSWORD</td></tr>\r
-<tr align=center><td>3</td><td colspan=2>CONNECT_PASSWORD</td></tr>\r
-<tr align=center><td>4</td><td colspan=2><i>(ask to user interactively)</i></td></tr>\r
-</table>\r
-\r
-<h2><a name="sec12" id="sec12"></a>Limitations</h2>\r
-\r
-<h3><a name="sec13" id="sec13"></a>SOCKS5 authentication</h3>\r
-\r
-<p>\r
-Only NO-AUTH and USER/PASSWORD authentications are supported.\r
-GSSAPI authentication (RFC 1961) and other draft authentications (CHAP,\r
-EAP, MAF, etc.) is not supported.\r
-\r
-</p>\r
-\r
-<h3><a name="sec14" id="sec14"></a>HTTP authentication</h3>\r
-\r
-<p>\r
-BASIC authentication is supported but DIGEST authentication is not.\r
-\r
-</p>\r
-\r
-<h3><a name="sec15" id="sec15"></a>Switching proxy server</h3>\r
-\r
-<p>\r
-There is no mechanism to switch proxy server regarding to PC environment.\r
-This limitation might be bad news for mobile user.\r
-Since I do not want to make this program complex, I do not want to\r
-support although this feature is already requested. Please advice me\r
-if there is good idea of detecting environment to swich and simple way\r
-to specify conditioned directive of servers.\r
-\r
-</p>\r
-\r
-<p>\r
-One tricky workaround exists. It is replacing ~/.ssh/config file\r
-by script on ppp up/down.\r
-\r
-</p>\r
-\r
-<p>\r
-There's another example of wrapper script (contributed by Darren Tucker).\r
-This script costs executing ifconfig and grep to detect\r
-current environment, but it works. (NOTE: you should modify addresses\r
-if you use it.)\r
-\r
-</p>\r
-\r
-<pre class="example">\r
-#!/bin/sh\r
-## ~/bin/myconnect --- Proxy server switching wrapper\r
-\r
-if ifconfig eth0 |grep "inet addr:192\.168\.1" >/dev/null; then\r
- opts="-S 192.168.1.1:1080" \r
-elif ifconfig eth0 |grep "inet addr:10\." >/dev/null; then\r
- opts="-H 10.1.1.1:80"\r
-else\r
- opts="-s"\r
-fi\r
-exec /usr/local/bin/connect $opts $@\r
-</pre>\r
-\r
-<h3><a name="sec16" id="sec16"></a>Telnet Proxy</h3>\r
-\r
-<p>\r
-At first, note that the telnet proxy support is an partial feature.\r
-In this implementation, <strong>connect</strong> single requestinting and proxy\r
-returns some success/error detective in talked back lines including\r
-greeting, prompt and connected messages.\r
-\r
-</p>\r
-\r
-<p>\r
-The <strong>connect</strong> simply send request after connection to proxy is\r
-established before any response reading, then repeat reading response\r
-strings from proxy to decide remote connection request is succeeded or\r
-not by checking pre-defined phrase in each lines. There are\r
-pre-defined phrases which are good-phrase and bad-phrases. First\r
-good-phrase is checked and change state as relaying if exist.\r
-<strong>connect</strong> treat this line as final response from proxy before\r
-starting acutal communication with remote host. Or if good-phrase is\r
-not matched, bad-phrases will be checked. If one of bad-phrase\r
-matched, it cause connection error immediately.\r
-\r
-</p>\r
-\r
-<p>\r
-The pre-defined phrases are currently fixed string so you cannot\r
-change without modifying and compiling. The good-phrase is:\r
-"connected to". The bad-phrases are: " failed", " refused", "\r
-rejected", " closed".\r
-\r
-</p>\r
-\r
-<h2><a name="sec17" id="sec17"></a>Tips</h2>\r
-\r
-<h3><a name="sec18" id="sec18"></a>Proxying socket connection</h3>\r
-\r
-<p>\r
-In usual, <strong>connect.c</strong> relays network connection to/from standard\r
-input/output. By specifying <strong>-p</strong> option, however, <strong>connect.c</strong>\r
-relays local network stream instead of standard input/output.\r
-With this option, <strong>connect</strong> command waits connection\r
-from other program, then start relaying between both network stream.\r
-\r
-</p>\r
-\r
-<p>\r
-This feature may be useful for the program which is hard to SOCKSify.\r
-\r
-</p>\r
-\r
-<h3><a name="sec19" id="sec19"></a>Use with ssh-askpass command</h3>\r
-\r
-<p>\r
-<strong>connect.c</strong> ask you password when authentication is required. If\r
-you are using on tty/pty terminal, connect can input from terminal\r
-with prompt. But you can also use <code>ssh-askpass</code> program to input\r
-password. If you are graphical environment like X Window or MS\r
-Windows, and program does not have tty/pty, and environment variable\r
-SSH_ASKPASS is specified, then <strong>connect.c</strong> invoke command\r
-specified by environment variable <code>SSH_ASKPASS</code> to input password.\r
-<code>ssh-askpass</code> program might be installed if you are using OpenSSH on\r
-UNIX environment. On Windows environment, pre-compiled binary is\r
-available from\r
-<a href="http://www.taiyo.co.jp/~gotoh/ssh/ssh-askpass.exe">here</a>.\r
-\r
-</p>\r
-\r
-<p>\r
-This feature is limited on window system environment.\r
-\r
-</p>\r
-\r
-<p>\r
-And also useful on Emacs on MS Windows (NT Emacs or Meadow). It is\r
-hard to send passphrase to <strong>connect</strong> command (and also ssh)\r
-because external command is invoked on hidden terminal and do I/O with\r
-this terminal. Using ssh-askpass avoids this problem.\r
-\r
-</p>\r
-\r
-<h3><a name="sec20" id="sec20"></a>Use for Network Stream of Emacs</h3>\r
-\r
-<p>\r
-Although <strong>connect.c</strong> is made for OpenSSH, it is generic and\r
-independent from OpenSSH. So we can use this for other purpose. For\r
-example, you can use this command in Emacs to open network connection\r
-with remote host over the firewall via SOCKS or HTTP proxy without\r
-SOCKSifying Emacs itself.\r
-\r
-</p>\r
-\r
-<p>\r
-There is sample code: \r
-<a href="http://www.taiyo.co.jp/~gotoh/lisp/relay.el">http://www.taiyo.co.jp/~gotoh/lisp/relay.el</a>\r
-\r
-</p>\r
-\r
-<p>\r
-With this code, you can use <code>relay-open-network-stream</code> function\r
-instead of <code>open-network-stream</code> to make network connection. See top\r
-comments of source for more detail.\r
-\r
-</p>\r
-\r
-<h3><a name="sec21" id="sec21"></a>Remote resolver</h3>\r
-\r
-<p>\r
-If you are SOCKS4 user on UNIX environment, you might want specify\r
-nameserver to resolve remote hostname. You can do it specifying\r
-<strong>-R</strong> option followed by IP address of resolver.\r
-\r
-</p>\r
-\r
-<h3><a name="sec22" id="sec22"></a>Hopping Connection via SSH</h3>\r
-\r
-<p>\r
-Conbination of ssh and <strong>connect</strong> command have more interesting usage.\r
-Following command makes indirect connection to host2:port from your\r
-current host via host1.\r
-\r
-</p>\r
-\r
-<pre class="example">\r
-ssh host1 connect host2 port\r
-</pre>\r
-\r
-<p>\r
-This method is useful for the situations like:\r
-\r
-</p>\r
-\r
-<ul>\r
-<li>You are outside of organizasion now, but you want to access an\r
- internal host barriered by firewall.\r
-</li>\r
-<li>You want to use some service which is allowed only from some\r
- limited hosts.\r
-</li>\r
-</ul>\r
-\r
-<p>\r
-For example, I want to use local NetNews service in my office\r
-from home. I cannot make NNTP session directly because NNTP host is\r
-barriered by firewall. Fortunately, I have ssh account on internal\r
-host and allowed using SOCKS5 on firewall from outside. So I use\r
-following command to connect to NNTP service.\r
-\r
-</p>\r
-\r
-<pre class="example">\r
-$ ssh host1 connect news 119\r
-200 news.my-office.com InterNetNews NNRP server INN 2.3.2 ready (posting ok).\r
-quit\r
-205 .\r
-$\r
-</pre>\r
-\r
-<p>\r
-By combinating hopping connection and relay.el, I can read NetNews\r
-using <a href="http://www.gohome.org/wl/">Wanderlust</a> on Emacs at home.\r
-\r
-</p>\r
-\r
-<pre class="example">\r
- |\r
- External (internet) | Internal (office)\r
- |\r
-+------+ +----------+ +-------+ +-----------+\r
-| HOME | | firewall | | host1 | | NNTP host |\r
-+------+ +----------+ +-------+ +-----------+\r
- emacs <-------------- ssh ---------------> sshd <-- connect --> nntpd\r
- <-- connect --> socksd <-- SOCKS -->\r
-</pre>\r
-\r
-<p>\r
-As an advanced example, you can use SSH hopping as fetchmail's plug-in\r
-program to access via secure tunnel. This method requires that\r
-<strong>connect</strong> program is insatalled on remote host. There's example\r
-of .fetchmailrc bellow. When fetchmail access to mail-server, you will\r
-login to remote host using SSH then execute <strong>connect</strong> program on\r
-remote host to relay conversation with pop server. Thus fetchmail can\r
-retrieve mails in secure.\r
-\r
-</p>\r
-\r
-<blockquote>\r
-<p>\r
- poll mail-server\r
- protocol pop3\r
- plugin "ssh %h connect localhost %p"\r
- username "username"\r
- password "password"\r
-\r
-</p>\r
-</blockquote>\r
-\r
-<h2><a name="sec23" id="sec23"></a>Break The More Restricted Wall</h2>\r
-\r
-<p>\r
-If firewall does not provide SOCKS nor HTTPS other than port 443, you\r
-cannot break the wall in usual way. But if you have you own host\r
-which is accessible from internet, you can make ssh connection to your\r
-own host by configuring sshd as waiting at port 443 instead of\r
-standard 22. By this, you can login to your own host via port 443.\r
-Once you have logged-in to extenal home machine, you can execute\r
-<strong>connect</strong> as second hop to make connection from your own host to\r
-final target host, like this:\r
-\r
-</p>\r
-\r
-<pre class="example">\r
-$ cat ~/.ssh/config\r
-Host home\r
- ProxyCommand connect -H firewall:8080 %h 443\r
-\r
-Host server\r
- ProxyCommand ssh home connect %h %p\r
-...\r
-internal$ ssh home\r
-You are logged in to home!\r
-home# exit\r
-internal$ ssh server\r
-You are logged in to server!\r
-server# exit\r
-internal$\r
-</pre>\r
-\r
-<p>\r
-This way is similar to "Hopping connection via SSH" except configuring\r
-outer sshd as waiting at port 443 (https). This means that you have a\r
-capability to break the strongly restricted wall if you have own host\r
-out side of the wall.\r
-\r
-</p>\r
-\r
-<pre class="example">\r
- |\r
- Internal (office) | External (internet)\r
- |\r
-+--------+ +----------+ +------+ +--------+\r
-| office | | firewall | | home | | server |\r
-+--------+ +----------+ +------+ +--------+\r
- <------------------ ssh --------------------->sshd:443\r
- <-- connect --> http-proxy <-- https:443 --> any\r
- connect <-- tcp --> port\r
-</pre>\r
-\r
-<p>\r
-NOTE: If you wanna use this, you should give up hosting https service\r
-at port 443 on you external host 'home'.\r
-\r
-</p>\r
-\r
-<h2><a name="sec24" id="sec24"></a>F.Y.I.</h2>\r
-\r
-<h3><a name="sec25" id="sec25"></a>Difference between SOCKS versions.</h3>\r
-\r
-<p>\r
-SOCKS version 4 is first popular implementation which is documented\r
-<a href="http://www.socks.nec.com/protocol/socks4.protocol">here</a>. Since\r
-this protocol provide IP address based requesting, client program\r
-should resolve name of outer host by itself. Version 4a (documented\r
-<a href="http://www.socks.nec.com/protocol/socks4a.protocol">here</a>) is\r
-enhanced to allow request by hostname instead of IP address.\r
-\r
-</p>\r
-\r
-<p>\r
-SOCKS version 5 is re-designed protocol stands on experience of\r
-version 4 and 4a. There is no compativility with previous\r
-versions. Instead, there's some improvement: IPv6 support, request by\r
-hostname, UDP proxying, etc.\r
-\r
-</p>\r
-\r
-<h3><a name="sec26" id="sec26"></a>Configuration to use HTTPS</h3>\r
-\r
-<p>\r
-Many http proxy servers implementation supports https <code>CONNECT</code> method\r
-(SLL). You might add configuration to allow using https. For the\r
-example of <a href="http://www.delegate.org/delegate/">DeleGate</a> (\r
-DeleGate is a multi-purpose application level gateway, or a proxy\r
-server) , you should add <code>https</code> to <code>REMITTABLE</code> parameter to\r
-allow HTTP-Proxy like this:\r
-\r
-</p>\r
-\r
-<pre class="example">\r
-delegated -Pxxxx ...... REMITTABLE='+,https' ...\r
-</pre>\r
-\r
-<p>\r
-For the case of Squid, you should allow target ports via https by ACL,\r
-and so on.\r
-\r
-</p>\r
-\r
-<h3><a name="sec27" id="sec27"></a>SOCKS5 Servers</h3>\r
-\r
-<dl>\r
-<dt><a href="http://www.socks.nec.com/refsoftware.html">NEC SOCKS Reference Implementation</a></dt>\r
-<dd>\r
-Reference implementation of SOKCS server and library.\r
-</dd>\r
-<dt><a href="http://www.inet.no/dante/index.html">Dante</a></dt>\r
-<dd>\r
-Dante is free implementation of SOKCS server and library.\r
- Many enhancements and modulalized.\r
-</dd>\r
-<dt><a href="http://www.delegate.org/delegate/">DeleGate</a></dt>\r
-<dd>\r
-DeleGate is multi function proxy service provider.\r
- DeleGate 5.x.x or earlier can be SOCKS4 server,\r
- and 6.x.x can be SOCKS5 and SOCKS4 server.\r
- and 7.7.0 or later can be SOCKS5 and SOCKS4a server.\r
-</dd>\r
-</dl>\r
-\r
-<h3><a name="sec28" id="sec28"></a>Specifications</h3>\r
-\r
-<dl>\r
-<dt><a href="http://www.socks.nec.com/protocol/socks4.protocol">socks4.protocol.txt</a></dt>\r
-<dd>\r
-SOCKS: A protocol for TCP proxy across firewalls\r
-</dd>\r
-<dt><a href="http://www.socks.nec.com/protocol/socks4a.protocol">socks4a.protocol.txt</a></dt>\r
-<dd>\r
-SOCKS 4A: A Simple Extension to SOCKS 4 Protocol\r
-</dd>\r
-<dt><a href="http://www.socks.nec.com/rfc/rfc1928.txt">RFC 1928</a></dt>\r
-<dd>\r
-SOCKS Protocol Version 5\r
-</dd>\r
-<dt><a href="http://www.socks.nec.com/rfc/rfc1929.txt">RFC 1929</a></dt>\r
-<dd>\r
-Username/Password Authentication for SOCKS V5\r
-</dd>\r
-<dt><a href="http://www.ietf.org/rfc/rfc2616.txt">RFC 2616</a></dt>\r
-<dd>\r
-Hypertext Transfer Protocol -- HTTP/1.1\r
-</dd>\r
-<dt><a href="http://www.ietf.org/rfc/rfc2617.txt">RFC 2617</a></dt>\r
-<dd>\r
-HTTP Authentication: Basic and Digest Access Authentication\r
-</dd>\r
-</dl>\r
-\r
-<h3><a name="sec29" id="sec29"></a>Related Links</h3>\r
-\r
-<ul>\r
-<li><a href="http://www.openssh.org">OpenSSH Home</a>\r
-</li>\r
-<li><a href="http://www.ssh.com/">Proprietary SSH</a>\r
-</li>\r
-<li><a href="http://www.taiyo.co.jp/~gotoh/ssh/openssh-socks.html">Using OpenSSH through a SOCKS compatible PROXY on your LAN</a> (J. Grant)\r
-</li>\r
-</ul>\r
-\r
-<h3><a name="sec30" id="sec30"></a>Similars</h3>\r
-\r
-<ul>\r
-<li><a href="http://proxytunnel.sourceforge.net/">Proxy Tunnel</a> -- Proxying command using https CONNECT.\r
-</li>\r
-<li><a href="http://www.snurgle.org/~griffon/ssh-https-tunnel">stunnel</a> -- Proxy through an https tunnel (Perl script)\r
-</li>\r
-</ul>\r
-\r
-<h2><a name="sec31" id="sec31"></a>hisotry</h2>\r
-\r
-<dl>\r
-<dt>2004-07-21</dt>\r
-<dd>\r
-Rev.1.84. Fixed some typo.\r
-</dd>\r
-<dt>2004-05-18</dt>\r
-<dd>\r
-Rev.1.83. Fixed problem not work on Solaris.\r
-</dd>\r
-<dt>2004-04-27</dt>\r
-<dd>\r
-Rev.1.82. Bug fix of memory clear on http proxying.\r
-</dd>\r
-<dt>2004-04-22</dt>\r
-<dd>\r
-Rev. 1.81. Fixed memory violation and memory leak bug. New environment\r
- variable SOCKS5_PASSWD for sharing value with NEC SOCKS implementation.\r
- And document (this page) is updated.\r
-</dd>\r
-<dt>2004-03-30</dt>\r
-<dd>\r
-Rev. 1.76. Fixed to accept multiple 'Proxy-Authorization' response.\r
-</dd>\r
-<dt>2003-01-07</dt>\r
-<dd>\r
-Rev. 1.68. Fixed a trouble around timeout support.\r
-</dd>\r
-<dt>2002-11-21</dt>\r
-<dd>\r
-Rev. 1.64 supports reading parameters from file /etc/connectrc or\r
- ~/.connectrc instead of specifying via environment variables. For\r
- examle, you can use this feature to switch setting by replacing file\r
- when network environment is changed. And added SOCKS_DIRECT,\r
- SOCKS5_DIRECT, SOCKS4_DIRECT, HTTP_DIRECT, SOCKS5_AUTH, environment\r
- parameters. (Thanks Masatoshi TSUCHIYA)\r
-</dd>\r
-<dt>2002-11-20</dt>\r
-<dd>\r
-Rev. 1.63 supports some old proxies which make response 401 with\r
- WWW-Authenticate: header. And fixed to use username specified in\r
- proxy host by -H option correctly. (contributed from Des Herriott, thanks)\r
-</dd>\r
-<dt>2002-10-14</dt>\r
-<dd>\r
-Rev. 1.61 with New option -w for specifying connection timeout.\r
- Currently, it works on UNIX only. (contributed from Darren Tucker, thanks)\r
-</dd>\r
-<dt>2002-09-29</dt>\r
-<dd>\r
-Add sample script for switching proxy server\r
- advised from Darren Tucker, thanks.\r
-</dd>\r
-<dt>2002-08-27</dt>\r
-<dd>\r
-connect.c is updataed to rev. 1.60.\r
-</dd>\r
-<dt>2002-04-08</dt>\r
-<dd>\r
-Updated <a href="http://www.taiyo.co.jp/~gotoh/ssh/openssh-socks.html">"Using OpenSSH through a SOCKS compatible PROXY on your LAN"</a> written by J. Grant. (version 0.8)\r
-</dd>\r
-<dt>2002-02-20</dt>\r
-<dd>\r
-Add link of new document "Using OpenSSH through a SOCKS compatible PROXY on your LAN"\r
- written by J. Grant.\r
-</dd>\r
-<dt>2002-01-31</dt>\r
-<dd>\r
-Rev. 1.53 -- On Win32 and with MSVC, handle password\r
- input from console correctly.\r
-</dd>\r
-<dt>2002-01-30</dt>\r
-<dd>\r
-Rev. 1.50 -- [Security Fix] Do not print secure info in debug mode.\r
-</dd>\r
-<dt>2002-01-09</dt>\r
-<dd>\r
-Web page was made.\r
- connect.c is rev. 1.48.\r
-</dd>\r
-</dl>\r
-<br>\r
-\r
- <!-- Page published by Emacs Wiki ends here -->\r
- <div class="navfoot">\r
- <hr/>\r
- <table width="100%" border="0" summary="Footer navigation">\r
- <tbody><tr>\r
- <td width="50%" align="left">\r
- <span class="footdate">Last Updated: 2005-03-07</span><br/>\r
- </td>\r
- <td width="50%" align="right">\r
- This page is authored by <a href="mailto:gotoh@taiyo.co.jp">Shun-ichi GOTO</a>\r
- using <a href="http://repose.cx/emacs/wiki">emacs-wiki.el</a><br/>\r
- </td>\r
- </tr></tbody>\r
- </table>\r
- </div>\r
- </body>\r
-</html>\r
projects / packages / openssh.git / blobdiff