From cef3726d0846389d72df83ad348afafc4542baa2 Mon Sep 17 00:00:00 2001 From: ankry Date: Wed, 27 Aug 2003 10:40:16 +0000 Subject: [PATCH] f14cb61fafd067a3f5ce4eaa9643bf05 connect.html Changed files: connect.html -> 1.1 --- connect.html | 840 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 840 insertions(+) create mode 100644 connect.html diff --git a/connect.html b/connect.html new file mode 100644 index 0000000..0a58f1c --- /dev/null +++ b/connect.html @@ -0,0 +1,840 @@ + + + + + SSH Proxy Command -- connect.c + + + + + + + + +

SSH Proxy Command -- connect.c

+ +

+connect.c is the simple relaying command to make network +connection via SOCKS and https proxy. It is mainly intended to +be used as proxy command of OpenSSH. You can make SSH session +beyond the firewall with this command, + +

+ +

+Features of connect.c are: + +

+ +

Supports SOCKS (version 4/4a/5) and https CONNECT method. +
Supports NO-AUTH and USERPASS authentication of SOCKS +
You can input password from tty, ssh-askpass or + environment variable. +
Run on UNIX or Windows platform. +
You can compile with various C compiler (cc, gcc, Visual C, Borland C. etc.) +
Simple and general program independent from OpenSSH. +
You can also relay local socket stream instead of standard I/O. +

+ +

+Download source code from: +http://www.imasy.or.jp/~gotoh/ssh/connect.c +
+For windows user, pre-compiled binary is also available: +http://www.imasy.or.jp/~gotoh/ssh/connect.exe (compiled with MSVC) + +

+ +

+News +

+What is 'proxy command' +

+How to Use +

+Get Source +
+Compile and Install +
+Modify your ~/.ssh/config +
+Use SSH +
+Have trouble? +

+More Detail +

+Limitations +

+SOCKS5 authentication +
+HTTP authentication +
+Switching proxy server +

+Tips +

+Proxying socket connection +
+Use with ssh-askpass command +
+Use for Network Stream of Emacs +
+Remote resolver +
+Hopping Connection via SSH +

+F.Y.I. +

+Difference between SOCKS versions. +
+Configuration to use HTTPS +
+SOCKS5 Servers +
+Specifications +
+Related Links +
+Similars +

+ +

News

+ +

2003-01-07: +Rev. 1.68. Fixed a trouble around timeout support. +
2002-11-21: +Rev. 1.64 supports reading parameters from file /etc/connectrc or + ~/.connectrc instead of specifying via environment variables. For + examle, you can use this feature to switch setting by replacing file + when network environment is changed. And added SOCKS_DIRECT, + SOCKS5_DIRECT, SOCKS4_DIRECT, HTTP_DIRECT, SOCKS5_AUTH, environment + parameters. (Thanks Masatoshi TSUCHIYA) +
2002-11-20: +Rev. 1.63 supports some old proxies which make response 401 with + WWW-Authenticate: header. And fixed to use username specified in + proxy host by -H option correctly. (contributed from Des Herriott, thanks) +
2002-10-14: +Rev. 1.61 with New option -w for specifying connection timeout. + Currently, it works on UNIX only. (contributed from Darren Tucker, thanks) +
2002-09-29: +Add sample script for switching proxy server + advised from Darren Tucker, thanks. +
2002-08-27: +connect.c is updataed to rev. 1.60. +
2002-04-08: +Updated "Using OpenSSH through a SOCKS compatible PROXY on your LAN" written by J. Grant. (version 0.8) +
2002-02-20: +Add link of new document "Using OpenSSH through a SOCKS compatible PROXY on your LAN" + written by J. Grant. +
2002-01-31: +Rev. 1.53 -- On Win32 and with MSVC, handle password + input from console correctly. +
2002-01-30: +Rev. 1.50 -- [Security Fix] Do not print secure info in debug mode. +
2002-01-09: +Web page was made. + connect.c is rev. 1.48. +

+ +

What is 'proxy command'

+ +

+OpenSSH development team decides to stop supporting SOCKS and any +other tunneling mechanism. It was aimed to separate complexity to +support various mechanism of proxying from core code. And they +recommends more flexible mechanism: 'ProxyCommand' option +instead. + +

+ +

+Proxy command mechanism is delegation of network stream +communication. If 'ProxyCommand' options is specified, SSH +invoke specified external command and talk with standard I/O of thid +command. Invoked command undertakes network communication with +relaying to/from standard input/output including iniitial +communication or negotiation for proxying. Thus, ssh can split out +proxying code into external command. + +

+ +

+'connect.c' was made for this purpose. + +

+ +

How to Use

+ +

Get Source

+ +

+Download source code from here. +
+If you are MS Windows user, you can get pre-compiled binary from +here. + +

+ +

Compile and Install

+ +

+In most environment, you can compile 'connect.c' simply. +On UNIX environment, you can use cc or gcc. +On Windows environment, you can use Microsoft Visual C, Borland C or Cygwin gcc. + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + +

Compiler	command line to compile
UNIX cc	cc connect.c -o connect
UNIX gcc	gcc connect.c -o connect
Solaris	gcc connect.c -o connect -lnsl -lsocket -lresolv
Microsoft Visual C/C++	cl connect.c wsock32.lib advapi32.lib
Borland C	bcc32 connect.c wsock32.lib advapi32.lib
Cygwin gcc	gcc connect.c -o connect

+ +

+To install 'connect' command, simply copy compiled binary to directory +in your PATH (ex. /usr/local/bin). Like this: + +

+ +

+$ cp connect /usr/local/bin
+

+ +

Modify your ~/.ssh/config

+ +

+Modify your ~/.ssh/config file to use 'connect' command as +'proxy command'. For the case of SOCKS server is running on +firewall host 'socks.local.net' with port 1080, you can add +'ProxyCommand' option in ~/.ssh/config, like this: + +

+ +

+Host remote.outside.net
+  ProxyCommand connect -S socks.local.net %h %p
+

+ +

+'%h' and '%p' will be replaced on invoking proxy command with +target hostname and port specified to SSH command. + +

+ +

+If you hate writing many entries of remote hosts, following example +may help you. + +

+ +

+## Outside of the firewall, use connect command with SOCKS conenction.
+Host *
+  ProxyCommand connect -S socks.local.net %h %p
+
+## Inside of the firewall, use connect command with direct connection.
+Host *.local.net
+  ProxyCommand connect %h %p
+

+ +

+If you want to use http proxy, use '-H' option instead of '-S' +option in examle above, like this: + +

+ +

+## Outside of the firewall, with HTTP proxy
+Host *
+  ProxyCommand connect -H proxy.local.net:8080 %h %p
+
+## Inside of the firewall, direct
+Host *.local.net
+  ProxyCommand connect %h %p
+

+ +

Use SSH

+ +

+After editing your ~/.ssh/config file, you are ready to use ssh. +You can execute ssh without any special options as if remote host is +IP reachable host. Following is an example to execute 'hostname' +command on host 'remote.outside.net'. + +

+ +

+$ ssh remote.outside.net hostname
+remote.outside.net
+$
+

+ +

Have trouble?

+ +

+If you have trouble, execute 'connect' command from command line +with '-d' option to see what is happened. Some debug message may +appear and reports progress. This information may tell you what is +wrong. In this example, error has occurred on authentication stage of +SOCKS5 protocol. + +

+ +

+$ connect -d -S socks.local.net unknown.remote.outside.net 110
+DEBUG: relay_method = SOCKS (2)
+DEBUG: relay_host=socks.local.net
+DEBUG: relay_port=1080
+DEBUG: relay_user=gotoh
+DEBUG: socks_version=5
+DEBUG: socks_resolve=REMOTE (2)
+DEBUG: local_type=stdio
+DEBUG: dest_host=unknown.remote.outside.net
+DEBUG: dest_port=110
+DEBUG: Program is $Revision$
+DEBUG: connecting to xxx.xxx.xxx.xxx:1080
+DEBUG: begin_socks_relay()
+DEBUG: atomic_out()  [4 bytes]
+DEBUG: >>> 05 02 00 02
+DEBUG: atomic_in() [2 bytes]
+DEBUG: <<< 05 02
+DEBUG: auth method: USERPASS
+DEBUG: atomic_out()  [some bytes]
+DEBUG: >>> xx xx xx xx ...
+DEBUG: atomic_in() [2 bytes]
+DEBUG: <<< 01 01
+ERROR: Authentication faield.
+FATAL: failed to begin relaying via SOCKS.
+

+ +

More Detail

+ +

+Command line usage is here: + +

+ +

+usage:  connect [-dnhs45] [-R resolve] [-p local-port] [-w sec]
+		[-H [user@]proxy-server[:port]]
+		[-S [user@]socks-server[:port]]
+		host port
+

+ +

+'host' and 'port' is target hostname and port-number to connect. + +

+ +

+'-H' option specify hostname and port number of http proxy server to +relay. If port is omitted, 80 is used. You can specify this value by +environment variable HTTP_PROXY and give '-h' option to use it. + +

+ +

+'-S' option specify hostname and port number of SOCKS server to +relay. Like '-H' option, port number can be omit and default is 1080. +You can also specify this value pair by environment variable +SOCKS5_SERVER and give '-s' option to use it. + +

+ +

+'-4' and '-5' is for specifying SOCKS protocol version. It is +valid only using with '-s' or '-S'. Default is '-5' +(protocol version 5) + +

+ +

+'-R' is for specifying method to resolve hostname. 3 keywords +('local', 'remote', 'both') or dot-notation IP address is +allowed. Keyword 'both' means; "Try local first, then +remote". If dot-notation IP address is specified, use this host as +nameserver (UNIX only). Default is 'remote' for SOCKS5 or 'local' +for others. On SOCKS4 protocol, remote resolving method ('remote' +and 'both') use protocol version 4a. + +

+ +

+The '-p' option will forward a local TCP port instead of using the +standard input and output. + +

+ +

+The '-w' option specifys timeout seconds for making connection with +TARGET host. + +

+ +

+The '-a' option specifiys user intended authentication methods +separated by comma. Currently 'userpass' and 'none' are +supported. Default is 'userpass'. You can also specifying this +parameter by the environment variable SOCKS5_AUTH. + +

+ +

+The '-d' option is used for debug. If you fail to connect, use this +and check request to and response from server. + +

+ +

+You can omit 'port' argument when program name is special format +containing port number itself. For example, + +

+ +

+$ ln -s connect connect-25
+$ ./connect-25 smtphost.outside.net
+220 smtphost.outside.net ESMTP Sendmail
+QUIT
+221 2.0.0 smtphost.remote.net closing connection
+$
+

+ +

+This example means that the command name "connect-25" contains port number +25 so you can omit 2nd argument (and used if specified explicitly). + +

+ +

Limitations

+ +

SOCKS5 authentication

+ +

+Only NO-AUTH and USER/PASSWORD authentications are supported. +GSSAPI authentication (RFC 1961) and other draft authentications (CHAP, +EAP, MAF, etc.) is not supported. + +

+ +

HTTP authentication

+ +

+BASIC authentication is supported but DIGEST authentication is not. + +

+ +

Switching proxy server

+ +

+There is no mechanism to switch proxy server regarding to PC environment. +This limitation might be bad news for mobile user. +Since I do not want to make this program complex, I do not want to +support although this feature is already requested. Please advice me +if there is good idea of detecting environment to swich and simple way +to specify conditioned directive of servers. + +

+ +

+One tricky workaround exists. It is replacing ~/.ssh/config file +by script on ppp up/down. + +

+ +

+There's another example of wrapper script (contributed by Darren Tucker). +This script costs executing ifconfig and grep to detect +current environment, but it works. (NOTE: you should modify addresses +if you use it.) + +

+ +

+#!/bin/sh
+## ~/bin/myconnect --- Proxy server switching wrapper
+
+if ifconfig eth0 |grep "inet addr:192\.168\.1" >/dev/null; then
+	opts="-S 192.168.1.1:1080"  
+elif ifconfig eth0 |grep "inet addr:10\." >/dev/null; then
+	opts="-H 10.1.1.1:80"
+else
+	opts="-s"
+fi
+exec /usr/local/bin/connect $opts $@
+

+ +

Tips

+ +

Proxying socket connection

+ +

+In usual, 'connect.c' relays network connection to/from standard +input/output. By specifying '-p' option, however, 'connect.c' +relays local network stream instead of standard input/output. +With this option, 'connect' command waits connection +from other program, then start relaying between both network stream. + +

+ +

+This feature may be useful for the program which is hard to SOCKSify. + +

+ +

Use with `ssh-askpass` command

+ +

+'connect.c' ask you password when authentication is required. If +you are using on tty/pty terminal, connect can input from terminal +with prompt. But you can also use 'ssh-askpass' program to input +password. If you are graphical environment like X Window or MS +Windows, and program does not have tty/pty, and environment variable +SSH_ASKPASS is specified, then 'connect.c' invoke command +specified by environment variable 'SSH_ASKPASS' to input password. +ssh-askpass program might be installed if you are using OpenSSH on +UNIX environment. On Windows environment, pre-compiled binary is +available from +here. + +

+ +

+This feature is limited on window system environment. + +

+ +

+And also useful on Emacs on MS Windows (NT Emacs or Meadow). It is +hard to send passphrase to 'connect' command (and also ssh) +because external command is invoked on hidden terminal and do I/O with +this terminal. Using ssh-askpass avoids this problem. + +

+ +

Use for Network Stream of Emacs

+ +

+Although 'connect.c' is made for OpenSSH, it is generic and +independent from OpenSSH. So we can use this for other purpose. For +example, you can use this command in Emacs to open network connection +with remote host over the firewall via SOCKS or HTTP proxy without +SOCKSifying Emacs itself. + +

+ +

+There is sample code: +http://www.imasy.or.jp/~gotoh/lisp/relay.el + +

+ +

+With this code, you can use relay-open-network-stream function +instead of open-network-stream to make network connection. See top +comments of source for more detail. + +

+ +

Remote resolver

+ +

+If you are SOCKS4 user on UNIX environment, you might want specify +nameserver to resolve remote hostname. You can do it specifying +'-R' option followed by IP address of resolver. + +

+ +

Hopping Connection via SSH

+ +

+Conbination of ssh and 'connect' command have more interesting usage. +Following command makes indirect connection to host2:port from your +current host via host1. + +

+ +

+ssh host1 connect host2 port
+

+ +

+This method is useful for the situations like: + +

+ +

You are outside of organizasion now, but you want to access an + internal host barriered by firewall. +
You want to use some service which is allowed only from some + limited hosts. +

+ +

+For example, I want to use local NetNews service in my office +from home. I cannot make NNTP session directly because NNTP host is +barriered by firewall. Fortunately, I have ssh account on internal +host and allowed using SOCKS5 on firewall from outside. So I use +following command to connect to NNTP service. + +

+ +

+$ ssh host1 connect news 119
+200 news.my-office.com InterNetNews NNRP server INN 2.3.2 ready (posting ok).
+quit
+205 .
+$
+

+ +

+By combinating hopping connection and relay.el, I can read NetNews +using Wanderlust on Emacs at home. + +

+ +

+                        |
+    External (internet) | Internal (office)
+                        |
++------+           +----------+          +-------+           +-----------+
+| HOME |           | firewall |          | host1 |           | NNTP host |
++------+           +----------+          +-------+           +-----------+
+ emacs <-------------- ssh ---------------> sshd <-- connect --> nntpd
+       <-- connect --> socksd <-- SOCKS -->
+

+ +

F.Y.I.

+ +

Difference between SOCKS versions.

+ +

+SOCKS version 4 is first popular implementation which is documented +here. Since +this protocol provide IP address based requesting, client program +should resolve name of outer host by itself. Version 4a (documented +here) is +enhanced to allow request by hostname instead of IP address. + +

+ +

+SOCKS version 5 is re-designed protocol stands on experience of +version 4 and 4a. There is no compativility with previous +versions. Instead, there's some improvement: IPv6 support, request by +hostname, UDP proxying, etc. + +

+ +

Configuration to use HTTPS

+ +

+Many http proxy servers implementation supports https CONNECT method +(SLL). You might add configuration to allow using https. For the +example of DeleGate ( +DeleGate is a multi-purpose application level gateway, or a proxy +server) , you should add 'https' to 'REMITTABLE' parameter to +allow HTTP-Proxy like this: + +

+ +

+delegated -Pxxxx ...... REMITTABLE='+,https' ...
+

+ +

+For the case of Squid, you should allow target ports via https by ACL, +and so on. + +

+ +

SOCKS5 Servers

+ +

NEC SOCKS Reference Implementation: +Reference implementation of SOKCS server and library. +
Dante: +Dante is free implementation of SOKCS server and library. + Many enhancements and modulalized. +
DeleGate: +DeleGate is multi function proxy service provider. + DeleGate 5.x.x or earlier can be SOCKS4 server, + and 6.x.x can be SOCKS5 and SOCKS4 server. + and 7.7.0 or later can be SOCKS5 and SOCKS4a server. +

+ +

Specifications

+ +

socks4.protocol.txt: +SOCKS: A protocol for TCP proxy across firewalls +
socks4a.protocol.txt: +SOCKS 4A: A Simple Extension to SOCKS 4 Protocol +
RFC 1928: +SOCKS Protocol Version 5 +
RFC 1929: +Username/Password Authentication for SOCKS V5 +
RFC 2616: +Hypertext Transfer Protocol -- HTTP/1.1 +
RFC 2617: +HTTP Authentication: Basic and Digest Access Authentication +

+ +

Similars

+ +

Proxy Tunnel -- Proxying command using https CONNECT. +
stunnel -- Proxy through an https tunnel (Perl script) +

+
+ + +

+ + + + + +

+ Last Updated: 2003-06-17
+

+ This page is authored by Shun-ichi GOTO + using emacs-wiki.el
+

+ + -- 2.44.0