Archive for February, 2010

Tunneling ssh – option 1

February 13th, 2010 3 comments

See the previous post for an explanation of what we’re trying to accomplish.

This is a diagram of what the setup looks like. The numbers shown are the TCP ports used by the various components.

SSH directly through Stunnel

SSH directly through Stunnel

Start by creating a certificate and key to be used by Stunnel (or reuse the web server certificate if you already have one).

Configure Stunnel on the server (/etc/stunnel/stunnel.conf) as follows:

cert = /etc/ssl/certs/
key = /etc/ssl/private/
sslVersion = SSLv3

chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /

; Service-level configuration
accept  = 70
connect = 22
Also on the server, configure libwrap In /etc/hosts.allow:
stunnel-ssh: ALL
On the client PC, this is the proxytunnel command line you'll need to use:
C:\>proxytunnel.exe -p -d -a 70
Configure the stunnel:
sslVersion = SSLv3

; Use it for client mode
client = yes

accept	= 22
connect	= 70

Restart stunnel on the server side, and open up port 70 on the firewall.

On the client side:

  1. Start proxytunnel using the command shown above.
  2. Start stunnel. If the stunnel.conf file is in the default location, no command line arguments are needed. If not, pass the config line as a command line argument to stunnel.
  3. Start your ssh client and connect to

Here’s what’s going on:

  • The ssh client connects to port 22 on the localhost
  • Stunnel is listening on port 22 on the localhost, so it receives that connection and sends it on to port 70 also on the localhost
  • ProxyTunnel is listening on port 70, so it takes that connection from Stunnel and sends it to through
  • Stunnel is listening on port 70 at and when it receives the connection from Apache, it sends it to port 22 on
  • Finally, sshd is listening on so it receives the connection from Stunnel, allowing the user to log in

This is by no means optimal. Packets are encrypted twice: once by ssh and once by stunnel. In the end though, if you have no other option, this should work.

Categories: Uncategorized Tags: , ,

Tunneling ssh over an http proxy

February 13th, 2010 No comments

Let’s say you want to ssh from your PC to using the HTTP(S) proxy. If the admins are lenient, you can use ProxyTunnel as described here and be done. If they’re more aggressive, they can block you because the protocol exchange will go something like this:

Your PC says:

  • Proxy-Connection: Keep-Alive responds with:

  • SSH-2.0-OpenSSH …

At this point is able to see that you’re trying to tunnel SSH and can block the connection.

Another option is to tunnel over HTTPS instead of HTTP. Apache however doesn’t currently (Feb. 2010) support this option. You can read more about it here and perhaps use one of the patches mentioned there to add that feature to your server.

If you don’t want to patch the web server, there’s an alternative option that involves Stunnel. That’s what this post is about.

With stunnel in place, the protocol exchange will go something like this:Watch Full Movie Online Streaming Online and Download

  • Proxy-Connection: Keep-Alive responds with:

  • HTTP/1.0 200 Connection Established

At this point stunnel takes over and hides the SSH protocol handshake letting you pass through the proxy without a hassle.

There are two ways to accomplish this. The first way requires you to open another port in your firewall and allow connections to stunnel from outside. The second way uses your Apache server as a second proxy.

Categories: Uncategorized Tags: , ,