NOT YET OPERATIVE
Warning: tntunne.htm
page not yet 'consolidated'
You may ask the following question:
Is it possible to maintain a telnet session via a proxy?
I am stuck behind a corporate firewall with no way out to the outside world
(internet) except via a firewall proxy (it's not just a case of port 23
being killed, I've tried telnetting to a telnet server which supports port
80 and this fails too)
The idea would be to telnet on port 80 via the firewall proxy, so the proxy
thinks it's http traffic and let's it through.
And get the following answer:
A SSH telnet session can be proxies through an SSL Tunnelling proxy.
They don't check the protocol being proxied. A lot of port 8080 proxies
are SSL tunnelling on port 8080.
Perl can be used. In Windows 9x, selects rather than forking is used.
The Perl of choice for Win9x seeems to be Activestate's.
What needs to be done is to add a single CONNECT header and proxy out to an
SSL Tunnelling proxy.
A script to do that is printed below (in blue)
It contains:
socket(INC, PF_INET, SOCK_STREAM, $protocol) || die "socket:$!";
setsockopt (INC, SOL_SOCKET, SO_REUSEADDR, pack ("l", 1)) || die "setsockopt:$!";
bind(INC,sockaddr_in($dport,INADDR_ANY)) || die "bind: $!";
listen(INC,1) || die "listen:$!";
accept(OUT,INC) || die "accept:$!";
$fhin = $fhout = \*OUT;
...
# Send a "CONNECT" command to proxy:
print PROXY "CONNECT $destination:$destport HTTP/1.0\r\n\r\n";
# Wait for HTTP status code, bail out if you don't get back a 2xx code.
($status) = (split(/\s+/,))[1];
die "Received a bad status code \"$status\" from proxy server."
if ( int($status/100) != 2 );
# Skip through remaining part of HTTP header (until blank line)
1 until ( =~ /^[\r\n]+$/ );
# Start copying packets in both directions.
$s = IO::Select->new($fhin,\*PROXY);
while ( 1 ) {
foreach $fh ( $s->can_read(10) ) {
exit unless ( defined($num = sysread($fh,$_,4096)) );
syswrite(( (fileno($fh)==fileno($fhin)) ? PROXY : $fhout), $_, $num);
}
}
Sysread attempts to read 4096 bytes from filehandle $fh ino string $_.
Syswrite writes that the data in $_, to the SSL Tunnelling proxy if
the data came from the browser side connection ($fhin), otherwise
if the data came from the proxy, it is written to the $fhout. $fhout
is identical to $fhin
$s->can_read(10)
Activates when data is received from either $fhin (the browser
side connection, outoging data) or \*PROXY (the proxy, incoming
data)
can_read ( [ TIMEOUT ] )
Return an array of handles that are ready for reading. TIMEOUT
is the maximum amount of time to wait before returning an empty
list. If TIMEOUT is not given and any handles are registered
then the call will block.
$ARG, $_
The default input and pattern-searching space.
This method might have problems if loaded or the select part might
not run.
A perl script for maintaining a telnet session via a proxy
Since I didn't hear anything about a current SSH through SSL proxy "solution",
(specifically for windows clients), I went ahead a whipped up a Perl script
based on another script that I had sitting in the SSH mail directory.
It can either run as a UNIX or Windows tunnel script through a proxy server
supporting the "CONNECT" command. (note that a properly setup proxy will only
forward connections to the SSL ports (443 and 563)) The windows version was
only tested with the ActiveState perl interpretter (www.activestate.com), the
UNIX version works with the standard Perl interpretter.
It's fairly simple and works nicely from my tests.
Read the comments in the
script for more info.
Content-Type: text/plain ; name="ssh-tunnel.pl"; charset=us-ascii
Content-Description: ssh-tunnel.pl
Content-Disposition: attachment; filename="ssh-tunnel.pl"#!/usr/local/bin/perl#
# Usage: ssh-tunnel.pl [daemon port] ssl-proxy port destination_host port#
# This script can be used by ssh to traverse a www-proxy/firewall that
# supports the http CONNECT command. (Note: Properly setup proxies that allow
# CONNECT will only allow a connection through to SSL ports (443 and 563
# according to squid.))#
# Example-- connect to host named "remote" outside of your firewall:#
# $ ssh remote -o'ProxyCommand ssh-tunnel.pl www-proxy 8080 remote 443'#
# Better yet, insert the ProxyCommand definition for host "remote" in
# your $HOME/.ssh/config file:## .# .# Host remote
# ProxyCommand /usr/local/bin/ssh-tunnel.pl www-proxy 8080 %h %p# .
# .## Originally written by Urban Kaveus <urban@statt.ericsson.se>#
# Updated by Theo Van Dinter <tvd@chrysalis.com>,<felicity@kluge.net> 4/28/1999
# I use TTSSH under Windows which doesn't support the proxycommand option.
# I made some modifications to this script to help with that:
# 1- The script no longer forks to do IO. Now uses IO::Select to deal with
# multiple filehandles at once.
# 2- The script can optionally "daemonize" itself and sit on a port. When
# a connection is established, the tunnelling process will commence.
# Add in the optional port # to listen to as the first commandline param.
# Ex: "ssh-tunnel 2345 www-proxy 8080 remotehost 443", then start SSH:
# "ssh localhost -p 2345".
# 3- Tested with ActivePerl (Win32)/TeraTerm/TTSSH and UNIX Perl/SSH client.#
use Socket;use IO::Select;$dport = shift if ( $#ARGV > 3 );
($sslproxy,$proxyport,$destination,$destport) = @ARGV;
die "Usage: $0 [daemon port] ssl-proxy port destination port\n"
unless ( $sslproxy && $proxyport && $destination && $destport );
# Set up network communication$protocol = getprotobyname("tcp");
if ( $dport ) { # do "daemon" thing.
socket(INC, PF_INET, SOCK_STREAM, $protocol) || die "socket:$!";
setsockopt (INC, SOL_SOCKET, SO_REUSEADDR, pack ("l", 1)) || die "setsockopt:$!";
bind(INC,sockaddr_in($dport,INADDR_ANY)) || die "bind: $!";
listen(INC,1) || die "listen:$!"; accept(OUT,INC) || die "accept:$!";
$fhin = $fhout = \*OUT;}else { # STDIN/STDOUT used ... $fhin = \*STDIN;
$fhout = \*STDOUT;}# connect to proxy server ...
socket (PROXY, PF_INET, SOCK_STREAM, $protocol) or
die("Failed to create socket:$!");
connect (PROXY, sockaddr_in($proxyport,inet_aton($sslproxy))) or
die("Failed to connect to $sslproxy port $proxyport:$!");
# Force flushing of socket buffersforeach ( \*PROXY, $fhin, $fhout ) {
select($_); $|=1;}# Send a "CONNECT" command to proxy:
print PROXY "CONNECT $destination:$destport HTTP/1.0\r\n\r\n";
# Wait for HTTP status code, bail out if you don't get back a 2xx code.
($status) = (split(/\s+/,<PROXY>))[1];
die "Received a bad status code \"$status\" from proxy server."
if ( int($status/100) != 2 );
# Skip through remaining part of HTTP header (until blank line)
1 until ( <PROXY> =~ /^[\r\n]+$/ );# Start copying packets in both directions.
$s = IO::Select->new($fhin,\*PROXY);while ( 1 ) {
foreach $fh ( $s->can_read(10) ) {
exit unless ( defined($num = sysread($fh,$_,4096)) );
syswrite( ((fileno($fh)==fileno($fhin))?PROXY:$fhout),$_,$num); }}