Jephe Wu - http://linuxtechres.blogspot.com
Objective: explore advanced usage of PuTTY on Windows and OpenSSH on Linux
Environment: PuTTY, OpenSSH
Usage:
1. Use the PuTTY or OpenSSH client to create a secure SOCKS web proxy tunnel
You can create a SOCKS proxy server with either PuTTY or OpenSSH.
PuTTY:
Create a normal SSH session, enable compression and SSH protocol version 2, then under the Tunnels menu add a forwarded port with source port 8080 and the Auto and Dynamic options selected.
Then configure your favourite browser to use a SOCKS5 proxy at 127.0.0.1:8080 (try a SOCKS4 proxy if SOCKS5 does not work). Set the 'No proxy for' list to 'localhost,127.0.0.1'.
Note: most of the data you retrieve through a browser is text or HTML, which compresses very well, so enabling compression is worthwhile.
OpenSSH:
The following command enables compression (-C) and SSH protocol 2 (-2), runs quietly (-q), disables pseudo-tty allocation (-T), redirects stdin from /dev/null (-n) and does not execute a remote command (-N), which is what you want for a connection used only as a tunnel.
ssh -C2qTnN -D 8080 jephe@server.domain.com
or
ssh -C2qTnN -L 8080:localhost:3333 jephe@server.domain.com
(an SSH tunnel with local forwarding to a Squid proxy listening on port 3333 on the SSH server)
You can visit http://www.whatismyip.com/ to check which external source IP your traffic now comes from.
Log in as root to your SSH server, then use the above command to SSH into the destination server and create the SOCKS proxy tunnel; then use 127.0.0.1:8080 as the SOCKS5 proxy to access the Internet.
DNS query issue:
When using the above SOCKS5 proxy, Firefox/Thunderbird by default require your local Windows PC to be able to resolve DNS names itself. If it cannot, configure Firefox/Thunderbird to resolve names remotely: open the about:config page and set network.proxy.socks_remote_dns to true. This also keeps the DNS queries inside the tunnel.
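Added example (Python, not from the post): what the browser actually sends to the listener that 'ssh -D 8080' or PuTTY's dynamic forward opens on 127.0.0.1:8080. The address-type byte in the CONNECT request is the whole difference the socks_remote_dns setting makes; connect_via_tunnel() performs the handshake against the local tunnel, and the function names are this example's own.

```python
import ipaddress
import socket
import struct

# Constructed example of the SOCKS5 CONNECT a browser sends to the ssh -D / PuTTY dynamic
# forward on 127.0.0.1:8080. socks_remote_dns=false: the browser resolves the name itself and
# sends an IPv4 address (ATYP 0x01). socks_remote_dns=true: the name travels inside the tunnel
# (ATYP 0x03) and the SSH server resolves it, so no DNS query leaves the local PC.
SOCKS_VERSION, CMD_CONNECT = 5, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03

def greeting() -> bytes:
    """Client hello offering only 'no authentication' (0x00), all that ssh -D supports."""
    return bytes([SOCKS_VERSION, 1, 0x00])

def connect_request(host: str, port: int, remote_dns: bool = True) -> bytes:
    """Build the CONNECT request; remote_dns=True mirrors network.proxy.socks_remote_dns=true."""
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for a SOCKS5 domain address")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        # Local resolution: this lookup happens outside the tunnel (the leak the post warns about).
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(socket.gethostbyname(host)).packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_reply(data: bytes) -> tuple:
    """Return (status, bound_addr, bound_port); status 0 means the remote connection is up."""
    ver, status, _rsv, atyp = data[:4]
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_DOMAIN:
        addr, rest = data[5:5 + data[4]].decode(), data[5 + data[4]:]
    else:
        raise ValueError(f"unsupported address type {atyp}")
    return status, addr, struct.unpack("!H", rest[:2])[0]

def connect_via_tunnel(host, port, proxy=("127.0.0.1", 8080), timeout=10):
    """Open a TCP connection to host:port through the local SOCKS5 tunnel, name unresolved."""
    s = socket.create_connection(proxy, timeout)
    s.sendall(greeting())
    if s.recv(2) != bytes([SOCKS_VERSION, 0x00]):
        raise OSError("proxy refused the no-authentication method")
    s.sendall(connect_request(host, port))
    status, _, _ = parse_reply(s.recv(262))
    if status != 0:
        raise OSError(f"SOCKS5 CONNECT failed with status {status}")
    return s
```

With the tunnel up, connect_via_tunnel("www.whatismyip.com", 80) returns a socket whose traffic, including the name lookup, leaves from the SSH server rather than the local PC.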
Multiple tabs: in about:config, set network.http.max-persistent-connections-per-proxy to 25.
Note: some socksifier programs:
a. http://widecap.com/
b. http://www.proxycap.com/
c. http://tsocks.sourceforge.net/ (Linux)
2. Use HTTP proxy software in the ssh ProxyCommand option to SSH into an Internet server directly
In an office environment you may not be able to SSH directly to some servers on the Internet. If the SSH server listens on port 80 or 443, the Squid proxy server usually allows that; if not, you will need to do something to establish the SSH connection, either by changing the destination server's port to 80/443 or by configuring Squid to allow port 22.
For OpenSSH/Cygwin, you can use http://proxytunnel.sourceforge.net/ to tunnel your SSH connection through the Squid proxy server.
In /etc/ssh/ssh_config, put:
Host jephe
ProxyCommand /usr/bin/proxytunnel -p 10.0.0.1:8080 -d jephe.domain.com:22
Then you can run 'ssh -v username@jephe -R 2222:localhost:22 -R 3389:10.0.0.2:3389' to set up remote port forwarding so that you can SSH/RDP to your office PC from home.
Another option is corkscrew - http://www.agroman.net/corkscrew/
For details, see the article How to access office server and admin desktop from home - http://linuxtechres.blogspot.com/2010/12/how-to-access-office-server-and-admin.html
3. Use nc in the ProxyCommand option to SSH directly into a server on the Internet through the firewall
Case: you cannot SSH directly to the Internet; you have to SSH into the firewall/proxy server first, and only from there can you SSH out to the Internet.
Solution: use nc to make it a single step.
In /etc/ssh/ssh_config, put the following lines:
Host external_ssh_server.domain.com
ServerAliveInterval 60
ServerAliveCountMax 600
ProxyCommand ssh jephe@firewall_ip nc %h %p
Then run 'ssh username@external_ssh_server.domain.com' to SSH directly to the host on the Internet.
Note:
You will probably need to configure public key authentication without password for both the firewall and external_ssh_server.domain.com; otherwise you may get an error such as 'write pipe error'.
Note: OpenSSH 5.4 onwards supports a netcat mode with the option -W host:port. See
http://www.openssh.org/txt/release-5.4
* Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers.
The following example of using nc is by Fabian Arrotin, from http://planet.centos.org/
You need to ssh/scp from your PC to HostC directly (normal path: your PC -> HostA -> HostB -> HostC).
==================================
Host HostB
Hostname the.known.fqdn.as.resolvable.by.HostA
User arrfab
ForwardAgent yes
Port 22
ProxyCommand ssh remoteuser@HostA.with.ssh.access nc %h %p
And what if you need to reach HostC, which itself is only reachable by HostB ? Let’s just define a new Host section in the ~/.ssh/config and another ProxyCommand !
Host HostC
Hostname the.known.fqdn.as.resolvable.by.HostB
User arrfab
ForwardAgent yes
Port 22
ProxyCommand ssh remoteuser@HostB nc %h %p
====================================
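Added example (Python, not part of Fabian Arrotin's post or of OpenSSH): a small resolver that parses a ~/.ssh/config like the one above, follows each ssh-based ProxyCommand (both the 'nc %h %p' form from section 3 and the OpenSSH 5.4+ '-W %h:%p' netcat mode) and returns the hop chain the client will actually traverse, refusing configurations in which two Host stanzas proxy through each other. The config text is a constructed copy of the quoted one, and the function names are this example's own.

```python
import shlex

# Constructed copy of the ~/.ssh/config chain quoted above (pc -> HostA -> HostB -> HostC);
# the HostC hop uses the OpenSSH 5.4+ "-W" netcat mode instead of "nc %h %p".
SSH_CONFIG = """
Host HostB
    Hostname the.known.fqdn.as.resolvable.by.HostA
    ProxyCommand ssh remoteuser@HostA.with.ssh.access nc %h %p
Host HostC
    Hostname the.known.fqdn.as.resolvable.by.HostB
    ProxyCommand ssh -W %h:%p remoteuser@HostB
"""
# ssh options that take an argument, so the argument is not mistaken for the host
OPTS_WITH_ARG = {"-p", "-i", "-o", "-l", "-F", "-J", "-W", "-b", "-c", "-e", "-m", "-S"}

def parse_ssh_config(text):
    """Return {alias: {keyword_lowercase: value}} for each Host stanza."""
    hosts, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip().replace("\t", " ")
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        if key.lower() == "host":
            cur = hosts.setdefault(val.strip(), {})
        elif cur is not None:
            cur[key.lower()] = val.strip()
    return hosts

def next_hop(proxy_cmd):
    """Jump host in 'ssh [opts] user@host nc %h %p' or 'ssh -W %h:%p user@host'; None otherwise."""
    argv = shlex.split(proxy_cmd)
    if not argv or argv[0] != "ssh":
        return None  # proxytunnel/corkscrew style ProxyCommand: no ssh hop to follow
    i = 1
    while i < len(argv):
        if argv[i] in OPTS_WITH_ARG:
            i += 2
        elif argv[i].startswith("-"):
            i += 1
        else:
            return argv[i].rpartition("@")[2]  # first non-option word is [user@]host
    return None

def hop_chain(hosts, alias, seen=()):
    """Hosts the client passes through to reach alias, first hop first; raises on a loop."""
    if alias in seen:
        raise ValueError(f"ProxyCommand loop at {alias}")
    hop = next_hop(hosts.get(alias, {}).get("proxycommand", ""))
    return (hop_chain(hosts, hop, seen + (alias,)) if hop else []) + [alias]
```

hop_chain(parse_ssh_config(SSH_CONFIG), "HostC") yields the three-hop path, which is what 'ssh -v HostC' will walk through when each intermediate host accepts the key without a password prompt.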
4. Use ZMODEM transfer with LePutty (http://leputty.sourceforge.net/)
It is much faster to upload/download files directly from PuTTY than to open WinSCP for it.
With LePutty, configure the sz/rz paths in the default PuTTY settings so that every session created afterwards inherits them automatically.
To upload a file from the Windows PC to the server, use 'Zmodem upload' in LePutty.
To download a file, SSH into the server with LePutty, type 'sz filename', then click the 'Zmodem receive' menu item to transfer it to the predefined directory on the Windows PC.
References:
a. https://calomel.org/firefox_ssh_proxy.html