Tuesday, 22 May 2012

OpenSSH and Proxy drilling

For those you behind a very restrictive firewall where the only ports open to you are the local proxy port, port 80 and the SSL port 443... there is a way to drill a hole through and access your network/PC at home....

I won't go deeply into details of how to get the packages I'll leave that to you, if you can't use the apt-get install or synaptic yet.... then you probably shouldn't be even contemplating this......

This walk through is aimed at linux users .....

For the server side (your home PC) 

1. An OpenSSH server on your Linux box where the default port listening port of 22 has been changed to port 443....

sudo apt-get install openssh-server

once installed open up a nano/gedit session and load the following which can be found in /etc/.ssh/sshd_config

look down the config file until you see Port 22 and replace with Port 443 (there is nothing to stop you keeping both ports open if you so desire, but remember the more ports you have open especially default ports the more vulnerable you are)

# What ports, IPs and protocols we listen for
Port 443

save the file

restart your SSH server (reboot if you don't know how to restart it) to pick up the new listening port, then check you can SSH into your SSH server locally on that port.......

If all goes well and it should you then need to configure your router for port forwarding on port 443 to your internal IP address (obviously you will have to manually configure your PC's IP address and not use DHCP on your local LAN so it remains constant ), obviously this is router dependant and beyond the scope of this walk through....

That's it for your OpenSSH server side.

For your client side you will need to install 


once installed you will need to configure it and that can me done with the ~/.ssh/config file ......here is an example of a typical corkscrew configuration in the ssh config file, it's actually my config file but with personal stuff changed

(find/create that in ~/.ssh/  .... it's simply called "config" ) 

## Inside the firewall, with HTTPS proxy
Host home
hostname homepc.dyndns-at-home.com
ProxyCommand /usr/bin/corkscrew XXX.XXX.XXX.XXX 8080 %h 443 ~/.ssh/pass
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p
ServerAliveInterval 30

XXX.XXX.XXX.XXX can be either a hostname or the IP address of the proxy server (at work)

The %h parameter replaces itself with your hostname or alias in this case "home" and lastly the ~/.ssh/passs simply parses the password file to the proxy server. Otherwise you will get Error 407 proxy Authentication required......

Obviously you need to replace "homepc.dyndns-at-home.com" with your own hostname (or IP address if it's a fixed IP address)  and if your proxy at work requires a password then you will need to create a separate password file (called pass or whatever) in the ~/.ssh directory in the format of username:password.... the first line in the config file is simply an alias for the full hostname you enter.

once that is done all you have to do to connect to your home PC is to drop to a terminal prompt and type the following

ssh username@home 

and corkscrew will do the rest for you... if all goes well you should be prompted to accept the keys from your home server and then be presented with a shell prompt.

If you want to use remote desktop such as Remmina, you will have to configure your home server to accept remote desktop requests and to NOT prompt you to accept (otherwise you'll be waiting all day)... you will also have to do some port mapping with SSH ... fortunately that is quite easy.... by entering the following you will be able to see your remote desktop at work   

ssh -C -c blowfish-cbc -L 5900: username@home (<-- @home picked up from ~/.ssh/config file)

(obviously put your own usual username in front of the @home)

all this line of gibberish does is :-

invoke ssh -C (with compression) -c blowfish (encryption type) -L (maps port 5900 on your remote PC to port 5900 on on your local machine) 5900: username@home (invokes the corkscrew script and reads the config file in ~/.ssh 

All being well should drop you back to a shell prompt on your remote PC with everything remapped and ready to go.

Fire up Remmina (or A.N.Other VNC client) and point it to (not localhost !!) on your PC at work and it should prompt you for your password which you will have previously set on your remote PC (you did do that right ?) 

Caveat lector ..... there are a few most of which are easily solvable please feel free to leave a question and I'll do my best to answer it for you :) 

No comments: