The sys admin's daily grind — Corkscrew

Dork Holiday

Article from Issue 166/2014
Author(s):

Sys admin columnist Charly never takes a vacation from the Internet. A beach bar with WiFi is quickly found, but it runs a forced proxy, which thinks that the SSH port (22) is in league with the devil and blocks the connection. Time to drill a tunnel.

The right tool for tunneling SSH through a proxy like Squid, Gauntlet, CacheFlow, Junkbuster, or Apache mod_proxy is Corkscrew. Why? Because the name corkscrew is well chosen, and because the program author introduces himself like this: "My name is Pat Padgett. I'm a dork." In my experience, such laconic people are great programmers.

Most distros have a Corkscrew in a back drawer somewhere; if not, you can pick it up online [1]. The SSH daemon should be running on port 443 on the target server, because many proxies refuse to connect to port 22. Incidentally, binding the SSH daemon to two or more ports simultaneously is not a problem. To do this, you just add another port line to your sshd_config:

[...]
Port 22
Port 443

If you are already running HTTPS on port 443, you can set up SSLH [2] on your server as a last resort. This is an SSH/SSL multiplexer that makes it possible to operate SSH and HTTPS simultaneously on port 443.

If the proxy asks for login credentials, you need to store them in a file. Its name does not matter; I would use, say, /home/charly/.proxy-auth. Then, you can populate the file with data as follows: <Username>:<Password>

Getting Corked

Now you have to talk your SSH client into using Corkscrew. Edit the .ssh/config file in your home directory for this. (If it does not exist, simply create it.) You will be adding two lines:

Host *
ProxyCommand corkscrew <myproxy.example.net> <3128>%h %p /home/<charly>/.proxy-auth

Of course, you need to change <myproxy.example.net> and the port number to suit your local situation. The variables %h and %p pass the parameters from the SSH call to Corkscrew. If you use a server without authentication, you just leave out the path to the username/password file.

Now, it's time for the premiere. The target server I use is a Raspberry Pi, whose sshd listens on port 443. The proxy is a standard Squid. As you can see from Figure 1, the login works fine  – there is nothing to suggest that Corkscrew has a hand in the game, unless someone has access to the proxy logs. You would find the following entry, if you looked:

Figure 1: All done with Corkscrew: perfect remote login on Charly's Raspberry Pi.
"CONNECT 10.0.0.5:443 HTTP/1.0" 200 <[...]>

But, who cares about logs while you're relaxing in a beach bar? Ah, they have WiFi.

Charly Kühnast

Charly Kühnast is a Unix operating system administrator at the Data Center in Moers, Germany. His tasks include firewall and DMZ security and availability. He divides his leisure time into hot, wet, and eastern sectors, where he enjoys cooking, freshwater aquariums, and learning Japanese, respectively.

Infos

  1. Corkscrew: http://www.agroman.net/corkscrew/
  2. "The sys admin's daily grind: sslh" by Charly Kühnast, Linux Magazine, Issue 111, 2010: http://www.linux-magazine.com/Issues/2010/111/Charly-s-Column/(language)/eng-US

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Charly’s Column: PortSentry

    To celebrate 10 years of his column, Charly sets up a sensitive detector that measures the cosmic background radiation of the Internet.

  • Charly's Column

    Leafnode is a Usenet server for small sites where just a few users need access to a large number of groups. The Leafnode server is designed to recover from errors autonomously and needs very little attention.

  • Charly’s Column: Cluster SSH

    Charly doesn’t relish the idea of searching through the logfiles of a dozen proxy servers when page requests fail. Now that he has deployed Cluster SSH, he can pull the strings on many machines at the same time.

  • Charly's Column

    Ornithologists already know that magpies don’t really deserve their reputation. The true kleptomaniac in the world of birds is the raven. And it’s worthwhile for data dealers to make the acquaintance of Munin, a monitoring tool named after one fabled raven.

  • Charly's Column: Glastopf

    Good traps catch mice, and honeypots catch malicious scripts. Sys admin Charly resorts to a honeypot in this issue, which, although difficult to install, is easy to manage.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95

News

njobs Europe
What:
Where:
Country:
Njobs Netherlands Njobs Deutschland Njobs United Kingdom Njobs Italia Njobs France Njobs Espana Njobs Poland
Njobs Austria Njobs Denmark Njobs Belgium Njobs Czech Republic Njobs Mexico Njobs India Njobs Colombia