The sys admin's daily grind — Corkscrew
Dork Holiday

Sys admin columnist Charly never takes a vacation from the Internet. A beach bar with WiFi is quickly found, but it runs a forced proxy, which thinks that the SSH port (22) is in league with the devil and blocks the connection. Time to drill a tunnel.
The right tool for tunneling SSH through a proxy like Squid, Gauntlet, CacheFlow, Junkbuster, or Apache mod_proxy is Corkscrew. Why? Because the name corkscrew is well chosen, and because the program author introduces himself like this: "My name is Pat Padgett. I'm a dork." In my experience, such laconic people are great programmers.
Most distros have a Corkscrew in a back drawer somewhere; if not, you can pick it up online [1]. The SSH daemon should be running on port 443 on the target server, because many proxies refuse to connect to port 22. Incidentally, binding the SSH daemon to two or more ports simultaneously is not a problem. To do this, you just add another port line to your sshd_config
:
[...] Port 22 Port 443
If you are already running HTTPS on port 443, you can set up SSLH [2] on your server as a last resort. This is an SSH/SSL multiplexer that makes it possible to operate SSH and HTTPS simultaneously on port 443.
If the proxy asks for login credentials, you need to store them in a file. Its name does not matter; I would use, say, /home/charly/.proxy-auth
. Then, you can populate the file with data as follows: <Username>:<Password>
Getting Corked
Now you have to talk your SSH client into using Corkscrew. Edit the .ssh/config
file in your home directory for this. (If it does not exist, simply create it.) You will be adding two lines:
Host * ProxyCommand corkscrew <myproxy.example.net> <3128>%h %p /home/<charly>/.proxy-auth
Of course, you need to change <myproxy.example.net>
and the port number to suit your local situation. The variables %h
and %p
pass the parameters from the SSH call to Corkscrew. If you use a server without authentication, you just leave out the path to the username/password file.
Now, it's time for the premiere. The target server I use is a Raspberry Pi, whose sshd
listens on port 443. The proxy is a standard Squid. As you can see from Figure 1, the login works fine – there is nothing to suggest that Corkscrew has a hand in the game, unless someone has access to the proxy logs. You would find the following entry, if you looked:
"CONNECT 10.0.0.5:443 HTTP/1.0" 200 <[...]>
But, who cares about logs while you're relaxing in a beach bar? Ah, they have WiFi.
Charly Kühnast
Charly Kühnast is a Unix operating system administrator at the Data Center in Moers, Germany. His tasks include firewall and DMZ security and availability. He divides his leisure time into hot, wet, and eastern sectors, where he enjoys cooking, freshwater aquariums, and learning Japanese, respectively.
Infos
- Corkscrew: http://www.agroman.net/corkscrew/
- "The sys admin's daily grind: sslh" by Charly Kühnast, Linux Magazine, Issue 111, 2010: http://www.linux-magazine.com/Issues/2010/111/Charly-s-Column/(language)/eng-US
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
News
-
The GNU Project Celebrates Its 40th Birthday
September 27 marks the 40th anniversary of the GNU Project, and it was celebrated with a hacker meeting in Biel/Bienne, Switzerland.
-
Linux Kernel Reducing Long-Term Support
LTS support for the Linux kernel is about to undergo some serious changes that will have a considerable impact on the future.
-
Fedora 39 Beta Now Available for Testing
For fans and users of Fedora Linux, the first beta of release 39 is now available, which is a minor upgrade but does include GNOME 45.
-
Fedora Linux 40 to Drop X11 for KDE Plasma
When Fedora 40 arrives in 2024, there will be a few big changes coming, especially for the KDE Plasma option.
-
Real-Time Ubuntu Available in AWS Marketplace
Anyone looking for a Linux distribution for real-time processing could do a whole lot worse than Real-Time Ubuntu.
-
KSMBD Finally Reaches a Stable State
For those who've been looking forward to the first release of KSMBD, after two years it's no longer considered experimental.
-
Nitrux 3.0.0 Has Been Released
The latest version of Nitrux brings plenty of innovation and fresh apps to the table.
-
Linux From Scratch 12.0 Now Available
If you're looking to roll your own Linux distribution, the latest version of Linux From Scratch is now available with plenty of updates.
-
Linux Kernel 6.5 Has Been Released
The newest Linux kernel, version 6.5, now includes initial support for two very exciting features.
-
UbuntuDDE 23.04 Now Available
A new version of the UbuntuDDE remix has finally arrived with all the updates from the Deepin desktop and everything that comes with the Ubuntu 23.04 base.