Sometimes I find my access to the outside world blocked by over-zealous firewalls and proxies, most often when using hotel or free WiFi. Unfortunately, it's not normally possible to restart a broken website or monitor a server's load through just a web browser, and these are times when only an SSH connection to the outside world will do. And so it's necessary to find a way round the proxies.
I've found a pretty good solution to this, that works well on at least Windows and Macs: corkscrew.
I'll document how to use it here, just in case I'm not the last person on earth to figure this out. Note that I don't recommend or condone doing this to avoid corporate internet access restrictions: there may be very good reasons for unauthorised access to be blocked. That said, here's what you need to do.
Set up your server
You need to make a configuration change to at least one of the servers you want to reach on the outside: reconfiguring the SSH daemon to run on port 443, the default port for secure web connections. You're using port 443 because most web proxies allow certain types of traffic through on that port, which we can exploit to our advantage.
You can reconfigure your ssh daemon by editing your /etc/ssh/sshd_config and changing the port number from 22 to 443.
Be aware that this will break default ssh sessions to that server. You can no longer type 'ssh foo@my.server.com'; you'll now have to type 'ssh -p443 foo@my.server.com'. If you want to continue to use port 22 as well, add another Port line, so that your config reads something like:
# What ports, IPs and protocols we listen for
Port 22
Port 443
Reload the sshd configuration (/etc/init.d/ssh reload on Debian-like systems), and test connecting to it on port 443 from outside the proxy.
Remember that port 443 is the default port for secure web connections (https://), so you might want to find another solution if you're already hosting or planning to host secure websites.
Set up your local machine
You need to install and configure corkscrew. If you're on Windows, this is best done using corkscrew in cygwin. If you're on the Mac, there's a corkscrew Darwin Port available.
Create an authentication credentials file (just a text file with your proxy username and password, to stop you having to type it each time you connect): ~/.ssh/your_auth_file. It should contain just one line, like this:
username:password
For security, make sure you're the only one that can read this file:
chmod go-rwx ~/.ssh/your_auth_file
Next, in your ~/.ssh/config (create the file if it doesn't already exist), add the following to make ssh use corkscrew by default for ssh connections (all one line):
ProxyCommand /usr/bin/corkscrew your.local.proxy port %h %p ~/.ssh/your_auth_file
(Note that you should not do this if you also use ssh to access machines on the network inside the proxy.)
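The local setup steps above as one script. This is an added example, not part of the original post. It goes slightly further than the post by putting the ProxyCommand under a Host entry, so only connections to the named server go through corkscrew and ssh to machines inside the proxy is unaffected. The function names setup_corkscrew and is_private are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): create the corkscrew auth file
# and a host-scoped ~/.ssh/config entry with owner-only permissions.
# Usage: setup_corkscrew ~/.ssh your.ssh.server your.local.proxy PORT
# The proxy credentials are read from stdin as one "username:password" line,
# so they never appear on the command line or in shell history.

setup_corkscrew() {
    dir=$1 host=$2 proxy=$3 pport=$4
    auth="$dir/your_auth_file"
    conf="$dir/config"

    IFS= read -r cred || [ -n "$cred" ] || return 1
    case $cred in
        ?*:?*) ;;   # non-empty user, colon, non-empty password
        *) echo "expected one line: username:password" >&2; return 1 ;;
    esac

    (
        umask 077                       # new files and directory: owner only
        mkdir -p "$dir" || exit 1
        printf '%s\n' "$cred" > "$auth" || exit 1
        # Append the Host entry only once, so re-running is harmless.
        if ! grep -qxF "Host $host" "$conf" 2>/dev/null; then
            cat >> "$conf" <<EOF
Host $host
    Port 443
    ProxyCommand /usr/bin/corkscrew $proxy $pport %h %p $auth
EOF
        fi
    ) || return 1
    # umask does not change files that already existed, so tighten explicitly.
    chmod go-rwx "$auth" "$conf"
}

# Succeeds only if group and others have no permission bits on the file.
is_private() {
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \))" ]
}
```

With Port 443 set in the Host entry, 'ssh you@your.ssh.server' works without -p443.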
Test
That should be enough - you should now be able to connect to your remote server by typing:
ssh -p443 you@your.ssh.server
Note that you can only connect to servers where the ssh daemon is running on port 443 - but once you've connected to one, you can always connect from there to others...
Posted by savs at February 27, 2008 7:44 PM
PuTTY supports proxies out-of-the-box and is easier to set up than corkscrew on Windows.
Posted by: Ryan at February 28, 2008 4:02 PM