Extending an SSH SOCKS5 Proxy to the Far Endpoint

linuxopensshssh

I currently have this situation:

I have three machines. Call them:

host-client: Windows 7 running the OpenSSH 6.0p1 client under Cygwin
host-ssh-jump-server: Windows 7 running the OpenSSH 6.0p1 server under Cygwin
host-server: Debian 8.9 running the OpenSSH 6.7p1
server, and running an http server on port 8080

host-client opens a SOCKS5 proxy as follows:

ssh -D localhost:1080 -N my-username@host-ssh-jump-server

On host-client, the web browser is configured to use a SOCKS5 proxy at localhost:1080.

The user browses to the web server running on host-server from host-client by entering the following URL into the browser:

http://host-server:8080

The problem is that the connection between host-client and host-server is unencrypted on the hop between host-ssh-jump-server and host-server.

At this moment, getting HTTPS running on host-server is not an option. I need a stopgap. I need to extend the SSH tunnel all the way to host-server.

To minimize user disruption, I would like to do this with these constraints:

Don't change the SOCKS5 proxy they create on host-client.
Don't change the URL they use to browse to host-server, except possibly for the port number.
Other (unrelated) applications traverse the SOCKS5 proxy. They must not be disrupted.
Any new tunnels that would be created would need to have the listening port be bound to localhost for security.

How may I do this, or is it not possible?

Best Answer

ssh -L localhost:1080:localhost:1080 my-username@host-ssh-jump-server -t 'ssh -N -D localhost:1080 root@host-server'

Related Solutions

How to determine the port allocated on the server for a dynamically bound openssh reverse tunnel

If you set the 'LogLevel' in the sshd_config configuration file to DEBUG1 (or any DEBUG level), then sshd will log the port numbers in /var/log/auth.log.

Do remember, that using a LogLevel of DEBUG or higher could be a privacy risk, since much is logged.

(from /var/log/auth.log, removed a few lines to show relevant information)

Jun 24 06:18:24 radon sshd[9334]: Connection from 192.168.13.10 port 39193
Jun 24 06:18:24 radon sshd[9334]: Accepted publickey for lornix from 192.168.13.10 port 39193 ssh2
Jun 24 06:18:24 radon sshd[9334]: pam_unix(sshd:session): session opened for user lornix by (uid=0)
Jun 24 06:18:24 radon sshd[9334]: User child is on pid 9339
Jun 24 06:18:24 radon sshd[9339]: debug1: Local forwarding listening on 0.0.0.0 port 0.
Jun 24 06:18:24 radon sshd[9339]: debug1: Allocated listen port 39813
Jun 24 06:18:24 radon sshd[9339]: debug1: channel 0: new [port listener]
Jun 24 06:18:24 radon sshd[9339]: debug1: Local forwarding listening on :: port 39813.
Jun 24 06:18:24 radon sshd[9339]: debug1: channel 1: new [port listener]
Jun 24 06:18:27 radon sshd[9339]: Received disconnect from 192.168.13.10: 11: disconnected by user

If you follow it through, you can see where you could parse the connection information, and then the forwarded port (39813 in this case)

I used this command line between two of my machines, I do have ssh-key login set up, so no password prompts or delays

-xenon- lornix:~> ssh -R "*:0:radon:22" -N -T radon
Allocated port 39813 for remote forward to radon:22

-N specifies no command is given, and -T stops allocation of a tty for this connection.

Another way to disseminate the port connection information would be to parse it from the client side and send an email, jabber, text msg, smoke signals or pigeon to carry the port # to whomever needs it.

Linux – How to use SSH with a SOCKS 5 proxy

You are using 'connect' for HTTPS as your proxy version, this is from man nc:

-X proxy_version Requests that nc should use the specified protocol when talking to the proxy server. Supported protocols are ''4'' (SOCKS v.4), ''5'' (SOCKS v.5) and 'connect' (HTTPS proxy). If the protocol is not specified, SOCKS version 5 is used.

So you should use the following to use SOCKS 5:

ProxyCommand /usr/bin/nc -X 5 -x 127.0.0.1:7777 %h %p

Or simply:

ProxyCommand /usr/bin/nc -x 127.0.0.1:7777 %h %p

I hope it helps.

Related Question

Windows – How to set up HTTP/SOCKS5 tunneling proxy on Windows using freeSSHd