Using OpenSSH through a SOCKS compatible PROXY on your LAN
This guide has been written by J. Grant. 2002-04-15
Version 0.9 Copyleft J. Grant.
Including this in any other documents is permitted under the GNU
Free Documentation Licence, providing my name is given next to the section.
Distributing this any other way is permitted providing it is complete and
contains this message.
New versions can be found on the page hosted by Goto-san: http://www.imasy.or.jp/~gotoh/ssh/openssh-socks.html
This guide has been featured on the Mandrake website:
http://www.mandrakesecure.net/en/docs/openssh-socks.php
Tested on Linux Mandrake 8.1; the distribution should not affect you
providing you have RPM support. This guide applies to other internet
applications as well.
Introduction
The SOCKS firewall protocol was fostered by NEC. They currently
DO NOT support a free version of their tools for UNIX (free as
in freedom, not beer). Many applications directly support the SOCKS 4/5
protocols: Netscape, Opera etc. The NEC software was previously available
at ftp://ftp.nec.com/pub/socks/socks5
but now it is not. However, there are other free solutions available
now, which means you have choices. (The way of UNIX)
There are 5 solutions covered in this SSH through a SOCKS PROXY
guide.
Currently I use Goto-san's connect.c and the wrapper "runsocks"
for other applications. Read this whole FAQ before making your decision!
1) Using the old NEC software
The packages NEC previously made available on Linux were rpm/tgz
packages that implemented the server, client programs and a wrapper
program (for programs without compiled-in SOCKS support).
http://rpmfind.net/linux/rpm2html/search.php?query=socks
I installed runsocks-1.0r11-3.i386.rpm successfully.
$ rpm -ivh runsocks-1.0r11-3.i386.rpm
I also used rpm --rebuild on the src.rpm to build the whole set of
packages and installed those as well.
I rebuilt the source downloaded from
ftp://rpmfind.net/linux/falsehope/home/gomez/socks5/
(Sometimes this site is not available; try later and it might work.
Does anyone know why?)
http://plf.zarb.org/rpm/8.2/i586/ is another link.
Do this in your shell:
$ export SOCKS4_SERVER=mysocks4server
Or you can specify it in the conf file as follows.
Create this file /etc/libsocks5.conf
$ cat /etc/libsocks5.conf
socks4 - - - - mysocks4server
There are problems with this:
You have to be root to use runsocks ssh -l myusername <host>,
or you will get the following error:
$ runsocks ssh -l myuser myhost.com
ssh: error while loading shared libraries: libsocks5_sh.so: cannot open shared object file: No such file or directory
DNS does not work; you get this error from ssh:
$ su
$ runsocks ssh -l youruser yourhost.com
ssh: yourhost.com: Temporary failure in name resolution
The only way to connect is to be root and also use the IP. I can
connect, it's just not good practice to have to be root and use the IP
address! Also you need to change the suid bit on /usr/bin/ssh: type
chmod 755 /usr/bin/ssh. Wrapping suid binaries is not allowed, as a
cracker could then get root on your system!
Read the man pages for libsocks5.conf and runsocks for further
information.
These are the versions I have. I do not have ftp space to host
them; if anyone has permanent ftp space for them please contact me. (I
believe we are allowed to distribute them under the licence.) I downloaded
them from places such as ftp://rpmfind.net/linux/falsehope/home/gomez/socks5/
runsocks-1.0r11-3.i386.rpm
socks-4.3.beta2-2.i386.rpm
socks-4.3.beta2-2.src.rpm
socks5-1.0r11-3.i386.rpm
socks5-1.0r11-3.src.rpm
socks5-clients-1.0r11-3.i386.rpm
socks5-devel-1.0r11-3.i386.rpm
export.socks.4.3.beta2.tar.gz
export.socks.cstc.4.2.2.tar.gz
socks.cstc.4.2.2.tar.gz
2) Use Goto-san's connect.c (works transparently)
OpenSSH SOCKS support was removed from the OpenSSH implementation
on 2000-02-07. Using SSH through SOCKS firewalls is now ONLY supported
using a ProxyCommand from within the SSH configuration files.
I found how to use OpenSSH through socks.
a) Download and compile the source code at this URL, and put the binary
in your path.
http://www.imasy.or.jp/~gotoh/connect.c
$ su
$ gcc -o sconnect connect.c
$ cp sconnect /usr/local/bin
b) Add the following line to your ssh_config; this is for a SOCKS4
server. Read his source for further information.
ProxyCommand /usr/local/bin/sconnect -4 -S your-socks-server:1080 %h %p
That's it! Everything should work now.
This is the best solution IMO.
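Added example, not part of the original guide and not taken from connect.c: the SOCKS4 CONNECT exchange that a ProxyCommand helper has to perform with a SOCKS4 server before ssh's own traffic flows. The address 192.0.2.10, the userid "demo", the sample replies and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SOCKS4_VN = 4, SOCKS4_CONNECT = 1, SOCKS4_GRANTED = 90 };

/* Constructed sample data: documentation address and made-up replies. */
static const uint8_t SAMPLE_IP[4] = {192, 0, 2, 10};
static const uint8_t REPLY_GRANTED[8] = {0, 90};
static const uint8_t REPLY_REJECTED[8] = {0, 91};
static uint8_t sample_req[32];

/* Build a CONNECT request: VN, CD, DSTPORT (big-endian), DSTIP, USERID, NUL.
 * SOCKS4 carries only an IPv4 address, so the client resolves the host name
 * itself; the userid travels in clear text and is not a credential.
 * Returns the request length, or 0 if out is too small. */
size_t socks4_build_connect(uint8_t *out, size_t cap, const uint8_t ip[4],
                            uint16_t port, const char *userid)
{
    size_t ulen = strlen(userid) + 1;          /* include the NUL */
    if (cap < 8 + ulen) return 0;
    out[0] = SOCKS4_VN;
    out[1] = SOCKS4_CONNECT;
    out[2] = (uint8_t)(port >> 8);
    out[3] = (uint8_t)(port & 0xff);
    memcpy(out + 4, ip, 4);
    memcpy(out + 8, userid, ulen);
    return 8 + ulen;
}

/* Check the 8-byte reply: VN must be 0, CD 90 means request granted.
 * Returns 1 if granted, 0 if refused, -1 for a short or malformed reply. */
int socks4_parse_reply(const uint8_t *in, size_t len)
{
    if (len < 8 || in[0] != 0) return -1;
    return in[1] == SOCKS4_GRANTED;
}

int main(void)
{
    size_t n = socks4_build_connect(sample_req, sizeof sample_req,
                                    SAMPLE_IP, 22, "demo");
    for (size_t i = 0; i < n; i++)
        printf("%02x ", sample_req[i]);
    printf("\ngranted=%d rejected=%d\n",
           socks4_parse_reply(REPLY_GRANTED, 8),
           socks4_parse_reply(REPLY_REJECTED, 8));
    return 0;
}
```

Only after a granted reply does the helper start relaying bytes, so the SSH key exchange and host key check still happen end to end between ssh and the remote sshd.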
3) Use the proprietary SSH.com trial version
This is only possible for non-commercial 30 day use; it supports the SOCKS
protocol.
export SSH_SOCKS_SERVER=socks://youruser@socks-server:1080/x.x.x.0/24
I gave up on proprietary solutions so I have not tested further. SSH.com
is not open source, thus I would only use it in "legacy" systems that
required it.
4) Dante OSS version
This has not been tested, but I have received good feedback
about it. See http://www.inet.no/dante/
for further information or http://rpmfind.net/linux/rpm2html/search.php?query=dante
5) Using LD_PRELOAD
This is another option: Linux SocksCap v0.1.1 (sockscap-0.1.1-linux.tar.gz),
developed by Chris Maison at http://www.r00t3d.org.uk/
Extract the sockscap.so library and place somewhere on your system.
It does not really matter where you put it, but /usr/local/lib is usually
a good starting place. Load up a Socks 5 server or run a Bouncer running
in Socks 5 mode or alternatively have a Socks 5 server running on another
machine. You will need to type the following two commands in to enable it:
export LD_PRELOAD=/usr/local/lib/sockscap.so   # different if you placed it elsewhere
export SOCKS_PROXY="127.0.0.1:1080"            # or your alternative Socks 5 server
Then (hopefully) all connections you make will go through the Socks
5 server. To see which connections are being sent to the Socks 5 server,
check syslog, as it will output a single line status message on success.
To enable it for an application just make sure you export the two symbols
beforehand. BUT.. DO NOT export the symbols before loading the Socks 5
server otherwise it will get stuck in a loop. To disable it run the following
command:
unset LD_PRELOAD
Suid binaries will not run with LD_PRELOAD which means they will not
get sent through the proxy, unless you export LD_PRELOAD as root and run
the suid binary as root. This is because LD_PRELOAD could be used to create
a wrapper for the open() call and use that as a backdoor to gain root on
the machine. Also, statically built binaries will not evaluate LD_PRELOAD either
as they will not attempt to dynamically load libraries and that defeats
the object of static.
This looks very promising despite the low version number. Some information
quoted from Chris Maison's site.
Misc.
NEC never replied to any of my emails so I think it is best
to not bother them anymore, there are enough solutions now anyway.
If you really want to contact them, try steve@syl.dl.nec.com and
socks5-comments@socks.nec.com
Links
http://www.funet.fi/pub/unix/security/firewalls/socks/socks4/
ftp://rpmfind.net/linux/falsehope/home/gomez/socks5/
http://www.imasy.or.jp/~gotoh/connect.c
http://www.inet.no/dante/
http://www.r00t3d.org.uk/
Greetings
Thank you to the following people who helped me during my SOCKS
with SSH investigations:
(Ordered alphabetically by first name)
Avi Alkalay
Alex Feinberg (alex@freethinkers.net), author of "Using SOCKS
Proxy Firewalls on Linux". Introduction is based on his.
David Knight French
OpenSSH.com - You have a great application, thank you to all
the team.
Satoru Takeuchi <- Testing and general info
Shun-ichi Goto <- connect.c and hosting this guide!
Also, thank you to the other people who replied to my emails
about these problems and offered suggestions.