- Posted on
- Jens Müller
September 30, 2003, 4:05 pm
Re: Not able to connect to SSH server through a proxy
The proxy is there for your company's protection. Your network admin would
probably not be happy if he knew you were doing this which could and
probably does violate company policy (leading to your immediate dismissal).
The communication possibilities are pretty endless when you "punch holes" in
this way if you're fairly familiar with SSH, which means there is a
potential for exposure of your company's network --which is why the policy
exists in the first place. As always, use your head.
With that said...
Proxy servers often restrict the types of outbound requests...some can even
analyze the actual contents of the request...to verify that the client is
using an approved protocol, it all depends on the product and the complexity
of the configuration that your network admin has set up. In the past, I was
behind an MS ISA Server that limited protocols by the destination port of
the request. Pretty rudimentary, but it keeps most people using the network
exactly how the admin intended. In order to connect to a remote SSHd
through the proxy I found that I needed to do the following:
1) use PuTTY 0.53b.
2) The remote SSH daemon needs to be listening on 443 (so when you connect,
the proxy server thinks you're making an outbound https connection). Of
course you could also have the daemon listening on 80 or 21 since those are
commonly permitted, but 443 makes the most sense to me. After all, that
traffic would usually be encrypted also (if it *were* https traffic), and it
makes the fact that it is SSH traffic a little less obvious if someone gets
curious and starts up a sniffer to find out why the proxy is so busy.
3) Under the proxy section of your session settings, select telnet as the
4) Enter the proxy host and port.
5) If your proxy requires authentication, enter your username and password
(if this *is* an MS ISA Server, don't forget that you *might* have to prefix
your username with the correct NT Domain of whatever account is permitted to
use the proxy server. Also, note, authentication from PuTTY will always
fail if your admin only allows NTLM authentication. If this is the case,
you're screwed as far as I know, unless you want to pull the source for
PuTTY and put that support in yourself. However, you may be able to
convince him/her that you *need* basic authentication to be allowed for ftp
clients and other non-NTLM aware software that *is* legitimate). Of course,
turning on profuse logging in PuTTY, connecting a few times and reviewing
the logs will help you determine what is required.
Give that a try. If that doesn't work, keep tinkering around in the proxy
settings and reviewing the logs. It always helps to identify what type of
proxy you are trying to connect through and what the requirements are. You
can typically find some of this out by reviewing your browser settings
(since it is probably set up to use the proxy as well). A little "social
engineering" is also useful...nonchalantly tell one of your network
engineers that you occasionally have trouble connecting through the proxy
and request the necessary configuration info from them...but that should all
be common sense, now shouldn't it?
Also keep in mind that this may not be possible behind all proxies...my
example was highly specific since I've only had to wrestle with an ISA
Server. ...you really should get back to work instead of spending your
entire day trying to make unauthorized network connections to remote
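
Seen from the proxy administrator's side, the content inspection the post mentions can catch this even when the destination port is 443. The following is an added example, not part of the original post: it classifies the first bytes sent through a CONNECT tunnel as a TLS ClientHello or an SSH identification string (RFC 4253). The event dictionary layout, function names and sample addresses are assumptions made for illustration.

```python
import re

# SSH identification string, RFC 4253 section 4.2: "SSH-protoversion-softwareversion"
SSH_IDENT = re.compile(rb"^SSH-\d\.\d+-[\x21-\x7e]+")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first payload bytes seen inside a proxied tunnel."""
    if SSH_IDENT.match(data):
        return "ssh"
    # TLS record header: type 0x16 (handshake), version 3.x, 2-byte length,
    # followed by handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        record_len = int.from_bytes(data[3:5], "big")
        if 0 < record_len <= 2**14 and data[5] == 0x01:
            return "tls"
    return "other"


def flag_tunnels(events):
    """Return (client, target, kind) for each tunnel to :443 that is not TLS."""
    alerts = []
    for ev in events:
        if not ev["target"].endswith(":443"):
            continue  # only tunnels that claim to be https are checked here
        kind = classify_first_bytes(ev["first_bytes"])
        if kind != "tls":
            alerts.append((ev["client"], ev["target"], kind))
    return alerts


# Constructed sample events (hypothetical log layout, documentation-range IPs).
SAMPLE_EVENTS = [
    {"client": "192.0.2.10", "target": "203.0.113.5:443",
     "first_bytes": bytes.fromhex("1603010200010001fc0303")},  # TLS ClientHello
    {"client": "192.0.2.11", "target": "203.0.113.7:443",
     "first_bytes": b"SSH-2.0-ExampleClient_1.0\r\n"},          # SSH banner
    {"client": "192.0.2.12", "target": "203.0.113.9:443",
     "first_bytes": b"GET / HTTP/1.1\r\n"},                     # cleartext HTTP
]

if __name__ == "__main__":
    for alert in flag_tunnels(SAMPLE_EVENTS):
        print("non-TLS traffic on 443:", alert)
```

A proxy that only filters on destination port, like the ISA Server setup described in the post, never looks at these bytes, which is why the port-443 approach works against it.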