Author: qboosh
Date: Wed Nov 15 09:16:52 2006 GMT
Module: SOURCES
Tag: HEAD
---- Log message:
b856937f1cdfca7a3ccfb2fac36ef726 connect.c
bb972b3a9d435c62023b355960d78f78 connect.html
---- Files affected: SOURCES: connect.html (1.3 -> 1.4) (NEW), connect.c (1.3 -> 1.4) (NEW) ---- Diffs: ================================================================ Index: SOURCES/connect.html diff -u /dev/null SOURCES/connect.html:1.4 --- /dev/null Wed Nov 15 10:16:52 2006 +++ SOURCES/connect.html Wed Nov 15 10:16:47 2006 
@@ -0,0 +1,1142 @@ +<?xml version="1.0" encoding="us-ascii"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> + <head> + <title>SSH Proxy Command -- connect.c</title> + <meta name="generator" content="emacs-wiki.el" /> + <meta http-equiv="Content-Type" + content="us-ascii" /> + <link rev="made" href="mailto:[EMAIL PROTECTED]" /> + <link rel="home" href="http://www.taiyo.co.jp/~gotoh/" /> + <link rel="index" href="http://www.taiyo.co.jp/~gotoh/SiteIndex.html" /> + <link rel="stylesheet" type="text/css" href="emacs-wiki.css" /> + </head> + <body> + <h1>SSH Proxy Command -- connect.c</h1> + <!-- Page published by Emacs Wiki begins here --> +<p> +<strong>connect.c</strong> is the simple relaying command to make network +connection via SOCKS and https proxy. It is mainly intended to +be used as <strong>proxy command</strong> of OpenSSH. You can make SSH session +beyond the firewall with this command, + +</p> + +<p> +Features of <strong>connect.c</strong> are: + +</p> + +<ul> +<li>Supports SOCKS (version 4/4a/5) and https CONNECT method. +</li> +<li>Supports NO-AUTH and USERPASS authentication of SOCKS +</li> +<li>Partially supports telnet proxy (experimental). +</li> +<li>You can input password from tty, ssh-askpass or + environment variable. +</li> +<li>Run on UNIX or Windows platform. +</li> +<li>You can compile with various C compiler (cc, gcc, Visual C, Borland C. etc.) +</li> +<li>Simple and general program independent from OpenSSH. +</li> +<li>You can also relay local socket stream instead of standard I/O. 
+</li> +</ul> + +<p> +Download source code from: +<a href="http://www.taiyo.co.jp/~gotoh/ssh/connect.c">http://www.taiyo.co.jp/~gotoh/ssh/connect.c</a> +<br/> +For windows user, pre-compiled binary is also available: +<a href="http://www.taiyo.co.jp/~gotoh/ssh/connect.exe">http://www.taiyo.co.jp/~gotoh/ssh/connect.exe</a> (compiled with MSVC) + +</p> + +<h2>Contents</h2> +<dl class="contents"> +<dt class="contents"> +<a href="#sec1">News</a> +</dt> +<dt class="contents"> +<a href="#sec2">What is 'proxy command'</a> +</dt> +<dt class="contents"> +<a href="#sec3">How to Use</a> +</dt> +<dd> +<dl class="contents"> +<dt class="contents"> +<a href="#sec4">Get Source</a> +</dt> +<dt class="contents"> +<a href="#sec5">Compile and Install</a> +</dt> +<dt class="contents"> +<a href="#sec6">Modify your ~/.ssh/config</a> +</dt> +<dt class="contents"> +<a href="#sec7">Use SSH</a> +</dt> +<dt class="contents"> +<a href="#sec8">Have trouble?</a> +</dt> +</dl> +</dd> +<dt class="contents"> +<a href="#sec9">More Detail</a> +</dt> +<dt class="contents"> +<a href="#sec10">Specifying user name via environment variables</a> +</dt> +<dt class="contents"> +<a href="#sec11">Specifying password via environment variables</a> +</dt> +<dt class="contents"> +<a href="#sec12">Limitations</a> +</dt> +<dd> +<dl class="contents"> +<dt class="contents"> +<a href="#sec13">SOCKS5 authentication</a> +</dt> +<dt class="contents"> +<a href="#sec14">HTTP authentication</a> +</dt> +<dt class="contents"> +<a href="#sec15">Switching proxy server</a> +</dt> +<dt class="contents"> +<a href="#sec16">Telnet Proxy</a> +</dt> +</dl> +</dd> +<dt class="contents"> +<a href="#sec17">Tips</a> +</dt> +<dd> +<dl class="contents"> +<dt class="contents"> +<a href="#sec18">Proxying socket connection</a> +</dt> +<dt class="contents"> +<a href="#sec19">Use with ssh-askpass command</a> +</dt> +<dt class="contents"> +<a href="#sec20">Use for Network Stream of Emacs</a> +</dt> +<dt class="contents"> +<a href="#sec21">Remote 
resolver</a> +</dt> +<dt class="contents"> +<a href="#sec22">Hopping Connection via SSH</a> +</dt> +</dl> +</dd> +<dt class="contents"> +<a href="#sec23">Break The More Restricted Wall</a> +</dt> +<dt class="contents"> +<a href="#sec24">F.Y.I.</a> +</dt> +<dd> +<dl class="contents"> +<dt class="contents"> +<a href="#sec25">Difference between SOCKS versions.</a> +</dt> +<dt class="contents"> +<a href="#sec26">Configuration to use HTTPS</a> +</dt> +<dt class="contents"> +<a href="#sec27">SOCKS5 Servers</a> +</dt> +<dt class="contents"> +<a href="#sec28">Specifications</a> +</dt> +<dt class="contents"> +<a href="#sec29">Related Links</a> +</dt> +<dt class="contents"> +<a href="#sec30">Similars</a> +</dt> +</dl> +</dd> +<dt class="contents"> +<a href="#sec31">hisotry</a> +</dt> +</dl> + + +<h2><a name="sec1" id="sec1"></a>News</h2> +<dl> +<dt>2005-07-08</dt> +<dd> +Rev. 1.95. Buf fix for previous change. The bug causes the fail of + basic authentication. And also fixed bug of parameter file handling. + Thanks reporting, Johannes Schindelin <Johannes.Schindelin at gmx.de>. +</dd> +<dt>2005-07-07</dt> +<dd> +Rev. 1.94. Changed to use snprintf()/vsnprintf() for security issue + that gcc complained them on OpenBSD 3.7/x86. The features are not + changed. +</dd> +<dt>2005-03-04</dt> +<dd> +Updated compile option for Mac OS X. +</dd> +<dt>2005-02-21</dt> +<dd> +Rev.1.92. Removed assertions which has no mean and worse for windows + suggested by OZAWA Takahiro. +</dd> +<dt>2005-01-12</dt> +<dd> +Rev.1.90. Fixed not to cause seg-fault on accessing to non HTTP + port. This problem is reported by Jason Armstrong <ja at riverdrums.com>. +</dd> +<dt>2004-10-30</dt> +<dd> +Rev.1.89. Partial support for telnet proxy. + Thanks to Gregory Shimansky <gshimansky at mail dot ru>. + (Note: This is ad-hoc implementation, so it is not enough for + various type of telnet proxies. + And password interaction is not supported.) 
+</dd> +</dl> + +<h2><a name="sec2" id="sec2"></a>What is 'proxy command'</h2> + +<p> +OpenSSH development team decides to stop supporting SOCKS and any +other tunneling mechanism. It was aimed to separate complexity to +support various mechanism of proxying from core code. And they +recommends more flexible mechanism: <strong>ProxyCommand</strong> option +instead. + +</p> + +<p> +Proxy command mechanism is delegation of network stream +communication. If <strong>ProxyCommand</strong> options is specified, SSH +invoke specified external command and talk with standard I/O of thid +command. Invoked command undertakes network communication with +relaying to/from standard input/output including iniitial +communication or negotiation for proxying. Thus, ssh can split out +proxying code into external command. + +</p> + +<p> +The <strong>connect.c</strong> program was made for this purpose. + +</p> + +<h2><a name="sec3" id="sec3"></a>How to Use</h2> + +<h3><a name="sec4" id="sec4"></a>Get Source</h3> + +<p> +Download source code from <a href="http://www.taiyo.co.jp/~gotoh/ssh/connect.c">here</a>. +<br/> +If you are MS Windows user, you can get pre-compiled binary from +<a href="http://www.taiyo.co.jp/~gotoh/ssh/connect.exe">here</a>. + +</p> + +<h3><a name="sec5" id="sec5"></a>Compile and Install</h3> + +<p> +In most environment, you can compile <strong>connect.c</strong> simply. +On UNIX environment, you can use cc or gcc. +On Windows environment, you can use Microsoft Visual C, Borland C or Cygwin gcc. 
+ +</p> + +<table border="2" cellpadding="5"> +<thead> +<tr> +<th>Compiler</th><th>command line to compile</th> +</tr> +</thead> +<tbody> +<tr> +<td>UNIX cc</td><td>cc connect.c -o connect</td> +</tr> +<tr> +<td>UNIX gcc</td><td>gcc connect.c -o connect</td> +</tr> +<tr> +<td>Solaris</td><td>gcc connect.c -o connect -lnsl -lsocket -lresolv</td> +</tr> +<tr> +<td>Microsoft Visual C/C++</td><td>cl connect.c wsock32.lib advapi32.lib</td> +</tr> +<tr> +<td>Borland C</td><td>bcc32 connect.c wsock32.lib advapi32.lib</td> +</tr> +<tr> +<td>Cygwin gcc</td><td>gcc connect.c -o connect</td> +</tr> +<tr> +<td>Mac OS X</td><td>gcc connect.c -o connect -lresolv<br/>or<br/>gcc connect.c -o connect -DBIND_8_COMPAT=1</td> +</tr> +</tbody> +</table> + +<p> +To install <strong>connect</strong> command, simply copy compiled binary to directory +in your PATH (ex. /usr/local/bin). Like this: + +</p> + +<pre class="example"> +$ cp connect /usr/local/bin +</pre> + +<h3><a name="sec6" id="sec6"></a>Modify your ~/.ssh/config</h3> + +<p> +Modify your <code>~/.ssh/config</code> file to use <strong>connect</strong> command as +<strong>proxy command</strong>. For the case of SOCKS server is running on +firewall host <code>socks.local.net</code> with port 1080, you can add +<strong>ProxyCommand</strong> option in <code>~/.ssh/config</code>, like this: + +</p> + +<pre class="example"> +Host remote.outside.net + ProxyCommand connect -S socks.local.net %h %p +</pre> + +<p> +<code>%h</code> and <code>%p</code> will be replaced on invoking proxy command with +target hostname and port specified to SSH command. + +</p> + +<p> +If you hate writing many entries of remote hosts, following example +may help you. + +</p> + +<pre class="example"> +## Inside of the firewall, use connect command with direct connection. +Host *.local.net + ProxyCommand connect %h %p + +## Outside of the firewall, use connect command with SOCKS conenction. 
+Host * + ProxyCommand connect -S socks.local.net %h %p +</pre> + +<p> +If you want to use http proxy, use <strong>-H</strong> option instead of <strong>-S</strong> +option in examle above, like this: + +</p> + +<pre class="example"> +## Inside of the firewall, direct +Host *.local.net + ProxyCommand connect %h %p + +## Outside of the firewall, with HTTP proxy +Host * + ProxyCommand connect -H proxy.local.net:8080 %h %p +</pre> + +<h3><a name="sec7" id="sec7"></a>Use SSH</h3> + +<p> +After editing your <code>~/.ssh/config</code> file, you are ready to use ssh. +You can execute ssh without any special options as if remote host is +IP reachable host. Following is an example to execute <code>hostname</code> +command on host <code>remote.outside.net</code>. + +</p> + +<pre class="example"> +$ ssh remote.outside.net hostname +remote.outside.net +$ +</pre> + +<h3><a name="sec8" id="sec8"></a>Have trouble?</h3> + +<p> +If you have trouble, execute <strong>connect</strong> command from command line +with <code>-d</code> option to see what is happened. Some debug message may +appear and reports progress. This information may tell you what is +wrong. In this example, error has occurred on authentication stage of +SOCKS5 protocol. + +</p> + +<pre class="example"> +$ connect -d -S socks.local.net unknown.remote.outside.net 110 +DEBUG: relay_method = SOCKS (2) +DEBUG: relay_host=socks.local.net +DEBUG: relay_port=1080 +DEBUG: relay_user=gotoh +DEBUG: socks_version=5 +DEBUG: socks_resolve=REMOTE (2) +DEBUG: local_type=stdio +DEBUG: dest_host=unknown.remote.outside.net +DEBUG: dest_port=110 +DEBUG: Program is $Revision$ +DEBUG: connecting to xxx.xxx.xxx.xxx:1080 +DEBUG: begin_socks_relay() +DEBUG: atomic_out() [4 bytes] +DEBUG: >>> 05 02 00 02 +DEBUG: atomic_in() [2 bytes] +DEBUG: <<< 05 02 +DEBUG: auth method: USERPASS +DEBUG: atomic_out() [some bytes] +DEBUG: >>> xx xx xx xx ... +DEBUG: atomic_in() [2 bytes] +DEBUG: <<< 01 01 +ERROR: Authentication faield. 
+FATAL: failed to begin relaying via SOCKS. +</pre> + +<h2><a name="sec9" id="sec9"></a>More Detail</h2> + +<p> +Command line usage is here: + +</p> + +<pre class="example"> +usage: connect [-dnhst45] [-R resolve] [-p local-port] [-w sec] + [-H [EMAIL PROTECTED]:port]] + [-S [EMAIL PROTECTED]:port]] + [-T socks-server:[port]] + [-c telnet-proxy-command] + host port +</pre> + +<p> +<strong><em>host</em></strong> and <strong><em>port</em></strong> is target hostname and port-number to connect. + +</p> + +<p> +<strong>-H</strong> option specify hostname and port number of http proxy server to +relay. If port is omitted, 80 is used. You can specify this value by +environment variable <code>HTTP_PROXY</code> and give <strong>-h</strong> option to use it. + +</p> + +<p> +<strong>-S</strong> option specify hostname and port number of SOCKS server to +relay. Like <strong>-H</strong> option, port number can be omit and default is 1080. +You can also specify this value pair by environment variable +<code>SOCKS5_SERVER</code> and give <strong>-s</strong> option to use it. + +</p> + +<p> +<strong>-T</strong> option specify hostname and port number of telnet proxy to +relay. The port number can be omit and default is 23. +You can also specify this value pair by environment variable +<code>TELNET_PROXY</code> and give <strong>-t</strong> option to use it. + +</p> + +<p> +<strong>-4</strong> and <strong>-5</strong> is for specifying SOCKS protocol version. It is +valid only using with <strong>-s</strong> or <strong>-S</strong>. Default is <strong>-5</strong> +(protocol version 5) + +</p> + +<p> +<strong>-R</strong> is for specifying method to resolve hostname. 3 keywords +(<code>local</code>, <code>remote</code>, <code>both</code>) or dot-notation IP address is +allowed. Keyword <code>both</code> means; "Try local first, then +remote". If dot-notation IP address is specified, use this host as +nameserver (UNIX only). 
Default is <code>remote</code> for SOCKS5 or <code>local</code> +for others. On SOCKS4 protocol, remote resolving method (<code>remote</code> +and <code>both</code>) use protocol version 4a. + +</p> + +<p> +The <strong>-p</strong> option specifys to wait a local TCP port and make relaying +with it instead of standard input and output. + +</p> + +<p> +The <strong>-w</strong> option specifys timeout seconds on making connection with +target host. + +</p> + +<p> +The <strong>-c</strong> option specifys request string against telnet +proxy server. The special word '%h' and '%p' in this string are replaced +as hostname and port number before sending. +For telnet proxy by <a class="nonexistent" href="mailto:[EMAIL PROTECTED]">DeleGate</a>, both "telnet %h %p" and "%h:%p" +are acceptable. +Default is "telnet %h %p". + +</p> + +<p> +The <strong>-a</strong> option specifiys user intended authentication methods +separated by comma. Currently <code>userpass</code> and <code>none</code> are +supported. Default is <code>userpass</code>. You can also specifying this +parameter by the environment variable <code>SOCKS5_AUTH</code>. + +</p> + +<p> +The <strong>-d</strong> option is used for debug. If you fail to connect, use this +and check request to and response from server. + +</p> + +<p> +You can omit <strong><em>port</em></strong> argument when program name is special format +containing port number itself. For example, + +</p> + +<pre class="example"> +$ ln -s connect connect-25 +$ ./connect-25 smtphost.outside.net +220 smtphost.outside.net ESMTP Sendmail +QUIT +221 2.0.0 smtphost.remote.net closing connection +$ +</pre> + +<p> +This example means that the command name "<code>connect-25</code>" contains port number +25 so you can omit 2nd argument (and used if specified explicitly). + +</p> + +<h2><a name="sec10" id="sec10"></a>Specifying user name via environment variables</h2> + +<p> +There are 5 environemnt variables to specify +user name without command line option. 
This mechanism is usefull +for the user who using another user name different from system account. + +</p> + +<dl> +<dt>SOCKS5_USER</dt> +<dd> +Used for SOCKS v5 access. +</dd> +<dt>SOCKS4_USER</dt> +<dd> +Used for SOCKS v4 access. +</dd> +<dt>SOCKS_USER</dt> +<dd> +Used for SOCKS v5 or v4 access and varaibles above are not defined. +</dd> +<dt>HTTP_PROXY_USER</dt> +<dd> +Used for HTTP proxy access. +</dd> +<dt>CONNECT_USER</dt> +<dd> +Used for all type of access if all above are not defined. +</dd> +</dl> + +<p> +Following table describes how user name is determined. +Left most number is order to check. If variable is not defined, +check next variable, and so on. + +</p> + +<table border=1> +<tr align=center><th></th><th>SOCKS v5</th><th>SOCKS v4</th><th>HTTP proxy</th></tr> +<tr align=center><td>1</td><td>SOCKS5_USER</td><td>SOCKS4_USER</td><td rowspan=2>HTTP_PROXY_USER</td></tr> +<tr align=center><td>2</td><td colspan=2>SOCKS_USER</td></tr> +<tr align=center><td>3</td><td colspan=3>CONNECT_USER</td></tr> +<tr align=center><td>4</td><td colspan=3><i>(query user name to system)</i></td></tr> +</table> + +<h2><a name="sec11" id="sec11"></a>Specifying password via environment variables</h2> + +<p> +There are 5 environemnt variables to specify +password. If you use this feature, please note that it is +not secure way. + +</p> + +<dl> +<dt>SOCKS5_PASSWD</dt> +<dd> +Used for SOCKS v5 access. This variables is compatible + with NEC SOCKS implementation. +</dd> +<dt>SOCKS5_PASSWORD</dt> +<dd> +Used for SOCKS v5 access if SOCKS5_PASSWD is not defined. <<Diff was trimmed, longer than 597 lines>> _______________________________________________ pld-cvs-commit mailing list pld-cvs-commit@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
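Review bot: the user-name lookup table near the end of the visible hunk (`<table border=1>`, `<tr align=center>`, `<td rowspan=2>`, `<td colspan=2>`) uses unquoted attribute values and `align` on `<tr>`, which is not well-formed XML and not valid under the XHTML 1.0 Strict doctype and `<?xml ...?>` prolog declared at the top of the hunk; quote every value (`border="1"`, `rowspan="2"`) and move the centering into the stylesheet the page already links (`emacs-wiki.css`). In the head, `<meta http-equiv="Content-Type" content="us-ascii" />` should carry a MIME type, `content="text/html; charset=us-ascii"`, since a bare charset is not a valid Content-Type value. The usage synopsis (`-H [EMAIL PROTECTED]:port]]`, `-S [EMAIL PROTECTED]:port]]`), the `rev="made"` link and the DeleGate anchor (`class="nonexistent" href="mailto:[EMAIL PROTECTED]"`) show the list archiver's address mangling rather than the committed text, so please confirm in the file itself that the `[user@]host[:port]` forms survived; the DeleGate reference pointing at a mailto: instead of the project page looks wrong either way. In the "Specifying password via environment variables" section, "please note that it is not secure way" would serve users better if it said why: environment variables are inherited by every child process the shell starts and can be exposed through shell history and process inspection, so the tty and ssh-askpass prompts the same page describes are the safer route. The typos in the added prose ("hisotry" in the contents, "Buf fix" in the news, "specifys", "environemnt", "usefull", "varaibles") are upstream text, but worth reporting to the author rather than carrying in the package.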