sshd on port 443

2003-02-11 Thread Andrew Beattie
[EMAIL PROTECTED] writes:
>However, it only allows CONNECT to a remote port of 443.
>
>(Which is why I'm looking for someone nice who'll run an sshd on port 443
>that he'll let me use.

I happen to know of a machine that has a whole IP address kept free just
so that we can put sshd on any port we please: 212.74.28.149

We're not actually using it at the moment, but the thought was there :-)

Andrew






Re: sshd on port 443

2003-02-11 Thread Peter Sergeant

On Tue, Feb 11, 2003 at 10:14:42PM -, Andrew Beattie wrote:
> [EMAIL PROTECTED] writes:
> >However, it only allows CONNECT to a remote port of 443.
> >
> >(Which is why I'm looking for someone nice who'll run an sshd on port 443
> >that he'll let me use.

I don't recall seeing the parent message to this, but I have a machine
running sshd on port 443, that I guess I'd be happy to give out the odd
shell-account on...

+Pete




Re: sshd on port 443

2003-02-12 Thread Newton, Philip
Peter Sergeant wrote:
> I have a machine running sshd on port 443, that I guess I'd be
> happy to give out the odd shell-account on...

That would be much appreciated.

Cheers,
Philip
[email copies are appreciated, since I read the digest]
-- 
Philip Newton <[EMAIL PROTECTED]>
All opinions are my own, not my employer's.
If you're not part of the solution, you're part of the precipitate.




Re: sshd on port 443

2003-02-12 Thread Newton, Philip
Andrew Beattie wrote:
> I happen to know of a machine that has a whole IP address 
> kept free just so that we can put sshd on any port we
> please: 212.74.28.149
> 
> We're not actually using it at the moment, but the thought was 
> there :-)

Hm... if you do put an sshd on :443, could I have an account there?

Cheers,
Philip
[email copies appreciated, since I read the digest]
-- 
Philip Newton <[EMAIL PROTECTED]>
All opinions are my own, not my employer's.
If you're not part of the solution, you're part of the precipitate.




Re: sshd on port 443

2003-02-12 Thread CyberTiger

Ok, so the upshot is, you cheat the restrictions, and ssh via a web proxy,
the same way https tunnels through a web proxy.

Stuff that comes to mind:

The web cache may timeout the connection.

Other ports:

I just checked our squid config, and the ports that you could do this with
(with the default config) are 443 and 563 (using CONNECT).

563 is TLS-wrapped NNTP.

So 563 might be a good candidate for your ssh daemon port. (especially if
you're using squid).

Also, you may wish to consider other possible things to forward.

You could setup your own VPN using pppd running off a tcp port.
(probably with a TLS wrapper).

Even better, it'd be a TLS connection... so completely indistinguishable
from a normal CONNECT request, even with the data.

My two cents.. nice idea ;)

-Antony
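The squid directives behind the two-port observation above, added here as an illustration rather than quoted from the original post. These are the stock default lines for the CONNECT method; a site's squid.conf may have been edited, so check the running config rather than assuming these:

```conf
# Ports squid will accept CONNECT to (stock default: HTTPS and TLS-wrapped NNTP)
acl SSL_ports port 443 563
acl CONNECT method CONNECT

# Refuse CONNECT to anything not listed in SSL_ports
http_access deny CONNECT !SSL_ports
```

The practical consequence for the thread is that an sshd listening on 443 or 563 is reachable through a default squid, but one on 22 is not, whatever the client does.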





Re: sshd on port 443

2003-02-12 Thread Lusercop
On Wed, Feb 12, 2003 at 04:23:46AM -0800, Randal L. Schwartz wrote:
> /me averts his eyes of the entire thread and points people to
>   

In a parallel to UINE, EINI.

-- 
Lusercop.net - LARTing Lusers everywhere since 2002




Re: sshd on port 443

2003-02-12 Thread Newton, Philip
CyberTiger wrote:
> The web cache may timeout the connection.

Yes :) As I just found out.

Using [the ssh connection Pete kindly provided] for five minutes: all is
fine. (Damn English lack of precedence operators.)

Leave it sitting around for five minutes: the window is gone.

Still: a huge improvement on what I had before.

Cheers,
Philip
-- 
Philip Newton <[EMAIL PROTECTED]>
All opinions are my own, not my employer's.
If you're not part of the solution, you're part of the precipitate.




Re: sshd on port 443

2003-02-12 Thread Randal L. Schwartz
> "CyberTiger" == CyberTiger <[EMAIL PROTECTED]> writes:

CyberTiger> Ok, so the upshot is, you cheat the restrictions, and ssh
CyberTiger> via a web proxy, the same way https tunnels through a web
CyberTiger> proxy.

/me averts his eyes of the entire thread and points people to
  

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!




Re: sshd on port 443

2003-02-12 Thread Newton, Philip
Lusercop wrote:
> On Wed, Feb 12, 2003 at 04:23:46AM -0800, Randal L. Schwartz wrote:
> > /me averts his eyes of the entire thread and points people to
> >   
> 
> In a parallel to UINE, EINI.

What does that mean?

Cheers,
Philip
[email copies appreciated, as I read the digest]
-- 
Philip Newton <[EMAIL PROTECTED]>
All opinions are my own, not my employer's.
If you're not part of the solution, you're part of the precipitate.




Re: sshd on port 443

2003-02-12 Thread the hatter
On Wed, 12 Feb 2003, Newton, Philip wrote:

> CyberTiger wrote:
> > The web cache may timeout the connection.
>
> Yes :) As I just found out.
>
> Using [the ssh connection Pete kindly provided] for five minutes: all is
> fine. (Damn English lack of precedence operators.)
>
> Leave it sitting around for five minutes: the window is gone.
>
> Still: a huge improvement on what I had before.

Ask the server to use KeepAlive ?


the hatter





Re: sshd on port 443

2003-02-12 Thread Lusercop
On Wed, Feb 12, 2003 at 02:44:07PM +0100, Newton, Philip wrote:
> Lusercop wrote:
> > On Wed, Feb 12, 2003 at 04:23:46AM -0800, Randal L. Schwartz wrote:
> > > /me averts his eyes of the entire thread and points people to
> > >   
> > In a parallel to UINE, EINI.
> What does that mean?

UINE => "Usenet Is Not Email"
EINI => "Email Is Not IRC"

-- 
Lusercop.net - LARTing Lusers everywhere since 2002




Re: sshd on port 443

2003-02-12 Thread CyberTiger
On Wed, 12 Feb 2003, the hatter wrote:
> On Wed, 12 Feb 2003, Newton, Philip wrote:
>
> > CyberTiger wrote:
> > > The web cache may timeout the connection.
> >
> > Yes :) As I just found out.
> >
> > Using [the ssh connection Pete kindly provided] for five minutes: all is
> > fine. (Damn English lack of precedence operators.)
> >
> > Leave it sitting around for five minutes: the window is gone.
> >
> > Still: a huge improvement on what I had before.
>
> Ask the server to use KeepAlive ?
>

No can do, it's in squid's config, and it's the maximum time for any ssh
connection. (default 2 minutes).

Assuming it's squid that is.

Notably, on the subject, the current version of PuTTY will ssh via a web
proxy (it's under the connection settings).

-CT





Re: sshd on port 443

2003-02-12 Thread Jody Belka
Newton, Philip said:
> Using [the ssh connection Pete kindly provided] for five minutes: all is
> fine. (Damn English lack of precedence operators.)
>
> Leave it sitting around for five minutes: the window is gone.
>

have you tried turning keep-alives on?


Jody






Re: sshd on port 443

2003-02-12 Thread Lusercop
On Wed, Feb 12, 2003 at 06:00:22AM -0800, Randal L. Schwartz wrote:
> > "Newton," == Newton, Philip <[EMAIL PROTECTED]> writes:
> Newton,> Leave it sitting around for five minutes: the window is gone.
> Sometimes, I find it very useful that I perform all of my shell work
> inside an emacs shell window, since emacs keeps the updated time of
> day in the modeline.

See also: http://dotat.at/prog/misc/spinner.c

-- 
Lusercop.net - LARTing Lusers everywhere since 2002




Re: sshd on port 443

2003-02-12 Thread Newton, Philip
the hatter wrote:
> On Wed, 12 Feb 2003, Newton, Philip wrote:
> 
> > CyberTiger wrote:
> > > The web cache may timeout the connection.
> >
> > Yes :) As I just found out.
> 
> Ask the server to use KeepAlive ?

Suggestions welcome. How would that work? Add a header "Connection:
Keep-Alive\r\n" to the negotiation phase, the one where I send "CONNECT
host:port HTTP/1.0\r\n"?

(Of course, that would mean I'd be back to using my home-grown proxy, rather
than relying on the proxy support that's built in to PuTTY. Still, if it'll
help, it's worth trying.)

Cheers,
Philip
[email copies appreciated, as I read the digest]
-- 
Philip Newton <[EMAIL PROTECTED]>
All opinions are my own, not my employer's.
If you're not part of the solution, you're part of the precipitate.




Re: sshd on port 443

2003-02-12 Thread Newton, Philip
CyberTiger wrote:
> On Wed, 12 Feb 2003, the hatter wrote:
> > Ask the server to use KeepAlive ?
> 
> No can do, it's in squid's config, and it's the maximum time 
> for any ssh connection. (default 2 minutes).
> 
> Assuming it's squid that is.

Nope; Microsoft IAS or something like that, in my case.

> Notably, on the subject, the current version of PuTTY will 
> ssh via a web proxy (it's under the connection settings).

Indeed :) *happy*

Cheers,
Philip
[email copies appreciated, since I read the digest]
-- 
Philip Newton <[EMAIL PROTECTED]>
All opinions are my own, not my employer's.
If you're not part of the solution, you're part of the precipitate.




Re: sshd on port 443

2003-02-12 Thread Newton, Philip
Randal L. Schwartz wrote:
> 
> > "Newton," == Newton, Philip 
> <[EMAIL PROTECTED]> writes:
> 
> Newton,> Leave it sitting around for five minutes: the window is gone.
> 
> Sometimes, I find it very useful that I perform all of my shell work
> inside an emacs shell window, since emacs keeps the updated time of
> day in the modeline.
> 
> Maybe you too will be warming up to this idea.

Not very likely :)

Lusercop wrote:
> See also: http://dotat.at/prog/misc/spinner.c

This looks interesting, though.

Jody Belka wrote:
> have you tried turning keep-alives on?

How do I do that?

Cheers,
Philip
[email copies appreciated, since I read the digest]
-- 
Philip Newton <[EMAIL PROTECTED]>
All opinions are my own, not my employer's.
If you're not part of the solution, you're part of the precipitate.




Re: sshd on port 443

2003-02-12 Thread Newton, Philip
Lusercop wrote:
> 
> See also: http://dotat.at/prog/misc/spinner.c

Nifty. However, the window change thing doesn't seem to work when the job is
started in the background as 'spinner &' (neither on the OpenBSD system I
ssh in to nor in a couple of Linux systems I tried from there), and starting
it in the foreground rather precludes useful work.

(Though explicitly activating it when I know I won't be typing for the next
little bit works, but it requires remembering beforehand, and it means I
can't use it to keep the connection open while some little program crunches
data without any output for a while.)

Still, nifty. And except for the window resizing, seems to work fine in the
background.

Many thanks for bringing that to my attention!

Cheers,
Philip
[email copies appreciated, since I read the digest]
-- 
Philip Newton <[EMAIL PROTECTED]>
All opinions are my own, not my employer's.
If you're not part of the solution, you're part of the precipitate.




Re: sshd on port 443

2003-02-12 Thread Jody Belka
Newton, Philip said:
> Jody Belka wrote:
>> have you tried turning keep-alives on?
>
> How do I do that?

i think you said you're using putty, yes?  if so, it has an option to send
null packets to keep the session active. that's what i was thinking of.


Jody






Re: sshd on port 443

2003-02-12 Thread the hatter
On Wed, 12 Feb 2003, Newton, Philip wrote:

> the hatter wrote:
> > On Wed, 12 Feb 2003, Newton, Philip wrote:
> >
> > > CyberTiger wrote:
> > > > The web cache may timeout the connection.
> > >
> > > Yes :) As I just found out.
> >
> > Ask the server to use KeepAlive ?
>
> Suggestions welcome. How would that work? Add a header "Connection:
> Keep-Alive\r\n" to the negotiation phase, the one where I send "CONNECT
> host:port HTTP/1.0\r\n"?
>
> (Of course, that would mean I'd be back to using my home-grown proxy, rather
> than relying on the proxy support that's built in to PuTTY. Still, if it'll
> help, it's worth trying.)

I was meaning KeepAlive as an sshd directive, rather than an HTTP header,
look in /usr/local/etc/sshd_config (or wherever it is) and see if it
already has "KeepAlive yes" in it.  If not, add it, restart sshd, and
cross your digits.


the hatter






Re: sshd on port 443

2003-02-12 Thread Lusercop
On Wed, Feb 12, 2003 at 06:04:52PM +0100, Newton, Philip wrote:
> Lusercop wrote:
> > See also: http://dotat.at/prog/misc/spinner.c

Tony wrote it when chiark.greenend.org.uk was stuck behind a firewall that
timed out connections. Chiark had previously been plugged into the ISP
(NetConnect)'s backbone network. Somehow, NetConnect believed that putting
a firewall in the way, protected chiark, or their other customers from
chiark or something. Either way, they refused to disable the obviously
service-impeding connection tracking when asked, and as a result, chiark
is now hosted by blackcatnetworks.co.uk. If the timeout is as low as 5
mins, it may be that you want to spin it faster than one tick every 60s.
The timeout on the NetConnect firewall was around 40mins IIRC.

-- 
Lusercop.net - LARTing Lusers everywhere since 2002




Re: sshd on port 443

2003-02-12 Thread Newton, Philip
the hatter wrote:
> I was meaning KeepAlive as an sshd directive, rather than an 
> HTTP header, look in /usr/local/etc/sshd_config (or wherever
> it is) and see if it already has "KeepAlive yes" in it.  If
> not, add it, restart sshd, and cross your digits.

Ah, OK. It's not my sshd, so I'm a bit at the mercy of the sysadmin :)

Jody Belka wrote:
> i think you said you're using putty, yes?  if so, it has an
> option to send null packets to keep the session active. that's
> what i was thinking of.

Ah -- found it, thanks. I'll try that out.

The spinner managed to keep my connection alive for quite a while now...
let's see whether the "null packet keep-alive" thing also works. That would
be even niftier.

Cheers,
Philip
[email copies appreciated, since I read the digest]
-- 
Philip Newton <[EMAIL PROTECTED]>
All opinions are my own, not my employer's.
If you're not part of the solution, you're part of the precipitate.




Re: sshd on port 443

2003-02-12 Thread Newton, Philip
Lusercop wrote:
> If the timeout is as low as 5 mins, it may be that you want to
> spin it faster than one tick every 60s.

I wrote:
> let's see whether the "null packet keep-alive" thing also works.

It does seem to -- kept the window open for quite a while (I tried one null
packet every 60 seconds). When I disabled the option to test it, it
disappeared after not very long.

So I think I can do without the spinner, or if I used it, 60 s should be
enough (though shorter intervals are safer, I think).

Thank you all very much for the help so far in getting this off the ground!
(And it pleases me particularly that I can do this with only PuTTY, since
both the proxy support and the keep-alive bits are supported "natively".)

Cheers,
Philip
[email copies appreciated, since I read the digest]
-- 
Philip Newton <[EMAIL PROTECTED]>
All opinions are my own, not my employer's.
If you're not part of the solution, you're part of the precipitate.




Re: sshd on port 443

2003-02-12 Thread Randal L. Schwartz
> "Lusercop" == Lusercop <`the.lusercop'@lusercop.net> writes:

Lusercop> In a parallel to UINE, EINI.

I don't get either of those.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!




Re: sshd on port 443

2003-02-12 Thread Peter Sergeant
> Nifty. However, the window change thing doesn't seem to work when the job is
> started in the background as 'spinner &' (neither on the OpenBSD system I
> ssh in to nor in a couple of Linux systems I tried from there), and starting
> it in the foreground rather precludes useful work.

I found that too; the workaround is to specify the options explicitly:

./spinner -s "/-\|" 0.5 &

+Pete




Re: sshd on port 443

2003-02-12 Thread Struan Donald
* at 12/02 17:25 - Jody Belka said:
> Newton, Philip said:
> > Jody Belka wrote:
> >> have you tried turning keep-alives on?
> >
> > How do I do that?
> 
> i think you said you're using putty, yes?  if so, it has an option to send
> null packets to keep the session active. that's what i was thinking of.

This may not always work. I know the adsl router I have here doesn't
honour ssh's ProtocolKeepAlives option, although it has worked in the
past with other routers.

s




Re: sshd on port 443

2003-02-12 Thread Randal L. Schwartz
> "Newton," == Newton, Philip <[EMAIL PROTECTED]> writes:

Newton,> Leave it sitting around for five minutes: the window is gone.

Sometimes, I find it very useful that I perform all of my shell work
inside an emacs shell window, since emacs keeps the updated time of
day in the modeline.

Maybe you too will be warming up to this idea.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!




Re: sshd on port 443

2003-02-13 Thread Newton, Philip
Peter Sergeant wrote:
> > Nifty. However, the window change thing doesn't seem to 
> > work when the job is started in the background
> 
> I found that too, the work around is to specify the options 
> explicitly:
> 
> ./spinner -s "/-\|" 0.5 &

Just tried that; no dice. Resizing the window doesn't change the position
where the twirling baton is displayed.

Not a problem unless you like to resize your windows often (and can't be
bothered to stop and re-start the background process).

Cheers,
Philip
[email copies appreciated, since I read the digest]
-- 
Philip Newton <[EMAIL PROTECTED]>
All opinions are my own, not my employer's.
If you're not part of the solution, you're part of the precipitate.




Re: sshd on port 443

2003-02-13 Thread Mark Fowler
On Wed, 12 Feb 2003, Peter Sergeant wrote:

> ./spinner -s "/-\|" 0.5 &

If sending null bytes doesn't work, maybe you could send escape codes to
change the title of your xterm.

perl -e '$|=1; while(1) { print "\e]2;".localtime()."\a"; sleep 60 }'

I'm not entirely sure what will happen if something else is printing at
the same time as that script tries to print - it shouldn't be a problem,
but I guess it depends on your implementation.

Mark.

-- 
#!/usr/bin/perl -T
use strict;
use warnings;
print q{Mark Fowler, [EMAIL PROTECTED], http://twoshortplanks.com/};




Re: sshd on port 443

2003-02-13 Thread CyberTiger

Ok... A few things.


The http header:
"Connection: KeepAlive;"

Almost certainly will do nothing, as this normally applies to allowing
multiple requests to the web proxy, and does not have anything to do with
the duration of a single connection.

In case you still wish to try this, send the following to the proxy:

"CONNECT : HTTP/1.0\r\nConnection: KeepAlive;\r\n\r\n"

You'll need to read the http response from the web proxy, and junk it.

The response should look something like:

"HTTP/1.0 200 \r\n\r\n"

TCP KeepAlives are also unlikely to work, unless your web proxy is really
really dumb.

TCP KeepAlives basically work by sending an empty TCP packet (i.e. no
data), which causes a response from the remote end. Only very, very poor
proxy software would actually forward empty packets on, because this
should be transparent at the OS level, which is where the web proxy should
(tm) be running. Of course, this will work correctly if your web proxy is
outside of the firewall that's doing the timing out of connections, but
not if it's inside.

(Sidenote: because some OS's don't respond to empty tcp packets, some
operating systems send a TCP packet, which contains 1 byte of data, which
has already been received, causing a response).

The best idea so far, seems to be to print control codes with no side
effects from a background process. Or even control codes which will be
ignored, as they're invalid. (I loved the clock in the title bar one)

-Antony
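The CONNECT exchange described in Antony's two messages above (a proxy that only permits CONNECT to 443 and 563, the request line the client sends, and the HTTP reply that has to be read off the wire before the ssh stream begins), worked through as an added Python example that is not part of the original thread. The "proxy" and "sshd" are constructed stand-ins on loopback, `shell.example.org`, the banners and the port ACL are assumptions, and the example also shows the detail a hand-rolled client gets wrong when it "junks" the reply: bytes after the proxy's blank line already belong to the tunnel.

```python
import socket
import threading

# Squid's default SSL_ports ACL permits CONNECT only to 443 and 563 (as noted above).
ALLOWED_CONNECT_PORTS = {443, 563}
# Constructed banner for the stand-in sshd; not a real OpenSSH version string.
BANNER = b"SSH-2.0-OpenSSH_example\r\n"


def build_connect_request(host, port, keepalive=False):
    """Build the CONNECT request a client sends to an HTTP proxy."""
    lines = [f"CONNECT {host}:{port} HTTP/1.0", f"Host: {host}:{port}"]
    if keepalive:  # accepted by proxies, but does not extend a CONNECT idle timeout
        lines.append("Connection: Keep-Alive")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(data):
    """Return (status code, bytes that followed the proxy's header block).

    Bytes after the blank line already belong to the tunnelled stream (the sshd
    version banner can arrive in the same read), so they must not be discarded.
    """
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP status line: %r" % status_line)
    return int(parts[1]), rest


def open_tunnel(proxy, target_host, target_port, keepalive=False):
    """Issue CONNECT through proxy=(host, port); return (socket, leftover bytes)."""
    sock = socket.create_connection(proxy, timeout=5)
    try:
        sock.sendall(build_connect_request(target_host, target_port, keepalive))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection before replying")
            buf += chunk
        status, rest = parse_connect_response(buf)
        if status != 200:
            raise ConnectionError("proxy refused CONNECT: %d" % status)
        return sock, rest
    except Exception:
        sock.close()
        raise


def _fake_proxy(listener, n_clients):
    """Stand-in proxy: enforce the port ACL, then play the far end of the tunnel."""
    for _ in range(n_clients):
        conn, _ = listener.accept()
        with conn:
            req = b""
            while b"\r\n\r\n" not in req:
                req += conn.recv(4096)
            method, target, _ = req.split(b" ", 2)
            if method != b"CONNECT" or int(target.rsplit(b":", 1)[1]) not in ALLOWED_CONNECT_PORTS:
                conn.sendall(b"HTTP/1.0 403 Forbidden\r\n\r\n")
                continue
            # The 200 and the (constructed) sshd banner go out in one write, so the
            # client sees tunnel data right behind the header block.
            conn.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n" + BANNER)
            conn.sendall(conn.recv(4096))  # one echoed round trip stands in for relaying


def demo():
    """CONNECT to port 22 (refused by the ACL) and to 443 (tunnelled); return what happened."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(2)
    worker = threading.Thread(target=_fake_proxy, args=(listener, 2), daemon=True)
    worker.start()
    proxy = listener.getsockname()
    results = {}
    try:
        open_tunnel(proxy, "shell.example.org", 22)
    except ConnectionError as exc:
        results["port22"] = str(exc)
    sock, leftover = open_tunnel(proxy, "shell.example.org", 443, keepalive=True)
    with sock:
        results["banner"] = leftover
        sock.sendall(b"SSH-2.0-PuTTY_example\r\n")  # constructed client banner
        results["echo"] = sock.recv(4096)
    worker.join(5)
    listener.close()
    return results


if __name__ == "__main__":
    print(demo())
```

Run it and the first attempt fails with the proxy's 403 while the second hands back a socket plus the banner that arrived glued to the HTTP reply. A real client would pass that socket and the leftover bytes straight to its SSH layer; nothing here touches the idle-timeout problem, which, as the thread concludes, has to be solved by traffic inside the tunnel (PuTTY's null packets or a spinner), not by anything in the CONNECT request.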