Since I didn't hear anything about a current SSH through SSL proxy "solution", 
(specifically for Windows clients), I went ahead and whipped up a Perl script 
based on another script that I had sitting in the SSH mail directory.

It can either run as a UNIX or Windows tunnel script through a proxy server 
supporting the "CONNECT" command.  (note that a properly setup proxy will only 
forward connections to the SSL ports (443 and 563))  The Windows version was 
only tested with the ActiveState Perl interpreter (www.activestate.com), the 
UNIX version works with the standard Perl interpreter.

It's fairly simple and works nicely from my tests.  Read the comments in the 
script for more info.

#!/usr/local/bin/perl
#
# Usage: ssh-tunnel.pl [daemon port] ssl-proxy port destination_host port
#
# This script can be used by ssh to traverse a www-proxy/firewall that
# supports the http CONNECT command. (Note: Properly setup proxies that allow
# CONNECT will only allow a connection through to SSL ports (443 and 563
# according to squid.))
#
# Example-- connect to host named "remote" outside of your firewall:
#
# $ ssh remote -o'ProxyCommand ssh-tunnel.pl www-proxy 8080 remote 443'
#
# Better yet, insert the ProxyCommand definition for host "remote" in
# your $HOME/.ssh/config file:
#
#      .
#      .
#    Host remote
#      ProxyCommand /usr/local/bin/ssh-tunnel.pl www-proxy 8080 %h %p
#      .
#      .
#
# Originally written by Urban Kaveus <[EMAIL PROTECTED]>
#
# Updated by Theo Van Dinter <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]> 4/28/1999
#  I use TTSSH under Windows which doesn't support the proxycommand option.
#  I made some modifications to this script to help with that:
#   1- The script no longer forks to do IO.  Now uses IO::Select to deal with
#      multiple filehandles at once.
#   2- The script can optionally "daemonize" itself and sit on a port.  When
#      a connection is established, the tunnelling process will commence.
#      Add in the optional port # to listen to as the first commandline param.
#      Ex: "ssh-tunnel 2345 www-proxy 8080 remotehost 443", then start SSH:
#          "ssh localhost -p 2345".
#   3- Tested with ActivePerl (Win32)/TeraTerm/TTSSH and UNIX Perl/SSH client.
#
use strict;
use warnings;
use Socket;
use IO::Select;

# With five arguments, the first one is the local port to listen on.
my $dport;
$dport = shift if ( @ARGV > 4 );
my ($sslproxy,$proxyport,$destination,$destport) = @ARGV;

die "Usage: $0 [daemon port] ssl-proxy port destination port\n"
        unless ( $sslproxy && $proxyport && $destination && $destport );

# Set up network communication
my $protocol = getprotobyname("tcp");
my ($fhin, $fhout);

if ( $dport ) { # do "daemon" thing: accept a single local connection.
        socket(INC, PF_INET, SOCK_STREAM, $protocol) || die "socket:$!";
        setsockopt(INC, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) || die "setsockopt:$!";
        bind(INC, sockaddr_in($dport, INADDR_ANY)) || die "bind: $!";
        listen(INC, 1) || die "listen:$!";
        accept(OUT, INC) || die "accept:$!";
        $fhin = $fhout = \*OUT;
}
else { # STDIN/STDOUT used ...
        $fhin = \*STDIN;
        $fhout = \*STDOUT;
}

# connect to proxy server ...
my $proxyaddr = inet_aton($sslproxy)
    or die("Failed to resolve proxy host $sslproxy");
socket(PROXY, PF_INET, SOCK_STREAM, $protocol) or
    die("Failed to create socket:$!");
connect(PROXY, sockaddr_in($proxyport, $proxyaddr)) or
    die("Failed to connect to $sslproxy port $proxyport:$!");

# Force flushing of socket buffers
foreach ( \*PROXY, $fhin, $fhout ) {
        select($_); $|=1;
}

# Send a "CONNECT" command to proxy:
my $request = "CONNECT $destination:$destport HTTP/1.0\r\n\r\n";
syswrite(PROXY, $request, length($request)) || die "write to proxy:$!";

# Read the proxy's reply with sysread rather than <PROXY>: a buffered read
# can pull in bytes that follow the header (e.g. the SSH server's banner),
# and the sysread loop below would never see them.
my $response = '';
until ( $response =~ /\r?\n\r?\n/ ) {
        my $n = sysread(PROXY, $response, 4096, length($response));
        die "Proxy closed the connection before sending a complete reply\n"
            unless ( $n );
}
my ($header, $leftover) = split(/\r?\n\r?\n/, $response, 2);

# Check the HTTP status code, bail out if you don't get back a 2xx code.
my ($status) = (split(/\s+/, $header))[1];
$status = '' unless ( defined($status) );
die "Received a bad status code \"$status\" from proxy server.\n"
    if ( $status !~ /^\d+$/ || int($status/100) != 2 );

# Hand over anything that arrived right after the header.
syswrite($fhout, $leftover, length($leftover)) if ( length($leftover) );

# Start copying packets in both directions.
my $s = IO::Select->new($fhin, \*PROXY);

while ( 1 ) {
        foreach my $fh ( $s->can_read(10) ) {
                my $num = sysread($fh, my $buf, 4096);
                # undef means a read error, 0 means EOF: the tunnel is done.
                exit unless ( $num );
                my $to = ( fileno($fh) == fileno($fhin) ) ? \*PROXY : $fhout;
                syswrite($to, $buf, $num) || die "write:$!";
        }
}
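The CONNECT handshake the script relies on, seen from both ends, as an added example that is not part of the original post or script: `handle_connect` is the proxy-side check that enforces the "SSL ports only" policy the post mentions (443 and 563, as for squid), and `parse_proxy_reply` is the client-side status check, returning any bytes that arrive after the header so they are not lost. Both functions, names and sample messages are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Ports a properly set up proxy forwards CONNECT to (443 and 563, per the
# post); any other destination port is refused.
SSL_PORTS = {443, 563}


def handle_connect(request: bytes) -> Tuple[bytes, Optional[Tuple[str, int]]]:
    """Proxy side: parse the CONNECT request line and apply the port policy.
    Returns (reply bytes, (host, port) to tunnel to, or None when refused)."""
    line = request.split(b"\n", 1)[0].rstrip(b"\r").decode("latin-1")
    m = re.fullmatch(r"CONNECT\s+([^\s:]+):(\d{1,5})\s+HTTP/1\.[01]", line)
    if not m:
        return b"HTTP/1.0 400 Bad Request\r\n\r\n", None
    host, port = m.group(1), int(m.group(2))
    if port not in SSL_PORTS:
        # Refusing port 22 here is what makes a "properly set up" proxy
        # unusable as a generic TCP relay; ssh-tunnel.pl targets 443 instead.
        return b"HTTP/1.0 403 Forbidden\r\n\r\n", None
    return b"HTTP/1.0 200 Connection established\r\n\r\n", (host, port)


def parse_proxy_reply(data: bytes) -> Tuple[int, bytes]:
    """Client side (what ssh-tunnel.pl does): extract the status code from the
    proxy's reply and return the bytes that followed the header, which the
    tunnel must pass on to ssh rather than discard."""
    header, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        header, sep, rest = data.partition(b"\n\n")
    if not sep:
        raise ValueError("incomplete proxy reply")
    parts = header.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line")
    return int(parts[1]), rest


def tunnel_established(data: bytes) -> bool:
    """The 2xx test the script applies to the proxy's reply."""
    code, _ = parse_proxy_reply(data)
    return code // 100 == 2


if __name__ == "__main__":
    # Constructed sample exchange: ssh-tunnel.pl's request and a proxy reply
    # with the SSH banner already appended.
    print(handle_connect(b"CONNECT remote:443 HTTP/1.0\r\n\r\n"))
    print(handle_connect(b"CONNECT remote:22 HTTP/1.0\r\n\r\n"))
    print(parse_proxy_reply(b"HTTP/1.0 200 Connection established\r\n\r\nSSH-2.0-x\r\n"))
```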
-- 
Randomly Generated Tagline:
I'd love to, but I have to fulfill my destiny.