Hide ssh traffic from firewall

1

Is it somehow (preferably easily) possible to hide ssh traffic from a packet-inspecting firewall? I thought of basically embedding the ssh session in a harmless-looking TLS session. I found out that it should be possible with socat, but I have no idea how to get this running. I have full admin access on ssh client and server, but a solution in user space would of course be the nicest :-)

In case anyone knows about socat, here is what I tried (but I am also curious about other solutions):

server:

socat OPENSSL-LISTEN:10000,fork,cipher=aNULL,verify=0 TCP-CONNECT:localhost:22

client:

ssh -o ProxyCommand='socat STDIO OPENSSL-CONNECT:%h:10000,cipher=aNULL,verify=0' theserver

serverlog:

socat[27898] E SSL_accept(): Success
socat[27897] E exiting on signal 11

clientlog:

socat[15953] E SSL_connect(): error:141640B5:SSL routines:tls_construct_client_hello:no ciphers available
ssh_exchange_identification: Connection closed by remote host

According to the manpage, aNULL should not raise this error.

Update: Thanks to grawity the tunnel is now successfully established. After that I had trouble finding out that connections from localhost were blocked (set up in /etc/hosts.allow). But now it's working fine. Thanks.

The Omitter

Posted 2017-06-06T03:57:23.653

Reputation: 13

stunnel is probably easier to handle, because it was made for this very purpose. – Daniel B – 2017-06-06T05:54:25.133

Got this also running. Good idea, thanks. Does also work with user permissions when manually started (not as the system service obviously). – The Omitter – 2017-06-06T12:22:41.820

Answers

2

This is commonly done, yes. (Although on the server side, stunnel is more common.)

Your main problem though is cipher=aNULL, which recent TLS libraries might not accept. (Not to mention, firewalls and IDSes might consider such a connection very unusual and suspicious.)

Instead use regular, certificate-authenticated TLS with a self-signed certificate:

openssl req -new -subj "/CN=ponies" -days 365 -extensions v3_req -x509 \
            -out tunnel.crt -newkey rsa:2048 -keyout tunnel.key -nodes

socat OPENSSL-LISTEN:10000,fork,cert=tunnel.crt,key=tunnel.key,verify=0 ...

(This only needs to be done on the server side; clients are unauthenticated by default.)

user1686

Posted 2017-06-06T03:57:23.653

Reputation: 283 655

Thanks a lot for the help. I also had to generate a dh parameter file with openssl dhparam 2048 and add it to server command dhparams=dhparmasfile (after manually compiling a socat version that supported the option…). – The Omitter – 2017-06-06T10:22:22.957

Huh? Does it not support ECDH? – user1686 – 2017-06-06T10:26:59.243

It just complained dh key too short. – The Omitter – 2017-06-06T11:12:34.747
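
Why a `cipher=aNULL` connection looks unusual to an IDS, as the answer notes: the TLS ClientHello travels in cleartext, so the offered cipher suites can be read off the wire. The following is an added example, not code from the original posts; the suite table is a subset of the IANA anonymous suites, and `build_hello` produces constructed sample input rather than captured traffic.

```python
import struct

# IANA cipher-suite IDs with anonymous (unauthenticated) key exchange, the
# kind OpenSSL's "aNULL" string selects. A subset, not an exhaustive list.
ANON_SUITES = {0x0017, 0x0018, 0x0019, 0x001A, 0x001B, 0x0034, 0x003A,
               0x006C, 0x006D, 0x00A6, 0x00A7,
               0xC015, 0xC016, 0xC017, 0xC018, 0xC019}
SCSV = {0x00FF, 0x5600}  # signalling values, not real cipher suites


def client_hello_suites(record: bytes) -> list:
    """Return the cipher-suite IDs offered in one TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:       # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    pos = 4 + 2 + 32             # handshake header, client_version, random
    if len(body) < rec_len or len(body) <= pos or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    pos += 1 + body[pos]                           # skip session_id
    if len(body) < pos + 2:
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack("!H", body[pos:pos + 2])
    raw = body[pos + 2:pos + 2 + n]
    if len(raw) != n or n % 2:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]


def anon_only(record: bytes) -> bool:
    """True when every real suite offered is anonymous."""
    real = [s for s in client_hello_suites(record) if s not in SCSV]
    return bool(real) and all(s in ANON_SUITES for s in real)


def build_hello(suites) -> bytes:
    """Constructed sample ClientHello (no extensions), not captured traffic."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for name, suites in [("anonymous-only offer", [0x0034, 0xC018, 0x00FF]),
                         ("certificate-based offer", [0xC02F, 0x009E, 0x00FF])]:
        print(name, "-> flag" if anon_only(build_hello(suites)) else "-> ok")
```
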