1
Is it somehow (preferably easily) possible to hide ssh traffic from an package inspecting firewall. I thought of basically embedding the ssh session in a harmlessly looking TLS session. I found out that it should be possible with socat, but I have no idea how to get this running. I have full admin access on ssh client and server, but a solution in user space would of course be the nicest :-)
In case anyone knows about socat
, here is what I tried (but I am also curious about other solutions):
server:
socat OPENSSL-LISTEN:10000,fork,cipher=aNULL,verify=0 TCP-CONNECT:localhost:22
client:
ssh -o ProxyCommand='socat STDIO OPENSSL-CONNECT:%h:10000,cipher=aNULL,verify=0' theserver
serverlog:
socat[27898] E SSL_accept(): Success
socat[27897] E exiting on signal 11
clientlog:
socat[15953] E SSL_connect(): error:141640B5:SSL routines:tls_construct_client_hello:no ciphers available
ssh_exchange_identification: Connection closed by remote host
According to the manpage, aNull should not raise this error.
Update: Thanks to grawity the tunnel is now successfully established. After that I had trouble finding out that connections from localhost were blocked (set up in /etc/hosts.allow). But now its working fine. Thanks.
1
stunnel
is probably easier to handle, because it was made for this very purpose. – Daniel B – 2017-06-06T05:54:25.133Got this also running. Good idea, thanks. Does also work with user permissions when manually started (not as the system service obviously). – The Omitter – 2017-06-06T12:22:41.820