How can I use SSH with a SOCKS 5 proxy?

36

14

I have a SOCKS5 proxy set up through PuTTY with port 7777 configured as a dynamic port. I can use Firefox/FileZilla/etc. by configuring them to use a SOCKS proxy with localhost and port 7777. But I can't figure out how to ssh (through Cygwin) to a remote server by using the dynamic port. Is this possible?

I've tried using ProxyCommand via the following method.

  1. Create ~/.ssh/config with the following line:

    ProxyCommand /usr/bin/nc -X connect -x 127.0.0.1:7777 %h %p
    
  2. Run ssh -p22 user@remotehost

The message I get is ssh_exchange_identification: Connection closed by remote host

Rusty Lemur

Posted 2012-07-26T15:09:03.247

Reputation: 513

1

To make a program which does not support SOCKS go through SOCKS, you can use a so-called proxifier; see http://en.wikipedia.org/wiki/Comparison_of_proxifiers . In particular, I recommend my open source tun2socks proxifier ( http://code.google.com/p/badvpn/wiki/tun2socks ).

– Ambroz Bizjak – 2012-07-26T15:34:16.093

Thanks for the comment Ambroz. I need it to work in cygwin, and I see from the wikipedia page on proxifiers that all of the ones it mentions are either not implemented in cygwin or not applicable. Is there a way to get a proxifier to work in cygwin? – None – 2012-07-26T15:41:08.637

You don't need it to specifically support Cygwin. Cygwin programs are in the end just Windows programs, but with a POSIX interface implemented as a library. If a proxifier works on Windows, it should be able to proxify Cygwin programs just fine. – Ambroz Bizjak – 2012-07-26T16:50:09.567

Answers

33

You are using 'connect' for HTTPS as your proxy version; this is from man nc:

    -X proxy_version
        Requests that nc should use the specified protocol when talking to the proxy server. Supported protocols are "4" (SOCKS v.4), "5" (SOCKS v.5) and "connect" (HTTPS proxy). If the protocol is not specified, SOCKS version 5 is used.

So you should use the following to use SOCKS 5:

    ProxyCommand /usr/bin/nc -X 5 -x 127.0.0.1:7777 %h %p

Or simply:

    ProxyCommand /usr/bin/nc -x 127.0.0.1:7777 %h %p

I hope it helps.

Saman Barghi

Posted 2012-07-26T15:09:03.247

Reputation:

The ProxyCommand must be the first line of your `~/.ssh/config`, or else nested inside a specific `Host` section. Not really sure why. It doesn't work if it's the last line in the `~/.ssh/config` – Aaron McDaid – 2016-07-14T19:21:12.373

@AaronMcDaid: From man ssh_config: "For each parameter, the first obtained value will be used." Therefore... global settings need to be before any Host sections. The last line of ~/.ssh/config is part of the final Host section. – mpb – 2017-06-26T02:41:21.453

Worth mentioning is that netcat is in /bin/nc on Debian and Ubuntu. – Per Lundberg – 2018-05-18T10:25:04.047

Thanks Saman, that worked! Also, thanks for the explanation, it helps. – None – 2012-07-26T18:19:33.703
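Why `-X connect` fails against a SOCKS5 listener, shown at the byte level as an added example (not part of the original answer or of nc itself): it builds the first packet each mode sends and models a SOCKS5-only listener's version check per RFC 1928. The function names, the HTTP/1.0 request line and the listener model are assumptions for illustration; `remotehost` and port 22 come from the question.

```python
import struct

def socks5_greeting(methods=(0x00,)):
    """SOCKS5 client hello (RFC 1928): VER=5, NMETHODS, METHODS; 0x00 = no auth."""
    return bytes([0x05, len(methods), *methods])

def socks5_connect(host, port):
    """SOCKS5 CONNECT request using a domain-name address (ATYP=3)."""
    name = host.encode("ascii")
    if not 0 < len(name) < 256 or not 0 < port < 65536:
        raise ValueError("bad host or port")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)

def http_connect(host, port):
    """Opening bytes of an HTTP CONNECT proxy request (headers vary by client)."""
    return f"CONNECT {host}:{port} HTTP/1.0\r\n\r\n".encode("ascii")

def socks5_listener_reply(first_packet):
    """Model of a SOCKS5-only listener reading a client's first packet.
    Returns the method-selection reply, or None when it closes the connection."""
    if len(first_packet) < 2 or first_packet[0] != 0x05:
        return None  # version byte is not 5: not SOCKS5, drop the client
    nmethods = first_packet[1]
    methods = first_packet[2:2 + nmethods]
    if nmethods == 0 or len(methods) != nmethods:
        return None  # truncated or empty method list
    return b"\x05\x00" if 0x00 in methods else b"\x05\xff"

def parse_socks5_connect(request):
    """Listener side: recover (host, port) from a domain-name CONNECT request."""
    if len(request) < 5 or request[:4] != b"\x05\x01\x00\x03":
        raise ValueError("not a SOCKS5 domain-name CONNECT request")
    length = request[4]
    if len(request) != 5 + length + 2:
        raise ValueError("length mismatch")
    host = request[5:5 + length].decode("ascii")
    (port,) = struct.unpack("!H", request[5 + length:])
    return host, port

if __name__ == "__main__":
    # Constructed sample target; "remotehost" and port 22 mirror the question.
    for label, first in (("nc -X 5", socks5_greeting()),
                         ("nc -X connect", http_connect("remotehost", 22))):
        print(f"{label:14} sends {first[:12]!r} -> listener replies "
              f"{socks5_listener_reply(first)!r}")
    print(parse_socks5_connect(socks5_connect("remotehost", 22)))
```

The HTTP request starts with the byte for `C` (0x43) where a SOCKS5 listener expects version byte 0x05, so the listener drops the client before ssh ever sees a banner.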

12

    ssh -o ProxyCommand='nc --proxy-type socks4 --proxy 127.0.0.1:9050 %h %p' user@host

fc19 x86_64, Ncat: Version 6.25

user264910

Posted 2012-07-26T15:09:03.247

Reputation: 121

@ChrisF it is the same as the accepted solution, but it is a one-liner! No need to modify any config file. – j123b567 – 2015-12-02T09:39:07.550

On Gentoo, the right command name is ncat and not nc like on other distros. – j123b567 – 2015-12-02T09:40:18.450

1

This is the nmap ncat program (comes via apt install nmap on APT systems like Ubuntu and Debian), which is different from netcat (be it netcat-openbsd or Hobbit's netcat-traditional).

– Adam Katz – 2016-11-05T00:07:30.273

@suspectus related to @Adam Katz's comment, the proxy-type is socks4 because the nmap ncat program didn't support socks5 until more recently. Indeed, this is an issue even now (Nov 2017), as RHEL 7/CentOS 7 switched to the nmap package but used an older build that does not support socks5 – Randall – 2017-11-27T16:09:08.490

Just curious - why proxy-type socks4? – suspectus – 2013-10-19T09:57:54.403

Can you add a little more explanation to this to say why it's the solution? – ChrisF – 2013-10-19T10:48:37.807

3

tsocks (http://tsocks.sourceforge.net/) is a nice wrapper that uses LD_PRELOAD to make any program use a SOCKS proxy transparently:

    tsocks ssh example.com

Just works; remember to configure the SOCKS proxy IP in /etc/tsocks.conf

neutrinus

Posted 2012-07-26T15:09:03.247

Reputation: 139

It's too complex to have a configuration file – Jiang YD – 2017-03-14T03:10:21.547

1

The following command will do, to just use nc:

    ssh examplehost.com -o "ProxyCommand=nc --proxy localhost:7000 %h %p"

The default is HTTP proxy; there is an HTTP proxy running on port 7000.

Chinglin Wen

Posted 2012-07-26T15:09:03.247

Reputation: 11