It would be nice if OpenSSH would have features to circumvent network filters, like SSL tunneling
I am in the network that is behind the Zscaler firewall.

Virtually all ports except 80 and 443 are closed. ssh through any of
ports 80 and 443 is disallowed based on protocol content analysis.


It would be nice if OpenSSH would have some features that would allow
the user to break out of such a network.


I suggest that OpenSSH adds the SSL tunneling feature:

1. The server would have the AllowHttpsTunnels {secret token} setting

2. The client would have the -h {secret token} argument that would tell
it to try the SSL connection when the SSH connection fails, and the -H
{secret token} argument that would instruct the client to only use the
SSL tunnel.

3. In case SSL tunneling is used, the client would establish the SSL
connection, and then it would authenticate the secret token.


The secret token is needed to ensure that deep filters like Zscaler
wouldn't be able to ban such SSL tunnel based on content probing.


SSL might need to have the HTTP protocol embedded into it (making it an
HTTPS tunnel) in case the network filter would probe for it and ban
connections based on its absence.


It is probably possible to do something similar using stunnel but (1) it
is a lot more difficult to set up and (2) it would be blockable based on
content probing because no secret token would be involved.


Without such a feature, more and more users would be unable to use ssh in
more and more situations.



Yuri


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: It would be nice if OpenSSH would have features to circumvent network filters, like SSL tunneling
On Wed, 19 Apr 2023, Yuri wrote:

> I am in the network that is behind the Zscaler firewall.
>
> Virtually all ports except 80 and 443 are closed. ssh through any of ports 80
> and 443 is disallowed based on protocol content analysis.
>
>
> It would be nice if OpenSSH would have some features that would allow the user
> to break out of such network.

You can do everything you need with a ProxyCommand. A good reason *not*
to put such functionality into OpenSSH itself is that firewall vendors
would add a detection for it explicitly and then you're back to square
one, and we're stuck maintaining it.

-d
Re: It would be nice if OpenSSH would have features to circumvent network filters, like SSL tunneling
On Thu, 20 Apr 2023 at 12:04, Yuri <yuri@rawbw.com> wrote:
[...]
> I suggest that OpenSSH adds the SSL tunneling feature:

I don't think this is something we would be interested in doing.

1) it's a pretty niche feature.
2) it would require adding a dependency on OpenSSL's libssl which we
currently do not have.
3) as you note, there are already ways to do this kind of thing via
inetd/proxycommand and/or stunnel.
4) I don't think we'd want to play whack-a-mole with the middlebox
vendors anyway.

If I was trying to do this I'd probably start with stunnel and look at
adding the feature you want to that.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: It would be nice if OpenSSH would have features to circumvent network filters, like SSL tunneling
On Wed, 2023-04-19 at 19:00 -0700, Yuri wrote:
> I am in the network that is behind the Zscaler firewall.
>
> Virtually all ports except 80 and 443 are closed. ssh through any of
> ports 80 and 443 is disallowed based on protocol content analysis.
>
>
> It would be nice if OpenSSH would have some features that would allow
> the user to break out of such network.
>
>
> I suggest that OpenSSH adds the SSL tunneling feature:

Simply set up stunnel4 according to your needs.
This way you can wrap ssh in ssl.

Yours faithfully,
Björn Lässig

Re: It would be nice if OpenSSH would have features to circumvent network filters, like SSL tunneling
On Thu, 20 Apr 2023 at 08:47, Björn Lässig <b.laessig@pengutronix.de> wrote:
>
> On Wed, 2023-04-19 at 19:00 -0700, Yuri wrote:
> > I am in the network that is behind the Zscaler firewall.
> >
> > Virtually all ports except 80 and 443 are closed. ssh through any of
> > ports 80 and 443 is disallowed based on protocol content analysis.
> >
> >
> > It would be nice if OpenSSH would have some features that would allow
> > the user to break out of such network.
> >
> >
> > I suggest that OpenSSH adds the SSL tunneling feature:
>
> Simply set up stunnel4 according to your needs.
> This way you can wrap ssh in ssl.
>
> Yours faithfully,
> Björn Lässig

Yet another alternative would be to use socat on both ends if you're
in control. There are in fact many solutions that would allow you to
do what you want.

Being able to evade security measures is not the purpose of OpenSSH -
and that's a good thing IMHO.

Best regards,

-- Emmanuel Deloget
Re: It would be nice if OpenSSH would have features to circumvent network filters, like SSL tunneling
Here is how I solved this problem:

1. I've built proxytunnel on Windows in Cygwin

2. proxytunnel failed due to an apparent bug with the
SSL_set_tlsext_host_name invocation, so it had to be commented out,
after which proxytunnel worked

3. I've configured proxytunnel in c:\Users\{user_name}\.ssh\config
according to instructions in the GitHub README (ssl had to be enabled,
SSL key check had to be disabled)

4. I've added the http_proxy_connect option to the FreeBSD port
www/nginx that adds the ngx_http_proxy_connect third-party nginx module,
and installed the package with this option enabled

5. I've configured http_proxy_connect according to its GitHub README,
generated self-signed ssl keys, etc.

6. I added another, un-obvious port that the ssh server listens on, for
this purpose.


After this, ssh works through the https tunnel.


There are a lot of steps. I think that this makes this method
inaccessible to most regular users so they would really be locked out of
ssh due to the middlebox filtering.


Hopefully these instructions will help someone.



Best,

Yuri
