www wrapper for SSH

thebigslide · Posted: Sun Jan 16, 2005 9:18 pm Post subject: www wrapper for SSH

Does anyone know of a good www wrapper for ssh? I have a proxy at work that won't pass anything that isn't a http or https request (it examines the header). I want to run a webserver on a routable box that will ask me for a login and then display a terminal of a chrooted environment. Does anyone know of an existing package that will do this, or do I have to write something? I don't think it would be hard to write that in php. If no one knows of an existing package, please tell me and I will write something. Just learning PHP and I want to try it out.

ElGuido · n00b Joined: 24 Apr 2003 Posts: 74

Been a long time since I've used it but I think this is in webmin.

K Rgds,

G

thebigslide · Posted: Sun Jan 16, 2005 11:05 pm Post subject:

Yeah.... I don't want to run webmin on a routable webserver tho....

setagllib · n00b Joined: 15 Dec 2004 Posts: 53

ssh in PHP actually *is* pretty difficult, because of the complicated crypto involved which you may or may not have available. You're better off writing a hack (C) on your home server that uses HTTP as a tunnel; I can do it in a weekend (I've already written a web server myself). On your client end, make a hack that encapsulates incoming crap in this tunnel, and sends it off as a HTTP request to your machine; that unpacks it and the SSH server sees it as a local connection.

It's a LOT of overhead since you effectively have a whole HTTP sesssion per payload, so pray you have unlimited downloads and everything. It will, however, be the l33test possible solution to your problem. I'm willing to try my hand at developing such a hack.
_________________
My other computer is your Windows box.

thebigslide · Posted: Mon Jan 17, 2005 1:01 am Post subject:

heh, I imaging that making a php ssh client would be more difficult, I, however, simply wanted to make a login page that hashes a password and continuously passes a password hash via GET. Then give the user a 1 line textbox and a scrolling text window. Have the textbox run a system command when hitting submit and put the result in the textbox.

Very ghetto. :lol:

Done over https, this would work securely as long as the commands are executed in a chrooted environment.

Alternatively, the command output could be buffered through a file so that they aren't displayed all at once when the command terminates.

setagllib · n00b Joined: 15 Dec 2004 Posts: 53

That's not how ssh itself works. It actually takes over its controlling terminal and the server simulates a terminal for applications to live in. Your hack might work okay for very very simple line-buffered IO, but it is doomed if any curses/etc work is involved.

My hack doesn't care about terminals or even protocols, it would just be tunneling over HTTP[S]. It could scale up to allow any kind of connection really. If all the proxy cares about is the header (exactly how much of the header? as in, how much of the standard has to be complied with?) then it's a very simple encapsulation job.

I'll see if I can design something now. Just for fun, even if not to solve your problem.
_________________
My other computer is your Windows box.

thebigslide · Posted: Mon Jan 17, 2005 1:37 am Post subject:

I'm not sure how much of the header the proxy looks at, I just know that when I tried running ssh on port 80, it didn't work because the proxy closed the connection. Never thought about the curses thing. I might take apart webmin and reverse engineer something too. Race ya? I don't get home for another 2.5 hours. Would your solution need a special client?

dannycool · Posted: Mon Jan 17, 2005 2:38 am Post subject:

It can't examine https headers as https is encrypted. Proxies aren't supposed to decrypt it. That would sort-of undermine the whole idea.

However if your proxy doesn't decrypt, but just passes through https, the easy way is to run a sshd on port 443 on an outside host, and use a ssh connect script (ProxyCommand directive in .ssh/config).

thebigslide · Posted: Mon Jan 17, 2005 2:52 am Post subject:

Are you sure the https header is encrypted? Also, since the proxy is the middleman for the entire server/browser conversation, it is able to decode the packets just as easily as the client.

ryceck · Apprentice Joined: 13 Jan 2004 Posts: 195

So if I get ur drift u want to connect to ur server through a firewall which only allows http/https... What is the problem?
Https == encrypted binary data, ssh == encrypted binary data.

Create on ur server an iptables ruling:

setagllib · n00b Joined: 15 Dec 2004 Posts: 53

As an author of a HTTPS server, yes, the header is encrypted (it's simple: it's just a whole HTTP session transparently wrapped in an SSL session)

As a person with logic, no, the proxy should NEVER know either the client or server's public key, let alone the key negotiated for symmetric encryption. As said, this would completely kill the point of HTTPS.

How does the proxy do it then? That does sound strange. Maybe it looks for an SSL handshake (which does have a definite ring to it, including an SSL connection - which is NOT the same as an SSH authentication), so really all you need is an SSL tunnel. It might notice more than one packet being sent in both directions though, especially the client sending stuff AFTER the server sends its load (which should never happen in real HTTP[S]).
_________________
My other computer is your Windows box.

thebigslide · Posted: Mon Jan 17, 2005 5:01 pm Post subject:

You know, I always just assumed it was examining packets on BOTH ports 443 and 80. I never tried 443...
I will today

era3 · Posted: Sat Jan 29, 2005 4:33 pm Post subject:

I am really interested in firing up a ssh session (putty plus vnc) through a firewal that blocks port 22 but allows http and https.

From this thread I am understanding that it is possible, but I have really not undertood how.

Could someone post what is needed and a very shor and quick how-to ?