www wrapper for SSH


Post by thebigslide » Sun Jan 16, 2005 9:18 pm

Does anyone know of a good www wrapper for ssh? I have a proxy at work that won't pass anything that isn't a http or https request (it examines the header). I want to run a webserver on a routable box that will ask me for a login and then display a terminal of a chrooted environment. Does anyone know of an existing package that will do this, or do I have to write something? I don't think it would be hard to write that in php. If no one knows of an existing package, please tell me and I will write something. Just learning PHP and I want to try it out.

Post by ElGuido » Sun Jan 16, 2005 10:52 pm

Been a long time since I've used it but I think this is in webmin.

K Rgds,

G

Post by thebigslide » Sun Jan 16, 2005 11:05 pm

Yeah.... I don't want to run webmin on a routable webserver tho....

Post by setagllib » Mon Jan 17, 2005 12:46 am

ssh in PHP actually *is* pretty difficult, because of the complicated crypto involved which you may or may not have available. You're better off writing a hack (C) on your home server that uses HTTP as a tunnel; I can do it in a weekend (I've already written a web server myself). On your client end, make a hack that encapsulates incoming crap in this tunnel, and sends it off as a HTTP request to your machine; that unpacks it and the SSH server sees it as a local connection.

It's a LOT of overhead since you effectively have a whole HTTP session per payload, so pray you have unlimited downloads and everything. It will, however, be the l33test possible solution to your problem. I'm willing to try my hand at developing such a hack.
My other computer is your Windows box.

Post by thebigslide » Mon Jan 17, 2005 1:01 am

heh, I imagine that making a php ssh client would be more difficult, I, however, simply wanted to make a login page that hashes a password and continuously passes a password hash via GET. Then give the user a 1 line textbox and a scrolling text window. Have the textbox run a system command when hitting submit and put the result in the textbox.

Very ghetto. :lol:

Done over https, this would work securely as long as the commands are executed in a chrooted environment.

Alternatively, the command output could be buffered through a file so that they aren't displayed all at once when the command terminates.

Post by setagllib » Mon Jan 17, 2005 1:21 am

That's not how ssh itself works. It actually takes over its controlling terminal and the server simulates a terminal for applications to live in. Your hack might work okay for very very simple line-buffered IO, but it is doomed if any curses/etc work is involved.

My hack doesn't care about terminals or even protocols, it would just be tunneling over HTTP[S]. It could scale up to allow any kind of connection really. If all the proxy cares about is the header (exactly how much of the header? as in, how much of the standard has to be complied with?) then it's a very simple encapsulation job.

I'll see if I can design something now. Just for fun, even if not to solve your problem.
My other computer is your Windows box.

Post by thebigslide » Mon Jan 17, 2005 1:37 am

I'm not sure how much of the header the proxy looks at, I just know that when I tried running ssh on port 80, it didn't work because the proxy closed the connection. Never thought about the curses thing. I might take apart webmin and reverse engineer something too. Race ya? I don't get home for another 2.5 hours. Would your solution need a special client?

Post by dannycool » Mon Jan 17, 2005 2:38 am

It can't examine https headers as https is encrypted. Proxies aren't supposed to decrypt it. That would sort-of undermine the whole idea.

However if your proxy doesn't decrypt, but just passes through https, the easy way is to run a sshd on port 443 on an outside host, and use a ssh connect script (ProxyCommand directive in .ssh/config).

Post by thebigslide » Mon Jan 17, 2005 2:52 am

Are you sure the https header is encrypted? Also, since the proxy is the middleman for the entire server/browser conversation, it is able to decode the packets just as easily as the client.

Post by ryceck » Mon Jan 17, 2005 9:15 am

So if I get ur drift u want to connect to ur server through a firewall which only allows http/https... What is the problem?
Https == encrypted binary data, ssh == encrypted binary data.

Create on ur server an iptables ruling:

Code:

iptables -t nat -A PREROUTING -p tcp -i ethX --dport 443 -j DNAT --to-destination ur.ip.addr.here:22

If u want it to work for ur work only btw... (and have https normally reachable for the rest of the world) add an --source-destination at the end :)

And if you don't have it:
# masquerade traffic leaving through ethX (POSTROUTING matches on the outgoing interface)
iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE


That's all and u can connect to ur server using ssh servername.ex -p443 (or use putty and guide it to port 443) and u can ssh remote :)
As an advanced option with this one u can also forward other ports (like 3389, rdesktop or 590X, vnc) using

Code:

# forward local port 3389 to the lan host through the ssh session on port 443
# (where the internal ip of the lan host is 192.168.1.23 for example)
ssh -p 443 -L 3389:internal.ip.of.lanhost:3389 servername.ex
# and u can connect to ur rdesktop using:
rdesktop <insert ur regular options here> localhost:3389

Post by setagllib » Mon Jan 17, 2005 10:17 am

As an author of a HTTPS server, yes, the header is encrypted (it's simple: it's just a whole HTTP session transparently wrapped in an SSL session)

As a person with logic, no, the proxy should NEVER know either the client or server's public key, let alone the key negotiated for symmetric encryption. As said, this would completely kill the point of HTTPS.

How does the proxy do it then? That does sound strange. Maybe it looks for an SSL handshake (which does have a definite ring to it, including an SSL connection - which is NOT the same as an SSH authentication), so really all you need is an SSL tunnel. It might notice more than one packet being sent in both directions though, especially the client sending stuff AFTER the server sends its load (which should never happen in real HTTP[S]).
My other computer is your Windows box.
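
Added example, not part of the original thread: a proxy does not have to decrypt anything to tell SSH apart from HTTP or an SSL/TLS handshake, because the first bytes a client sends differ. The Python code below classifies those opening bytes and flags a port/protocol mismatch; the port policy, the function names and the sample byte strings are constructed for illustration, and SSLv2-format hellos are not handled.

```python
# Added example: classify the first client bytes on a TCP stream the way a
# header-inspecting proxy could. All sample byte strings are constructed.
import struct

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"TRACE", b"CONNECT")
EXPECTED = {80: "http", 443: "tls"}   # assumed policy: protocol per port

SAMPLES = {
    "http": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "tls": bytes.fromhex("16030100c4010000c00303") + b"\x00" * 32,
    "ssh": b"SSH-2.0-OpenSSH_3.9p1\r\n",
}


def classify_first_bytes(data: bytes) -> str:
    """Return 'ssh', 'tls', 'http' or 'unknown' for a stream's opening bytes."""
    # SSH identification string (RFC 4253): "SSH-protoversion-softwareversion"
    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: type 0x16 (handshake), major version 3, 2-byte length,
    # then handshake message type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03:
        (length,) = struct.unpack(">H", data[3:5])
        if 0 < length <= 16384 and data[5] == 0x01:
            return "tls"
    # HTTP request line: METHOD SP target SP HTTP/x.y
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/"):
        return "http"
    return "unknown"


def check_connection(dst_port: int, first_client_bytes: bytes):
    """Return (verdict, protocol_seen); verdict is ok, mismatch or unmonitored."""
    seen = classify_first_bytes(first_client_bytes)
    expected = EXPECTED.get(dst_port)
    if expected is None:
        return ("unmonitored", seen)
    return ("ok" if seen == expected else "mismatch", seen)


if __name__ == "__main__":
    for port, name in [(80, "http"), (80, "ssh"), (443, "tls"), (443, "ssh")]:
        print(port, name, check_connection(port, SAMPLES[name]))
```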

Post by thebigslide » Mon Jan 17, 2005 5:01 pm

You know, I always just assumed it was examining packets on BOTH ports 443 and 80. I never tried 443...
I will today

Post by era3 » Sat Jan 29, 2005 4:33 pm

I am really interested in firing up a ssh session (putty plus vnc) through a firewall that blocks port 22 but allows http and https.

From this thread I understand that it is possible, but I have really not understood how.

Could someone post what is needed and a very short and quick how-to?