Linux

Using Corkscrew to tunnel SSH over HTTP

If you are in an environment that disallows the use of SSH and forces the use of an HTTP proxy, it is possible to use that HTTP proxy as a transport for SSH. Vincent Danen explains how to use the Corkscrew program to do it.

Ever come to work and realize you left a required file at home? Or you're out on the road and find yourself in the same situation? Some environments and ISPs have strict firewall rules that can make life difficult. In some cases, these rules are absolutely required, in others perhaps not so much. If you are in an environment that disallows the use of SSH and forces the use of an HTTP proxy, it is possible to use that HTTP proxy as a transport for SSH.

Please note that I am not advocating breaking out of your environment's firewall if you have a policy that expressly prevents that or outbound SSH access! Unfortunately in the real world, some draconian firewall rules are in place that cause more grief than they need to and without a real reason. In some environments, however, the explicit denial of outbound SSH is required and for that reason you should respect the policy. I am not at all advocating breaking any rules unless you have permission or an exception from the people that should provide it.

With that disclaimer out of the away, go to the Corkscrew homepage and download the source for Corkscrew. Corkscrew is an HTTP-tunneling programming that does not require server-side modifications to work. It is also cross-platform and will work on most client systems.

To build Corkscrew, simply unpack the tarball and run:

./configure
make

Then copy the resulting corkscrew application to somewhere in your PATH or in ~/bin/. Next, edit your SSH configuration file, ~/.ssh/config, and add:

Host somehost
    Hostname somehost.example.com
    ProxyCommand /home/user/bin/corkscrew proxy.example.com 8080 %h %p

Replace the hostname with the host you are attempting to SSH into, and replace "proxy.example.com" with the actual HTTP proxy. You may also need to replace the port (8080) if the proxy listens on an alternate port (i.e., port 3128 in the case of Squid). OpenSSH transparently converts the %h to the hostname to connect to (somehost.example.com) and the port to connect to (22, by default).

The ProxyCommand line here is telling OpenSSH to start the Corkscrew program to make the actual connection to the end SSH server. You can create multiple entries for all of the hosts you may need to connect to, or use a simple regular expression or the global asterisk (*) in the Host line (* will tell OpenSSH to use this Host stanza for all connections).

When this is done, you should be able to run ssh somehost and have the connection be established, just as if you were connecting directly. Keep in mind this may not work with all proxies, so it may be a little hit-and-miss, but it should work with Squid and Apache's mod_proxy module as well as a few other popular implementations.

Get the PDF version of this tip here.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

11 comments
raymosely
raymosely

1. This is a re-hash of an old technique and not really even a mash up. 2. It is not a mash up because the author left out any mention of context or environment. Very *nix centric. Yes, it can be compiled in Windows using cygwin. 3. What is wrong with using putty for this? It supports proxy out of the box, and that is a really small box. Small footprint, no install, just an executable. 4. I have used putty for tunnelling remote desktop over port 22, along with OpenSSH on the server side. It should work with http proxy. 5. In my experience, port 22 is rarely blocked. It is used for secure traffic after all.

Snake_and_Jakes
Snake_and_Jakes

Using the HTTP Connect command to make the HTTP Proxy Server open a raw TCP connection to the target host which can then be used to tunnel any TCP based protocol (such has SSH) seems to be a pretty old and well know technique. See: http://www.kb.cert.org/vuls/id/150227 It seems that most draconian type environments would have their proxies configured to allow "HTTP CONNECT" access only to a whitelist of specific authorized destinations.

vickaprili
vickaprili

With the current anarchy where some individuals are allowed to disrupt services or create unnecessary work for others, draconian firewall rules are fine by me!

Royc_1
Royc_1

Which I think it may be then it is right next door to 'useless' on the 'fall off the world' side of things. I mean things like "simply unpack the tarball and run: ./configure make" tarball? do you mean Tarbell? That was a tape interface for S100 buss in the late 1970's. But what does that have to do with the current story, I can not guess. And ./ do you mean slashdot? And what does that have to do with the current story. Yes, I do know what a tarball is and the ./configure also. But I am smarter than the average Windows user too.

Kahikatea
Kahikatea

Hmmm ... Interesting statement ... Take out any IT-related stuff and make it a general statement related to our society. Does or doesn't it seem OK? Is the potential for anarchy, the price of freedom? Or is freedom not all it's cracked up to be? Are 'draconian' measures sometimes required for the 'greater good'? Sorry for the sidetrack! Corkscrew looks like a nice way to get around the high fence some sysadmins have in place.

raymosely
raymosely

Royc makes a good point. I came to this blog through a Tech Republic email with a Windows 7 subject line. I believe the author could have approached an old story with a new approach, instead of presenting something bordering on plagarism. And the author could have been "open" enough to realize that some open source runs on Windows, including Corkscrew compiled with cygwin.

unixed
unixed

It is cross-platform. So why not check the site to see if it compiles/runs on Windows? As it happens, it runs under many OSes and Windows is one of them. Your post was pretty long...should have just clicked the link to Corkscrew.

vamman
vamman

Tell me it was ;) For someone that knows that Tarbell was a Tape drive back in the 70s they sure as hell should know what some Unix syntax looks like. Tarball is a packaged achieve like a zip file. Those commands are to configure and make (compile) the source code in a unix environment. haha about /.

vdanen
vdanen

You found this in the "Linux and Open Source" blog, so I'd suspect that no, it's not for Windows. =) Having said that, it might work on Windows under Cygwin, but I've never tried.

Royc_1
Royc_1

Thanks for seeing what I was trying to say. I was trying to see this as a Windows user with no other OS experience, not even DOS. And trying to make sense out of this posting based on Windows 7 post that put me in the middle of this tarball which I was trying to get out of. :)

Royc_1
Royc_1

What this comment a joke? Tell me it was _______________________ Yes, it was a joke. I know some Unix stuff. I attended a full week seminar on System IV in the mid 1980's. I was looking at the AT&T PC to replace my CP/M computer that I was trying to use for an ATE (Automatic Test Equipment) system. I decided on a Tektronix 4041 computer that was a very small 68000 based computer that ran BASIC from ROM and had GPIB (IEEE-488) controller built-in and controlled from BASIC. The other plus side of this computer was it was 68000 based and I knew 6800 code down to hex code entry (I did not use this in the 3+ years I was working the computer). And I have ran Mandrake in the early 2000's plus several others since then. So I do know what the things like tarball and ./ and the rest of them are.

Editor's Picks