SSH over SSL part 2: client side
The idea of this tutorial is to understand and configure your client to build an SSH connection through SSL. Of course, your server must have a specific configuration as well. See the server-side configuration tutorial: SSH over SSL part 1: server side
Nowadays firewalls block ports, but they can also do DPI (deep packet inspection) to see which protocol you are using. This means that if you try to SSH on port 443, it won't work even if port 443 is open. To avoid this, we have to trick the firewall into thinking we are making a legitimate HTTPS connection; once we are inside SSL (which the firewall can't read anymore), we switch to SSH!
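To make the DPI check concrete, here is an added example (not code from the original tutorial) of the kind of first-bytes classification a protocol-aware firewall can apply on port 443. The function names, the policy and the sample payloads are assumptions constructed for illustration; once a TLS session is established, the SSH banner travels inside encrypted records where this check can no longer see it.

```python
import struct

# Cleartext HTTP request prefixes; a tuple so bytes.startswith() can test them all.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")


def classify_first_bytes(payload: bytes) -> str:
    """Guess the protocol from the first bytes the client sends."""
    if payload.startswith(b"SSH-"):
        # RFC 4253: an SSH client opens with a cleartext "SSH-2.0-..." line.
        return "ssh"
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03:
        # TLS record header: type 0x16 (handshake), version 0x03 0x0X, 2-byte length.
        (record_len,) = struct.unpack("!H", payload[3:5])
        # First handshake byte 0x01 is ClientHello; a record body is at most 2**14 bytes.
        if payload[5] == 0x01 and 0 < record_len <= 2**14:
            return "tls-client-hello"
        return "tls-other"
    if payload.startswith(HTTP_METHODS):
        return "http-cleartext"
    return "unknown"


def firewall_verdict(port: int, payload: bytes) -> str:
    """Hypothetical policy for this example: port 443 must start with a ClientHello."""
    proto = classify_first_bytes(payload)
    if port == 443 and proto != "tls-client-hello":
        return f"drop ({proto} on 443)"
    return f"allow ({proto})"


# Constructed samples, not captured traffic.
RAW_SSH = b"SSH-2.0-OpenSSH_9.6\r\n"
# Record header (length 0x002F) + handshake header (ClientHello, length 0x00002B)
# + legacy version 0x0303 + 41 zero bytes standing in for the rest of the hello.
TLS_HELLO = bytes.fromhex("160301002f" "0100002b" "0303") + bytes(41)

if __name__ == "__main__":
    for name, sample in (("raw ssh", RAW_SSH), ("tls hello", TLS_HELLO)):
        print(f"{name:10} -> {firewall_verdict(443, sample)}")
```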
This tutorial is made as a proof of concept and should be used only for better understanding and POC purposes! I'm not responsible for any use of this trick.
If you are using Windows, I would recommend using a Linux virtual machine. It's way easier.
Windows software (didn't try them):
- Optional, depending on whether proxy authentication has to be bypassed too: proxifier (not tested yet)
- Optional, depending on whether proxy authentication has to be bypassed too: cntlm
- openssh client
3. Proxy authentication
The first step is to be able to connect to the proxy, since most of the time it's the only way to access the Internet. If you don't have a proxy you can skip this part; the same goes if you don't need to be authenticated to use your proxy.
We need a way to authenticate to the proxy. If it's using basic auth, you can set your env variable http(s)_proxy. Look for it on the Internet. But if it's using NTLM, you will need another way.
One way is to use a local proxy that authenticates itself to the remote proxy and gives you a local port already connected to the remote proxy.
cntlm does this job very well. Download and install it (directly from the official website or with apt-get).
Then look into my config file. To generate the PassLM, PassNT and PassNTLMv2 values, you must first create the config file with all the info, then type "cntlm -H" in the console; it will ask for your password and then generate the 3 lines for you!
You can find a lot of other options in this:
Once your config file is ready, you can test it in your terminal using this:
If everything goes well, cntlm should tell you it's ready.
You can test it by connecting through it with Firefox (set your proxy settings to use localhost and the port you defined in your configuration).
4. Tunnel to your remote server on port 443
This part builds a connection to your remote server on port 443. If the firewall you are trying to bypass isn't looking into the protocol, it won't be necessary to go any further: once you are connected, you could directly run SSH over it. But if your firewall is watching, it will instantly close your connection since it's not HTTPS!
If you want to check, build your proxytunnel connection, then try typing anything into it. Your connection should close!
So, download proxytunnel and, using the previous cntlm tunnel, launch it like this:
If your proxy wasn't using auth, you could directly type in your proxy address:port instead of 127.0.0.1:3128. We chose the local port 7000 for our tunnel.
5. SSL tunnel
Once you have a connection to your server, it's time to trick the firewall into thinking we are doing HTTPS.
To do so, we will use OpenSSL like this:
If everything is working well, you should see your server certificate.
To make your SSH use this SSL tunnel, it's simple: create or edit the file ~/.ssh/config
and add:
This tells your SSH client, for this host, to use this as a proxy! So instead of trying to SSH directly, it will first execute this SSL tunnel, then use it!
Everything is done on your client side!
For Windows, you should look into stunnel, but I didn't try it.
6. Sum up