Using OpenSSH through a SOCKS compatible PROXY on your LAN
This guide has been written by J. Grant. 2002-01-15 Version 0.3 BETA
Copyleft J. Grant. Including this in any other documents is permitted
under the GNU licence, providing my name is given next to the section. Distributing
this any other way is permitted providing it is complete and contains this
message.
Tested on Linux Mandrake 8.1. Using a different distribution should not
affect you, provided you have RPM support.
Introduction
The SOCKS firewall protocol was fostered by NEC, who currently DO NOT
support a free version of their tools for UNIX. Many applications directly
support the SOCKS 4/5 protocols (Netscape, Opera, etc.). The NEC software was
previously available at ftp://ftp.nec.com/pub/socks/socks5
but it no longer is. However, there are other free solutions available
now, which means you have choices. (The way of UNIX)
There are 4 solutions covered in this SSH through a SOCKS PROXY guide.
Currently I use Goto-san's connect.c, and the wrapper "runsocks" for other
applications. Read this whole FAQ before making your decision!
1) Using the old NEC software
The packages NEC previously made available on Linux were rpm/tgz packages
that implemented the server, client programs and a wrapper program (for
programs without compiled-in SOCKS support).
http://rpmfind.net/linux/rpm2html/search.php?query=socks
I installed runsocks-1.0r11-3.i386.rpm successfully.
$ rpm -ivh runsocks-1.0r11-3.i386.rpm
I have also used rpm --rebuild on the src.rpm to make the whole packages and
installed those as well.
I rebuilt the source downloaded from
ftp://rpmfind.net/linux/falsehope/home/gomez/socks5/
(sometimes this site is not available; try later and it might work. Anyone
know why?)
Do this in your shell:
$ export SOCKS4_SERVER=mysocks4server
Or you can specify it in the conf file as follows.
Create the file /etc/libsocks5.conf with this content:
$ cat /etc/libsocks5.conf
socks4 - - - - mysocks4server
There are problems with this:
You have to be root to use runsocks ssh -l myusername <host> or
you will get the following error:
$ runsocks ssh -l myuser myhost.com
ssh: error while loading shared libraries: libsocks5_sh.so: cannot open
shared object file: No such file or directory
DNS does not work; you get this error from ssh:
$ su
$ runsocks ssh -l youruser yourhost.com
ssh: yourhost.com: Temporary failure in name resolution
The only way to connect is to be root and also use the IP. I can connect,
it's just not good practice to have to be root and use the IP address!
Read the man pages for libsocks5.conf and runsocks for further information.
These are the versions I have. I do not have ftp space to host them; if
anyone has permanent ftp space for them please contact me. (I believe we
are allowed to distribute them under the licence.) I downloaded them from places
such as ftp://rpmfind.net/linux/falsehope/home/gomez/socks5/
runsocks-1.0r11-3.i386.rpm
socks-4.3.beta2-2.i386.rpm
socks-4.3.beta2-2.src.rpm
socks5-1.0r11-3.i386.rpm
socks5-1.0r11-3.src.rpm
socks5-clients-1.0r11-3.i386.rpm
socks5-devel-1.0r11-3.i386.rpm
export.socks.4.3.beta2.tar.gz
export.socks.cstc.4.2.2.tar.gz
socks.cstc.4.2.2.tar.gz
2) Use Goto-san's connect.c (works transparently)
OpenSSH SOCKS support was removed from the OpenSSH implementation on
2000-02-07. Using SSH through SOCKS firewalls is now ONLY supported using
a ProxyCommand from within the SSH configuration files.
I found how to use OpenSSH through SOCKS.
a) Download and compile the source code at this URL, and put the binary in
your path.
http://www.imasy.or.jp/~gotoh/connect.c
$ su
$ gcc -o sconnect connect.c
$ cp sconnect /usr/local/bin
b) Add the following line to your ssh_config. This is for a SOCKS4 server.
Read his source for further information.
ProxyCommand /usr/local/bin/sconnect -4 -S your-socks-server:1080 %h %p
That's it! Everything should work now.
This is the best solution IMO.
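What a SOCKS4 ProxyCommand helper has to put on the wire before ssh can talk to %h:%p, shown as an added Python example (not Goto-san's connect.c and not part of the original guide). The function names and sample values are constructed for illustration; the SOCKS4a form used for host names assumes the proxy supports that extension. Note that the user id travels to the proxy in clear text.

```python
import ipaddress
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_CODES = {
    90: "request granted",
    91: "request rejected or failed",
    92: "rejected: proxy cannot reach identd on the client",
    93: "rejected: identd reports a different user id",
}


def build_connect_request(host: str, port: int, userid: str = "") -> bytes:
    """Build the SOCKS4 CONNECT request for host:port.

    An IPv4 literal gives a plain SOCKS4 request. Any other host gives the
    SOCKS4a form: destination 0.0.0.1 plus the host name after the user id,
    so the proxy, not the client, does the DNS lookup.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    if "\x00" in host or "\x00" in userid:
        # NUL terminates the fields; refuse values that would split them.
        raise ValueError("NUL byte in host or user id")
    user = userid.encode("ascii") + b"\x00"
    try:
        addr = ipaddress.IPv4Address(host).packed
        tail = b""
    except ipaddress.AddressValueError:
        addr = bytes([0, 0, 0, 1])  # SOCKS4a marker: 0.0.0.x with x != 0
        tail = host.encode("idna") + b"\x00"
    header = struct.pack(">BBH", SOCKS_VERSION, CMD_CONNECT, port)
    return header + addr + user + tail


def parse_reply(reply: bytes) -> str:
    """Check the 8-byte SOCKS4 reply; raise unless the request was granted."""
    if len(reply) != 8:
        raise ValueError("SOCKS4 reply must be exactly 8 bytes")
    version, code = reply[0], reply[1]
    if version != 0:
        raise ValueError("not a SOCKS4 reply")
    if code != 90:
        raise ConnectionError(REPLY_CODES.get(code, f"unknown reply code {code}"))
    return REPLY_CODES[code]
```

Only after a granted reply does the helper start relaying bytes, so the SSH key exchange and host key check still run end to end with the target host rather than with the proxy.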
3) Use the proprietary SSH.com trial version
Only possible for non-commercial 30-day use; supports the SOCKS protocol.
export SSH_SOCKS_SERVER=socks://youruser@socks-server:1080/x.x.x.0/24
I gave up on proprietary solutions so I have not tested further. SSH.com
is not open source, thus I would only use it in "legacy" systems that required
it.
4) Dante OSS version
This has not been tested, but I have received good feedback about it.
See http://www.inet.no/dante/ for further information or
http://rpmfind.net/linux/rpm2html/search.php?query=dante
Misc.
NEC never replied to any of my emails so I think it is best to not bother
them anymore; there are enough solutions now anyway.
If you really want to contact them, try steve@syl.dl.nec.com and socks5-comments@socks.nec.com
Links
http://www.funet.fi/pub/unix/security/firewalls/socks/socks4/
ftp://rpmfind.net/linux/falsehope/home/gomez/socks5/
Greetings
Thank you to the following people who helped me during my SOCKS with SSH
investigations:
(Ordered alphabetically by first name)
Avi Alkalay
Alex Feinberg (alex@freethinkers.net), author of "Using SOCKS Proxy Firewalls
on Linux". Introduction is based on his.
David Knight French
OpenSSH.com - You have a great application, thank you to all the team.
Satoru Takeuchi
Shun-ichi Goto
Also, thank you to the other people who replied to my emails about these
problems and offered suggestions.