using a SOCKS proxy from SSH

How can I have SSH _use_ a SOCKS proxy to make a connection?

I know it can _create_ a SOCKS proxy with the -D option or DynamicForward
configuration (listens on local port for the connection to the SOCKS proxy
and makes outgoing connections from the remote host logged in to).  But in
this case what I want is for the actual SSH connection itself to layer
through whatever SOCKS proxy I have set up (which could be another SSH
command previously started with the -D option, or any other).

I can certainly direct SSH to a specific port.  But SOCKS does not have a
banner like SSH itself does.  So SSH cannot detect that it has connected
to a SOCKS proxy instead of an SSH daemon.  And I doubt autodetecting it
would be considered secure, anyway.  So what I would be looking for is an
option like:

    --via-socks [hostname][:port]
    --via-socks5 [hostname][:port]
    --via-socks4 [hostname][:port]

with hostname defaulting to and port defaulting to "socks" via
the services lookup, or 1080 if the lookup fails.  It would proceed to
request the SOCKS peer make the connection request, and handle everything
as SSH thereafter, including host key validation.

Similarly, the HTTP CONNECT protocol might also be usable:

    --via-http-connect [hostname][:port]

Chaining proxies should also be allowed.  Multiple instances of these would
mean that the first is connected to directly via the SSH program, while the
next would be connected to _through_ the previous proxy connection.

Config file options should also exist for these:

ViaSocks [hostname][:port]
ViaSocks5 [hostname][:port]
ViaSocks4 [hostname][:port]
ViaHttpConnect [hostname][:port]

| Phil Howard KA9WGN (ka9wgn.ham.org)  /  Do not send to the address below |
| first name lower case at ipal.net   /  spamtrap-2008-01-26-0923@ipal.net |
1/26/2008 3:41:10 PM
comp.security.ssh 4228 articles. 0 followers. terra1024 (490) is leader. Post Follow

2 Replies

Similar Articles

[PageSpeed] 1

phil-news-nospam@ipal.net writes:

> How can I have SSH _use_ a SOCKS proxy to make a connection?

I do this frequently.   In both putty and SecureCRT  GUI ssh clients
for Windows, there are settings for specifying a proxy and its type. 

To do it on the command line, the ProxyCommand directive is where
you'll specify it in teh config file.  Sorry I don't have a working
example to paste, but I imagine someone here will. 

A little googling got me here, but I'm not sure if there's something
more elegant in more recent openssh versions: 

For *nix,  generally socks needs I see folks using dante socks

Best Regards, 
Todd H.
comphelp (872)
1/26/2008 6:05:13 PM
On 2008-01-26, phil-news-nospam@ipal.net <phil-news-nospam@ipal.net> wrote:
> How can I have SSH _use_ a SOCKS proxy to make a connection?

Assuming you're talking about OpenSSH (and from the options you quote
it looks like it) then you have 2 choices:

a) Use a ProxyCommand (as Todd mentioned upthread).  Good choices are
"connect" (http://www.meadowy.org/~gotoh/projects/connect, which does
SOCKS4, SOCKS5 and HTTP CONNECT) or some variants of netcat (which might
already be on your system)

    ProxyCommand connect -S socks.example.com:1080 %h %p
    ProxyCommand nc -x socks.example.com %h %p

b) If your platform supports it, use on of the LD_PRELOAD dynamic
SOCKSification wrappers such as "socksify" or "runsocks".

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
dtucker1 (251)
1/26/2008 10:43:11 PM