SSH addenda
I'm pretty excited about all the traffic generated by my SSH howto (part 1, part 2). I should've submitted junk to hackaday long ago!
Anyway, I'm doing my best to respond to all the questions posed in comments (and that's definitely the place to pose them). Here are answers to the two most common problems: restrictive work security policies, and Mac ownership.
- I can't install programs at work!
You shouldn't have to. PuTTY doesn't require installation; it's a single executable you run, and you don't have to be an administrator to run it. I can't account for every security configuration your workplace might have, and since I have admin rights at my own job I haven't created a non-admin user to try this out myself. My suggestion: put PuTTY on a thumb drive. While you're at it, put Portable Firefox on there too, configure its proxy settings at home, and you won't need rights to change them at the office. Just run both apps off the thumb drive.
If that doesn't work, there's probably not much more I can do to help. Well, okay, that's not entirely true: I'll try to put up something about recovering your local Administrator password eventually. But in the short term, go buy a thumb drive and give it a try.
- I have a Mac!
First: this might be totally unhelpful. I don't own a Mac, and I haven't yet installed the leaked OSX86 image. It would be great if a knowledgeable Mac user could add a comment explaining where I'm off base.
But, from what I can tell, here's how you'd do it. OS X is built on BSD, a *nix-style system, which makes SSH a natural fit. In fact, you almost certainly already have an SSH server (OpenSSH) installed, according to this page. To make sure it's running, open the "Sharing" pane in System Preferences and check that "Remote Login" is enabled.
You'll want to restrict who can log in. As with OpenSSH on Windows, SSH logins are the system's own user accounts, not an SSH-specific pool of logins and passwords, so until you restrict it, any account on the Mac can log in remotely. I'm no expert on adding users on the Mac, but this page might help if you need it. Now, to restrict the SSH server so that only the designated user gets in:
The SSH server config file is either /etc/sshd_config or /etc/ssh/sshd_config (probably the former, but I can't confirm). Edit it as the superuser (sudo works) and find the line that begins with "AllowUsers"; if there isn't one, add it. After the keyword, list the user name(s) allowed to log in, separated by spaces; everyone else is refused no matter what password they supply. Keep exactly one active AllowUsers line: sshd uses the first occurrence of a keyword it finds and ignores later ones. If you'd like to change the port SSH listens on, this file is also the place to do that: find the line that says "Port", remove the hash (#) in front of it if there is one, and change the number. Then stop and restart "Remote Login" as outlined above so sshd re-reads the file. Do that while you still have a shell open or are sitting at the keyboard, because a typo in sshd_config means sshd won't start and you'll be locked out.
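The sshd_config edit above, as an added shell script (my example, not code from the post): it rewrites the file so that exactly one active AllowUsers line and one active Port line remain, keeps a backup, and gives you a way to see what sshd will actually use before you restart Remote Login. The user name sshuser, port 2222 and the /etc/sshd_config path are placeholders taken from the howto, not settings the post prescribes; check_sshd_config calls sshd -t, which needs to run as root.

```shell
#!/bin/sh
# Added example, not from the original post: apply the two sshd_config edits
# described above (an AllowUsers line and a non-default Port) with a script,
# so the result is unambiguous and can be checked before Remote Login is
# restarted. "sshuser", port 2222 and the config path are placeholders.

# harden_sshd_config CONFIG USER PORT
# Leaves CONFIG with exactly one active "Port PORT" and one active
# "AllowUsers USER" line. All existing Port/AllowUsers lines, whether active
# or '#'-commented, are removed first: sshd honours the FIRST occurrence of a
# keyword, so a stray duplicate above your edit would silently win.
harden_sshd_config() {
    cfg=$1
    user=$2
    port=$3
    case $port in
        ''|*[!0-9]*) echo "port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    cp "$cfg" "$cfg.bak"            # keep the original; you may need it
    tmp=$(mktemp) || return 1
    # Keywords are case-insensitive in sshd_config, hence grep -i.
    grep -Evi '^[[:space:]]*#?[[:space:]]*(Port|AllowUsers)[[:space:]]' "$cfg.bak" > "$tmp" || true
    printf 'Port %s\nAllowUsers %s\n' "$port" "$user" >> "$tmp"
    cat "$tmp" > "$cfg"             # cat, not mv: preserves owner/mode of CONFIG
    rm -f "$tmp"
}

# active_value CONFIG KEYWORD
# Prints the value sshd would actually use for KEYWORD (first active line).
active_value() {
    grep -Ei "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# check_sshd_config CONFIG
# Ask sshd itself to parse the file (run as root). Do this BEFORE stopping
# and restarting Remote Login: a typo in sshd_config means sshd will not
# start and you are locked out until you can reach the keyboard.
check_sshd_config() {
    sshd -t -f "$1"
}

# demo: run the edit against a constructed sample config (not a real one),
# so the script can be tried without touching /etc.
demo() {
    sample=$(mktemp) || return 1
    printf '#Port 22\nProtocol 2\n#AllowUsers nobody\nPort 22\n' > "$sample"
    harden_sshd_config "$sample" sshuser 2222 || return 1
    echo "Port       -> $(active_value "$sample" Port)"
    echo "AllowUsers -> $(active_value "$sample" AllowUsers)"
    rm -f "$sample" "$sample.bak"
}

# Typical use on the Mac (as root), then toggle Remote Login in the Sharing pane:
#   harden_sshd_config /etc/sshd_config sshuser 2222 && check_sshd_config /etc/sshd_config
if [ "${1:-}" = demo ]; then demo; fi
```

Run it with `sh script.sh demo` to see it work on the constructed sample. Keeping the old file as .bak matters more than it looks: if sshd refuses the new config, copying the backup back is the quickest way to get Remote Login working again.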
As for Privoxy, there's a Mac installation package available, and we didn't have to specify any custom settings during the PC install. Looking here, it doesn't seem like you should have to do anything other than run the installer.
That should take care of the server half of the equation. Forward the SSH port on your router to the Mac and you should be able to log in from the outside world. You can mix and match platforms; the server and client don't have to be the same operating system.
But what if you've got a Mac at work? There are plenty of SSH clients for the Mac, but OS X already ships the command-line ssh client, so let's just use that. Open Terminal (it's in Applications/Utilities). Once you've got a prompt in front of you, and assuming that a) your SSH server's public IP is, say, 12.34.56.78 and b) the account you listed in sshd_config is "sshuser" (as in the other howto), you'd use the following line:
ssh -lsshuser -L8118:127.0.0.1:8118 12.34.56.78
Note that both of those options are "L"s, but they mean different things: lowercase -l is the login name, uppercase -L is the local port forward. It tells ssh to listen on port 8118 on the Mac at work and carry anything that connects there through the tunnel to 127.0.0.1:8118 as seen from the server, which is where Privoxy is listening. (Add -N if you want the tunnel without a shell on the server.) Hit enter; you'll get the prompt about the unknown host key. This first connection is your only chance to verify that you're talking to your own machine rather than someone in between, so ideally compare the fingerprint it shows with the one on the server before typing yes. Then enter the password, and configure your browser's proxy settings as described in the PC howto.
I hope this is helpful. Sorry I can't be more specific, particularly with respect to the Mac. If you have problems with these instructions, post a message to comments and hopefully we can all muddle through together.

Comments
hackaday.com, not hackaday.org
Thanks for all the tips.
fixed. thanks.
I have the tunnel working with the Terminal on Mac OS X. However, when I try to set my IM client to use the proxy, I get the error that the proxy does not support port 5190 forwarding (for AIM). I get the same error for MSN but with the MSN default port. I am not able to change the connect port successfully yet.
Are there any setting for Privoxy that restricts what ports it forwards?
Any good recommendations for a linux proxy?
Justin: I got the same error, and got around it by using 443 as the "auth port" in my IM client settings. I'm not sure if or why Privoxy doesn't forward 5190 by default; a brief glance through its config file didn't provide any answers.
adam: privoxy is available for linux as well. In fact, that's the configuration I use (Windows client, FC4 server running sshd and privoxy).
I found a program called SSH Tunnel Manager for Mac OS X.
It is basically a front end for the terminal and gives you more management options for multiple tunnels.
Search for it on Google or Version Tracker
As a comment...
Privoxy doesn't seem to like to tunnel much at all... are there any alternatives?
it tunnels fine for me, and for a number of other folks. I'm not sure what you mean. It's just a straightforward HTTP proxy.
If you don't mind leaking DNS requests, you can just use the "dynamic" port forwarding option in PuTTY, which basically makes it a SOCKS proxy.
What I meant with that comment was, Privoxy only tunnels 80 and 443. I can get AIM to connect on 443 but MSN doesn't like that port. Also, it would be nice to have my pop and smtp email tunnel through the proxy. Basically, I want everything to go through it...
ah, ok. Well, socat (under cygwin in windows) might meet your needs. Alternately, you could establish an ssh "dynamic" tunnel -- specify a local port, leave "remote" blank and your copy of PuTTY will act like a SOCKS proxy that can be used with all those applications. It will leak DNS requests, though -- so while the content of your messages will be protected, their destination will be visible to anyone snooping.
Are there any proxy server programs for windows that I could put in place of privoxy?
If you want ports other than 80 and 443, you want a SOCKS proxy. If you want a socks proxy, you can just use SSH with dynamic port forwarding. You don't need a privoxy replacement if you're not using an HTTP proxy.
Whether SOCKS-aware apps leak DNS requests or not is up to them; there's no SOCKS proxy server that will magically fix that problem that I'm aware of.
Something that might be worth trying is forwarding port 53 (DNS) on your machine over the SSH tunnel, and setting it to exit on your LAN and direct to your router (also on 53). Then change your client's network settings to use 127.0.0.1 as your DNS server. This *might* route your DNS requests through the tunnel. I haven't verified this, though, and you should dig out ethereal to test it before you assume it's working. It'll also require admin rights on the client machine.
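An added note and example, not part of the post or of the comment thread above: the symptom the thread describes (plain web traffic goes through Privoxy, an IM client asking the proxy for port 5190 is refused, but 443 works) is what Privoxy's limit-connect directive produces. Privoxy is an HTTP proxy, so a non-HTTP port can only be carried through it with an HTTP CONNECT request, and limit-connect decides which ports CONNECT may target; its default allows 443 only. This generalizes the thread's 443 workaround: you can open just the ports you need instead of giving everything up for a SOCKS tunnel. The script is mine, not Privoxy's; the config path /usr/local/etc/privoxy/config is a placeholder (the file is named config, or config.txt on Windows, and its location depends on the package), and the port lists are examples. Newer Privoxy releases moved this setting to a limit-connect{} action in the action files, so check which form your version uses.

```shell
#!/bin/sh
# Added example (not Privoxy's own code, nor from the post): adjust Privoxy's
# limit-connect directive, which controls the ports an HTTP CONNECT request may
# target. Its default is 443, which is why plain HTTP tunnels fine but an IM
# client asking the proxy to CONNECT to port 5190 is refused.
# The config path in the usage comment is a placeholder.

# set_limit_connect CONFIG PORTLIST
# PORTLIST uses Privoxy's own syntax: comma-separated ports or ranges,
# e.g. "443,5190" or "443,1863,5190"; "-" means every port. Replaces any
# existing (active or commented) limit-connect line with a single active one.
set_limit_connect() {
    cfg=$1
    ports=$2
    case $ports in
        ''|*[!0-9,-]*) echo "bad port list '$ports'" >&2; return 1 ;;
    esac
    cp "$cfg" "$cfg.bak"
    tmp=$(mktemp) || return 1
    grep -Ev '^[[:space:]]*#?[[:space:]]*limit-connect([[:space:]]|$)' "$cfg.bak" > "$tmp" || true
    printf 'limit-connect %s\n' "$ports" >> "$tmp"
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# connect_allowed CONFIG PORT
# Returns 0 if PORT is permitted by the active limit-connect line, mirroring
# Privoxy's rule: no active line means 443 only; an open-ended range like
# "1-" or "-" runs to 0 or 65535 respectively.
connect_allowed() {
    cfg=$1
    port=$2
    list=$(grep -E '^[[:space:]]*limit-connect[[:space:]]' "$cfg" | head -n 1 | awk '{print $2}')
    [ -n "$list" ] || list=443
    oldifs=$IFS; IFS=,
    for range in $list; do
        case $range in
            *-*) lo=${range%-*}; hi=${range#*-}
                 : "${lo:=0}" "${hi:=65535}" ;;
            *)   lo=$range; hi=$range ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            IFS=$oldifs
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# demo: exercise the above on a constructed sample config, not a real one.
demo() {
    sample=$(mktemp) || return 1
    printf 'listen-address 127.0.0.1:8118\n#limit-connect 443\n' > "$sample"
    connect_allowed "$sample" 5190 && echo "5190 allowed before edit (unexpected)"
    set_limit_connect "$sample" "443,5190,1863" || return 1
    connect_allowed "$sample" 5190 && echo "5190 (AIM) now allowed"
    connect_allowed "$sample" 1863 && echo "1863 (MSN) now allowed"
    connect_allowed "$sample" 25 || echo "25 still refused, as intended"
    rm -f "$sample" "$sample.bak"
}

# Typical use (path is a placeholder), then restart Privoxy:
#   set_limit_connect /usr/local/etc/privoxy/config "443,5190,1863"
if [ "${1:-}" = demo ]; then demo; fi
```

Two caveats that belong with the thread above. First, the SOCKS route from the Mac is the same as PuTTY's dynamic forward: `ssh -N -D 1080 -l sshuser 12.34.56.78` gives a SOCKS proxy on 127.0.0.1:1080, and the DNS-leak point made above applies to it just as much. Second, the port-53 idea only carries TCP, because ssh -L forwards TCP connections, while most resolvers send DNS over UDP; so do test it with ethereal, as suggested, before relying on it.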
Adam: Squid works well for me on Linux.