Working the Bypass

On Wednesday, I had to head into Washington to work at a client site.  Of course, they had an annoying ISA Server web proxy that required authentication in order to work correctly.  After having a problem with Internet Explorer 7 and proxy authentication, I decided to work on getting around this web proxy altogether.

Thankfully, the client allows SSH traffic without any authentication. Since my home router has an SSH server running on it as part of the DD-WRT firmware it runs, I was all set. A quick configuration of PuTTY on my laptop, and I was able to do most of the things I usually am able to do. No need to authenticate to surf the web, and no need to not be accessible via IM. I obviously have l33t haX0r skillz.  ;-)
Obviously, this is a bit of a small hole, and I will bring it up to the powers that be.  Of course, that means I will need to find another way around it next time.

{ 5 } Comments

  1. mokiejovis | February 24, 2007 at 2:26 pm EST | Permalink

    stunnel is your friend. You have to sacrifice port 443, but it’s indistinguishable from HTTPS traffic and - with a properly configured squid server on the other end - will allow you to proxy to basically whatever service you need.

  2. Jason J. Thomas | February 27, 2007 at 9:51 am EST | Permalink

    mokie: Why would I want to use stunnel when I have a perfectly good SSH tunnel working just fine? If it is to make the traffic look like regular HTTPS traffic, I can get around that by making my SSH server listen on 443. From what I can tell by reading the docs, stunnel effectively works in the same fashion. Unless, of course, I am dumb and smoking lots of crack.

  3. Paul | February 27, 2007 at 11:03 am EST | Permalink

    An idea if they shut down port 22 is to try port 53. That’s often open a lot too.

  4. mokiejovis | February 27, 2007 at 1:38 pm EST | Permalink

    SSH packets are functionally different and distinguishable from HTTPS packets. If you’re behind a “fascist firewall” (i.e. a firewall which only allows HTTP/HTTPS outbound) a la Websense or other proxifying firewalls, you might have a vested interest in being able to masquerade your SSH traffic as HTTPS traffic.

  5. NPR Junky | February 27, 2007 at 11:10 pm EST | Permalink

    Boys, you all should just get married and start a commune somewhere together in Utah! Nerdy love is such a beautiful thing…. ;-)
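
Comment 4's point that raw SSH is distinguishable from HTTPS, seen from the monitoring side: an added Python example (not from the post or its commenters) that classifies the first client-to-server bytes of a flow and reports protocol/port mismatches. The function names, the flow tuples and the sample payloads are constructed for illustration.

```python
# Added example: tell a raw SSH session from a TLS session by its first bytes.

def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP flow."""
    # RFC 4253 section 4.2: an SSH client opens with the text line
    # "SSH-<protoversion>-<softwareversion>".
    if payload.startswith(b"SSH-"):
        return "ssh"
    # A TLS client opens with a handshake record: type 0x16, version 0x03 0x0X,
    # a 2-byte record length, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        record_len = int.from_bytes(payload[3:5], "big")
        if 0 < record_len <= 16384:  # a plaintext record carries at most 2^14 bytes
            return "tls"
    return "other"


def audit_flows(flows):
    """Return (dst_port, finding) for flows whose protocol does not fit the port."""
    findings = []
    for dst_port, payload in flows:
        proto = classify_first_bytes(payload)
        if proto == "ssh" and dst_port != 22:
            findings.append((dst_port, "ssh-on-nonstandard-port"))
        elif dst_port == 443 and proto != "tls":
            findings.append((dst_port, "non-tls-on-443"))
    return findings


# Constructed sample flows: (destination port, first payload bytes).
SAMPLE_FLOWS = [
    (443, bytes.fromhex("1603010200010001fc0303")),  # TLS ClientHello prefix
    (443, b"SSH-2.0-ExampleClient_1.0\r\n"),         # SSH moved to 443
    (53, b"SSH-2.0-ExampleClient_1.0\r\n"),          # SSH moved to 53
    (22, b"SSH-2.0-ExampleClient_1.0\r\n"),          # SSH on its usual port
    (443, b"GET / HTTP/1.1\r\n"),                    # cleartext HTTP on 443
]

if __name__ == "__main__":
    for port, finding in audit_flows(SAMPLE_FLOWS):
        print(port, finding)
```

A tunnel wrapped in TLS, as comment 1 describes, classifies as "tls" here, so this check only catches unwrapped SSH.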
