* [gentoo-user] Shell through the web
From: James Colby @ 2005-10-11 4:21 UTC
To: gentoo-user
Hi All -
I am wondering if anyone has any suggestions of a way to get to a shell over
the web using only port 80 or port 443. I would like to be able to open up a
shell on my gentoo box from , but I am behind a firewall. I have searched
sourceforge and freshmeat and have not had any luck. Is anyone doing this
that may have a suggestion/advice for me?
Thanks for your replies,
James
* Re: [gentoo-user] Shell through the web
From: W.Kenworthy @ 2005-10-11 4:31 UTC
To: gentoo-user
gnu http-tunnel - works well (I last used it a few years back to tunnel
a zebedee encrypted, compressed tunnel through a tight firewall/webproxy
gateway, doesn't seem to have changed much - mature)
Move the sshd instance on your server to port 443 (if you are not
running an ssl aware webserver that is ...)
There are also some cgi shell proxies out there as well, which you may
be able to run via your own webserver
(http://freshmeat.net/search/?q=web+shell&section=projects&Go.x=0&Go.y=0)
There are also web based public ssh proxies, but I am not sure I'd trust
them ...
BillK
On Tue, 2005-10-11 at 00:21 -0400, James Colby wrote:
> Hi All -
>
> I am wondering if anyone has any suggestions of a way to get to a
> shell over the web using only port 80 or port 443. I would like to be
> able to open up a shell on my gentoo box from , but I am behind a
> firewall. I have searched sourceforge and freshmeat and have not had
> any luck. Is anyone doing this that may have a suggestion/advice for
> me?
>
>
> Thanks for your replies,
> James
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Shell through the web
From: Christoph Gysin @ 2005-10-11 6:19 UTC
To: gentoo-user
James Colby wrote:
> I am wondering if anyone has any suggestions of a way to get to a shell
> over the web using only port 80 or port 443. I would like to be able to
> open up a shell on my gentoo box from , but I am behind a firewall. I
> have searched sourceforge and freshmeat and have not had any luck. Is
> anyone doing this that may have a suggestion/advice for me?
If it's only a firewall just let your sshd run on port 80 or 443. Then connect
with:
$ ssh -p 80 yourhost.domain.com
If you're also behind a proxy (very likely), you need to tunnel ssh through http:
http://www.nocrew.org/software/httptunnel.html
# emerge -avt net-misc/httptunnel
Christoph
--
echo mailto: NOSPAM !#$.'<*>'|sed 's. ..'|tr "<*> !#:2" org@fr33z3
* Re: [gentoo-user] Shell through the web
From: Drew Tomlinson @ 2005-10-11 7:56 UTC
To: gentoo-user
James Colby wrote:
> Hi All -
>
> I am wondering if anyone has any suggestions of a way to get to a
> shell over the web using only port 80 or port 443. I would like to be
> able to open up a shell on my gentoo box from , but I am behind a
> firewall. I have searched sourceforge and freshmeat and have not had
> any luck. Is anyone doing this that may have a suggestion/advice for me?
>
>
> Thanks for your replies,
> James
Seems to me that Webmin has a shell. In other words, the machine that
is running Webmin offers clients shell access via their browsers to
itself. But then if the machine upon which you want to run Webmin
already has a web server running on it, you'll have to configure the web
server to serve Webmin's pages instead of relying upon the one that's
included to avoid port conflicts.
HTH,
Drew
* Re: [gentoo-user] Shell through the web
From: John Jolet @ 2005-10-11 11:10 UTC
To: gentoo-user
On Monday 10 October 2005 23:21, James Colby wrote:
> Hi All -
>
> I am wondering if anyone has any suggestions of a way to get to a shell
> over the web using only port 80 or port 443. I would like to be able to
> open up a shell on my gentoo box from , but I am behind a firewall. I have
> searched sourceforge and freshmeat and have not had any luck. Is anyone
> doing this that may have a suggestion/advice for me?
just edit sshd_config to tell sshd to listen on port 80
>
>
> Thanks for your replies,
> James
--
John Jolet
Your On-Demand IT Department
512-762-0729
www.jolet.net
john@jolet.net
* Re: [gentoo-user] Shell through the web
From: Steve [Gentoo] @ 2005-10-11 11:37 UTC
To: gentoo-user
W.Kenworthy wrote:
> Move the sshd instance on your server to port 443 (if you are not
> running an ssl aware webserver that is ...)
>
This is (pretty much) what I do- I mapped port 443 to 22 at my
NAT/Firewall/router - that way I only have to deal with a peculiar port
when using SSH from remote locations. I found that corkscrew (
http://www.agroman.net/corkscrew/ ) was useful where I was forced to use
a proxy which required authentication at remote locations.
A question that I've recently been mulling is how I can retain this
invaluable capability to accept remote SSH connections on port 443 - but
also run a standard HTTPS website without needing another public IP
address. I fiddled with netcat and discovered that the two protocols
(SSH and HTTPS) behave quite differently in spite of both being
encrypted. As far as I could tell SSH required an initial message from
the server to the client, whereas HTTPS started with the client sending
the start of the request. Given that I wouldn't mind waiting a few
seconds to establish a SSH connection, it occurred to me that it should
be possible to intercept both SSH and HTTPS connections arriving on port
443; distinguish between them (by waiting to see if an HTTP request
arrives pretty quickly after the connection is established) then
forward the data to the correct service...
          +-------+         +-----+---443-->[apache]
O---443-->|NAT-BOX|--1443-->|  ?  |
          +-------+         +-----+---22--->[sshd]
Is anyone aware of something I can use to implement the box labelled
"?"? I suppose I could write a simple proxy myself... but don't really
want to re-invent the wheel... I'm also vaguely hopeful that there may
be a more efficient lower-level solution which wouldn't require the
overhead of a process to 'pass-on' the tcp data... maybe integrated with
ipchains or pf or similar?
Any ideas?
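
Added example (not part of the original thread, and not any poster's or project's code): the decision the box labelled "?" has to make, written in Python. The names classify_first_bytes and sniff, the 2-second wait and the sample byte strings are assumptions made for this example; it goes slightly beyond the message by also recognising a client that sends an "SSH-" identification string first and plaintext HTTP arriving on the TLS port, which is also useful when logging what actually shows up on 443.

```python
import socket

# Request-line prefixes used to spot plaintext HTTP sent to the TLS port.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")

def classify_first_bytes(data: bytes) -> str:
    """Classify a connection from the first bytes the client sent.

    b"" means the client sent nothing within the wait window, which the
    heuristic in the message treats as SSH (client waiting for the banner).
    """
    if not data:
        return "ssh"
    if data.startswith(b"SSH-"):          # SSH identification string (RFC 4253)
        return "ssh"
    if data[:2] == b"\x16\x03":           # TLS record: handshake, major version 3
        return "tls"
    if data.startswith(HTTP_METHODS):     # plaintext HTTP on the wrong port
        return "http"
    return "unknown"

def sniff(conn: socket.socket, wait: float = 2.0) -> str:
    """Peek at a freshly accepted connection without consuming any bytes,
    so a proxy can still forward the full stream to the chosen backend."""
    conn.settimeout(wait)
    try:
        data = conn.recv(16, socket.MSG_PEEK)
        if data == b"":
            return "closed"               # peer hung up before sending anything
    except socket.timeout:
        data = b""                        # silent client
    finally:
        conn.settimeout(None)
    return classify_first_bytes(data)

# Constructed sample openings (not captured traffic).
SAMPLES = {
    "tls client hello": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
    "ssh banner": b"SSH-2.0-OpenSSH_4.2\r\n",
    "plain http": b"GET / HTTP/1.1\r\n",
    "silent client": b"",
    "other": b"\x00\x01\x02\x03",
}

if __name__ == "__main__":
    for name, first in SAMPLES.items():
        print(f"{name:18} -> {classify_first_bytes(first)}")
```
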
* Re: [gentoo-user] Shell through the web
From: Dave Nebinger @ 2005-10-11 12:19 UTC
To: gentoo-user
On Tuesday 11 October 2005 07:37 am, Steve [Gentoo] wrote:
> I'm also vaguely hopeful that there may
> be a more efficient lower-level solution which wouldn't require the
> overhead of a process to 'pass-on' the tcp data... maybe integrated with
> ipchains or pf or similar?
If you choose to roll your own solution, that would be difficult. You've
already accepted the connection, so the firewall is now configured to allow
the packets back and forth only when related to your connection.
Without 'exec()'ing a child process to retain the open file handle, you'll be
forced to proxy the packets on your own.
And since you don't want to exec an instance of apache (hm, perhaps an
instance of a lightweight web proxy instead, hmm) it will be less general
overhead to proxy packets on your own.
Technically the proxy development is not difficult, but for newbies it can be
frustrating working out the nuances of processing asynchronous data arriving
on one pipe let alone two.
* [gentoo-user] About a proxy-like idea... (was Shell through the web)
From: Steve [Gentoo] @ 2005-10-11 17:16 UTC
Dave Nebinger wrote:
> On Tuesday 11 October 2005 07:37 am, Steve [Gentoo] wrote:
>
>> I'm also vaguely hopeful that there may
>> be a more efficient lower-level solution which wouldn't require the
>> overhead of a process to 'pass-on' the tcp data... maybe integrated with
>> ipchains or pf or similar?
>>
> If you choose to roll your own solution, that would be difficult. You've
> already accepted the connection, so the firewall is now configured to allow
> the packets back and forth only when related to your connection.
>
I realise that the idea would necessarily be substantially more
challenging than just writing a proxy... but I'm sure it is possible.
I'm guessing I'd need to interact at the IP packet level, recognise the
start of a TCP stream (buffering packets as necessary) then re-play them
to the right port and force the packet filter to re-direct that TCP
stream. It would not be worth my time to try and make this work if it
isn't already available for me to just compile and use.
> Technically the proxy development is not difficult, but for newbies it can be
> frustrating working out the nuances of processing asynchronous data arriving
> on one pipe let alone two.
>
I'm confident that I could write a proxy that would do this... as you
suggest - it's not rocket science. Conversely, I'm lazy enough to just
use one that's already written if one exists... which, I'm guessing, is
likely as I doubt I'm the first person to tackle this.
Steve
* RE: [gentoo-user] Shell through the web
From: Olaf Niermann @ 2005-10-12 6:21 UTC
Hi Steve,
> A question that I've recently been mulling is how I can retain this
> invaluable capability to accept remote SSH connections on
> port 443 - but
> also run a standard HTTPS website without needing another public IP
> address. I fiddled with netcat and discovered that the two protocols
> (SSH and HTTPS) behave quite differently in spite of both being
>
>           +-------+         +-----+---443-->[apache]
> O---443-->|NAT-BOX|--1443-->|  ?  |
>           +-------+         +-----+---22--->[sshd]
>
Maybe the 'Layer-7 Filter' [1] extension for netfilter/iptables can do the
recognition of the service (ssh/https) for you. Only from theory then just
two destination NAT (DNAT) rules in the prerouting NAT chain from iptables
might do all the work for you.
[1] http://l7-filter.sourceforge.net
Also, two examples of patterns that match against the ssh and ssl
services can be found here: http://l7-filter.sourceforge.net/protocols
Regards,
Olaf Niermann
* RE: [gentoo-user] Shell through the web
From: Daevid Vincent @ 2005-10-12 7:11 UTC
To: gentoo-user
i used to run a java ssh client. do a google search for "java ssh" and see
some. mindterm was the one i think i used.
D.Vin
_____
From: James Colby [mailto:jcolby@gmail.com]
Sent: Monday, October 10, 2005 9:22 PM
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Shell through the web
Hi All -
I am wondering if anyone has any suggestions of a way to get to a shell over
the web using only port 80 or port 443. I would like to be able to open up
a shell on my gentoo box from , but I am behind a firewall. I have
searched sourceforge and freshmeat and have not had any luck. Is anyone
doing this that may have a suggestion/advice for me?
Thanks for your replies,
James
* Re: [gentoo-user] Shell through the web
From: Ralf Fischer @ 2005-10-12 11:22 UTC
To: gentoo-user
Hi James,
On Tue, Oct 11, 2005 at 12:21:30AM -0400, James Colby wrote:
> I am wondering if anyone has any suggestions of a way to get to a shell over
> the web using only port 80 or port 443. I would like to be able to open up a
> shell on my gentoo box from , but I am behind a firewall. I have searched
> sourceforge and freshmeat and have not had any luck. Is anyone doing this
> that may have a suggestion/advice for me?
Also if i don't like it personally :) - check out Anyterm [1].
Unfortunately it's not in Portage yet.
Cheers,
Ralf
[1] http://chezphil.org/anyterm/
--
Ralf Fischer - makii@jabber.ccc.de - Public Key ID 0xFCD51EAA
fingerprint = E4B1 4780 D001 4DC0 0E2A 468C EB7B AD48 FCD5 1EAA
Hacker's Quicky #313:
Sour Cream -n- Onion Potato Chips
Microwave Egg Roll
Chocolate Milk
* Re: [gentoo-user] Shell through the web
From: Willie Wong @ 2005-10-12 14:37 UTC
To: gentoo-user
On Wed, Oct 12, 2005 at 12:11:20AM -0700, Daevid Vincent wrote:
> i used to run a java ssh client. do a google search for "java ssh" and see
> some. mindterm was the one i think i used.
>
> D.Vin
>
Won't do you any good if you are behind a corporate firewall. AFAIK
Mindterm is nothing more than an SSH client written in Java, with an
applet version which you can embed in webpages. From what I can
remember, mindterm by itself doesn't open up listening for SSH
connections in any other port: it is not a server by any means. So
while it is a convenient thing to have for times when you can't
download a "real" ssh client, it still connects through the normal
venues, which means that if the firewall blocks outgoing port 22
connections, you are equally screwed.
W
--
There was a man in a nuthouse who constantly scared off all the
newcomers with a menacing smile and the dreadful-sounding phrase, "I
differentiate you! I differentiate you!"--invariably the newcomer
would cower in the corner and stay far away from the man.
However, one day another man came in and confronted the first man. Of
course, the first began yelling at the newcomer, "I differentiate you!
I differentiate you!" But it had no effect on the newcomer. The man
yelled "I differentiate you!" several times to no avail. Finally, he
broke down in tears. "Why, why?!?" he asked.
The second man stated simply, "I'm e^x."
Sortir en Pantoufles: up 61 days, 17:32