Accessing an ssh service from a Linux client through an HTTP proxy
[b]Problem[/b] The company's internal network is heavily firewalled and blocks all traffic leaving the company. The only way out to external networks is through an HTTP proxy.
[b]Solution[/b]
This can be done with the [url=http://www.faqs.org/rfcs/rfc2817.html]HTTP CONNECT method[/url].[font=monospace][quote]+--------+            +--------+        +----------+                        +--------+
|  ssh   |            | proxy  |        | router/  |                        |  ssh   |
| client |            | server |        | firewall |       __    __         | server |
|+------+|            |        |        |          |     _/  \__/  \_       |        |
||ssh-  ||   https    |+------+|        |          |    /            \  ssh |+------+|
||https-|==============>squid ||===-> -> -> -> ->===| Internet |============>| sshd ||
||tunnel||  port 80   |+------+|        |          |   \_       _/  port 22 |+------+|
|+------+|  or 3128   |        |        |          |      \__/\__/  or 443  |        |
+--------+  or 8080   +--------+        +----------+                        +--------+[/quote][/font]The Perl script [url=http://www.snurgle.org/%7Egriffon/ssh-https-tunnel]ssh-https-tunnel[/url] sends a CONNECT request to your proxy server, instructing it to open a TCP connection to the port on the remote host. It then lets you communicate with that port through standard input/standard output.
Update your ~/.ssh/config file.[font=monospace][code]Host www.example.com
    ProxyCommand ~/.ssh/ssh-https-tunnel %h %p[/code]Put your proxy settings in the ssh-https-tunnel file[code]#### Configuration ####
my $proxy = "my-proxy.company.com";
my $proxy_port = 80;[/code][/font]Then you can reach ssh through the HTTP proxy[font=monospace][quote]$ ssh -v www.example.com
OpenSSH_4.3p2 Debian-9, OpenSSL 0.9.8c 05 Sep 2006
debug1: Reading configuration data /home/neo/.ssh/config
debug1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Executing proxy command: exec ~/.ssh/ssh-https-tunnel www.example.com 22
debug1: identity file /home/neo/.ssh/identity type -1
debug1: identity file /home/neo/.ssh/id_rsa type -1
debug1: identity file /home/neo/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 zlib
debug1: kex: client->server aes128-cbc hmac-md5 zlib
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'www.example.com' is known and matches the RSA host key.
debug1: Found key in /home/neo/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
neo@www.example.com's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting authentication agent forwarding.
debug1: Sending environment.
debug1: Remote: No xauth program; cannot forward with spoofing.
[neo@www neo]$[/quote][/font]
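As an added illustration (not the ssh-https-tunnel script from the post), here is a minimal ProxyCommand in Python that performs the same RFC 2817 CONNECT handshake and then relays stdin/stdout to the tunnel; the proxy host and port are the placeholders from the configuration above, and the file name connect-proxy.py is assumed. It also keeps any bytes the proxy delivers after its reply headers (typically the sshd banner), which a naive implementation would drop, and aborts on anything other than a 2xx status.

```python
# Minimal HTTP CONNECT ProxyCommand for OpenSSH (added example, not the post's
# ssh-https-tunnel script). Usage: ProxyCommand python3 connect-proxy.py %h %p
import socket
import sys
import threading

PROXY_HOST = "my-proxy.company.com"  # placeholder, as in the post's configuration
PROXY_PORT = 80

def build_connect_request(host, port):
    # RFC 2817 CONNECT: ask the proxy to open a plain TCP connection to host:port
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")

def parse_proxy_reply(data):
    # Returns (tunnel_open, leftover). Only a 2xx status opens the tunnel; bytes
    # after the blank line (often the sshd banner) already belong to ssh.
    head, sep, rest = data.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split(b" ", 2)
    ok = bool(sep) and len(status) >= 2 and status[0].startswith(b"HTTP/") and status[1][:1] == b"2"
    return ok, rest if ok else b""

def open_tunnel(host, port, proxy=(PROXY_HOST, PROXY_PORT)):
    sock = socket.create_connection(proxy)
    sock.sendall(build_connect_request(host, port))
    buf = b""
    while b"\r\n\r\n" not in buf:  # read the complete reply header, then stop
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        buf += chunk
    ok, leftover = parse_proxy_reply(buf)
    if not ok:
        raise ConnectionError("proxy refused CONNECT: %r" % buf.split(b"\r\n", 1)[0])
    return sock, leftover

def relay(read, write):
    # Copy one direction until EOF; ssh talks to this process over stdin/stdout
    while data := read(65536):
        write(data)

if __name__ == "__main__":
    sock, leftover = open_tunnel(sys.argv[1], int(sys.argv[2]))
    out = sys.stdout.buffer
    out.write(leftover)
    out.flush()
    to_ssh = threading.Thread(target=relay, args=(sock.recv, lambda b: (out.write(b), out.flush())), daemon=True)
    to_ssh.start()
    relay(sys.stdin.buffer.read1, sock.sendall)  # ssh -> proxy direction
    sock.shutdown(socket.SHUT_WR)
    to_ssh.join()
```

A proxy that only permits CONNECT to port 443 answers with a 403 instead of 200, which is why the diagram lists 443 as an alternative sshd port; in that case the script exits with the refusing status line rather than leaving ssh to time out.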
[[i] This post was last edited by neo on 2007-7-27 14:31 [/i]]