SSH over HTTP proxy: connection issue
Setup
The SSH client tries to connect to the SSH server through an HTTP proxy that supports the CONNECT method (using e.g. corkscrew).
Symptoms
The SSH client establishes the TCP connection, but after a while disconnects with the message “ssh_exchange_identification: Connection closed by remote host”. The SSH server, at the same time, receives no connection attempt at all.
Analysis
It has been observed that the HTTP proxy may not establish the outbound connection until it receives two lines of text, each terminated by '\n'. Furthermore, even when the client provides these two lines, the proxy sometimes does not relay the SSH server's reply back unless that reply also begins with two text lines terminated by '\n'.
Solution
We need to push two lines of text at the beginning of the SSH client connection, discard them on the SSH server side (as they do not conform to the SSH protocol), and push two lines of text before the SSH server's reply (which the SSH protocol allows, as long as these lines do not start with 'SSH-').
Implementation
Client side: use the following script as the proxy script:

#! /bin/bash
# Prepend two empty lines (two '\n') so the HTTP proxy opens the outbound
# connection, then pass the real SSH client stream through corkscrew.
(
cat << EOF


EOF
cat
) | corkscrew "$@"
Server side: use the following script as the xinetd daemon:

#! /bin/bash
# Send two text lines before sshd's own banner; RFC 4253 allows this as
# long as no line starts with 'SSH-'.
cat <<EOF
Hello. This is a text allowed by RFC4253. We use it here in order to pass by HTTP proxies that are too lazy to work through.
Blah-blah-blah. And some more text, to be pretty sure.
EOF
# Discard the two lines that the client-side proxy script prepended.
read
read
# Relay the rest of the connection to the real sshd on the loopback address.
nc 127.0.0.1 22
If the script is saved as /usr/local/bin/sssh (and made executable), add an sssh entry to /etc/services and register it with xinetd like this:

service sssh
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/local/bin/sssh
    log_on_failure  += USERID
}
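To make the two tricks concrete, here is an added Python model (not from the page or the scripts above) of what the two `read`s in sssh and the RFC 4253 pre-banner rule do to a byte stream; the version strings and KEXINIT bytes are constructed samples.

```python
# Added example, not from the original page; sample streams are constructed.

def strip_leading_lines(data: bytes, count: int = 2) -> bytes:
    """Server side: drop `count` newline-terminated lines that the client
    wrapper prepended (what the two `read` commands in sssh do). `read`
    knows nothing about SSH: if the lines are missing it eats whatever
    comes first, including the real SSH version string."""
    rest = data
    for _ in range(count):
        nl = rest.find(b"\n")
        if nl < 0:
            raise ValueError("stream ended before %d lines were read" % count)
        rest = rest[nl + 1:]
    return rest

def server_sees_version_string(client_stream: bytes) -> bool:
    """True if sshd, behind the sssh wrapper, still gets 'SSH-...' first."""
    return strip_leading_lines(client_stream).startswith(b"SSH-")

def pre_banner_lines(lines) -> bytes:
    """Server side: text sent before sshd's own banner. RFC 4253 4.2 lets
    only the server send such lines; none may start with 'SSH-', and a
    conforming client must skip them."""
    out = b""
    for line in lines:
        if line.startswith("SSH-"):
            raise ValueError("pre-banner line must not start with 'SSH-'")
        out += line.encode() + b"\r\n"
    return out

def client_parse_banner(server_stream: bytes) -> tuple:
    """Client side per RFC 4253: skip lines until one starting 'SSH-' and
    return (version string, remaining bytes)."""
    rest = server_stream
    while True:
        nl = rest.find(b"\n")
        if nl < 0:
            raise ValueError("no SSH version string before end of data")
        line, rest = rest[:nl], rest[nl + 1:]
        if line.startswith(b"SSH-"):
            return line.rstrip(b"\r").decode(), rest

# Constructed client streams: version string, then the start of a binary
# KEXINIT packet whose padding-length byte happens to be 0x0a ('\n').
KEXINIT_START = b"\x00\x00\x00\x7c\x0a\x14" + bytes(range(16))
WRAPPED_CLIENT = b"\n\n" + b"SSH-2.0-OpenSSH_9.6\r\n" + KEXINIT_START  # via proxy script
PLAIN_CLIENT = b"SSH-2.0-OpenSSH_9.6\r\n" + KEXINIT_START  # plain ssh, no wrapper
```

`server_sees_version_string(WRAPPED_CLIENT)` is True while `server_sees_version_string(PLAIN_CLIENT)` is False: the second `read` swallows the client's version string and then stops at a stray 0x0a inside binary data, which is why the client-side and server-side scripts must always be deployed as a pair.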