SSH over HTTP proxy: connection issue

Setup

An SSH client connects to an SSH server through an HTTP proxy that supports the CONNECT method (e.g. using corkscrew as the ssh ProxyCommand).

Symptoms

The SSH client establishes the TCP connection to the proxy, but after a while disconnects with the message “ssh_exchange_identification: Connection closed by remote host”. At the same time the SSH server sees no connection attempt at all.

Analysis

It turned out that the HTTP proxy in question does not open the outbound connection until it has received two lines of text terminated by '\n' from the client. Furthermore, even when the client provides these two lines, the proxy sometimes does not relay the SSH server's reply unless that reply also starts with two text lines terminated by '\n'.

Solution

We therefore push two lines of text at the very beginning of the SSH client's connection and throw them away on the SSH server side (the client's first line must be its identification string, so these lines do not conform to the SSH protocol and sshd would reject the connection if it saw them), and push two lines of text in front of the SSH server's reply. The latter is allowed by the SSH protocol (RFC 4253, section 4.2): a server may send lines before its identification string as long as they do not start with 'SSH-', and clients must ignore them. Neither change touches the key exchange or authentication; the extra lines sit outside the protocol and carry no security weight.

Implementation

Client side: use the following script as the ssh ProxyCommand (corkscrew's arguments are passed through unchanged):

#! /bin/bash
# ssh ProxyCommand wrapper around corkscrew: emit two empty lines (the
# here-document below) before the ssh client's own data, so the proxy sees
# the two '\n'-terminated lines it insists on before opening the outbound
# connection. The matching server-side script discards them.
# Arguments are corkscrew's: proxyhost proxyport desthost destport [authfile]
# e.g. in ssh_config: ProxyCommand /path/to/this-script <proxyhost> <proxyport> %h %p
(
cat << EOF


EOF
cat
) | corkscrew "$@"

Server side: use the following script as an xinetd service:

#! /bin/bash
# xinetd service wrapping sshd: stdin/stdout are the client socket.

# Send a few lines before sshd's identification string. RFC 4253 section
# 4.2 allows this as long as no line begins with 'SSH-' (lines should be
# CRLF-terminated; OpenSSH clients also accept the bare LF a here-document
# produces). The client ignores them, so their content carries no security
# weight; the proxy only needs two '\n'-terminated lines.
cat <<EOF
Hello. This is a text allowed by RFC4253.
We use it here in order to pass by HTTP proxies
that are too lazy to work through.
Blah-blah-blah.
And some more text, to be pretty sure.
EOF

# Discard the two padding lines the client-side script prepends.
# -r keeps bash from eating backslashes. A client that does not use the
# wrapper loses its identification string here and is rejected by sshd.
read -r
read -r
# Relay the rest of the stream to the real sshd on the loopback interface.
nc 127.0.0.1 22
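The exchange that the two scripts produce, as an added example that is not part of the original page: a small Python model of both directions. The function names, the preamble text and the identification strings are constructed for this example, and the proxy is modelled only by the behaviour observed above (it forwards only after two newline-terminated lines in each direction), so the model runs offline and shows what sshd and the ssh client each end up seeing, with and without the wrappers.

```python
# Added example (not code from the page): a stand-alone model of the
# identification exchange produced by the two wrapper scripts. All
# function names, the PREAMBLE text and the byte strings are constructed
# for this example; the proxy is modelled only by the behaviour observed
# above (it needs two '\n'-terminated lines in each direction).

CRLF = b"\r\n"
CLIENT_IDENT = b"SSH-2.0-OpenSSH_9.6" + CRLF   # constructed ssh client line
SERVER_IDENT = b"SSH-2.0-OpenSSH_9.6" + CRLF   # constructed sshd line

PREAMBLE = [
    "Hello. This is a text allowed by RFC4253.",
    "We use it here in order to pass by HTTP proxies",
]


def client_wrapper(from_ssh: bytes, pad: int = 2) -> bytes:
    """Client-side script: prepend `pad` empty lines to the ssh client's
    stream before it reaches the proxy (the here-document plus `cat`)."""
    return b"\n" * pad + from_ssh


def server_wrapper_in(from_proxy: bytes, skip: int = 2) -> bytes:
    """Server-side script, inbound: the `read` calls discard `skip`
    newline-terminated lines; the remainder is what nc hands to sshd."""
    rest = from_proxy
    for _ in range(skip):
        nl = rest.find(b"\n")
        if nl < 0:  # `read` would block here waiting for a newline
            raise ValueError("stream ended before %d padding lines" % skip)
        rest = rest[nl + 1:]
    return rest


def server_wrapper_out(preamble, from_sshd: bytes) -> bytes:
    """Server-side script, outbound: emit pre-banner lines, then sshd's
    data. RFC 4253 4.2 permits such lines if they do not begin with
    'SSH-' (CRLF-terminated here; OpenSSH also tolerates bare LF)."""
    out = b""
    for line in preamble:
        if line.startswith("SSH-") or "\r" in line or "\n" in line:
            raise ValueError("illegal pre-banner line: %r" % line)
        out += line.encode("ascii") + CRLF
    return out + from_sshd


def sshd_parse(data: bytes):
    """sshd's view: the first line must be the client identification
    string. Returns it, or None for anything else (protocol mismatch)."""
    first = data.partition(b"\n")[0].rstrip(b"\r")
    return first if first.startswith(b"SSH-") else None


def client_parse(data: bytes):
    """ssh client's view (RFC 4253 4.2): ignore lines until one starts
    with 'SSH-'. Returns (ignored_lines, identification); identification
    is None if the stream ends first, which the ssh client reports as
    'ssh_exchange_identification: Connection closed by remote host'."""
    ignored, rest = [], data
    while True:
        line, sep, rest = rest.partition(b"\n")
        if not sep:
            return ignored, None
        line = line.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            return ignored, line
        ignored.append(line)


def simulate(pad: int = 2, skip: int = 2, preamble=PREAMBLE) -> dict:
    """Run both directions through the wrappers and a proxy that forwards
    only after it has seen two newline-terminated lines."""
    upstream = client_wrapper(CLIENT_IDENT, pad)
    if upstream.count(b"\n") < 2:
        return {"proxy_forwarded": False}          # outbound never opened
    sshd_sees = server_wrapper_in(upstream, skip)
    downstream = server_wrapper_out(preamble, SERVER_IDENT)
    if downstream.count(b"\n") < 2:
        return {"proxy_forwarded": False}          # reply never relayed
    ignored, ident = client_parse(downstream)
    return {
        "proxy_forwarded": True,
        "sshd_accepts": sshd_parse(sshd_sees) == CLIENT_IDENT.rstrip(),
        "client_ignored": len(ignored),
        "client_ident": ident,
    }


if __name__ == "__main__":
    print("with wrappers:    ", simulate())
    print("without wrappers: ", simulate(pad=0, skip=0, preamble=[]))
    print("server skips none:", simulate(skip=0))
```

simulate(skip=0) shows what happens if the server side forgets the two reads: sshd gets an empty line where the identification string should be and rejects the connection, even though the proxy happily forwarded everything. The same mismatch occurs if the client pads more lines than the server discards, which is why both scripts must agree on the count.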

If the script is saved as /usr/local/bin/sssh (and made executable), add a port for sssh to /etc/services (or give the entry 'type = UNLISTED' together with a 'port = ...' line) and register it with xinetd like this:

service sssh
{
        disable         = no
        socket_type     = stream
        wait            = no
        # nothing in the wrapper needs root: nc only connects to 127.0.0.1:22
        user            = nobody
        server          = /usr/local/bin/sssh
        log_on_failure  += USERID
}