Is there any plan to add socks 4 or socks 5 support to openssh like
the original ssh developed in finland??

Michael
Michael at bizsystems.com
> Is there any plan to add socks 4 or socks 5 support to openssh like
> the original ssh developed in finland??

There's a longstanding war over this. Essentially, SSH->SOCKS support generally demands:

1) Nasty library dependencies
2) Inflexibility (which SOCKS protocols? Which auth methods? etc.)

I will probably be able to work around the former problem (guys, have you *seen* how trivial SOCKS4 is? Er, don't read the spec, it's wrong.)--but the latter issue is indeed problematic. Nobody wants to bulk up SSH with 83945798435 different authentication methods.

There are presently two solutions available:

1) Use a general purpose socksifier. In this context, there's a wrapper that makes *any* app SOCKS capable. The Dante daemon has one; I believe the C Bouncer author has written another. There's also of course the stuff out of NEC.

2) Use ProxyCommands. I don't know the syntax offhand (it's quite ugly and isn't particularly usable, sorry everyone), but it's related to: ssh -o ProxyCommand [arbitrary connector]. The idea is that an external Proxy application gets one an 8 bit path to the SSH daemon--then the SSH client takes over.

I'm attaching a 7K app that was written to do this for SOCKS.

There might be better solutions available in future versions of OpenSSH, but for now these are what's available.

Yours Truly,

Dan Kaminsky, CISSP
http://www.doxpara.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: connect.c.gz
Type: application/x-gzip
Size: 7071 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010310/7b74ba24/attachment.bin
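Added example, not part of the original thread and not the connect.c attached above: a sketch of the kind of external connector the ProxyCommand approach relies on, sending a SOCKS4 CONNECT request and then relaying bytes unchanged between ssh and the proxy. The function names and the argument order (proxy host, proxy port, destination host, destination port) are assumptions of this example.

```python
# Added example: SOCKS4 CONNECT helper for ssh ProxyCommand (names are this example's own).
import os
import select
import socket
import struct
import sys

def build_connect_request(dst_ip: str, dst_port: int, userid: bytes = b"") -> bytes:
    """Layout: VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, USERID, NUL terminator."""
    if not 0 < dst_port < 65536:
        raise ValueError("port out of range")
    if b"\x00" in userid:
        raise ValueError("userid must not contain NUL")  # NUL would end the field early
    return struct.pack("!BBH", 4, 1, dst_port) + socket.inet_aton(dst_ip) + userid + b"\x00"

def reply_granted(reply: bytes) -> bool:
    """The 8-byte reply is VN=0, CD, then port/address fields; CD 90 means granted."""
    if len(reply) != 8 or reply[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    return reply[1] == 90

def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break  # short read; reply_granted() rejects the truncated reply
        buf += chunk
    return buf

def main(proxy_host, proxy_port, dst_host, dst_port):
    dst_ip = socket.gethostbyname(dst_host)  # SOCKS4 carries an IPv4 address only
    sock = socket.create_connection((proxy_host, int(proxy_port)))
    sock.sendall(build_connect_request(dst_ip, int(dst_port)))
    if not reply_granted(recv_exact(sock, 8)):
        sys.exit("SOCKS4 proxy refused the connection")
    while True:  # 8-bit-clean relay: ssh talks on stdin/stdout, the proxy on sock
        readable, _, _ = select.select([0, sock], [], [])
        for src in readable:
            data = os.read(0, 4096) if src == 0 else sock.recv(4096)
            if not data:
                return  # EOF on either side ends the session
            if src == 0:
                sock.sendall(data)
            else:
                os.write(1, data)

if __name__ == "__main__":
    main(*sys.argv[1:5])
```

It would be wired in with a line such as `ProxyCommand python3 socks4_connect.py proxy.example 1080 %h %p`, where the script name and proxy address are placeholders.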
Michael,
It is quite simple to socksify OpenSSH using the NEC socks code from
http://www.socks.nec.com. If you compile the socks library then you can
add the support to OpenSSH by:
adding #include <socks.h> in front of the other includes in
sshconnect.c
configuring with: --with-cflags="-DSOCKS"
--with-libs="-lsocks5"
This will give you socks4 and socks5 support which you can define using
libsocks5.conf (see the NEC socks man pages).
An alternative socks implementation to use is Dante. I have no experience
with that library but I have heard good things about it.
Hope this helps,
--------------------------------------------------------
Doug Manton, AT&T EMEA Commercial Security Solutions
E: demanton at att.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"
Please respond to michael at bizsystems.com
To: openssh-unix-dev at mindrot.org
cc:
Subject: what about socks support?
Is there any plan to add socks 4 or socks 5 support to openssh like
the original ssh developed in finland??
Michael
Michael at bizsystems.com
> Even easier: run
> LDFLAGS=-ldsocks ./configure
> and you are away :)
>
> This basically just preloads libdsocks, which you can't do with
> LD_LIBRARY_PRELOAD since ssh is suid'd. If you can disable the suid
> bit, you could run 'socksify ssh <hostname>'.

But not under AIX :-(

--------------------------------------------------------
Doug Manton, AT&T EMEA Commercial Security Solutions
E: demanton at att.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"
On Sun, Mar 11, 2001 at 02:14:59PM +0000, douglas.manton at uk.ibm.com wrote:
> But not under AIX :-(

but ProxyCommand from ssh(1) should work on every system.
On AIX > v4.3.2 you could always use the built-in sockified stack.. It is
for socks v5 servers only I believe.. It also does unauthenticated SOCKS
connection.
Docs on this can be found at ...
http://www.rs6000.ibm.com/doc_link/en_US/a_doc_lib/libs/commtrf2/socks5c_conf.htm#scs70399bkm
Just need to create a socks5c.conf file and set the variable pointing to
that.. e.g.
export SOCKS5C_CONFIG=/etc/socks5c.conf
EdGy
Doug E Manton/UK/IBM at IBMGB@mindrot.org on 03/11/2001 06:16:31
Sent by: owner-openssh-unix-dev at mindrot.org
To: michael at bizsystems.com
cc: openssh-unix-dev at mindrot.org
Subject: Re: what about socks support?
On Sun, 11 Mar 2001 16:29:14 Markus Friedl wrote:
| On Sun, Mar 11, 2001 at 02:14:59PM +0000, douglas.manton at uk.ibm.com
| wrote:
| > But not under AIX :-(
|
| but ProxyCommand from ssh(1) should work on every system.

Okay, here is a ProxyCommand that works with Dante for me. It simply runs netcat, which should be available on a lot of systems.

In [/path/to/]ssh_config, add:

    Host *internet*
        ProxyCommand [/path/to/]socksify [/path/to/]nc %h %p

You will want to change "*internet*" to some other way to identify hosts behind a socks firewall.

Is this a good or bad way of doing things? It seemed the simplest way to me, and scp copies binary files. Is netcat safe?

Kind regards,

Berend

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Berend De Schouwer, +27-11-712-1435, UCS