Pages

Saturday, 31 March 2012

establish ssh connection through proxy with NTML authentication

Open ssh connection through proxy with NTML authentication

Here is the explanation of how to pass a ssh connection through a proxy that use NTLM authentication protocol (cryptographic authentication) instead of a plain login/password authenication.

First follow the steps describes here :
http://blog.mansonthomas.com/2008/01/open-ssh-connection-through-http-proxy.html

Next we have to deal with NTLM authentication.

Putty do not know how to talk with proxy that use NTML authentication, so we need a soft that will handle the authentication and encapsulate the network packet.

To do that we'll use cntlm which is a port of an unix programms using cygwin (no need to make a insall of cygwin though...).

Once you unzip the files, edit the configuration file cntlm.ini

You have to change 4 values :

login: Your Windows login name
domain: Your domain name

You can get theses information by hitting CTRL+ALT+SUPPR, a window display and in the first fieldset you can see something like "Thomas Manson has opened a session as DOMAIN\LOGIN"

proxy url and port : See the previous post to see how to get this informations
ctnlm port : the local port on which CNTML will listen (Local that is : on your computer). The port shoud be above 1024 (as below, ports are reserved for specific use) and not used (use netstat -a > c:\netstat.log and check that the port you choosed is not in the file). Take for example 5865.



Example :
Expand this zone !
#
# Cntlm Authentication Proxy Configuration
#
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.
#

Username __LOGIN__
Domain  __DOMAIN__
#Password password  # Use hashes instead (-H)
#Workstation netbios_hostname # Should be auto-guessed

Proxy  __PROXY-URL__:__PROXY-PORT__
#Proxy  10.217.112.42:8080

#
# This is the port number where Cntlm will listen
#
Listen  __CNTLM_PORT_NUMBER__
#Listen  5865

#
# If you wish to use the SOCKS5 proxy feature as well, uncomment
# the following option, SOCKS5. It can be used several times
# to have SOCKS5 on more than one port or on different network
# interfaces (specify explicit source address for that).
#
# WARNING: The service accepts all requests, unless you use
# SOCKS5User and make authentication mandatory. SOCKS5User
# can be used repeatedly for a whole bunch of individual accounts.
#
#SOCKS5Proxy 8010
#SOCKS5User dave:password

#
# Use -M first to detect the best NTLM settings for your proxy.
# Default is to use the only secure hash, NTLMv2, but it is not
# as available as the older stuff.
#
# This example is the most universal setup known to man, but it
# uses the weakest hash ever. I won't have it's usage on my
# conscience. :) Really, try -M first.
#
Auth  LM
#Flags  0x06820000

#
# Enable to allow access from other computers
#
#Gateway yes

#
# Useful in Gateway mode to allow/restrict certain IPs
#
#Allow  127.0.0.1
#Deny  0/0

#
# GFI WebMonitor-handling plugin parameters, disabled by default
#
#ISAScannerSize 1024
#ISAScannerAgent Wget/
#ISAScannerAgent APT-HTTP/
#ISAScannerAgent Yum/

#
# Headers which should be replaced if present in the request
#
#Header  User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Header  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

#
# Tunnels mapping local port to a machine behind the proxy
#
#Tunnel  11443:remote.com:443

Next we need configure putty to use the CNTLM program.

On connection->proxy settings.
On Proxy hostname field, type "localhost", on port field, type the port number you choose for cntlm (ex : 5865).

On username field : your windows login.
On password field : your windows password.

Save theses inputs in a session (so you don't have to type it each time).

Run cntml, open your connection with putty and you should be able to login on your login box.

Notice that each time your windows password changes, you have to change it in putty too.

from http://blog.mansonthomas.com/2008/04/open-ssh-connection-through-proxy-with.html
------------------------------------------------------------------------

Open a SSH connection through an http proxy and dig tunnels :)

I'm working for an IT Services & Software Engineering company, and I often work for some time (3 months to a year) by the client company's office...

And often, I'm behind a ****ing proxy that filters http request, provide antivirus analysis etc.. Useful for the company securtity and efficiency, but really borring for me.

Those proxy allows http (tcp/80) and https (tcp/443) connections and nothing else...

So no tcp/22 for SSH, and I miss it really much for many reasons.

So here is what to do, to get an SSH connexion to a linux box.

But beware that doing that will certainly break the security contract you signed when you enter the company. Doing that allow you to bypass the content filtering and security. And you could be fired for that...

This blog post will show you how to bypass an http proxy with a basic authentication.

The following post will show you a way to bypass a proxy with NTLM authentication mecanism.

Server configuration



You're a geek like me, so you have a linux box somewhere running 24hours a day running a ssh server in a linux box.

The ssh server usually listen on the tcp/22 port, but this port is filtered by the proxy. The proxy allow tcp/80 & tcp/443.

As the tcp/80 is probably used by your web server, we'll focus on tcp/443, the https port which you probably don't need. But you can do the same with tcp/80 port.

What we need is that your linux box accepts a ssh connection on the tcp/443 port.

We can either change the ssh server setting to listen on port 443 or redirect the connection established on the 443 port to 22 port.

I prefer the second option that leaves untouch the ssh server configuration, and let your linux box be accessed trough ssh on it's standart port.

You can redirect you 443 port to the 22 port using iptables or other tools.
You may even have a graphical interface that allow you to do that easily.

With the sme server, i've such a tools (a web interface attainable only though my local network)

You can find information on how to do that here :

http://tldp.org/HOWTO/IP-Masquerade-HOWTO/forwarders.html

http://gentoo-wiki.com/HOWTO_Iptables_for_newbies

if this can help, here is the lines of my iptables-save output that involves the 443 port :

Expand this zone !
-A PortForwarding_22383 -p tcp -m tcp --dport 443 -j DNAT --to-destination 80.1.1.1:22
-A InboundTCP_22383 -d 80.1.1.1 -p tcp -m tcp --dport 443 -j ACCEPT


where 80.1.1.1 is my external public ip address.

Once this is done, you can test it by trying to open an ssh connection on the port 443, or use telnet (telnet youBoxIp 443) and you should see you open ssh server version : SSH-2.0-OpenSSH_3.9p1.


Configure your ssh client



Putty is a marvelous ssh client for windows, I couldn't live without it.

You can get it here : http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html


All settings describe below can be change on the fly when the ssh connection is open (except for the proxy setting... of course) by right clicking in the title window->change settings.

Basic settings





In the hostname field, enter the ip or domain name of your linux box.
in the port field, enter 443 (or 80 if you use the 80 port)

In Saved sessions, enter a string that remind you your trully loved linux box ;o)

Putty's number of lines of scrollback



this is not really a mandatory step, but really usefull.



Replace the 200 value by 20000000 (it should be enough). Adding more zeros could lead putty the behave strangely... i've tried ;o)

Putty's encoding





In order to have a proper display of characters in your putty, you need to set the encoding of putty accordingly to your linux box configuration (mostly UTF-8 or your country's specific charset).

You can find these setting on your linux box in /etc/sysconfig/i18n

cat /etc/sysconfig/i18n
LANG="fr_FR@euro"
SUPPORTED="fr_Fr@euro:fr_FR:fr"
SYSFONT="lat0-sun16"
SYSFONTACM="iso15"


here it's fr_FR which is ISO-8859-1 charset.
You can find which charset match with your country code in /usr/share/i18n/locales/your country code

cat /usr/share/i18n/locales/fr_FR
comment_char %
escape_char  /
%
% French Language Locale for France
% Source: RAP
% Address: Sankt Jo//rgens Alle 8
%    DK-1615 Ko//benhavn V, Danmark
% Contact: Keld Simonsen
% Email: Keld.Simonsen@dkuug.dk
% Tel: +45 - 31226543
% Fax: +45 - 33256543
% Language: fr
% Territory: FR
% Revision: 4.3
% Date: 1996-10-15
% Users: general
% Charset: ISO-8859-1
% Distribution and use is free, also
% for commercial purposes.



Keep alive settings





The http proxy will automatically close an idling connection. To avoid that, putty has the keep alive parameter which simulate an activity and thus avoid the proxy to close the connection.

Set it to 4 seconds which is a good value.

Proxy settings





Here is the tricky part...

You need to get the proxy url and port, login and password.

In most case, your company uses Microsoft windows and Internet explorer.

You can get the proxy settings from internet explorer, in :
Tools->Internet Options->Networking->Network parameters





If the checkbox in the proxy server fieldset is ticked, then just use the information in this fieldset (have a look in Advanced also) but in most case, it will use a script.
copy and paste the proxy script in the internet explorer address bar, save the content to a file and read it...

You need to determine what is the proxy url you use.
The proxy scripts usually use your network address and subnet to determine which is the proxy server you should use with function such as dnsDomainIs(host, "aDomain.com") or isInNet (host, "10.0.123.0", "255.255.255.0")

if ( dnsDomainIs (host, ".domain.com.") ||
        dnsDomainIs (host, ".sub.domaine.com.") ||
        dnsDomainIs (host, ".domain.net.") ||
 dnsDomainIs (host, ".domain2.com.") ||
 isInNet (host, "10.0.112.0", "255.255.255.0") ||
 isInNet (host, "10.1.112.0", "255.255.255.0"))

{

 if (isInNet (myIpAddress (),"10.3.0.0", "255.255.0.0"))
   return "PROXY srv-proxy-01.site.dom:8090;" +
          "PROXY srv-proxy-02.site.dom:8090";
   else
     return "PROXY srv-proxy-01.site2.dom:8090;" +
            "PROXY srv-proxy-02.site2.dom:8090";
}


in this case, the proxy usr would be one of the srv-proxy-02.site2.dom and the port would be 8090.

In a command console(Windows key+R, type cmd), you can get your ip address with the following command :
ipconfig /all

Which will help you to determine the proxy settings that is calculated by the scripts.

Or more basically you can run, still in a console

netstat -a


and look for something like a proxy...

The proxy url might contains the word proxy so
netstat -a | find "proxy"



Once you have it (or you can try each url & port in the script)
paste it in the proxy hostname an port.

Username is usually your NT Domain\windows account username.
You can get it by hitting CTRL+ALT+SUPPR, it will be displayed the the window that appears. (type escape to return to where you were)

SSH compression





Enabling ssh compression will make the connexion smoother...

SSH tunnels






SSH Tunnels, one of the wounderfull functionnality of the SSH protocol.

in the source port, type 22, in the destination 127.0.0.1:22.

this will create a tunnel that will take the tcp traffic on the port 22 of the local machine to the remote 22/tcp port with the ip 127.0.0.1 : your linux box, all that throug the ssh connection (established on the 443 port, forwarded to the 22 port)

Like this, you can browse file with a secure ftp programm like winscp, filezilla, or any text editor that supports SSH like ultraedit.

You'll just need to point this programs to localhost:22.
Not on yourLinuxBoxIp:443, because this link won't be kept alive by default by these programs.

Another usefull tunnel is L3390->192.168.1.24:3389

where 192.168.1.24 machine would be a windows computer with remote desktop activated (Windows Key+pause, remote connection tab, remote desktop fieldset) on your private network that can be reached by your linux box.

with this, you can run Microsoft Terminal Service Client : windows key + R, type mstsc, type localhost:3390 and you'll be able to use your windows computer which is also up 24h a day ;o) and browse the web as if you were at home (a bit slowly though).

You can see why i wrote this post :
http://mansonthomas.blogspot.com/2008/01/remote-desktop-client-with-windows-2000.html


Save settings




Save all these settings.

If it doesn't works, try other proxy settings in the proxy configuration script.
If it still don't work, it may be because your company uses the NTLM authentication protocol. This will be described in a next article.

from http://blog.mansonthomas.com/2008/01/open-ssh-connection-through-http-proxy.html

No comments:

Post a Comment