I want to setup a simple ssh tunnel from a local machine to a machine on the internet.
I'm using
ssh -D 8080 -f -C -q -N -p 12122 <username>#<hostname>
Setup works fine (I think) cause ssh returs asking for the credentials, which I provide.
Then i do
export http_proxy=http://localhost:8080
and
wget http://www.google.com
Wget returns that the request has been sent to the proxy, but no data is received back.
What i need is a way to look at how ssh is processing the request....
To get more information out of your SSH connection for debugging, leave out the -q and -f options, and include -vvv:
ssh -D 8080 -vvv -N -p 12122 <username>#<hostname>
To address your actual problem, by using ssh -D you're essentially setting up a SOCKS proxy which I believe is not supported by default in wget.
You might have better luck with curl which provides SOCKS suport via the --socks option.
If you really really need to use wget, you'll have to recompile your own version to include socks support. There should be an option for ./configure somewhere along the lines of --with-socks.
Alternatively, look into tsock which can intercept outgoing network connections and redirecting them through a SOCKS server.
Related
Need some help with a tricky SSH tunnel through a bastion host.
I want to port forward Postgres on the remote server, through the bastion. Our company setup only allows communication over SSH, so we have to port forward everything.
Currently, I use the CLI command to set up the SSH tunnel, then use psql shell command on my laptop to query the remote Postgres. I want to write this same connection in Go, so I can create reports, graphs, etc.
The following command line works, but I can't figure out how to do this with Go SSH.
ssh -o ProxyCommand="ssh -l username1 -i ~/.ssh/privKey1.pem bastionIP -W %h:%p" -i ~/.ssh/privKey2.pem -L 8080:localhost:5432 -N username2#PsqlHostIP
psql -h localhost -P 8000 -U user -W pass
As I work remotely I do often have to run scripts that make sense only when I am on intranet.
But I a not always connected to intranet and I would prefer to define a more generic way of testing the connectivity so I bypass when I am not in "work-mode" ;)
I to implement this as a simple bash command or script so I can do something like:
#!/bin/bash
is-intranet-on || echo "Yeah, time to do something!"
If I do this I will be include this even on crontab so I can have scheduled tasks that run only when connected to intranet.
I need to make this work on both MacOS and Linux. Currently I use OpenVPN but I think that testing for network interfaces would be the wrong approach because: I could configure the VPN on my router or I could be in the office.
My impression is that the final solution would have to involve some kind of DNS check, but I need to make it kinda safe as I don't want surprised from captive portals that may return me fake IP for a DNS entry.
If for example you know that you have a server named example.intra and the name is only resolvable within the intranet or on VPN, and lets say the name resolves to 10.1.1.3 and the machine is pingable, the code would simply be something like:
is_intranet_on() {
[[ $(dig example.intra +short) == "10.1.1.3" ]] && ping -c 1 example.intra &> /dev/null
}
Which checks that the dns name resolves to a specific ip and then pings the ip to make sure there is at least some kind of network connectivity.
The output will be return code 0 when there is connectivity and return code 1 when there is none. You can put this function in your script, or source it.
You could modify this to use curl instead to check for a https-site by first obtaining the certificate-chain from your server with something like:
openssl s_client -showcerts -servername example.intra -connect example.intra:443 > cacert.pem
This command saves the certs into a file named cacert.pem
And then using curl to check that the server is ok using the certificates:
[[ $(curl -s -I -L -m 4 --cacert cacert.pem https://example.intra | head -n 1) == "HTTP/1.1 200 OK" ]]
Change the string HTTP/1.1 200 OK to whatever your server responds if needed (for example a 204 status or whatever)
I tried to open putty ssh connection over SOCKS5 proxy via command line.
putty.exe -P port -pw password username#host -nc proxyhost:proxyport
This command doesn't work and I think it is incorrect. I tried a lot of variants of this command, but putty user manual doesn't contain necessary information.
I tried to connect to my host throw putty UI and it works fine.
For openSSH similar command looks
ssh -o "ProxyCommand=nc -x proxyhost:proxyport %h %p" -p port username#host
If I were you I would create a "Saved Session" with Putty and launch it via command line:
putty.exe -load session_name
It will be easier to create a "Saved Session" via the PuTTY interface than toying around with the command line. And it seems like you already have it working through the PuTTY interface.
Even though this is an old thread I would like to add my two cents, as I found it hard to gather all the information necessary to set up a working ssh connection over a SOCKS-5 proxy using putty command line and this thread showed up in my result list.
TL;DR
It is currently not possible (as of putty v0.74) to route ssh traffic over a SOCKS-5 proxy using putty or plink as the proxy-command on the command line. You have to use an alternative like ncat for windows, e.g.:
putty -p <targetport> -proxycmd "ncat.exe --proxy-type socks5 --proxy <proxyhost>:<proxyport> <targethost> <targetport>" <targethost>
Details
The putty GUI allows the configuration of an SOCKS-5 proxy, see putty documentation.
As correctly stated in the answer, by BlakBat this configuration can be called via command line using the -load argument.
The command line argument -proxycmd triggers the use of a so called 'local' proxy connection (see the putty documentation again):
> 3.8.3.24 -proxycmd: specify a **local** proxy command
The local proxy command is a command issued on the local machine, that will handle the proxy connection (see the documentation about proxy types). ncat is such a command and it is able to interact with a SOCKS-5 proxy.
Finally, it is tempting to use plink/putty as the proxy command to avoid the use of multiple tools.
Putty claims to provide an alternative to the netcat utility via the -nc argument, however the putty documentation states:
If you want your local proxy command to make a secondary SSH connection to a proxy host and then tunnel the primary connection over that, you might well want the -nc command-line option in Plink.
If you try to use the -nc argument to open a SOCKS-5 connection your SOCKS server log might show something like this:
sockd[1234]: info: block(1): tcp/accept ]: 1.2.3.4.4711 1.2.3.5.1080: error after reading 1 byte in 0 seconds: unknown SOCKS version 83 in client request
This is an indication that an attempt was made to open an SSH session to the SOCKS-5 server.
So, unfortunately, to my knowledge your only chance is to use putty along with a netcat-like tool to establish a proxied SSH connection using an SOCKS-5 proxy.
Simple,
putty -D 8080 <user_id>#<server_name> -pw <password>
When I do:
sudo wget ${FTPpath}* -nc
It gets the files without a problem, but entering a password is awkward for automation. Also just seems like bad practice.
When I leave out the sudo, it does not connect to the ftp server:
--2015-12-09 11:02:17-- ftp://dmanalytics:*password*#10.10.23.32/dmanalytics/download/*
=> ‘.listing’
Connecting to 197.80.203.9:3128... connected.
Logging in as dmanalytics ...
And then it just sits there.
I am working via a proxy, but I don't think its that. Above it says connected, but also I tried:
wget ${FTPpath}* -e use_proxy=yes -e http_proxy=197.80.203.9:3128 -nc
without any success. Any ideas what is causing my failure to log into the ftp server, and how I can fix my wget command so that I don't have to use sudo?
for a programming project I have to do some strange setup. Now, first of all, I have root rights on both servers, and I think an ssh tunnel is the best way (if you have a better idea, please feel free to tell me)
I have to write a piece of software running on an IRC server. That is not difficult, but the IRC server is only reachable on localhost. So I have to ssh to the box first and then use irssi or similar to connect to localhost:6667
Now I tried to do an ssh-tunnel from a second server (where I have irssi running all the time) and then tunnel to the server and use localhost through the tunnel, something like:
ssh -f user#server2 -L 2000:server2:6667 -N
Now this is not working as expected when I use irssi to connect to localhost:2000. I don't understand why, do you have any hint? I would be glad if you could help me.
Regards
Remember that that address you tunnel to (server2:6667 in your case) is from the point of view of the destination. For example: I have a VPS running with ssh installed. If I do ssh -f user#vps -L 2000:localhost:3306 I can connect to the MySql server running on it (which is only listening on the loopback interface).
So assuming the IRC server is running on server2 you should do:
you#server1:~$ ssh -f you#server2 -L 2000:localhost:6667 -N
You can then connect to localhost:2000 (on server1) with your IRC client and get a connection to the IRC-server running on server2.