Security Basics mailing list archives

Re: ssh tunneling to bypass web proxy rules


From: Alexander Klimov <alserkli () inbox ru>
Date: Tue, 23 Aug 2005 10:43:53 +0300 (IDT)

On Sun, 21 Aug 2005, Juan B wrote:
> Someone told me one can pass web proxy restrictions by
> tunneling through ssh to restricted web sites like web
> mail sites in our corporate network. I really want to
> know how he is doing that but I don't know where and
> how to test it, and he of course doesn't tell.

man ssh:
     -L port:host:hostport
           Specifies that the given port on  the  local  (client)
           host  is to be forwarded to the given host and port on
           the remote side. This works by allocating a socket  to
           listen to the port on the local side. Then, whenever a
           connection is made to this  port,  the  connection  is
           forwarded  over the secure channel and a connection is
           made to host port hostport from  the  remote  machine.
           Port  forwardings  can also be specified in the confi-
           guration file.

So you need to:
o  start a proxy (e.g., privoxy) on the remote host,
o  connect with ssh using port forwarding, and
o  set up the local web browser to use localhost:forwarded-port as a proxy.

> I need to close this hole in the network.

If you allow ssh connections to external hosts there is no way to
close such `hole.' Note that if you use a black list of `bad' sites
(and not a white list of allowed web servers) somebody can as easily
use an external http proxy (BTW, even with a white list the google
cache can be used to read `bad' sites). So your best choice is just to
ignore this `problem.'


-- 
Regards,
ASK
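
Added example, not part of the original message: the reply notes that the forwarding cannot be blocked while outbound ssh is allowed, so this sketch shows how an administrator could instead review flow records for outbound ssh sessions that carry browsing-like traffic. The record layout, the internal address range, port 22 and all thresholds are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample flow records (not from the original post).
# Columns: src_ip, dst_ip, dst_port, duration_s, bytes_to_client, bytes_from_client
SAMPLE_FLOWS = """\
10.1.4.23,203.0.113.50,22,14400,48500000,2100000
10.1.4.31,198.51.100.7,22,300,40000,35000
10.1.4.40,10.1.9.5,22,20000,90000000,1000000
10.1.4.52,203.0.113.9,443,7200,60000000,900000
10.1.4.60,198.51.100.77,22,90,120000,52000000
"""

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def flag_ssh_tunnels(flow_csv, ssh_port=22, min_seconds=3600,
                     min_bytes_in=10_000_000, min_ratio=5.0):
    """Return (src, dst) pairs for outbound SSH flows that look like browsing.

    Heuristic with assumed thresholds (tune per site): internal client,
    external server, long-lived, and far more data coming back than going
    out. Large downloads over scp/sftp match too, so hits need review.
    """
    hits = []
    for src, dst, port, dur, b_in, b_out in csv.reader(io.StringIO(flow_csv)):
        if int(port) != ssh_port:
            continue  # only the assumed ssh port is examined
        if not is_internal(src) or is_internal(dst):
            continue  # only internal client -> external server
        ratio = int(b_in) / max(int(b_out), 1)
        if int(dur) >= min_seconds and int(b_in) >= min_bytes_in and ratio >= min_ratio:
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    for src, dst in flag_ssh_tunnels(SAMPLE_FLOWS):
        print(f"review: {src} -> {dst} long-lived download-heavy SSH session")
```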

