Friday, October 8, 2010

Hiding a sshd inside a httpd trickery

If you always asked yourself how you could run both a sshd and
an apache (or a lophttpd!) on the same TCP port 80
without patching any client or server software and still
getting always the right service, you should
have a look at sshttp.

4 comments:

Anonymous said...

It seems a better software than what I've seen before, since the real IP is showed to the server (SSH or HTTP) instead of just localhost. It requires more netfilter trickery however, but I think this is mandatory…
Anyway, I think the default port should be 443, since this is the only port that is allowed to forward a CONNECT command to open an SSH connection.
And one more question: will it be easy to do it using IPv6? I don't have the need for the moment, but just in case you have spare time :p

Adrien Clerc said...

Hi!

I forgot something in the previous comment. In fact I've just tested the HTTPS connection, and, as you might expect, it doesn't work. But as I said, I use it on the port 443, to have the choice between SSH and HTTPS. And the test to find the right port try to look for the 'HTTP' string inside the received bytes, which obviously doesn't exist in an HTTPS stream.
Do you know so much SSH client that send something before receiving the server banner?
Anyway, I think I'll modify this for my own usage :)

Adrien Clerc said...

It's me again ;)
In RFC 4253 §4.2 :
When the connection has been established, both sides MUST send an identification string. This identification string MUST be
SSH-protoversion-softwareversion SP comments CR LF

This means that instead of testing for "HTTP" in the request, "SSH" can be used, since it's the only valid request the client can send.

What do you think of this?

Sebastian said...

The RFC says that both sides must
send a SSH version string, however
it might happen that the client is waiting for the server string before
it is sending its own string
(as in openssh case). Therefore
we can only rely on HTTP to detect
the protocol since the client needs
to send his request before the server.

I do not have the SSL protocol in mind, but it should be possible
if the client sends a handshake to
detect it.
IP6 should be possible too, however
I dont know yet if IP_TRANSPARENT can
be applied to AF_INET6 sockets.

I dont understand the CONNECT argument.