SOURCES: connect.html (NEW), connect.c (NEW) b856937f1cdfca7a3ccfb...

qboosh qboosh at pld-linux.org
Wed Nov 15 10:16:53 CET 2006


Author: qboosh                       Date: Wed Nov 15 09:16:52 2006 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
b856937f1cdfca7a3ccfb2fac36ef726  connect.c
bb972b3a9d435c62023b355960d78f78  connect.html

---- Files affected:
SOURCES:
   connect.html (1.3 -> 1.4)  (NEW), connect.c (1.3 -> 1.4)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/connect.html
diff -u /dev/null SOURCES/connect.html:1.4
--- /dev/null	Wed Nov 15 10:16:52 2006
+++ SOURCES/connect.html	Wed Nov 15 10:16:47 2006
@@ -0,0 +1,1142 @@
+<?xml version="1.0" encoding="us-ascii"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+  "http://www.w3.org/TR/xhtml1/DTD/strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <title>SSH Proxy Command -- connect.c</title>
+    <meta name="generator" content="emacs-wiki.el" />
+    <meta http-equiv="Content-Type"
+	  content="us-ascii" />
+    <link rev="made" href="mailto:gotoh at taiyo.co.jp" />
+    <link rel="home" href="http://www.taiyo.co.jp/~gotoh/" />
+    <link rel="index" href="http://www.taiyo.co.jp/~gotoh/SiteIndex.html" />
+    <link rel="stylesheet" type="text/css" href="emacs-wiki.css" />
+  </head>
+  <body>
+    <h1>SSH Proxy Command -- connect.c</h1>
+    <!-- Page published by Emacs Wiki begins here -->
+<p>
+<strong>connect.c</strong> is the simple relaying command to make network
+connection via SOCKS and https proxy. It is mainly intended to
+be used as <strong>proxy command</strong> of OpenSSH.  You can make SSH session
+beyond the firewall with this command,
+
+</p>
+
+<p>
+Features of <strong>connect.c</strong> are:
+
+</p>
+
+<ul>
+<li>Supports SOCKS (version 4/4a/5) and https CONNECT method.
+</li>
+<li>Supports NO-AUTH and USERPASS authentication of SOCKS
+</li>
+<li>Partially supports telnet proxy (experimental).
+</li>
+<li>You can input password from tty, ssh-askpass or
+     environment variable.
+</li>
+<li>Run on UNIX or Windows platform.
+</li>
+<li>You can compile with various C compiler (cc, gcc, Visual C, Borland C. etc.)
+</li>
+<li>Simple and general program independent from OpenSSH.
+</li>
+<li>You can also relay local socket stream instead of standard I/O.
+</li>
+</ul>
+
+<p>
+Download source code from:
+<a href="http://www.taiyo.co.jp/~gotoh/ssh/connect.c">http://www.taiyo.co.jp/~gotoh/ssh/connect.c</a>
+<br/>
+For windows user, pre-compiled binary is also available:
+<a href="http://www.taiyo.co.jp/~gotoh/ssh/connect.exe">http://www.taiyo.co.jp/~gotoh/ssh/connect.exe</a> (compiled with MSVC)
+
+</p>
+
+<h2>Contents</h2>
+<dl class="contents">
+<dt class="contents">
+<a href="#sec1">News</a>
+</dt>
+<dt class="contents">
+<a href="#sec2">What is 'proxy command'</a>
+</dt>
+<dt class="contents">
+<a href="#sec3">How to Use</a>
+</dt>
+<dd>
+<dl class="contents">
+<dt class="contents">
+<a href="#sec4">Get Source</a>
+</dt>
+<dt class="contents">
+<a href="#sec5">Compile and Install</a>
+</dt>
+<dt class="contents">
+<a href="#sec6">Modify your ~/.ssh/config</a>
+</dt>
+<dt class="contents">
+<a href="#sec7">Use SSH</a>
+</dt>
+<dt class="contents">
+<a href="#sec8">Have trouble?</a>
+</dt>
+</dl>
+</dd>
+<dt class="contents">
+<a href="#sec9">More Detail</a>
+</dt>
+<dt class="contents">
+<a href="#sec10">Specifying user name via environment variables</a>
+</dt>
+<dt class="contents">
+<a href="#sec11">Specifying password via environment variables</a>
+</dt>
+<dt class="contents">
+<a href="#sec12">Limitations</a>
+</dt>
+<dd>
+<dl class="contents">
+<dt class="contents">
+<a href="#sec13">SOCKS5 authentication</a>
+</dt>
+<dt class="contents">
+<a href="#sec14">HTTP authentication</a>
+</dt>
+<dt class="contents">
+<a href="#sec15">Switching proxy server</a>
+</dt>
+<dt class="contents">
+<a href="#sec16">Telnet Proxy</a>
+</dt>
+</dl>
+</dd>
+<dt class="contents">
+<a href="#sec17">Tips</a>
+</dt>
+<dd>
+<dl class="contents">
+<dt class="contents">
+<a href="#sec18">Proxying socket connection</a>
+</dt>
+<dt class="contents">
+<a href="#sec19">Use with ssh-askpass command</a>
+</dt>
+<dt class="contents">
+<a href="#sec20">Use for Network Stream of Emacs</a>
+</dt>
+<dt class="contents">
+<a href="#sec21">Remote resolver</a>
+</dt>
+<dt class="contents">
+<a href="#sec22">Hopping Connection via SSH</a>
+</dt>
+</dl>
+</dd>
+<dt class="contents">
+<a href="#sec23">Break The More Restricted Wall</a>
+</dt>
+<dt class="contents">
+<a href="#sec24">F.Y.I.</a>
+</dt>
+<dd>
+<dl class="contents">
+<dt class="contents">
+<a href="#sec25">Difference between SOCKS versions.</a>
+</dt>
+<dt class="contents">
+<a href="#sec26">Configuration to use HTTPS</a>
+</dt>
+<dt class="contents">
+<a href="#sec27">SOCKS5 Servers</a>
+</dt>
+<dt class="contents">
+<a href="#sec28">Specifications</a>
+</dt>
+<dt class="contents">
+<a href="#sec29">Related Links</a>
+</dt>
+<dt class="contents">
+<a href="#sec30">Similars</a>
+</dt>
+</dl>
+</dd>
+<dt class="contents">
+<a href="#sec31">hisotry</a>
+</dt>
+</dl>
+
+
+<h2><a name="sec1" id="sec1"></a>News</h2>
+<dl>
+<dt>2005-07-08</dt>
+<dd>
+Rev. 1.95. Buf fix for previous change. The bug causes the fail of
+  basic authentication. And also fixed bug of parameter file handling.
+  Thanks reporting, Johannes Schindelin <Johannes.Schindelin at gmx.de>.
+</dd>
+<dt>2005-07-07</dt>
+<dd>
+Rev. 1.94. Changed to use snprintf()/vsnprintf() for security issue
+  that gcc complained them on OpenBSD 3.7/x86. The features are not
+  changed.
+</dd>
+<dt>2005-03-04</dt>
+<dd>
+Updated compile option for Mac OS X.
+</dd>
+<dt>2005-02-21</dt>
+<dd>
+Rev.1.92. Removed assertions which has no mean and worse for windows
+  suggested by OZAWA Takahiro.
+</dd>
+<dt>2005-01-12</dt>
+<dd>
+Rev.1.90. Fixed not to cause seg-fault on accessing to non HTTP
+  port. This problem is reported by Jason Armstrong <ja at riverdrums.com>.
+</dd>
+<dt>2004-10-30</dt>
+<dd>
+Rev.1.89. Partial support for telnet proxy.
+  Thanks to Gregory Shimansky &lt;gshimansky at mail dot ru&gt;. 
+  (Note: This is ad-hoc implementation, so it is not enough for
+  various type of telnet proxies.
+  And password interaction is not supported.)
+</dd>
+</dl>
+
+<h2><a name="sec2" id="sec2"></a>What is 'proxy command'</h2>
+
+<p>
+OpenSSH development team decides to stop supporting SOCKS and any
+other tunneling mechanism. It was aimed to separate complexity to
+support various mechanism of proxying from core code.  And they
+recommends more flexible mechanism: <strong>ProxyCommand</strong> option
+instead.
+
+</p>
+
+<p>
+Proxy command mechanism is delegation of network stream
+communication.  If <strong>ProxyCommand</strong> options is specified, SSH
+invoke specified external command and talk with standard I/O of thid
+command.  Invoked command undertakes network communication with
+relaying to/from standard input/output including iniitial
+communication or negotiation for proxying.  Thus, ssh can split out
+proxying code into external command.
+
+</p>
+
+<p>
+The <strong>connect.c</strong> program was made for this purpose.
+
+</p>
+
+<h2><a name="sec3" id="sec3"></a>How to Use</h2>
+
+<h3><a name="sec4" id="sec4"></a>Get Source</h3>
+
+<p>
+Download source code from <a href="http://www.taiyo.co.jp/~gotoh/ssh/connect.c">here</a>.
+<br/>
+If you are MS Windows user, you can get pre-compiled binary from
+<a href="http://www.taiyo.co.jp/~gotoh/ssh/connect.exe">here</a>.
+
+</p>
+
+<h3><a name="sec5" id="sec5"></a>Compile and Install</h3>
+
+<p>
+In most environment, you can compile <strong>connect.c</strong> simply.
+On UNIX environment, you can use cc or gcc.
+On Windows environment, you can use Microsoft Visual C, Borland C or Cygwin gcc.
+
+</p>
+
+<table border="2" cellpadding="5">
+<thead>
+<tr>
+<th>Compiler</th><th>command line to compile</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>UNIX cc</td><td>cc connect.c -o connect</td>
+</tr>
+<tr>
+<td>UNIX gcc</td><td>gcc connect.c -o connect</td>
+</tr>
+<tr>
+<td>Solaris</td><td>gcc connect.c -o connect -lnsl -lsocket -lresolv</td>
+</tr>
+<tr>
+<td>Microsoft Visual C/C++</td><td>cl connect.c wsock32.lib advapi32.lib</td>
+</tr>
+<tr>
+<td>Borland C</td><td>bcc32 connect.c wsock32.lib advapi32.lib</td>
+</tr>
+<tr>
+<td>Cygwin gcc</td><td>gcc connect.c -o connect</td>
+</tr>
+<tr>
+<td>Mac OS X</td><td>gcc connect.c -o connect -lresolv<br/>or<br/>gcc connect.c -o connect -DBIND_8_COMPAT=1</td>
+</tr>
+</tbody>
+</table>
+
+<p>
+To install <strong>connect</strong> command, simply copy compiled binary to directory
+in your PATH (ex. /usr/local/bin).  Like this:
+
+</p>
+
+<pre class="example">
+$ cp connect /usr/local/bin
+</pre>
+
+<h3><a name="sec6" id="sec6"></a>Modify your ~/.ssh/config</h3>
+
+<p>
+Modify your <code>~/.ssh/config</code> file to use <strong>connect</strong> command as
+<strong>proxy command</strong>.  For the case of SOCKS server is running on
+firewall host <code>socks.local.net</code> with port 1080, you can add
+<strong>ProxyCommand</strong> option in <code>~/.ssh/config</code>, like this:
+
+</p>
+
+<pre class="example">
+Host remote.outside.net
+  ProxyCommand connect -S socks.local.net %h %p
+</pre>
+
+<p>
+<code>%h</code> and <code>%p</code> will be replaced on invoking proxy command with
+target hostname and port specified to SSH command.
+
+</p>
+
+<p>
+If you hate writing many entries of remote hosts, following example
+may help you.
+
+</p>
+
+<pre class="example">
+## Inside of the firewall, use connect command with direct connection.
+Host *.local.net
+  ProxyCommand connect %h %p
+
+## Outside of the firewall, use connect command with SOCKS conenction.
+Host *
+  ProxyCommand connect -S socks.local.net %h %p
+</pre>
+
+<p>
+If you want to use http proxy, use <strong>-H</strong> option instead of <strong>-S</strong>
+option in examle above, like this:
+
+</p>
+
+<pre class="example">
+## Inside of the firewall, direct
+Host *.local.net
+  ProxyCommand connect %h %p
+
+## Outside of the firewall, with HTTP proxy
+Host *
+  ProxyCommand connect -H proxy.local.net:8080 %h %p
+</pre>
+
+<h3><a name="sec7" id="sec7"></a>Use SSH</h3>
+
+<p>
+After editing your <code>~/.ssh/config</code> file, you are ready to use ssh.
+You can execute ssh without any special options as if remote host is
+IP reachable host.  Following is an example to execute <code>hostname</code>
+command on host <code>remote.outside.net</code>.
+
+</p>
+
+<pre class="example">
+$ ssh remote.outside.net hostname
+remote.outside.net
+$
+</pre>
+
+<h3><a name="sec8" id="sec8"></a>Have trouble?</h3>
+
+<p>
+If you have trouble, execute <strong>connect</strong> command from command line
+with <code>-d</code> option to see what is happened. Some debug message may
+appear and reports progress. This information may tell you what is
+wrong. In this example, error has occurred on authentication stage of
+SOCKS5 protocol.
+
+</p>
+
+<pre class="example">
+$ connect -d -S socks.local.net unknown.remote.outside.net 110
+DEBUG: relay_method = SOCKS (2)
+DEBUG: relay_host=socks.local.net
+DEBUG: relay_port=1080
+DEBUG: relay_user=gotoh
+DEBUG: socks_version=5
+DEBUG: socks_resolve=REMOTE (2)
+DEBUG: local_type=stdio
+DEBUG: dest_host=unknown.remote.outside.net
+DEBUG: dest_port=110
+DEBUG: Program is $Revision$
+DEBUG: connecting to xxx.xxx.xxx.xxx:1080
+DEBUG: begin_socks_relay()
+DEBUG: atomic_out()  [4 bytes]
+DEBUG: &gt;&gt;&gt; 05 02 00 02
+DEBUG: atomic_in() [2 bytes]
+DEBUG: &lt;&lt;&lt; 05 02
+DEBUG: auth method: USERPASS
+DEBUG: atomic_out()  [some bytes]
+DEBUG: &gt;&gt;&gt; xx xx xx xx ...
+DEBUG: atomic_in() [2 bytes]
+DEBUG: &lt;&lt;&lt; 01 01
+ERROR: Authentication faield.
+FATAL: failed to begin relaying via SOCKS.
+</pre>
+
+<h2><a name="sec9" id="sec9"></a>More Detail</h2>
+
+<p>
+Command line usage is here:
+
+</p>
+
+<pre class="example">
+usage:  connect [-dnhst45] [-R resolve] [-p local-port] [-w sec]
+		[-H [user@]proxy-server[:port]]
+		[-S [user@]socks-server[:port]]
+		[-T socks-server:[port]]
+                [-c telnet-proxy-command]
+		host port
+</pre>
+
+<p>
+<strong><em>host</em></strong> and <strong><em>port</em></strong> is target hostname and port-number to connect.
+
+</p>
+
+<p>
+<strong>-H</strong> option specify hostname and port number of http proxy server to
+relay. If port is omitted, 80 is used. You can specify this value by
+environment variable <code>HTTP_PROXY</code> and give <strong>-h</strong> option to use it.
+
+</p>
+
+<p>
+<strong>-S</strong> option specify hostname and port number of SOCKS server to
+relay.  Like <strong>-H</strong> option, port number can be omit and default is 1080. 
+You can also specify this value pair by environment variable
+<code>SOCKS5_SERVER</code> and give <strong>-s</strong> option to use it.
+
+</p>
+
+<p>
+<strong>-T</strong> option specify hostname and port number of telnet proxy to
+relay. The port number can be omit and default is 23.
+You can also specify this value pair by environment variable
+<code>TELNET_PROXY</code> and give <strong>-t</strong> option to use it.
+
+</p>
+
+<p>
+<strong>-4</strong> and <strong>-5</strong> is for specifying SOCKS protocol version. It is
+valid only using with <strong>-s</strong> or <strong>-S</strong>. Default is <strong>-5</strong>
+(protocol version 5)
+
+</p>
+
+<p>
+<strong>-R</strong> is for specifying method to resolve hostname. 3 keywords
+(<code>local</code>, <code>remote</code>, <code>both</code>) or dot-notation IP address is
+allowed.  Keyword <code>both</code> means; "Try local first, then
+remote". If dot-notation IP address is specified, use this host as
+nameserver (UNIX only). Default is <code>remote</code> for SOCKS5 or <code>local</code>
+for others. On SOCKS4 protocol, remote resolving method (<code>remote</code>
+and <code>both</code>) use protocol version 4a.
+
+</p>
+
+<p>
+The <strong>-p</strong> option specifys to wait a local TCP port and make relaying
+with it instead of standard input and output.
+
+</p>
+
+<p>
+The <strong>-w</strong> option specifys timeout seconds on making connection with
+target host.
+
+</p>
+
+<p>
+The <strong>-c</strong> option specifys request string against telnet
+proxy server. The special word '%h' and '%p' in this string are replaced
+as hostname and port number before sending. 
+For telnet proxy by <a class="nonexistent" href="mailto:gotoh at taiyo.co.jp">DeleGate</a>, both "telnet %h %p" and "%h:%p"
+are acceptable.
+Default is "telnet %h %p".
+
+</p>
+
+<p>
+The <strong>-a</strong> option specifiys user intended authentication methods
+separated by comma.  Currently <code>userpass</code> and <code>none</code> are
+supported. Default is <code>userpass</code>. You can also specifying this
+parameter by the environment variable <code>SOCKS5_AUTH</code>.
+
+</p>
+
+<p>
+The <strong>-d</strong> option is used for debug. If you fail to connect, use this
+and check request to and response from server.
+
+</p>
+
+<p>
+You can omit <strong><em>port</em></strong> argument when program name is special format
+containing port number itself. For example, 
+
+</p>
+
+<pre class="example">
+$ ln -s connect connect-25
+$ ./connect-25 smtphost.outside.net
+220 smtphost.outside.net ESMTP Sendmail
+QUIT
+221 2.0.0 smtphost.remote.net closing connection
+$
+</pre>
+
+<p>
+This example means that the command name "<code>connect-25</code>" contains port number
+25 so you can omit 2nd argument (and used if specified explicitly).
+
+</p>
+
+<h2><a name="sec10" id="sec10"></a>Specifying user name via environment variables</h2>
+
+<p>
+There are 5 environemnt variables to specify
+user name without command line option. This mechanism is usefull
+for the user who using another user name different from system account.
+
+</p>
+
+<dl>
+<dt>SOCKS5_USER</dt>
+<dd>
+Used for SOCKS v5 access.
+</dd>
+<dt>SOCKS4_USER</dt>
+<dd>
+Used for SOCKS v4 access.
+</dd>
+<dt>SOCKS_USER</dt>
+<dd>
+Used for SOCKS v5 or v4 access and varaibles above are not defined.
+</dd>
+<dt>HTTP_PROXY_USER</dt>
+<dd>
+Used for HTTP proxy access.
+</dd>
+<dt>CONNECT_USER</dt>
+<dd>
+Used for all type of access if all above are not defined.
+</dd>
+</dl>
+
+<p>
+Following table describes how user name is determined.
+Left most number is order to check. If variable is not defined,
+check next variable, and so on.
+
+</p>
+
+<table border=1>
+<tr align=center><th></th><th>SOCKS v5</th><th>SOCKS v4</th><th>HTTP proxy</th></tr>
+<tr align=center><td>1</td><td>SOCKS5_USER</td><td>SOCKS4_USER</td><td rowspan=2>HTTP_PROXY_USER</td></tr>
+<tr align=center><td>2</td><td colspan=2>SOCKS_USER</td></tr>
+<tr align=center><td>3</td><td colspan=3>CONNECT_USER</td></tr>
+<tr align=center><td>4</td><td colspan=3><i>(query user name to system)</i></td></tr>
+</table>
+
+<h2><a name="sec11" id="sec11"></a>Specifying password via environment variables</h2>
+
+<p>
+There are 5 environemnt variables to specify
+password. If you use this feature, please note that it is
+not secure way.
+
+</p>
+
+<dl>
+<dt>SOCKS5_PASSWD</dt>
+<dd>
+Used for SOCKS v5 access. This variables is compatible
+  with NEC SOCKS implementation.
+</dd>
+<dt>SOCKS5_PASSWORD</dt>
+<dd>
+Used for SOCKS v5 access if SOCKS5_PASSWD is not defined.
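Review bot: the added connect.html declares the XHTML 1.0 Strict DOCTYPE but contains markup that is not valid under it: the `<meta http-equiv="Content-Type" content="us-ascii" />` in the head gives only a charset where a media type is required (it should read `content="text/html; charset=us-ascii"`), and the user-name lookup table under "Specifying user name via environment variables" uses unquoted attributes (`<table border=1>`, `<tr align=center>`, `rowspan=2`, `colspan=2`) plus the `align` attribute on `tr`, which Strict does not allow. Since the file is shipped verbatim as packaged documentation, it would be worth either quoting those attributes and dropping `align` (or moving it to CSS) or relaxing the DOCTYPE to Transitional so the file validates as declared. Two smaller points in the same hunk: the DeleGate link in the `-c` option paragraph is a `mailto:` anchor carrying `class="nonexistent"`, i.e. a broken wiki link rather than a reference to the DeleGate project, and the "Specifying password via environment variables" section warns that the feature "is not secure way" without saying why; a one-line reason (a process environment can be read by other local users and tends to leak into logs and child processes) would make the warning actionable for the packager's users. Typos in the hunk ("Buf fix", "hisotry" in the contents list, "Authentication faield." in the quoted debug output) are upstream text and can be left for upstream.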
<<Diff was trimmed, longer than 597 lines>>


More information about the pld-cvs-commit mailing list