SOURCES: connect.html (NEW), connect.c (NEW) b856937f1cdfca7a3ccfb...
qboosh
qboosh at pld-linux.org
Wed Nov 15 10:16:53 CET 2006
Author: qboosh Date: Wed Nov 15 09:16:52 2006 GMT
Module: SOURCES Tag: HEAD
---- Log message:
b856937f1cdfca7a3ccfb2fac36ef726 connect.c
bb972b3a9d435c62023b355960d78f78 connect.html
---- Files affected:
SOURCES:
connect.html (1.3 -> 1.4) (NEW), connect.c (1.3 -> 1.4) (NEW)
---- Diffs:
================================================================
Index: SOURCES/connect.html
diff -u /dev/null SOURCES/connect.html:1.4
--- /dev/null Wed Nov 15 10:16:52 2006
+++ SOURCES/connect.html Wed Nov 15 10:16:47 2006
@@ -0,0 +1,1142 @@
+<?xml version="1.0" encoding="us-ascii"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <title>SSH Proxy Command -- connect.c</title>
+ <meta name="generator" content="emacs-wiki.el" />
+ <meta http-equiv="Content-Type"
+ content="us-ascii" />
+ <link rev="made" href="mailto:gotoh at taiyo.co.jp" />
+ <link rel="home" href="http://www.taiyo.co.jp/~gotoh/" />
+ <link rel="index" href="http://www.taiyo.co.jp/~gotoh/SiteIndex.html" />
+ <link rel="stylesheet" type="text/css" href="emacs-wiki.css" />
+ </head>
+ <body>
+ <h1>SSH Proxy Command -- connect.c</h1>
+ <!-- Page published by Emacs Wiki begins here -->
+<p>
+<strong>connect.c</strong> is the simple relaying command to make network
+connection via SOCKS and https proxy. It is mainly intended to
+be used as <strong>proxy command</strong> of OpenSSH. You can make SSH session
+beyond the firewall with this command,
+
+</p>
+
+<p>
+Features of <strong>connect.c</strong> are:
+
+</p>
+
+<ul>
+<li>Supports SOCKS (version 4/4a/5) and https CONNECT method.
+</li>
+<li>Supports NO-AUTH and USERPASS authentication of SOCKS
+</li>
+<li>Partially supports telnet proxy (experimental).
+</li>
+<li>You can input password from tty, ssh-askpass or
+ environment variable.
+</li>
+<li>Run on UNIX or Windows platform.
+</li>
+<li>You can compile with various C compiler (cc, gcc, Visual C, Borland C. etc.)
+</li>
+<li>Simple and general program independent from OpenSSH.
+</li>
+<li>You can also relay local socket stream instead of standard I/O.
+</li>
+</ul>
+
+<p>
+Download source code from:
+<a href="http://www.taiyo.co.jp/~gotoh/ssh/connect.c">http://www.taiyo.co.jp/~gotoh/ssh/connect.c</a>
+<br/>
+For windows user, pre-compiled binary is also available:
+<a href="http://www.taiyo.co.jp/~gotoh/ssh/connect.exe">http://www.taiyo.co.jp/~gotoh/ssh/connect.exe</a> (compiled with MSVC)
+
+</p>
+
+<h2>Contents</h2>
+<dl class="contents">
+<dt class="contents">
+<a href="#sec1">News</a>
+</dt>
+<dt class="contents">
+<a href="#sec2">What is 'proxy command'</a>
+</dt>
+<dt class="contents">
+<a href="#sec3">How to Use</a>
+</dt>
+<dd>
+<dl class="contents">
+<dt class="contents">
+<a href="#sec4">Get Source</a>
+</dt>
+<dt class="contents">
+<a href="#sec5">Compile and Install</a>
+</dt>
+<dt class="contents">
+<a href="#sec6">Modify your ~/.ssh/config</a>
+</dt>
+<dt class="contents">
+<a href="#sec7">Use SSH</a>
+</dt>
+<dt class="contents">
+<a href="#sec8">Have trouble?</a>
+</dt>
+</dl>
+</dd>
+<dt class="contents">
+<a href="#sec9">More Detail</a>
+</dt>
+<dt class="contents">
+<a href="#sec10">Specifying user name via environment variables</a>
+</dt>
+<dt class="contents">
+<a href="#sec11">Specifying password via environment variables</a>
+</dt>
+<dt class="contents">
+<a href="#sec12">Limitations</a>
+</dt>
+<dd>
+<dl class="contents">
+<dt class="contents">
+<a href="#sec13">SOCKS5 authentication</a>
+</dt>
+<dt class="contents">
+<a href="#sec14">HTTP authentication</a>
+</dt>
+<dt class="contents">
+<a href="#sec15">Switching proxy server</a>
+</dt>
+<dt class="contents">
+<a href="#sec16">Telnet Proxy</a>
+</dt>
+</dl>
+</dd>
+<dt class="contents">
+<a href="#sec17">Tips</a>
+</dt>
+<dd>
+<dl class="contents">
+<dt class="contents">
+<a href="#sec18">Proxying socket connection</a>
+</dt>
+<dt class="contents">
+<a href="#sec19">Use with ssh-askpass command</a>
+</dt>
+<dt class="contents">
+<a href="#sec20">Use for Network Stream of Emacs</a>
+</dt>
+<dt class="contents">
+<a href="#sec21">Remote resolver</a>
+</dt>
+<dt class="contents">
+<a href="#sec22">Hopping Connection via SSH</a>
+</dt>
+</dl>
+</dd>
+<dt class="contents">
+<a href="#sec23">Break The More Restricted Wall</a>
+</dt>
+<dt class="contents">
+<a href="#sec24">F.Y.I.</a>
+</dt>
+<dd>
+<dl class="contents">
+<dt class="contents">
+<a href="#sec25">Difference between SOCKS versions.</a>
+</dt>
+<dt class="contents">
+<a href="#sec26">Configuration to use HTTPS</a>
+</dt>
+<dt class="contents">
+<a href="#sec27">SOCKS5 Servers</a>
+</dt>
+<dt class="contents">
+<a href="#sec28">Specifications</a>
+</dt>
+<dt class="contents">
+<a href="#sec29">Related Links</a>
+</dt>
+<dt class="contents">
+<a href="#sec30">Similars</a>
+</dt>
+</dl>
+</dd>
+<dt class="contents">
+<a href="#sec31">hisotry</a>
+</dt>
+</dl>
+
+
+<h2><a name="sec1" id="sec1"></a>News</h2>
+<dl>
+<dt>2005-07-08</dt>
+<dd>
+Rev. 1.95. Buf fix for previous change. The bug causes the fail of
+ basic authentication. And also fixed bug of parameter file handling.
+ Thanks reporting, Johannes Schindelin <Johannes.Schindelin at gmx.de>.
+</dd>
+<dt>2005-07-07</dt>
+<dd>
+Rev. 1.94. Changed to use snprintf()/vsnprintf() for security issue
+ that gcc complained them on OpenBSD 3.7/x86. The features are not
+ changed.
+</dd>
+<dt>2005-03-04</dt>
+<dd>
+Updated compile option for Mac OS X.
+</dd>
+<dt>2005-02-21</dt>
+<dd>
+Rev.1.92. Removed assertions which has no mean and worse for windows
+ suggested by OZAWA Takahiro.
+</dd>
+<dt>2005-01-12</dt>
+<dd>
+Rev.1.90. Fixed not to cause seg-fault on accessing to non HTTP
+ port. This problem is reported by Jason Armstrong <ja at riverdrums.com>.
+</dd>
+<dt>2004-10-30</dt>
+<dd>
+Rev.1.89. Partial support for telnet proxy.
+ Thanks to Gregory Shimansky <gshimansky at mail dot ru>.
+ (Note: This is ad-hoc implementation, so it is not enough for
+ various type of telnet proxies.
+ And password interaction is not supported.)
+</dd>
+</dl>
+
+<h2><a name="sec2" id="sec2"></a>What is 'proxy command'</h2>
+
+<p>
+OpenSSH development team decides to stop supporting SOCKS and any
+other tunneling mechanism. It was aimed to separate complexity to
+support various mechanism of proxying from core code. And they
+recommends more flexible mechanism: <strong>ProxyCommand</strong> option
+instead.
+
+</p>
+
+<p>
+Proxy command mechanism is delegation of network stream
+communication. If <strong>ProxyCommand</strong> options is specified, SSH
+invoke specified external command and talk with standard I/O of thid
+command. Invoked command undertakes network communication with
+relaying to/from standard input/output including iniitial
+communication or negotiation for proxying. Thus, ssh can split out
+proxying code into external command.
+
+</p>
+
+<p>
+The <strong>connect.c</strong> program was made for this purpose.
+
+</p>
+
+<h2><a name="sec3" id="sec3"></a>How to Use</h2>
+
+<h3><a name="sec4" id="sec4"></a>Get Source</h3>
+
+<p>
+Download source code from <a href="http://www.taiyo.co.jp/~gotoh/ssh/connect.c">here</a>.
+<br/>
+If you are MS Windows user, you can get pre-compiled binary from
+<a href="http://www.taiyo.co.jp/~gotoh/ssh/connect.exe">here</a>.
+
+</p>
+
+<h3><a name="sec5" id="sec5"></a>Compile and Install</h3>
+
+<p>
+In most environment, you can compile <strong>connect.c</strong> simply.
+On UNIX environment, you can use cc or gcc.
+On Windows environment, you can use Microsoft Visual C, Borland C or Cygwin gcc.
+
+</p>
+
+<table border="2" cellpadding="5">
+<thead>
+<tr>
+<th>Compiler</th><th>command line to compile</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>UNIX cc</td><td>cc connect.c -o connect</td>
+</tr>
+<tr>
+<td>UNIX gcc</td><td>gcc connect.c -o connect</td>
+</tr>
+<tr>
+<td>Solaris</td><td>gcc connect.c -o connect -lnsl -lsocket -lresolv</td>
+</tr>
+<tr>
+<td>Microsoft Visual C/C++</td><td>cl connect.c wsock32.lib advapi32.lib</td>
+</tr>
+<tr>
+<td>Borland C</td><td>bcc32 connect.c wsock32.lib advapi32.lib</td>
+</tr>
+<tr>
+<td>Cygwin gcc</td><td>gcc connect.c -o connect</td>
+</tr>
+<tr>
+<td>Mac OS X</td><td>gcc connect.c -o connect -lresolv<br/>or<br/>gcc connect.c -o connect -DBIND_8_COMPAT=1</td>
+</tr>
+</tbody>
+</table>
+
+<p>
+To install <strong>connect</strong> command, simply copy compiled binary to directory
+in your PATH (ex. /usr/local/bin). Like this:
+
+</p>
+
+<pre class="example">
+$ cp connect /usr/local/bin
+</pre>
+
+<h3><a name="sec6" id="sec6"></a>Modify your ~/.ssh/config</h3>
+
+<p>
+Modify your <code>~/.ssh/config</code> file to use <strong>connect</strong> command as
+<strong>proxy command</strong>. For the case of SOCKS server is running on
+firewall host <code>socks.local.net</code> with port 1080, you can add
+<strong>ProxyCommand</strong> option in <code>~/.ssh/config</code>, like this:
+
+</p>
+
+<pre class="example">
+Host remote.outside.net
+ ProxyCommand connect -S socks.local.net %h %p
+</pre>
+
+<p>
+<code>%h</code> and <code>%p</code> will be replaced on invoking proxy command with
+target hostname and port specified to SSH command.
+
+</p>
+
+<p>
+If you hate writing many entries of remote hosts, following example
+may help you.
+
+</p>
+
+<pre class="example">
+## Inside of the firewall, use connect command with direct connection.
+Host *.local.net
+ ProxyCommand connect %h %p
+
+## Outside of the firewall, use connect command with SOCKS conenction.
+Host *
+ ProxyCommand connect -S socks.local.net %h %p
+</pre>
+
+<p>
+If you want to use http proxy, use <strong>-H</strong> option instead of <strong>-S</strong>
+option in examle above, like this:
+
+</p>
+
+<pre class="example">
+## Inside of the firewall, direct
+Host *.local.net
+ ProxyCommand connect %h %p
+
+## Outside of the firewall, with HTTP proxy
+Host *
+ ProxyCommand connect -H proxy.local.net:8080 %h %p
+</pre>
+
+<h3><a name="sec7" id="sec7"></a>Use SSH</h3>
+
+<p>
+After editing your <code>~/.ssh/config</code> file, you are ready to use ssh.
+You can execute ssh without any special options as if remote host is
+IP reachable host. Following is an example to execute <code>hostname</code>
+command on host <code>remote.outside.net</code>.
+
+</p>
+
+<pre class="example">
+$ ssh remote.outside.net hostname
+remote.outside.net
+$
+</pre>
+
+<h3><a name="sec8" id="sec8"></a>Have trouble?</h3>
+
+<p>
+If you have trouble, execute <strong>connect</strong> command from command line
+with <code>-d</code> option to see what is happened. Some debug message may
+appear and reports progress. This information may tell you what is
+wrong. In this example, error has occurred on authentication stage of
+SOCKS5 protocol.
+
+</p>
+
+<pre class="example">
+$ connect -d -S socks.local.net unknown.remote.outside.net 110
+DEBUG: relay_method = SOCKS (2)
+DEBUG: relay_host=socks.local.net
+DEBUG: relay_port=1080
+DEBUG: relay_user=gotoh
+DEBUG: socks_version=5
+DEBUG: socks_resolve=REMOTE (2)
+DEBUG: local_type=stdio
+DEBUG: dest_host=unknown.remote.outside.net
+DEBUG: dest_port=110
+DEBUG: Program is $Revision$
+DEBUG: connecting to xxx.xxx.xxx.xxx:1080
+DEBUG: begin_socks_relay()
+DEBUG: atomic_out() [4 bytes]
+DEBUG: >>> 05 02 00 02
+DEBUG: atomic_in() [2 bytes]
+DEBUG: <<< 05 02
+DEBUG: auth method: USERPASS
+DEBUG: atomic_out() [some bytes]
+DEBUG: >>> xx xx xx xx ...
+DEBUG: atomic_in() [2 bytes]
+DEBUG: <<< 01 01
+ERROR: Authentication faield.
+FATAL: failed to begin relaying via SOCKS.
+</pre>
+
+<h2><a name="sec9" id="sec9"></a>More Detail</h2>
+
+<p>
+Command line usage is here:
+
+</p>
+
+<pre class="example">
+usage: connect [-dnhst45] [-R resolve] [-p local-port] [-w sec]
+ [-H [user@]proxy-server[:port]]
+ [-S [user@]socks-server[:port]]
+ [-T socks-server:[port]]
+ [-c telnet-proxy-command]
+ host port
+</pre>
+
+<p>
+<strong><em>host</em></strong> and <strong><em>port</em></strong> is target hostname and port-number to connect.
+
+</p>
+
+<p>
+<strong>-H</strong> option specify hostname and port number of http proxy server to
+relay. If port is omitted, 80 is used. You can specify this value by
+environment variable <code>HTTP_PROXY</code> and give <strong>-h</strong> option to use it.
+
+</p>
+
+<p>
+<strong>-S</strong> option specify hostname and port number of SOCKS server to
+relay. Like <strong>-H</strong> option, port number can be omit and default is 1080.
+You can also specify this value pair by environment variable
+<code>SOCKS5_SERVER</code> and give <strong>-s</strong> option to use it.
+
+</p>
+
+<p>
+<strong>-T</strong> option specify hostname and port number of telnet proxy to
+relay. The port number can be omit and default is 23.
+You can also specify this value pair by environment variable
+<code>TELNET_PROXY</code> and give <strong>-t</strong> option to use it.
+
+</p>
+
+<p>
+<strong>-4</strong> and <strong>-5</strong> is for specifying SOCKS protocol version. It is
+valid only using with <strong>-s</strong> or <strong>-S</strong>. Default is <strong>-5</strong>
+(protocol version 5)
+
+</p>
+
+<p>
+<strong>-R</strong> is for specifying method to resolve hostname. 3 keywords
+(<code>local</code>, <code>remote</code>, <code>both</code>) or dot-notation IP address is
+allowed. Keyword <code>both</code> means; "Try local first, then
+remote". If dot-notation IP address is specified, use this host as
+nameserver (UNIX only). Default is <code>remote</code> for SOCKS5 or <code>local</code>
+for others. On SOCKS4 protocol, remote resolving method (<code>remote</code>
+and <code>both</code>) use protocol version 4a.
+
+</p>
+
+<p>
+The <strong>-p</strong> option specifys to wait a local TCP port and make relaying
+with it instead of standard input and output.
+
+</p>
+
+<p>
+The <strong>-w</strong> option specifys timeout seconds on making connection with
+target host.
+
+</p>
+
+<p>
+The <strong>-c</strong> option specifys request string against telnet
+proxy server. The special word '%h' and '%p' in this string are replaced
+as hostname and port number before sending.
+For telnet proxy by <a class="nonexistent" href="mailto:gotoh at taiyo.co.jp">DeleGate</a>, both "telnet %h %p" and "%h:%p"
+are acceptable.
+Default is "telnet %h %p".
+
+</p>
+
+<p>
+The <strong>-a</strong> option specifiys user intended authentication methods
+separated by comma. Currently <code>userpass</code> and <code>none</code> are
+supported. Default is <code>userpass</code>. You can also specifying this
+parameter by the environment variable <code>SOCKS5_AUTH</code>.
+
+</p>
+
+<p>
+The <strong>-d</strong> option is used for debug. If you fail to connect, use this
+and check request to and response from server.
+
+</p>
+
+<p>
+You can omit <strong><em>port</em></strong> argument when program name is special format
+containing port number itself. For example,
+
+</p>
+
+<pre class="example">
+$ ln -s connect connect-25
+$ ./connect-25 smtphost.outside.net
+220 smtphost.outside.net ESMTP Sendmail
+QUIT
+221 2.0.0 smtphost.remote.net closing connection
+$
+</pre>
+
+<p>
+This example means that the command name "<code>connect-25</code>" contains port number
+25 so you can omit 2nd argument (and used if specified explicitly).
+
+</p>
+
+<h2><a name="sec10" id="sec10"></a>Specifying user name via environment variables</h2>
+
+<p>
+There are 5 environemnt variables to specify
+user name without command line option. This mechanism is usefull
+for the user who using another user name different from system account.
+
+</p>
+
+<dl>
+<dt>SOCKS5_USER</dt>
+<dd>
+Used for SOCKS v5 access.
+</dd>
+<dt>SOCKS4_USER</dt>
+<dd>
+Used for SOCKS v4 access.
+</dd>
+<dt>SOCKS_USER</dt>
+<dd>
+Used for SOCKS v5 or v4 access and varaibles above are not defined.
+</dd>
+<dt>HTTP_PROXY_USER</dt>
+<dd>
+Used for HTTP proxy access.
+</dd>
+<dt>CONNECT_USER</dt>
+<dd>
+Used for all type of access if all above are not defined.
+</dd>
+</dl>
+
+<p>
+Following table describes how user name is determined.
+Left most number is order to check. If variable is not defined,
+check next variable, and so on.
+
+</p>
+
+<table border=1>
+<tr align=center><th></th><th>SOCKS v5</th><th>SOCKS v4</th><th>HTTP proxy</th></tr>
+<tr align=center><td>1</td><td>SOCKS5_USER</td><td>SOCKS4_USER</td><td rowspan=2>HTTP_PROXY_USER</td></tr>
+<tr align=center><td>2</td><td colspan=2>SOCKS_USER</td></tr>
+<tr align=center><td>3</td><td colspan=3>CONNECT_USER</td></tr>
+<tr align=center><td>4</td><td colspan=3><i>(query user name to system)</i></td></tr>
+</table>
+
+<h2><a name="sec11" id="sec11"></a>Specifying password via environment variables</h2>
+
+<p>
+There are 5 environemnt variables to specify
+password. If you use this feature, please note that it is
+not secure way.
+
+</p>
+
+<dl>
+<dt>SOCKS5_PASSWD</dt>
+<dd>
+Used for SOCKS v5 access. This variables is compatible
+ with NEC SOCKS implementation.
+</dd>
+<dt>SOCKS5_PASSWORD</dt>
+<dd>
+Used for SOCKS v5 access if SOCKS5_PASSWD is not defined.
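Review bot: the markup does not match the XHTML 1.0 Strict doctype declared at the top of the file: the user-name lookup table uses unquoted attribute values (`<table border=1>`, `<tr align=center>`, `rowspan=2`, `colspan=3`) and the presentational `align` attribute that Strict does not allow, and `<meta http-equiv="Content-Type" content="us-ascii" />` carries a charset where a media type is expected (`text/html; charset=us-ascii`). Suggest quoting the attributes, moving the centering into emacs-wiki.css, and fixing the meta value before shipping the page as package documentation. The DeleGate reference is an emacs-wiki artifact (`<a class="nonexistent" href="mailto:gotoh at taiyo.co.jp">DeleGate</a>`) that points at the author's mailbox rather than the DeleGate project and should be unlinked or corrected. The password section says only that environment variables are "not secure way"; it would help readers to state the reason, namely that the environment is inherited by every child process and visible in process listings, so tty or ssh-askpass input is the safer default. Finally, the prose has a number of typos worth fixing on import (hisotry, Buf fix, thid, iniitial, conenction, examle, specifys/specifiys, environemnt, usefull, varaibles); the sample debug line `ERROR: Authentication faield.` is quoted program output, so check it against the message string in connect.c before changing it in the HTML alone.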
<<Diff was trimmed, longer than 597 lines>>