If you are on a network whose only way out is an HTTP proxy, you can tunnel SSH through SSL/TLS: to the proxy the connection looks like ordinary HTTPS. Stunnel is made for this purpose.
So let us install Stunnel4:
sudo apt-get install stunnel4
sudo mkdir -p /var/run/stunnel4
sudo chown stunnel4:stunnel4 /var/run/stunnel4
sudo vi /etc/stunnel/stunnel.conf
Configuring the server
On the server, put the following into /etc/stunnel/stunnel.conf:
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid
client=no
cert=/etc/stunnel/stunnel.pem
debug=3
sslVersion = all
output=/var/log/stunnel4/stunnel.log
[sslssh]
accept=192.168.2.42:10443
connect=localhost:22
Do not forget to change the IP address in the “accept=” line to the address of your stunnel host.
This section accepts SSL/TLS connections on port 10443 and forwards the decrypted stream to port 22 (sshd) on the same host. You could also enter any other host and port as the target, as long as it is reachable from the stunnel host. On your router, forward the external port that your proxy lets through (usually 443) to port 10443 of the stunnel host; I assume you are able to configure that port forwarding yourself.
Two caveats: “sslVersion = all” also permits SSLv2/SSLv3 on older stunnel builds, so on a current stunnel either drop the line (the default is TLS only) or add “options = NO_SSLv3”; and the “cert=” file you create next is used only to encrypt, not to authenticate the client, because no client certificate is required anywhere in this setup.
Create a self-signed certificate (with -x509, openssl req writes a certificate, not a signing request) together with an unencrypted key, and concatenate them into the one PEM file stunnel expects (certificate first, then key). The file contains the private key, so keep it readable by root only:
openssl req -new -x509 -keyout st-key.pem -out st-cert.pem -days 1000 -nodes
cat st-cert.pem st-key.pem | sudo tee /etc/stunnel/stunnel.pem > /dev/null
sudo chmod 600 /etc/stunnel/stunnel.pem
Configuring the client
On the client machine, /etc/stunnel/stunnel.conf looks like this:
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid
client=yes
cert=/etc/stunnel/stunnel.pem
debug=3
sslVersion = all
output=/var/log/stunnel4/stunnel.log
[ssh]
accept = localhost:10443
connect = PROXY_IP:80
protocol = connect
protocolHost = REMOTE_IP:443
You have to enter the correct addresses again: PROXY_IP:80 is your HTTP proxy (stunnel sends it an HTTP CONNECT request, which is what “protocol = connect” does) and REMOTE_IP:443 is the public address of your router and the port it forwards to the server's port 10443. I suggest using no-ip.com or any other DynDNS provider if REMOTE_IP is dynamic.
Note that this client configuration does not verify the server's certificate at all (there is no “verify=” or “CAfile=” line), so the TLS layer hides the SSH traffic from the proxy but does not protect against an active man-in-the-middle. The only thing that authenticates the remote end is SSH's own host-key check, so compare the host-key fingerprint out of band the first time you connect. The “cert=” line on the client is only needed if the server is configured to require client certificates.
Starting the services
If everything is configured, start stunnel on both machines with
sudo /etc/init.d/stunnel4 start
On older Debian and Ubuntu packages the init script refuses to start anything until you set ENABLED=1 in /etc/default/stunnel4.
After successful configuration you are able to connect to the remote SSH machine with (ssh does not accept host:port, the port goes in -p)
ssh -p 10443 localhost
Having trouble?
If the connection fails, it is possible that your firewall or proxy blocks CONNECT requests that carry no User-Agent header (the proxy never sees SSL; it only sees the HTTP CONNECT request that precedes it). I am using proxytunnel on the client side to circumvent this “feature”:
sudo apt-get install proxytunnel
Change your ~/.ssh/config:
Host REMOTE_NAME
    ProxyCommand proxytunnel -q -e -p PROXY_IP:80 -d REMOTE_IP:10443 -H "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:10.0.1) Gecko/20100101 Firefox/10.0.1\n"
    ServerAliveInterval 30
    User pi
With -e, proxytunnel does the TLS itself and, via the proxy's CONNECT, talks straight to the stunnel server, so the stunnel client section above is not used on this path; -d must name the public port that your router forwards to the server's accept port. ProtocolKeepAlives is not a valid option in current OpenSSH; ServerAliveInterval 30 does the same job.
To connect to the remote system:
ssh REMOTE_NAME
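When the tunnel does not come up it helps to exercise each step by hand. The following is an added example of mine, not code from the page's author or from the stunnel or proxytunnel projects: a small Python probe that does what the stunnel client section (“protocol = connect”, “protocolHost = REMOTE_IP:443”) and the proxytunnel “-H” line do. It sends a CONNECT request with a User-Agent header, parses the proxy's status line, starts TLS on the same socket, compares the server certificate's SHA-256 fingerprint with one you pass in (the page's client config does not verify the certificate at all, so this is the check it lacks), and finally expects an SSH-2.0 banner. The script name probe.py, the default User-Agent string and the command-line format are my assumptions; the expected fingerprint is taken on the server with `openssl x509 -noout -fingerprint -sha256 -in /etc/stunnel/stunnel.pem`.

```python
#!/usr/bin/env python3
"""probe.py - check an SSH-over-TLS tunnel through an HTTP CONNECT proxy step by step.

Usage: python3 probe.py PROXY_IP:80 REMOTE_IP:443 [SHA256:fingerprint:from:server]
(added example; names and defaults here are assumptions, not from the original page)
"""
import hashlib
import socket
import ssl
import sys

SSH_BANNER_PREFIX = b"SSH-2.0-"
# Assumed default; mirrors the purpose of proxytunnel's -H "User-Agent: ..." line.
DEFAULT_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"


def build_connect_request(host, port, user_agent=None):
    """Return the raw HTTP CONNECT request bytes that go to the proxy."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if user_agent:  # some proxies drop CONNECTs without this header
        lines.append(f"User-Agent: {user_agent}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(data):
    """Parse the proxy's reply; return (status_code, reason, bytes after the headers).

    Raises ValueError if the reply is not a complete HTTP status line plus headers.
    """
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason, rest


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate in the colon-separated uppercase
    format that `openssl x509 -fingerprint -sha256` prints (without the prefix)."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def read_connect_response(sock):
    """Read from the proxy until the end of the HTTP headers, then parse."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ValueError("proxy closed the connection before replying")
        buf += chunk
        if len(buf) > 65536:
            raise ValueError("proxy response too large")
    return parse_connect_response(buf)


def probe(proxy, remote, expected_fp=None, user_agent=DEFAULT_UA, timeout=10):
    """CONNECT through `proxy` to `remote`, start TLS, pin the certificate if a
    fingerprint is given, and return (ssh_banner, fingerprint)."""
    phost, pport = proxy
    rhost, rport = remote
    with socket.create_connection((phost, pport), timeout=timeout) as raw:
        raw.sendall(build_connect_request(rhost, rport, user_agent))
        code, reason, leftover = read_connect_response(raw)
        if code != 200:
            raise RuntimeError(f"proxy refused CONNECT: {code} {reason}")
        if leftover.strip():
            raise RuntimeError(f"unexpected data after CONNECT reply: {leftover!r}")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        # The server certificate is self-signed, so pin its fingerprint instead of
        # relying on a CA; the fingerprint is compared below.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(raw, server_hostname=rhost) as tls:
            fp = cert_fingerprint(tls.getpeercert(binary_form=True))
            if expected_fp and fp != expected_fp.upper().removeprefix("SHA256 FINGERPRINT="):
                raise RuntimeError(f"certificate fingerprint mismatch, server presented {fp}")
            banner = tls.recv(256)
            if not banner.startswith(SSH_BANNER_PREFIX):
                raise RuntimeError(f"no SSH banner behind TLS: {banner!r}")
            return banner.rstrip(b"\r\n").decode("ascii", "replace"), fp


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: probe.py PROXY_IP:80 REMOTE_IP:443 [sha256 fingerprint]")
    phost, pport = sys.argv[1].rsplit(":", 1)
    rhost, rport = sys.argv[2].rsplit(":", 1)
    want = sys.argv[3] if len(sys.argv) > 3 else None
    banner, fp = probe((phost, int(pport)), (rhost, int(rport)), want)
    print("server certificate SHA-256:", fp)
    print("SSH banner:", banner)
```

Each failure mode is reported separately: a non-200 status (407 means the proxy wants authentication, 403 usually means CONNECT to that port is not allowed), a TLS handshake error (wrong port forward, or stunnel not listening), a fingerprint mismatch (someone else terminates TLS), and a missing SSH banner (stunnel's “connect=” points at the wrong service).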
Simple? :)