Tag: ssh

SOCKS Proxy via SSH reverse tunnel

I was working on some test servers on which access is highly restricted (only SSH over VPN) and I couldn’t ask for proxy permissions for outbound HTTP connections so I wasn’t able to use any repo needed to install or upgrade software.

My laptop can access the Internet so it could act as proxy but I didn’t know how to redirect traffic from the remote server to my local machine.

And here’s where I “met” the SSH reverse tunneling, which allows to connect via SSH to a remote server and tell it to forward all the TCP connections received on a specific port, to another host.

Continue reading

SSH: No supported key exchange algorithms [preauth]

I’ve recently installed Solaris 11.4 on a VM and, as soon as I tried to log in remotely using SSH, my connection was refused straight away. First of all, I checked if the service was enabled:

$ svcs ssh
STATE          STIME    FMRI
online         13:23:15 svc:/network/ssh:default

I checked SSH directory under /etc and something was definitely not quite right with the auto-generated keys:

-rw-------   1 root     root         0 Jan  4 13:23 ssh_host_ed25519_key
-rw-r--r--   1 root     root         0 Jan  4 13:23 ssh_host_ed25519_key.pub
-rw-------   1 root     root         0 Jan  4 13:23 ssh_host_rsa_key
-rw-r--r--   1 root     root         0 Jan  4 13:23 ssh_host_rsa_key.pub

The keys were there… but truncated to zero.

Something, somewhere went wrong during the key generation (usually when OpenSSH is run for the first time) so I deleted the keys and restarted the service:

# svcadm restart ssh

The keys were re-generated and I was able to log in.

SSH tunneling

A SSH tunnel provides an encrypted tunnel using a SSH protocol connection. It can be used to exchange data over a network through an encrypted channel or to bypass some firewall restrictions.

To set up a SSH tunnel, a given port on a machine need to be forwarded. Ports can be forwarded in three ways: local, remote or dynamic.

Local

Say you’re on a private network which doesn’t allow connections to a specific server. To get around the problem, you can create a tunnel through a server which is not on your private network:

ssh -L [local-port]:[remote-host]:[remote-port] user@remoteserver

-L stands for local port forwarding; you’re forwarding local port 9000 to [remote-host]:[remote-port]

Remote

Say you need to give someone access to your client machine over an encrypted tunnel. Before establishing a connection your need to edit /etc/ssh/sshd_config, add GatewayPorts yes and restarting sshd.

ssh -R [remote-port]:localhost:[local-port] user@remoteserver

Dynamic

In this case, port forwarding turns your SSH client into a SOCKS proxy server. Every program need to be configured to use the proxy server. SOCKS is a protocol that redirects every Internet connection through a proxy server:

ssh -D 1080 [server]

1080 is the standard SOCKS port but you can use any port number; the SOCKS proxy will stop when you close your SSH session.

Convert .ppk key to OpenSSH keys

OpenSSH is the de facto standard implementation of the SSH protocol.

If you use ssh-keygen with the default options, it will generate a private and a public key that will work with virtually any server.

Unfortunately, out there are Windows users that bother Linux admins with .ppk key generated by PuTTY; both keys are stored in this single proprietary file.

You can convert this file and obtain standard OpenSSH key pairs using puttygen provided with the putty package available on many distros.

puttygen your_key.ppk -O [output-type] -o [output-file]

output-type refers to they key type, private-openssh or public-openssh.