ssh sessions when port 22 is locked down?
October 18, 2008 4:05 PM

I sometimes visit a network where port 22 is locked down. I'd like to be able to initiate ssh sessions from this site. Is there any tunneling or other magic I can invoke to reach this goal, or any other solution short of badgering the admins?

(I'm also not sure how to find out what other ports are open. I know 21, 80, and 443 are, because I can do normal web and ftp stuff, but other than manually trying each port with telnet, I'm not sure how to check...)
posted by namespan to Computers & Internet (10 answers total) 2 users marked this as a favorite
 
Set up an SSH server somewhere outside this network listening on an additional port (add a Port 12345 line to sshd_config). Then you can just connect to it with ssh -p 12345 example.com or ssh example.com:12345 and SSH out from that machine to wherever you want to go.

Depending on your precise needs there may be fancier ways to do things, but this is going to be the simplest.
posted by enn at 4:21 PM on October 18, 2008 [1 favorite]


Enn has it. You can also specify the port sshd listens on with the -p option (and the full path to the executable). The non-privileged ports above 1024 have a better chance of being open, though the firewall may well be default deny. There is nothing stopping you using, say, port 21 (ftp) on the server for sshd if it is not needed.
posted by tallus at 4:30 PM on October 18, 2008


Or you could put your ssh server on port 80 which is almost always open.
posted by GuyZero at 4:35 PM on October 18, 2008


On dittoing the above, do you have control over the server and what port it listens on?
posted by whatisish at 4:48 PM on October 18, 2008


An even better way to do the same thing is to look at tunnelling ssh-over-https, since it will be (very) obvious to any network admin that you're just running ssh over a different port; it will also let you go past transparent proxies and similar tools. A little googling will

A word of caution, though: these policies are generally in place because the network owner doesn't want you doing that. Evading the policy and getting caught will probably land you in a world of pain.
posted by rodgerd at 6:03 PM on October 18, 2008
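Editor's added example, not part of the thread: a sketch of why SSH on another port is obvious to a network admin, as rodgerd says. An SSH stream opens with the cleartext identification line defined in RFC 4253, whatever port it uses. The flow tuples, sample payloads and function names below are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
SSH_IDENT = re.compile(rb"SSH-(\d+\.\d+)-([\x21-\x7e]+)(?: .*)?")

def find_ssh_ident(payload, max_lines=8):
    """Return (protoversion, software) if an SSH identification line is among
    the first lines of a TCP stream, else None. Earlier lines are skipped, so a
    banner that follows an HTTP proxy's response header is still found."""
    for line in payload[:2048].split(b"\n")[:max_lines]:
        line = line.rstrip(b"\r")
        if len(line) > 253:  # the RFC caps the line at 255 bytes including CR LF
            continue
        m = SSH_IDENT.fullmatch(line)
        if m:
            return m.group(1).decode(), m.group(2).decode()
    return None

def flag_flows(flows, expected_port=22):
    """flows: iterable of (dst_port, first_payload_bytes) pairs.
    Returns (port, protoversion, software, via_http) for SSH off expected_port."""
    findings = []
    for dst_port, payload in flows:
        ident = find_ssh_ident(payload)
        if ident is None or dst_port == expected_port:
            continue
        via_http = payload.startswith((b"HTTP/", b"CONNECT "))
        findings.append((dst_port, ident[0], ident[1], via_http))
    return findings

# Constructed sample data: first payload bytes seen on five flows.
SAMPLE_FLOWS = [
    (22, b"SSH-2.0-OpenSSH_5.1\r\n"),                     # expected port
    (12345, b"SSH-2.0-OpenSSH_5.1\r\n"),                  # sshd on a high port
    (80, b"SSH-2.0-OpenSSH_5.1 Debian-5\r\n"),            # sshd on the web port
    (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"), # ordinary HTTP
    (3128, b"HTTP/1.0 200 Connection established\r\n\r\n"
           b"SSH-2.0-OpenSSH_5.1\r\n"),                   # banner behind a proxy reply
]

if __name__ == "__main__":
    for finding in flag_flows(SAMPLE_FLOWS):
        print(finding)
```
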


Response by poster: I don't have absolute power over any server on the net, but there's a lot of other reasons I've been considering leaving managed hosting and trying that, so maybe this'll push me over the edge.

rodgerd, <movievoice>I guess that's a chance I'll just have to take.</movievoice>

Assuming I can actually do this, given I'm a somewhat novice sysadmin.
posted by namespan at 6:32 PM on October 18, 2008


Be sure that they're doing port-based blocking and not just blocking all outgoing connections except those that go through a proxy. I know lots of big corporate networks that are like that. You can't even connect out on port 80 without going through their proxy/gateway server.

If that's the case, and I'm not saying it is, but if — then you'll need to be much trickier. You'll essentially have to tunnel your SSH traffic within an HTTP session, using something like corkscrew.

If performing your job depends on being able to make outgoing SSH connections (for remote admin, etc.), you might want to make sure you have corkscrew installed ahead of time, just in case you ever need it.
posted by Kadin2048 at 7:42 PM on October 18, 2008


If you are on a Windows PC, the PuTTY SSH client supports initiating SSH sessions via an HTTP proxy - see this article for full instructions.
posted by your mildly obsessive average geek at 9:27 PM on October 18, 2008


Bleh, sorry, wrote the last comment in a slight post-lunch daze. To forward SSH traffic over HTTP in PuTTY, try the instructions given in this article.
posted by your mildly obsessive average geek at 10:40 PM on October 18, 2008


I use corkscrew with some success.
posted by singingfish at 4:56 AM on October 19, 2008

