Is it possible to SSH through port 80?

I am behind a network firewall that doesn't let me ssh through the default port. Because of that, I can't push any bzr branches to my repository. I would like to know if it is possible to somehow proxy the ssh through port 80 so I can push the branches.

I heard that corkscrew lets you do that but I am not sure how to do that exactly.

If you know any working proxy server that lets you do that, please do mention them.


Solution 1:

A good corporate firewall will inspect traffic regardless of port so changing port just might not work.

If you have control over the server, and still want to try it, you can change the sshd port to port 80.

Warning: If you have something else running on port 80 (on the server) this will not work and will likely mean you completely lose SSH access to the server!

You'll need to edit /etc/ssh/sshd_config and change Port to 80. Then run

sudo restart ssh

And then connect:

ssh user@host -p80

Your bzr path would then look something like: bzr+ssh://host:80/path/


Another method is to use WebDAV. This should skirt around the firewall problem completely because it all happens on port 80, but it will require you to be running Apache and to set up a number of things:

  1. Get WebDAV installed
  2. Move your branch into the right place
  3. Use the bzr-webdav plugin to connect

A VPN might be an option but if ssh is locked out, I'd expect that to be excluded too.

You might just want to have a word with your network admins. You need to do something and they're stopping you. If they've got a reason for blocking ssh, it's likely they'll view any extreme attempts to circumvent it fairly negatively...

In short, it might just be safer to talk to them.

Solution 2:

SSH through the proxy

If the firewall lets you, you can run ssh to any port, but that requires the ssh server to be listening on that port. Port 80 is unlikely to work, because most places that have firewalls analyse the traffic on that port and block anything that isn't HTTP. But port 443, which is normally the HTTPS port, often works, because SSH and HTTPS look a lot like each other to filtering software, so your SSH session will look like an HTTPS session. (It is possible to distinguish HTTPS and SSH, so this won't work if the firewall is sophisticated enough.)

If you have control over the server, make it listen on port 443 in addition to 22 (the normal ssh port). You can configure the port in /etc/ssh/sshd_config: add a line

Port 443

in addition to the Port 22 that should already be there. Note that this assumes that the ssh server is not also an HTTPS server. If it is, you'll need to find another port that the firewall lets you use or to find another ssh server (see forwarding below).

If you don't need to set a web proxy in your web browser, then you can try connecting directly:

ssh -p 443 myserver.example.com

If that works, define an alias in your ~/.ssh/config:

Host myserver
HostName myserver.example.com
Port 443

If you need to set a web proxy in your web browser, tell ssh to go through the proxy. Install corkscrew. Define an alias like this in your ~/.ssh/config, where http://proxy.acme.com:3128/ is the proxy you use for HTTPS to outside (replace by the proper host name and port):

Host myserver
HostName myserver.example.com
Port 443
ProxyCommand /usr/bin/corkscrew proxy.acme.com 3128 %h %p

SSH over SSH

If you can get to some outside machine by one of the techniques above but not to the machine you're interested in, use that to forward a connection. Assuming you can ssh to a machine called mygateway and you want to reach the SSH server on mytarget, install netcat-openbsd on mygateway (or, if it's not running Ubuntu, make sure it has the nc command). Put this in your ~/.ssh/config:

Host mytarget
ProxyCommand ssh mygateway nc %h %p

SSH to Apache

If the host you want to connect to is already running Apache and listening on port 443, and you have control over that host, you can set up this Apache to accept SSH connections and forward them. See Tunneling SSH over HTTP(S).
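The remark above that HTTPS and SSH can be told apart comes down to the first bytes the client sends. The following is an added example, not part of the original answer, showing how a monitoring tool could classify a stream prefix and flag ports carrying an unexpected protocol; the sample payloads and the `EXPECTED` port policy are constructed assumptions.

```python
import struct

# Constructed samples: the first bytes a client sends after the TCP handshake.
SAMPLE_SSH = b"SSH-2.0-OpenSSH_8.9p1\r\n"
SAMPLE_TLS = bytes.fromhex("16030100c8010000c40303") + b"\x00" * 32
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_CONNECT = b"CONNECT localhost:22 HTTP/1.1\r\n\r\n"

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT"}
# Protocol each monitored port is expected to carry (assumed policy).
EXPECTED = {80: "http", 443: "tls"}


def classify_first_bytes(data: bytes) -> str:
    """Return 'ssh', 'tls', 'http-connect', 'http' or 'unknown'."""
    # RFC 4253 section 4.2: the client's identification string
    # starts with "SSH-" and is sent in cleartext.
    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03:
        (length,) = struct.unpack("!H", data[3:5])
        if 0 < length <= 16384 and data[5] == 0x01:
            return "tls"
    # HTTP request line: METHOD SP target SP HTTP/x.y
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/"):
        return "http-connect" if parts[0] == b"CONNECT" else "http"
    return "unknown"


def find_mismatches(flows):
    """flows: iterable of (dst_port, client_prefix).
    Return [(port, seen_protocol)] for flows that violate EXPECTED."""
    out = []
    for port, prefix in flows:
        seen = classify_first_bytes(prefix)
        if port in EXPECTED and seen != EXPECTED[port]:
            out.append((port, seen))
    return out
```

A CONNECT request arriving on port 80 is reported as `http-connect` rather than `http`, so it also shows up as a mismatch worth reviewing.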

Solution 3:

I've just read a sophisticated solution here:

http://benctechnicalblog.blogspot.hu/2011/03/ssh-over-connect-over-port-80.html

You can SSH home on port 80 even if your home server runs a webserver on port 80 too.

Assuming the home server runs Apache, the idea involves enabling mod_proxy in your server, then restricting it to connecting to localhost (proxy.conf):

<IfModule mod_proxy.c>
        ProxyRequests On
        <Proxy *>
                AddDefaultCharset off
                Order deny,allow
                Deny from all
        </Proxy>
        <Proxy localhost>
                Allow from all
        </Proxy>
        AllowCONNECT 22
        ProxyVia On
</IfModule>

Now you can do an HTTP CONNECT request to localhost and the webserver will establish a tunnel for you; you only need to make sure all traffic goes through your proxy:

ssh -o 'ProxyCommand nc -X connect -x myhost.example.com:80 localhost 22' myhost.example.com

Make sure localhost connections to SSH are not privileged (to avoid letting strangers in...)

This should work if you are behind a router that allows only port 80 out.

If you are behind a proxy (so you need to set a proxy in your browser to get web access), you will need to first establish a tunnel to your own host, then issue another CONNECT request inside this tunnel to get to your host. This is more sophisticated; you will need to use 2 netcats for this.

Everything is possible, but do it at your own risk...

UPDATE:

Or simply, just use a web application that gives you SSH via a browser. http://en.wikipedia.org/wiki/Web-based_SSH
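Because the configuration above turns Apache into a forward proxy, it is worth checking the access log to confirm that only the intended `localhost:22` tunnel is ever granted. The following is an added example, not part of the original answer or the linked blog post; the log lines are constructed samples in Apache common log format and `ALLOWED_TUNNELS` is an assumed policy.

```python
import re

# Constructed access-log lines (Apache common log format).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2011:09:14:02 +0000] "CONNECT localhost:22 HTTP/1.1" 200 -
203.0.113.40 - - [12/Mar/2011:09:20:11 +0000] "CONNECT mail.example.net:25 HTTP/1.1" 403 218
203.0.113.40 - - [12/Mar/2011:09:20:15 +0000] "CONNECT localhost:3306 HTTP/1.1" 200 -
198.51.100.7 - - [12/Mar/2011:09:31:44 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.99 - - [12/Mar/2011:10:02:03 +0000] "GET http://example.org/ HTTP/1.1" 200 812
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+'
)
# The only tunnel the proxy.conf above is meant to permit (assumed policy).
ALLOWED_TUNNELS = {("localhost", 22)}


def audit(log_text, allowed=ALLOWED_TUNNELS):
    """Return [(client, target, finding)] for proxy use outside the policy.

    tunnel-open        : CONNECT to a non-allowed target succeeded (misconfiguration)
    tunnel-denied      : CONNECT to a non-allowed target was refused (probing)
    forward-proxy-open : absolute-URI request was served (open forward proxy)
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target = m.group(1), m.group(2), m.group(3)
        ok = 200 <= int(m.group(4)) < 300
        if method == "CONNECT":
            host, _, port = target.rpartition(":")
            dest = (host.lower(), int(port) if port.isdigit() else -1)
            if dest not in allowed:
                findings.append(
                    (client, target, "tunnel-open" if ok else "tunnel-denied"))
        elif ok and target.lower().startswith(("http://", "https://")):
            findings.append((client, target, "forward-proxy-open"))
    return findings
```

Any `tunnel-open` or `forward-proxy-open` finding means the `<Proxy>` and `AllowCONNECT` restrictions are not taking effect as intended.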