How can I set up a SOCKS proxy over ssh with password-based authentication on CentOS?

Dynamic application-level port forwarding (ssh -D) doesn't support this feature. Take a look at Dante instead:

[I] net-proxy/dante
     Available versions:  1.1.19-r4 (~)1.2.3 (~)1.3.0 (~)1.3.1 (~)1.3.1-r1 (~)1.3.2 {debug kerberos pam selinux static-libs tcpd}
     Installed versions:  1.3.2(04:14:03 PM 11/08/2011)(pam static-libs tcpd -debug -kerberos -selinux)
     Homepage:            http://www.inet.no/dante/
     Description:         A free socks4,5 and msproxy implementation

But note that the password is transmitted in cleartext.

To configure username based authentication, open the /etc/sockd.conf file and add/change the following:

logoutput: syslog /var/log/dante.log

# methods for socks-rules.
method: username #rfc931

# when doing something that can require privilege,
# it will use the userid "root".
user.privileged: root

# when running as usual, 
# it will use the unprivileged userid of "sockd".
user.notprivileged: sockd

pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    protocol: tcp udp
    command: bind connect udpassociate
    log: error
    method: username
}

Check the listening sockets after starting:

# netstat -nlp | grep sockd
tcp        0      0 127.0.0.1:1080          0.0.0.0:*               LISTEN      5463/sockd          
tcp        0      0 192.168.15.36:1080      0.0.0.0:*               LISTEN      5463/sockd        

Take a look at the log file (/var/log/messages or /var/log/dante.log) if something goes wrong.

PS: the system password file (/etc/passwd) is used to verify a username and password combination.
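
The cleartext warning in the answer above, illustrated with the SOCKS5 username/password exchange defined in RFC 1928 and RFC 1929 (an added example, not part of the original answer; the function names are hypothetical and the credentials are constructed sample values):

```python
SOCKS_VERSION = 0x05
METHOD_USERNAME = 0x02   # RFC 1928 method code for USERNAME/PASSWORD
AUTH_VERSION = 0x01      # RFC 1929 subnegotiation version


def build_greeting(methods=(METHOD_USERNAME,)) -> bytes:
    """Client greeting: VER, NMETHODS, METHODS (RFC 1928)."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def build_auth_request(username: str, password: str) -> bytes:
    """Client auth request: VER, ULEN, UNAME, PLEN, PASSWD (RFC 1929)."""
    u, p = username.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("username and password must be 1..255 bytes")
    return bytes([AUTH_VERSION, len(u)]) + u + bytes([len(p)]) + p


def parse_auth_request(data: bytes):
    """Decode the request as the server, or anything on the path, sees it."""
    if len(data) < 2 or data[0] != AUTH_VERSION:
        raise ValueError("not an RFC 1929 auth request")
    ulen = data[1]
    if len(data) < 2 + ulen + 1:
        raise ValueError("truncated username")
    uname = data[2:2 + ulen]
    plen = data[2 + ulen]
    passwd = data[3 + ulen:3 + ulen + plen]
    if len(passwd) != plen:
        raise ValueError("truncated password")
    return uname.decode(), passwd.decode()


def password_visible_on_wire(username: str, password: str) -> bool:
    """True when the password bytes appear verbatim in the request."""
    return password.encode() in build_auth_request(username, password)


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the page.
    req = build_auth_request("alice", "example-pass")
    print(req.hex(" "))
    print(parse_auth_request(req))
    print(password_visible_on_wire("alice", "example-pass"))
```

The request has only length prefixes and no encoding or encryption, so the system account password checked against /etc/passwd crosses the network as-is unless the connection to port 1080 is itself carried inside an encrypted channel.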


ssh -D doesn't require a password for access, and with the current implementation can't be made to require a password. If you want, you could set up a multi-stage proxy using an existing HTTP server (e.g. Apache) which then uses the ssh tunnel for its outbound connection.

Then again, if you get that far into the weeds, then you're probably going down the wrong road and perhaps may need to re-think what you're trying to accomplish.