How can I setup a SOCKS proxy over ssh with password based authentication on CentOS?
Dynamic application-level port forwarding (ssh -D) doesn't support this feature. Take a look at Dante instead:
[I] net-proxy/dante
Available versions: 1.1.19-r4 (~)1.2.3 (~)1.3.0 (~)1.3.1 (~)1.3.1-r1 (~)1.3.2 {debug kerberos pam selinux static-libs tcpd}
Installed versions: 1.3.2(04:14:03 PM 11/08/2011)(pam static-libs tcpd -debug -kerberos -selinux)
Homepage: http://www.inet.no/dante/
Description: A free socks4,5 and msproxy implementation
But note that the password is transmitted in cleartext.
To configure username based authentication, open the /etc/sockd.conf file and add/change the following:
logoutput: syslog /var/log/dante.log
# authentication method for socks-rules ("username" checks the system password file).
method: username #rfc931
# when doing something that requires privilege (e.g. reading /etc/shadow
# to verify a password), sockd will use this userid.
user.privileged: root
# when running as usual,
# it will use the unprivileged userid "sockd".
user.notprivileged: sockd
pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
protocol: tcp udp
command: bind connect udpassociate
log: error
method: username
}
Check the listening sockets after starting:
# netstat -nlp | grep sockd
tcp 0 0 127.0.0.1:1080 0.0.0.0:* LISTEN 5463/sockd
tcp 0 0 192.168.15.36:1080 0.0.0.0:* LISTEN 5463/sockd
Take a look at the log files (/var/log/messages or /var/log/dante.log) if something goes wrong.
PS: the system password file (/etc/passwd) is used to verify a username and password combination.
ssh -D doesn't require a password for access, and with the current implementation can't be made to require a password. If you want, you could set up a multi-stage proxy using an existing http server (e.g. apache) which then uses the ssh tunnel for its outbound connection.
Then again, if you get that far into the weeds, then you're probably going down the wrong road and perhaps may need to re-think what you're trying to accomplish.