0

I have a nonroot server with public IP which only accepts HTTP requests (not just a port restriction), and two local computers with only private IP on different networks. I'd like to establish an SSH connection between those local computers, probably through the server.

Is there a way to do this without rewriting SSH client/server?

andrew
  • 1
  • 3

3 Answers3

0

No way unless you set up additional service on the server.

Regardless of firewall, the main issue is HTTP closes connection each time after the request is fulfilled whilst SSH requires constantly open connection.

Putnik
  • 912
  • 1
  • 6
  • 16
  • But HTTP doesn't have to fulfill the request. I've heard that's one way that website tracking software figure out how long a person stays at a page. Have a web page load a transparent pixel, but then don't finish the file download, and the client will keep the HTTP connection open, typically until the user tells the web browser to go to another page. – TOOGAM Aug 12 '17 at 21:05
  • Is it possible that I fake local TCP server/client into the other end of SSH tunnel, and use other programs (connected to a public HTTP server) to forward messages back and forth? SSH can be and are commonly built upon TCP right? – andrew Aug 12 '17 at 21:10
  • @TOOGAM browser has connection timeout and it usually afair is 60sec, so quite useless method in comparison to others. – Putnik Aug 13 '17 at 10:39
  • @andrew you have to have two things: 1) chat software on the http node 2)converter which listens ssh port, converts received data to base64 then post to chat. Another box with the same converter listens the chat, decode base64 and send to ssh, the same with answer. – Putnik Aug 13 '17 at 10:42
  • @Putnik I have done what you said, but after seeing the server writing "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2\r\n" right after the fake client connects and seeing ""SSH-2.0-OpenSSH_6.9\r\n" after calling on real client side the ssh on localhost, nothing more has been going on. What could be the problem? – andrew Aug 16 '17 at 07:38
  • @Putnik I used tcpflow to observe that the SSH server is actually sending text messages into the stream (at least for the first piece of message), so there is no need for base64 conversion? – andrew Aug 16 '17 at 10:21
  • 1
    @Putnik Sorry, I solved the problem. I was decoding the chunk in base64 but storing in utf8... Now it's working, thanks for the instruction – andrew Aug 16 '17 at 12:27
0

You might be interested in HTTP tunnelling.

See Can I tunnel other protocol through an HTTP proxy?

RedGrittyBrick
  • 81,981
  • 20
  • 135
  • 205
  • The answer from Putnik mentioned the fact that SSH is using half-open socket (on both client and server?), and to my knowledge this is an extra piece of information to the TCP message. Therefore I would need to be able to find a way to re-configure the HTTP server's reaction to CONNECT method right? (Regarding your link to the other question) – andrew Aug 15 '17 at 09:06
  • @andrew: Whether an HTTP server closes a connection after responding to a request depends on the version of HTTP and HTTP options specified by the client and supported by the server. HTTP servers can keep connections open to serve multiple consecutive requests or indeed to push multiple responses back to the client. However achieving what you want may involve significant work. – RedGrittyBrick Aug 15 '17 at 09:28
0

I managed to do this even without an HTTP server (in a strict sense):

all I used was node.js on both client sides (one ssh client one ssh server) as well as firebase to store buffers (converted to strings) read from the TCP stream, and under the general instruction from @Putnik's answer/comments, (bearing in mind to use the allowHalfOpen option), the program works with only little delay. Graphically, the connection looks like this:

client1 (ssh client)<=>localhost1(tcp, fake-ssh server)

client2 (ssh server)<=>localhost2(tcp, fake-ssh client(s))

localhost1<=>firebase(or a real HTTP server)<=>localhost2

Please note that from localhosts to firebase/server, one can encode/decode the buffers however one wants -- as long as they are a pair of lossless conversions. Therefore the link to the other question in @RedGrittyBrick's answer (using HTTP CONNECT) should also work provided there is enough privilege on that server, and potentially it can be faster.

There are of course lots of things in the code that can be improved but I believe in terms of security, this shouldn't be less secure than direct connection using openSSH. Please correct me if I'm wrong.

andrew
  • 1
  • 3