66

I have a SOCKS5 proxy set up through PuTTY with port 7777 configured as a dynamic port. I can use firefox/filezilla/etc by configuring them to use a SOCKS proxy with localhost and port 7777. But I can't figure out how to ssh (through Cygwin) to a remote server by using the dynamic port. Is this possible?

I've tried using ProxyCommand via the following method.

  1. Create `~/.ssh/config` with the following line:

    ProxyCommand /usr/bin/nc -X connect -x 127.0.0.1:7777 %h %p

  2. Run `ssh -p22 user@remotehost`

The message I get is `ssh_exchange_identification: Connection closed by remote host`

Braiam
Rusty Lemur
  • To make a program which does not support SOCKS go through SOCKS, you can use a so-called proxifier; see http://en.wikipedia.org/wiki/Comparison_of_proxifiers . In particular, I recommend my open source tun2socks proxifier ( http://code.google.com/p/badvpn/wiki/tun2socks ). – Ambroz Bizjak Jul 26 '12 at 15:34
  • Thanks for the comment Ambroz. I need it to work in cygwin, and I see from the wikipedia page on proxifiers that all of the ones it mentions are either not implemented in cygwin or not applicable. Is there a way to get a proxifier to work in cygwin? –  Jul 26 '12 at 15:41
  • you don't need it to specifically support Cygwin. Cygwin programs are in the end just Windows programs, but with a POSIX interface implemented as a library. If a proxifier works on Windows, it should be able to proxify Cygwin programs just fine. – Ambroz Bizjak Jul 26 '12 at 16:50

6 Answers

63

You are using 'connect' for HTTPS as your proxy version, this is from man nc:

-X proxy_version Requests that nc should use the specified protocol when talking to the proxy server. Supported protocols are ''4'' (SOCKS v.4), ''5'' (SOCKS v.5) and 'connect' (HTTPS proxy). If the protocol is not specified, SOCKS version 5 is used.

So you should use the following to use SOCKS 5:

    ProxyCommand /usr/bin/nc -X 5 -x 127.0.0.1:7777 %h %p

Or simply:

    ProxyCommand /usr/bin/nc -x 127.0.0.1:7777 %h %p

I hope it helps.

  • Thanks Saman, that worked! Also, thanks for the explanation, it helps. –  Jul 26 '12 at 18:19
  • The `ProxyCommand` must be the first line of your `~/.ssh/config`, or else nested inside a specific `Host` section. Not really sure why. It doesn't work if it's the last line in the `~/.ssh/config` – Aaron McDaid Jul 14 '16 at 19:21
  • @AaronMcDaid: From `man ssh_config`: "For each parameter, the first obtained value will be used." Therefore... global settings need to be **before** any `Host` sections. The last line of `~/.ssh/config` is part of the final `Host` section. – mpb Jun 26 '17 at 02:41
  • Worth mentioning is that netcat is in `/bin/nc` on Debian and Ubuntu. – Per Lundberg May 18 '18 at 10:25
  • Worth noting that `netcat-traditional` doesn't work. Install `netcat-openbsd` for this purpose. – iBug Mar 11 '22 at 17:01
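
Why `-X connect` fails against a SOCKS-only port while `-X 5` succeeds, as an added example that is not part of the original answer or of nc: it plays both client handshakes against a constructed in-process listener. Assumptions: the listener hangs up on anything that does not start with the SOCKS5 version byte and never dials out, and the function names and the `remotehost` target are illustrative.

```python
import socket
import struct
import threading

def socks5_connect_request(host, port):
    """RFC 1928 CONNECT request using a domain-name address (ATYP 0x03)."""
    name = host.encode("ascii")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)

def http_connect_request(host, port):
    """Representative first message of an HTTP-proxy client (nc -X connect)."""
    return f"CONNECT {host}:{port} HTTP/1.0\r\n\r\n".encode("ascii")

def toy_socks5_listener(conn, seen):
    """Constructed stand-in for the dynamic port: SOCKS5, no auth, no real dialing."""
    with conn, conn.makefile("rb") as rd:
        hello = rd.read(2)                      # VER, NMETHODS
        if len(hello) < 2 or hello[0] != 0x05:
            return                              # assumption: hang up on non-SOCKS5
        if 0x00 not in rd.read(hello[1]):
            conn.sendall(b"\x05\xff")           # no acceptable auth method
            return
        conn.sendall(b"\x05\x00")               # select "no authentication"
        head = rd.read(4)                       # VER, CMD, RSV, ATYP
        if len(head) < 4 or head[:2] != b"\x05\x01" or head[3] != 0x03:
            return
        name = rd.read(rd.read(1)[0])           # length-prefixed host name
        (port,) = struct.unpack("!H", rd.read(2))
        seen.append((name.decode("ascii"), port))
        conn.sendall(b"\x05\x00\x00\x01" + bytes(6))   # REP=0: succeeded

def handshake(style, host, port, seen):
    client, server = socket.socketpair()        # loopback pair, no network needed
    worker = threading.Thread(target=toy_socks5_listener, args=(server, seen))
    worker.start()
    try:
        with client, client.makefile("rb") as rd:
            if style == "connect":              # HTTP CONNECT sent to a SOCKS port
                client.sendall(http_connect_request(host, port))
                return "tunnel open" if rd.read(1) else "closed by proxy"
            client.sendall(b"\x05\x01\x00")     # VER=5, one method: no auth
            if rd.read(2) != b"\x05\x00":
                return "closed by proxy"
            client.sendall(socks5_connect_request(host, port))
            return "tunnel open" if rd.read(10)[:2] == b"\x05\x00" else "closed by proxy"
    except OSError:
        return "closed by proxy"
    finally:
        worker.join()
```

Calling `handshake("connect", "remotehost", 22, [])` ends with the listener closing the connection before any SSH banner could be exchanged, while `handshake("5", "remotehost", 22, [])` completes the tunnel setup.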
17
    ssh -o ProxyCommand='nc --proxy-type socks4 --proxy 127.0.0.1:9050 %h %p' user@host

fc19 x86_64, Ncat: Version 6.25

user264910
  • just curious - why `proxy-type socks4`? – suspectus Oct 19 '13 at 09:57
  • Can you add a little more explanation to this to say *why* it's the solution. – ChrisF Oct 19 '13 at 10:48
  • @ChrisF it is the same as accepted solution, but it is one-liner! No need to modify any config file. – j123b567 Dec 02 '15 at 09:39
  • On Gentoo, right command name is `ncat` and not `nc` like on other distros. – j123b567 Dec 02 '15 at 09:40
  • This is the [nmap](https://en.wikipedia.org/wiki/Nmap) `ncat` program (comes via `apt install nmap` on APT systems like Ubuntu and Debian), which is different from [netcat](https://en.wikipedia.org/wiki/Netcat) (be it netcat-openbsd or Hobbit's netcat-traditional). – Adam Katz Nov 05 '16 at 00:07
  • @suspectus related to @Adam Katz comment, the `proxy-type` is `socks4` because the nmap `ncat` program didn't support socks5 until more recently. Indeed, this is an issue even now (Nov 2017), as RHEL 7/CentOS 7 switched to the nmap package but used an older build that does not support socks5 – Randall Nov 27 '17 at 16:09
  • on macos: `ssh -o ProxyCommand='nc -X 5 -x 127.0.0.1:9050 %h %p' user@host`. Otherwise, there will be an error: ``nc: unrecognized option `--proxy'`` – Sang Jul 31 '22 at 13:45
8

tsocks (http://tsocks.sourceforge.net/) is a nice wrapper that uses LD_PRELOAD to make any program use SOCKS proxy transparently:

    tsocks ssh example.com

Just works, remember to configure SOCKS proxy IP in /etc/tsocks.conf

neutrinus
  • it's too complex to have a configuration file – Jiang YD Mar 14 '17 at 03:10
  • tsocks is the only solution that worked for me, so I think this is an important answer to maintain here. the tsocks config file is fairly simple – Arlo Jul 23 '20 at 22:50
  • thanks. it's straightforward to use. just use `export LD_PRELOAD=libtsocks.so` – Akhil Nov 19 '21 at 08:44
2

The following command will do, to just use nc:

    ssh examplehost.com -o "ProxyCommand=nc --proxy localhost:7000 %h %p"

Default is HTTP proxy, there is an HTTP proxy running on port 7000.

Hamid Rouhani
  • `ssh root@server -p 22 -o "ProxyCommand=nc -X 5 -x 127.0.0.1:1080 %h %p"` works – a55 Apr 21 '21 at 09:27
2

Just to make it more simple, you could put these in ~/.ssh/config

    host = example.com
    ProxyCommand nc -X 5 -x 127.0.0.1:9150 %h %p

Any ssh command in terminal will now get through this proxy.

azerafati
2

ssh is able to understand ALL_PROXY environment variable so apparently something like this

    ALL_PROXY=socks5://127.0.0.1:9150 ssh example.com

does the trick also for me at least.

Ebrahim Byagowi