how to tunnel ssh through ssl

the only outgoing traffic that some restrictive firewalls allow is web requests. since they usually allow https urls, one can tunnel ssh connections via ssl using stunnel. there is even a version for windows available.

stunnel configurations

for these configurations, assume:

  • server is destination host on internet

    • ip: 64.62.222.180 (grox.net)

  • client is host behind firewall (e.g., on the company lan)

  • server accepts connections from any internet host. this relies on the security of ssh, and just a tad of security through obscurity: the average script-kiddie won't be banging on 443 for ssh servers.

server - /etc/stunnel/ssh.config
    cert = /etc/stunnel/ssh.pem
    pid = /tmp/stunnel.pid
    [ssh]
    accept = 64.62.222.180:443
    connect = 127.0.0.1:22

client - /etc/stunnel/sshclient.config
    cert = ssh.pem
    # for testing
    #foreground = yes
    client = yes
    [ssh]
    accept = 44322
    connect = 64.62.222.180:443

script to create a self-signed cert:

    #!/bin/sh
    PATH=/usr/bin:/bin:/sbin:/usr/sbin

    [ $# -eq 1 ] || { echo "usage: $(basename "$0") filename" ; exit 1; }

    # subject fields, one per prompt: country, state, locality, org, unit, common name, email
    echo "US
    CO
    Denver
    GROX Networks
    ssh server
    grox.net
    null@example.com
    " |
    openssl req -new -x509 -extensions usr_cert -nodes -keyout "$1" -out "$1" -days 1460 -passin "pass:"

running:

server:
  • stunnel /etc/stunnel/ssh.config

  • test: openssl s_client -connect 64.62.222.180:443

    • expected output is the ssh banner, e.g. SSH-1.99-OpenSSH_5.1

client:

start tunnel:

stunnel /etc/stunnel/sshclient.config

test - should create ssh session to server:

ssh -p 44322 localhost
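the two checks above (banner on 443, client config) as a script. this is an added example, not part of the original note: the host, port and config paths are assumptions, and the sample configs it writes are constructed. it also flags what the client config as written does not do: without a verify= and CAfile= line stunnel accepts any server certificate, so the pinned sample adds them.

```shell
#!/bin/sh
# Added example: checks for the stunnel ssh tunnel described in this note.
# Host/port arguments and config paths are assumptions; sample configs are constructed.

# True when a line is an SSH identification string ("SSH-protoversion-software").
is_ssh_banner() {
    case "$1" in
        SSH-2.0-*|SSH-1.99-*|SSH-1.5-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Connect through TLS and return the first line the far end sends.
# Assumes the server speaks first (it does for SSH); the sleep keeps stdin
# open long enough for the banner, and -no_ign_eof lets s_client exit afterwards.
fetch_banner() {
    sleep 3 | openssl s_client -connect "$1:$2" -quiet -no_ign_eof 2>/dev/null \
        | head -n 1 | tr -d '\r'
}

# Lint a client-side stunnel config. Prints one line per problem and returns
# the number of problems found (0 = clean).
check_client_config() {
    cfg=$1
    problems=0
    if ! grep -Eq '^[[:space:]]*client[[:space:]]*=[[:space:]]*yes' "$cfg"; then
        echo "$cfg: missing 'client = yes' (stunnel would run as a server)"
        problems=$((problems + 1))
    fi
    if ! grep -Eq '^[[:space:]]*verify[[:space:]]*=' "$cfg"; then
        echo "$cfg: no 'verify =' line, so any server certificate is accepted"
        problems=$((problems + 1))
    fi
    if ! grep -Eq '^[[:space:]]*CAfile[[:space:]]*=' "$cfg"; then
        echo "$cfg: no 'CAfile =' line, nothing to check the server certificate against"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed samples: the client config as written in this note, and one that
# pins the server's self-signed certificate (the certificate half of ssh.pem,
# copied to the client without the private key).
write_samples() {
    dir=$1
    cat > "$dir/as-written.conf" <<'EOF'
cert = ssh.pem
client = yes
[ssh]
accept = 44322
connect = 64.62.222.180:443
EOF
    cat > "$dir/pinned.conf" <<'EOF'
client = yes
verify = 3
CAfile = /etc/stunnel/server-cert.pem
[ssh]
accept = 44322
connect = 64.62.222.180:443
EOF
}

# Usage: sh check_tunnel.sh /etc/stunnel/sshclient.config [host port]
if [ $# -ge 1 ]; then
    check_client_config "$1" || echo "$? problem(s) found in $1"
    if [ $# -eq 3 ]; then
        banner=$(fetch_banner "$2" "$3")
        if is_ssh_banner "$banner"; then
            echo "ok: $2:$3 answers with $banner"
        else
            echo "no ssh banner on $2:$3 (got '$banner')"
        fi
    fi
fi
```

verify = 3 makes stunnel compare the server's certificate against the one in CAfile, which is what you want for a self-signed cert; with a CA-issued cert, verify = 2 and the CA's certificate in CAfile is the usual setting.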