savannah-hackers

[Savannah-hackers] Re: ssh port strategy


From: Andrew Innes
Subject: [Savannah-hackers] Re: ssh port strategy
Date: 15 Mar 2001 21:28:56 +0000
User-agent: Gnus/5.0803 (Gnus v5.8.3) Emacs/20.7

On Tue, 06 Mar 2001 20:53:08 -0500, "Joel N. Weber II" <address@hidden> said:
>I would like to see us have sshd listening on ports that will help
>people behind firewalls be able to connect to the sshd on various GNU
>machines.  For example, my understanding is that Miles can connect to
>port 80 and port 443 on remote machines, but nothing else.  So if we
>run an sshd on port 443 on each machine he cares to connect to, he
>ought to be able to use ssh to connect to GNU machines.
>
>I'm not sure if this sort of hack would also remove the need for
>andrewi to run his proxy on fencepost.

Hi Joel,

I've been looking into this, and I'm still not able to do without the
tunnel just yet.  It might be possible with some work on Miles' proxyfwd
program though.

I originally thought your change to make sshd listen on port 443
wouldn't help me, because my understanding is that our corporate
firewall only allows internet access from our proxy servers, and the
proxies only support http and ftp.  It doesn't restrict which ports we
connect to using HTTP though, which is the problem you were addressing.

In fact my understanding above is correct, but what I've discovered is
that the proxies do support CONNECT (the connection forwarding command)
-- I had investigated months ago to see if this was supported and had
come to the conclusion it wasn't.  Hence I thought my only solution was
to use the HTTP tunnel.

But I tried it again and discovered CONNECT is supported; my original
test was flawed.  Using Miles' proxyfwd program I can manage to connect
to fencepost using ssh.  However the connection is very flaky, and falls
over within a few seconds - that is, if it even manages to get past the
ssh handshake.

I think the flakiness could possibly be cured by supplying some headers
with CONNECT, to enable keep-alive and possibly to make clear that the
data is binary.

But for the moment, it isn't usable.

AndrewI
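The exchange Andrew describes is the HTTP CONNECT method: the client asks the proxy to open a raw TCP connection to a host and port, the proxy answers with an HTTP status line, and after the blank line every byte belongs to the tunnelled stream (for ssh, the server's version banner). The added example below is not part of the original thread, Miles' proxyfwd program or any GNU machine's configuration; it shows both sides of that exchange as plain functions over constructed bytes: the request a tunnelling helper sends (including a `Proxy-Connection: keep-alive` header, which is the kind of keep-alive hint speculated about above and an assumption about what a given proxy honours), the proxy's parse of the request with a port allowlist, and the client's parse of the reply, which hands back any trailing bytes instead of dropping them. The host name `ssh.example.org`, the allowlist and the simulated proxy are constructed for the example.

```python
import re

# Constructed policy: only allow CONNECT tunnels to the HTTPS port, the usual
# proxy default.  A proxy that permits CONNECT to any port is a generic TCP relay.
ALLOWED_CONNECT_PORTS = frozenset({443})

_REQUEST_LINE = re.compile(
    r"CONNECT (?P<host>[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:.]+\]):(?P<port>\d{1,5}) HTTP/1\.[01]"
)
_STATUS_LINE = re.compile(r"HTTP/1\.[01] (?P<code>\d{3})(?: .*)?")


def build_connect_request(host: str, port: int, keep_alive: bool = True) -> bytes:
    """Client side: the request head a tunnelling helper sends to the proxy.

    The Proxy-Connection header is an assumed keep-alive hint; whether a
    particular proxy honours it is proxy-specific.
    """
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if keep_alive:
        lines.append("Proxy-Connection: keep-alive")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_request(raw: bytes):
    """Proxy side: split a CONNECT request head into (host, port, headers).

    Raises ValueError on anything that is not a well-formed CONNECT request,
    so the proxy never has to guess what the client wanted.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head not terminated by a blank line")
    lines = head.decode("ascii").split("\r\n")
    m = _REQUEST_LINE.fullmatch(lines[0])
    if m is None:
        raise ValueError(f"not a CONNECT request line: {lines[0]!r}")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return m.group("host"), port, headers


def connect_allowed(port: int, allowed=ALLOWED_CONNECT_PORTS) -> bool:
    """Policy check applied by the proxy before it opens the tunnel."""
    return port in allowed


def proxy_handle_connect(raw: bytes, allowed=ALLOWED_CONNECT_PORTS) -> bytes:
    """Simulated proxy: the response bytes for one CONNECT request head."""
    try:
        _host, port, _headers = parse_connect_request(raw)
    except ValueError:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    if not connect_allowed(port, allowed):
        return b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
    return b"HTTP/1.1 200 Connection established\r\n\r\n"


def parse_connect_response(raw: bytes):
    """Client side: return (status_code, leftover) for the proxy's reply.

    Bytes after the blank line already belong to the tunnelled stream (the
    ssh server's banner may arrive in the same read), so they are returned
    rather than discarded; a helper that drops them corrupts the ssh handshake.
    """
    head, sep, leftover = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response head not terminated by a blank line")
    status = head.split(b"\r\n")[0].decode("ascii")
    m = _STATUS_LINE.fullmatch(status)
    if m is None:
        raise ValueError(f"not an HTTP status line: {status!r}")
    return int(m.group("code")), leftover


if __name__ == "__main__":
    # Constructed walk-through: a CONNECT to port 22 is refused by the
    # allowlist, one to port 443 is accepted and the ssh banner survives.
    print(proxy_handle_connect(build_connect_request("ssh.example.org", 22)))
    reply = proxy_handle_connect(build_connect_request("ssh.example.org", 443))
    print(parse_connect_response(reply + b"SSH-2.0-OpenSSH\r\n"))
```

On the proxy side the single decision that matters is `connect_allowed`: the proxy in the thread evidently allowed CONNECT to port 22, which is what turned an http/ftp-only proxy into an ssh path, while a proxy that allows CONNECT only to 443 is exactly why the sshd-on-443 idea from earlier in the thread works. On the client side the leftover-bytes handling is the one edge case a hand-written helper most often gets wrong.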
