sshttp - hiding a SSH server behind a HTTP server
=================================================

If your firewall policy forbids SSH access to the DMZ or internal
network from outside, but you still want to use SSH on machines
which only have one open port, e.g. HTTP, you can use "sshttpd".

sshttp can multiplex the following protocol pairs:

- SSH/HTTP
- SSH/HTTPS
- SSH/SMTP (without SMTP multiline banners)

sshttpd is an easy-to-use OSI layer 5 switching daemon. It runs
transparently on the HTTP port (-L switch, default 80) and decides
for each incoming connection whether it carries SSH or HTTP traffic.
If it is HTTP traffic it switches the connection to HTTP_PORT
(-H, default 8080); if it is SSH traffic, to SSH_PORT (-S, default
22).

You might need to edit the "nf-setup" script to match your ports (22, 80 and 8080
are just fine) and run it to install the proxy rules.
Your sshd has to run on $SSH_PORT and your webserver on $HTTP_PORT.
That's basically it. Go ahead and run sshttpd (as root) and it will layer-5-switch
your traffic destined to TCP port 80.

If you want to mux SMTP with sshttp, just give "25" as the -L parameter and "2525"
as the -H parameter, and set up your SMTP daemon to listen on 2525. Then
edit the nf-setup script to match these ports. In the Makefile, change
SMTP_DOMAIN and SSH_BANNER to your needs (SSH_BANNER must exactly match
the banner of your running sshd).
SMTP/SSH muxing was tested with the OpenSSH client and the Postfix client and server.

You don't need to patch any of your SSH/web/SMTP client or server software; it
works as is. sshttpd runs only on Linux and needs IP_TRANSPARENT support.
It would work without, but by using IP_TRANSPARENT it is possible to keep
even the syslogs unmodified, i.e. the original source IP/port of incoming
connections is passed as-is to the SSH/HTTP/SMTP servers.

sshttpd is also a tricky anti-SSH-0day (if ever:) and anti SSH-scanning/bruteforcing
measure.
sshttpd has a small footprint and was optimized for speed, so it also runs
on heavily loaded web servers.

Since version 0.24, sshttpd also supports multiple CPU cores. Unless
"-n 1" is given as a switch, sshttpd binds one thread per CPU core
to better exploit the hardware when running on heavily used web servers.
It keeps running this fixed number of threads no matter how many thousands
of connections it handles at the same time.
sshttpd now also runs as user nobody in a chroot (configurable via the -U and -R switches)
if compiled with USE_CAPS. It can now also distinguish between SSH and SSL
sessions; you just have to use a LOCAL_PORT (-L) of 443 or 4433 and change
the HTTP_PORT in the nf-setup script to match your webserver's HTTPS port.
You cannot mix HTTP/SSH and HTTPS/SSH in one sshttpd instance, but you can
run two sshttpd instances to reach that goal: one on LOCAL_PORT 80 and one on
LOCAL_PORT 443.
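As an added illustration (not code from the sshttp project), the following Python sketches the layer 5 decision described above for the SSH/HTTP and SSH/HTTPS pairs, the mapping of that decision onto the -L/-H/-S ports including the 443/4433 rule, and how a proxy keeps the client's original source address with IP_TRANSPARENT. The names classify, backend_port, peek_and_classify and transparent_connect are this example's own; peeking with MSG_PEEK and rejecting unrecognised traffic (fail closed) are design choices of this example, not necessarily how sshttpd behaves. SMTP is left out on purpose: there the server sends its greeting first, so the first client bytes cannot be classified the same way.

```python
import socket

# Default ports as described in the README: -L local port (80),
# -H HTTP backend (8080), -S SSH backend (22).
LOCAL_PORT = 80
HTTP_PORT = 8080
SSH_PORT = 22

# Request-line prefixes of the common HTTP methods, each followed by a space.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")


def classify(first_bytes: bytes) -> str:
    """Return 'ssh', 'http', 'tls' or 'unknown' from the first bytes a client sends.

    SSH:  the client opens with its identification string 'SSH-...' (RFC 4253).
    TLS:  the first record is a Handshake (content type 0x16) with version 3.x.
    HTTP: the request line starts with a method token and a space.
    'unknown' means either not enough data yet or nothing matched; a real
    switch would wait (with a timeout) for more bytes before giving up.
    """
    if len(first_bytes) < 4:
        return "unknown"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if any(first_bytes.startswith(m) for m in HTTP_METHODS):
        return "http"
    return "unknown"


def backend_port(kind: str, local_port: int = LOCAL_PORT,
                 http_port: int = HTTP_PORT, ssh_port: int = SSH_PORT):
    """Map a classified connection to a backend port.

    SSH always goes to the -S port. On LOCAL_PORT 443 or 4433 the non-SSH
    side is expected to be TLS, otherwise plain HTTP (the README's rule that
    HTTP/SSH and HTTPS/SSH are not mixed in one instance). Anything else is
    rejected by returning None; this fail-closed choice is the example's own.
    """
    if kind == "ssh":
        return ssh_port
    expects_tls = local_port in (443, 4433)
    if kind == "tls" and expects_tls:
        return http_port
    if kind == "http" and not expects_tls:
        return http_port
    return None


def peek_and_classify(conn: socket.socket, nbytes: int = 16) -> str:
    """Classify without consuming the bytes (MSG_PEEK), so the backend later
    receives the complete, unmodified stream."""
    return classify(conn.recv(nbytes, socket.MSG_PEEK))


def transparent_connect(client_addr, backend_addr) -> socket.socket:
    """Open the backend connection from the client's own (ip, port), so the
    SSH/HTTP server logs the real peer instead of the proxy (the README's
    IP_TRANSPARENT point). Requires CAP_NET_ADMIN and the return-path
    routing rules (what nf-setup installs), otherwise the backend's replies
    would never come back through the proxy.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # IP_TRANSPARENT is 19 in linux/in.h; fall back to that if the
    # Python build does not export the constant.
    ip_transparent = getattr(socket, "IP_TRANSPARENT", 19)
    s.setsockopt(socket.SOL_IP, ip_transparent, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(client_addr)
    s.connect(backend_addr)
    return s


if __name__ == "__main__":
    # Constructed sample openings, one per protocol plus an SMTP EHLO.
    samples = [
        b"SSH-2.0-OpenSSH_8.9\r\n",
        b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
        b"\x16\x03\x01\x00\xf5\x01\x00\x00\xf1",
        b"EHLO mail.example.test\r\n",
    ]
    for data in samples:
        kind = classify(data)
        print(kind, "->", backend_port(kind))
```

The decision is made on the first segment only, which is why the daemon does not have to understand any of the protocols beyond their opening bytes and why no client or server needs patching. Everything after the switch is relayed unchanged.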

If you want to use the least-privilege feature you need to
install libcap and libcap-devel packages.

Hints/bug reports beyond RTFM to sebastian.krahmer [at] gmail com.

Recent activity

Commits by Sebastian Krahmer were pushed to piorekf/sshttp

5b33fc6 - - typo fixes, better README
3e83d95 - - added SMTP mux support - made protocol decision for ssh/http easier - change STATE_CLOSING timeout to be faster (and again match that in lophttpd, ...
5a7f85f - - changed state engine to match logic of lophttp's frontend ( POLLIN/POLLOUT setting/clearing)
2fc4c21 - - shutdown/cleanup logic is now the same as in lophttpd
e76b8b3 - revert one piece from last commit that made hanging connections last forever due to POLLIN in .revents (pulled plug)
878daf6 - - added STATE_CLOSING to try as best as we can to deliver any pending data to peer, if one peer HUPed connection