Is it possible to SSH through port 80?

Solution 1

A good corporate firewall will inspect traffic regardless of port so changing port just might not work.

If you have control over the server, and still want to try it, you can change the sshd port to port 80. Warning: if you have something else running on port 80 (on the server) this will not work and will likely mean you completely lose SSH access to the server!

You'll need to edit /etc/ssh/sshd_config and change Port to 80. Then run

sudo restart ssh

And then connect:

ssh user@host -p80

Your bzr path would then look something like: bzr+ssh://host:80/path/


Another method is to use WebDAV. This should skirt around the firewall problem completely because it all happens on port 80, but it will require you to be running Apache and set up a number of things:

  1. Get WebDAV installed
  2. Move your branch into the right place
  3. Use the bzr-webdav plugin to connect

A VPN might be an option but if ssh is locked out, I'd expect that to be excluded too.

You might just want to have a word with your network admins. You need to do something and they're stopping you. If they've got a reason for blocking ssh, it's likely they'll view any extreme attempts to circumvent it fairly negatively...

In short, it might just be safer to talk to them.

Solution 2

SSH through the proxy

If the firewall lets you, you can run ssh to any port, but that requires the ssh server to be listening on that port. Port 80 is unlikely to work, because most places that have firewalls analyse the traffic on that port and block anything that isn't HTTP. But port 443, which is normally the HTTPS port, often works, because SSH and HTTPS look a lot like each other to filtering software, so your SSH session will look like an HTTPS session. (It is possible to distinguish HTTPS and SSH, so this won't work if the firewall is sophisticated enough.)

If you have control over the server, make it listen on port 443 in addition to 22 (the normal ssh port). You can configure the port in /etc/ssh/sshd_config: add a line

Port 443

in addition to the Port 22 that should already be there. Note that this assumes that the ssh server is not also an HTTPS server. If it is, you'll need to find another port that the firewall lets you use or to find another ssh server (see forwarding below).

If you don't need to set a web proxy in your web browser, then you can try connecting directly:

ssh -p 443 myserver.example.com

If that works, define an alias in your ~/.ssh/config:

Host myserver
HostName myserver.example.com
Port 443

If you need to set a web proxy in your web browser, tell ssh to go through the proxy. Install corkscrew. Define an alias like this in your ~/.ssh/config, where http://proxy.acme.com:3128/ is the proxy you use for HTTPS to outside (replace by the proper host name and port):

Host myserver
HostName myserver.example.com
Port 443
ProxyCommand /usr/bin/corkscrew proxy.acme.com 3128 %h %p

SSH over SSH

If you can get to some outside machine by one of the techniques above but not to the machine you're interested in, use that to forward a connection. Assuming you can ssh to a machine called mygateway and you want to reach the SSH server on mytarget, install netcat-openbsd on mygateway (or, if it's not running Ubuntu, make sure it has the nc command). Put this in your ~/.ssh/config:

Host mytarget
ProxyCommand ssh mygateway nc %h %p

SSH to Apache

If the host you want to connect to is already running Apache and listening on port 443, and you have control over that host, you can set up this Apache to accept SSH connections and forward them. See Tunneling SSH over HTTP(S).
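Solution 1 says a good firewall inspects traffic regardless of port, and the answer above notes that SSH and HTTPS can be told apart. The following is an added example, not code from any of the answers, of how such a check works: it fingerprints the first client-to-server bytes of a flow (the SSH identification string, the TLS ClientHello record header, or an HTTP request line) and flags flows whose protocol does not match what the destination port is supposed to carry. The sample flows, the port policy and the labels are constructed for this example.

```python
# Added example (not from the original answers): a minimal protocol fingerprinter
# of the kind an inspecting firewall applies to the first client bytes of a flow.
# All flows below are constructed sample data, not captured traffic.

SSH, TLS, HTTP, HTTP_CONNECT, UNKNOWN = "ssh", "tls", "http", "http-connect", "unknown"

# Methods treated as plain HTTP; CONNECT is labelled separately because it asks
# the server to open a raw tunnel (the mod_proxy trick discussed on this page).
_HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_first_bytes(data: bytes) -> str:
    """Label the first client-to-server bytes of a TCP flow.

    SSH  : RFC 4253 identification string "SSH-2.0-..." (or "SSH-1.99-").
    TLS  : record type 0x16 (handshake), version 0x03 0x0X, then handshake
           type 0x01 (ClientHello) at offset 5.
    HTTP : a method token, a request target and " HTTP/1.x" on the first line.
    """
    if data.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return SSH
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return TLS
    first_line = data.split(b"\r\n", 1)[0]
    if first_line.endswith((b" HTTP/1.0", b" HTTP/1.1")):
        if first_line.startswith(b"CONNECT "):
            return HTTP_CONNECT
        if first_line.startswith(_HTTP_METHODS):
            return HTTP
    return UNKNOWN


# What a port-based policy expects to see; anything else is worth an alert.
EXPECTED_ON_PORT = {22: {SSH}, 80: {HTTP}, 443: {TLS}}


def audit_flows(flows):
    """Return (dst_port, label, reason) for each flow whose protocol does not
    match what the destination port is supposed to carry."""
    alerts = []
    for dst_port, first_bytes in flows:
        expected = EXPECTED_ON_PORT.get(dst_port)
        if expected is None:
            continue  # no policy for this port
        label = classify_first_bytes(first_bytes)
        if label not in expected:
            reason = f"{label} on port {dst_port}, expected {'/'.join(sorted(expected))}"
            alerts.append((dst_port, label, reason))
    return alerts


# Constructed sample flows: (dst_port, first client bytes). The TLS ClientHello is
# truncated to its record and handshake headers; only those bytes matter here.
SAMPLE_FLOWS = [
    (443, b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03" + bytes(32)),      # browser HTTPS
    (443, b"SSH-2.0-OpenSSH_8.9\r\n"),                                      # sshd moved to 443
    (80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),               # ordinary web
    (80, b"CONNECT localhost:22 HTTP/1.1\r\nHost: localhost:22\r\n\r\n"),   # tunnel request
    (22, b"SSH-2.0-OpenSSH_8.9\r\n"),                                       # ssh where expected
]


def run_audit():
    """Run the port policy over the constructed flows and return the alerts."""
    return audit_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    for port, label, reason in run_audit():
        print(f"ALERT port={port} label={label}: {reason}")
```

Running the module prints two alerts: SSH on 443 and a CONNECT request on 80. The check is deliberately narrow: it only reads the client's first bytes, so SSH wrapped inside a real TLS session would pass as TLS, and a thorough inspector also reads the server's reply, where sshd's own identification string gives it away whatever port it listens on.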

Solution 3

I've just read a sophisticated solution here:

http://benctechnicalblog.blogspot.hu/2011/03/ssh-over-connect-over-port-80.html

You can SSH home on port 80 even if your home server runs a webserver on port 80 too.

Assuming the home server runs Apache, the idea involves enabling mod_proxy on your server, then restricting it to connecting only to localhost (proxy.conf):

<IfModule mod_proxy.c>
    ProxyRequests On
    <Proxy *>
        AddDefaultCharset off
        Order deny,allow
        Deny from all
    </Proxy>
    <Proxy localhost>
        Allow from all
    </Proxy>
    AllowCONNECT 22
    ProxyVia On
</IfModule>

Now you can do an HTTP CONNECT request to localhost and the webserver will establish a tunnel for you; you only need to make sure all traffic goes through your proxy:

ssh -o 'ProxyCommand nc -X connect -x myhost.example.com:80 localhost 22' myhost.example.com

Make sure localhost connections to SSH are not privileged (to avoid letting strangers in...)

This should work if you are behind a router that allows only port 80 out.

If you are behind a proxy (so you need to set a proxy in your browser to get web), you will need to first establish a tunnel to your own host, then issue another CONNECT request inside this tunnel to get to your host. This is more sophisticated; you will need to use 2 netcats for this.

Everything is possible, but do it at your own risk...

UPDATE:

Or simply, just use a web application that gives you SSH via a browser. http://en.wikipedia.org/wiki/Web-based_SSH
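Both the corkscrew setup in Solution 2 and the `nc -X connect` ProxyCommand above rely on the same HTTP CONNECT exchange. As an added example (not code from the answers, from corkscrew or from netcat), here it is written out in Python so both sides' messages are visible: the client sends `CONNECT host:port HTTP/1.1`, the proxy answers with a status line, and only a 200 turns the connection into a raw byte pipe. `start_fake_proxy` is a constructed loopback stand-in for the proxy (it echoes whatever enters the tunnel and refuses the placeholder host `denied.example`); the host names and ports are placeholders, and the stdin/stdout pump that a real ProxyCommand needs around `connect_via_proxy` is what corkscrew provides and is not part of this example.

```python
# Added example (not from the original answers, corkscrew or netcat): the HTTP
# CONNECT handshake those tools perform, plus a constructed loopback proxy so
# both sides' messages are visible. Host names and ports here are placeholders.
import socket
import threading


class ProxyConnectError(Exception):
    """The proxy refused the CONNECT or answered with something that is not HTTP."""


def build_connect_request(target_host, target_port):
    """The request a CONNECT-capable proxy expects; the blank line ends it."""
    return (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
            f"Host: {target_host}:{target_port}\r\n\r\n").encode("ascii")


def read_http_head(sock):
    """Read until the blank line ending an HTTP header; return (head, bytes after it)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ProxyConnectError("peer closed the connection before ending the header")
        buf += chunk
        if len(buf) > 65536:
            raise ProxyConnectError("header too large")
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest


def parse_status(head):
    """Return the numeric status code from the status line, or raise."""
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ")
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ProxyConnectError(f"malformed status line: {status_line!r}")
    return int(parts[1])


def connect_via_proxy(proxy_host, proxy_port, target_host, target_port, timeout=10):
    """Open a tunnel through the proxy; return (socket, bytes the proxy sent early)."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_connect_request(target_host, target_port))
        head, early = read_http_head(sock)
        status = parse_status(head)
        if status != 200:
            raise ProxyConnectError(f"proxy refused CONNECT: status {status}")
        sock.settimeout(None)  # tunnel is up; from here on it is a plain byte pipe
        return sock, early
    except Exception:
        sock.close()
        raise


def start_fake_proxy(denied_host="denied.example"):
    """Constructed loopback proxy: CONNECT succeeds for any target but denied_host,
    then everything sent through the tunnel is echoed back. Returns (socket, port)."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def handle(conn):
        with conn:
            head, rest = read_http_head(conn)
            target = head.split(b"\r\n", 1)[0].split(b" ")[1]  # "host:port"
            if target.rsplit(b":", 1)[0] == denied_host.encode():
                conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
                return
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            data = rest  # anything the client sent early already belongs to the tunnel
            while True:
                if data:
                    conn.sendall(data)
                data = conn.recv(4096)
                if not data:
                    return

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                return  # server socket closed
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return server, server.getsockname()[1]


def demo(proxy_port):
    """One accepted CONNECT (echo through the tunnel) and one refused CONNECT."""
    sock, early = connect_via_proxy("127.0.0.1", proxy_port, "ssh.example.com", 22)
    banner = b"SSH-2.0-OpenSSH_demo\r\n"  # what ssh would send first through the tunnel
    with sock:
        sock.sendall(banner)
        echoed = early
        while len(echoed) < len(banner):
            echoed += sock.recv(4096)
    try:
        connect_via_proxy("127.0.0.1", proxy_port, "denied.example", 22)
        refused = None
    except ProxyConnectError as exc:
        refused = str(exc)
    return echoed, refused


if __name__ == "__main__":
    server, port = start_fake_proxy()
    print(demo(port))
    server.close()
```

The refused branch is the one the Apache configuration above produces for anything other than `CONNECT localhost:22`, since `Deny from all` plus `AllowCONNECT 22` only leaves that single target open; on the server side, refused CONNECT attempts in the Apache access log are the first thing to watch for if mod_proxy is enabled this way.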

Solution 4

I am sorry, I have to play devil's advocate.

I know that there is most likely a reason for doing this, however, why won't your networking/firewall admins open the specific port you are looking for? From a security standpoint, do you want to take the chance that web-inspect will miss anything? If it's configured to bypass port 80 for standard traffic, you are putting yourself in harm's way.

I agree with a few suggestions above, whereas a point-to-point VPN may be a more secure option. Again, from a security standpoint, I would be interested to know the reason you are truly bypassing security policies and why you cannot either put your server in a DMZ or backbone for access. Just me. Good luck.

Solution 5

If you don't have any control over the server to change the SSH port to port 80 or if you can't SSH over port 80 because the firewall blocks you from transferring such data through port 80, you can try TOR.

TOR is a huge network. Your computer connects to another computer somewhere in the world, that computer connects to another one until it reaches the SSH server. This is all firewall-friendly, happens on port 443 (which your company doesn't block, or else... well, that's not so smart of them). It's literally just a huge proxy or VPN, and it's encrypted too. This way, you can access any host on any port (also a server's SSH on port 22).

Take a look at it online at www.torproject.org.

Author: jokerdino

I am part of the team behind developing Unity Tweak Tool. http://about.me/jokerdino

Updated on September 18, 2022

Comments

  • jokerdino
    jokerdino almost 2 years

    I am behind a network firewall that doesn't let me ssh through the default port. Because of that, I can't push any bzr branches to my repository. I would like to know if it is possible to somehow proxy the ssh through port 80 so I can push the branches.

    I heard that corkscrew lets you do that but I am not sure how to do that exactly.

    If you know any working proxy server that lets you do that, please do mention them.

  • Panther
    Panther over 12 years
    +1 to discussing your needs with your IT department. In many environments, mine included, this type of activity would be grounds for termination.
  • Dan Hibbert
    Dan Hibbert over 12 years
    Also, if he's going to make the ssh server listen on another port, he could make it listen on both port 22 and 80 by having two Port lines, with one for each port in the /etc/ssh/sshd_config file.
  • Eliah Kagan
    Eliah Kagan about 12 years
    I'll avoid making a list (the list is long and discussion of some of the items on it can get very political quickly), but this question covers many situations besides that of an employee seeking to circumvent a company policy that is loyally implemented by the company's own IT department. I'm all for people discussing their work needs with IT, but that's not always applicable, and sometimes IT departments even reply with, "It's fine, but we're not changing anything to accommodate you." Separately, it's quite plausible that port 22 is blocked but VPNs aren't, so I think that's worth a try.
  • Jeremy Bicha
    Jeremy Bicha over 11 years
    It's not always possible to talk to the network admins, and the network admins aren't always reasonable.
  • Philippe Paré
    Philippe Paré over 10 years
    you can also use nc instead of corkscrew for https, yes? stackoverflow.com/a/15577758/32453
  • old-ufo
    old-ufo almost 7 years
    For example, if you are sitting in cafe, connected to WiFi, but admin restricted access (and you still need to connect right now).
  • NeverEndingQueue
    NeverEndingQueue over 6 years
    @Panther Then some people would be even happier to end that corporate regime.