Why isn't openssl s_client passing my private key to proxytunnel?
You are confusing the clients of two completely different protocols.
The openssl s_client tool is purely a TLS (SSL) client; it is capable of peeling away the TLS layer that HAProxy or stunnel might add. Once that's done, however, it merely transfers arbitrary data from one end to another. The prompt you're seeing is the initial SSH handshake, and the server expects you to reply to it; therefore, you still need to run a program like ssh that would talk the SSH protocol on top of the TLS tunnel.
Usually ssh connects to the server over TCP directly, but you can use the ProxyCommand option to tell it to go through another program:
ssh -o ProxyCommand="openssl s_client -connect localhost:7000 -quiet" dummyname
If you have an SSH keypair, you'll need to specify it as an option to ssh as well:
ssh -i ~/.ssh/id_workplace -o ProxyCommand.....
(Don't need this for ~/.ssh/id_rsa though – it is used by default.)
The s_client options -cert and -key are of course for authenticating to the TLS server. However, they need a full X.509 certificate as "-cert"; just the public key isn't enough, as it would be for SSH.
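The hang described in this answer, as an added example that is not code from the original answer: a stand-in server sends its SSH identification string and then waits for the client's, once with a client that only relays bytes and once with a client that speaks SSH. The banner values, function names and the 0.3 second wait are constructed for illustration.

```python
import socket
import threading

SERVER_ID = b"SSH-2.0-OpenSSH_0.0\r\n"   # constructed sample banner
CLIENT_ID = b"SSH-2.0-demo_client\r\n"   # constructed sample banner

def parse_ident(line: bytes):
    """Parse an RFC 4253 section 4.2 identification string, or return None."""
    text = line.rstrip(b"\r\n").decode("ascii", "replace")
    parts = text.split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH":
        return None
    software, _, comment = parts[2].partition(" ")
    return {"proto": parts[1], "software": software, "comment": comment}

def server_side(conn, outcome, wait=0.3):
    """Stand-in for the SSH server behind the TLS layer: send banner, await the peer's."""
    conn.sendall(SERVER_ID)
    conn.settimeout(wait)
    try:
        peer = parse_ident(conn.recv(255))
        outcome.append("key exchange can start" if peer else "not SSH, closing")
    except socket.timeout:
        outcome.append("still waiting for client identification")
    finally:
        conn.close()

def run(client_reply):
    """Return (banner the client saw, what the server concluded)."""
    client, server = socket.socketpair()
    outcome = []
    worker = threading.Thread(target=server_side, args=(server, outcome))
    worker.start()
    banner = parse_ident(client.recv(255))
    if client_reply is not None:
        client.sendall(client_reply)
    worker.join()
    client.close()
    return banner, outcome[0]

if __name__ == "__main__":
    print(run(None))       # relay-only client: banner shown, nothing sent back
    print(run(CLIENT_ID))  # client that speaks SSH on top of the tunnel
```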
cjones26
Updated on September 18, 2022
Comments
-
cjones26 over 1 year
I currently have HAProxy set up on my home PC and I am attempting to access it through a HTTP proxy. Currently I am accessing the SSH logon prompt like so:
openssl s_client->proxytunnel->HTTP(S) proxy->remote HAProxy->SSH server
I am getting to the point where I receive the SSH-2.0-OpenSSH prompt but for some reason it just hangs at the prompt and doesn’t pass through the private key.
Here are the commands I am executing on the client side and how I set up proxy tunnel to use the organization's proxy:
proxytunnel -p httpproxy.organization.com:8080 -d ssh.homeserver.com:443 -a 7000
Next I am running openssl like so:
openssl s_client -connect localhost:7000 -quiet -key /home/user/.ssh/id_rsa
But for some reason the certificate does not appear to get passed through. I am most likely missing a step so any suggestions would be greatly appreciated!
-
cjones26 over 9 years
Accidentally had -cert instead of -key in the openssl command... I've corrected this.
-
Giacomo1968 over 9 years
“Accidentally had -cert instead of -key in the openssl command…” So does this solve your issue? Or are you pointing out a typo?
-
cjones26 over 9 years
It did not solve the issue, I just typed it wrong inside the post. Apologies :).
-
Giacomo1968 over 9 years
Are you 100% positive of the permissions on /home/user/.ssh/id_rsa?
-
cjones26 over 9 years
I've used 400, 600, and 700 all to no avail.
-
cjones26 over 9 years
grawity, I'm doing something a little funky here in the first place--I've followed this guide blog.chmd.fr/… as the proxy blocks SSH outbound so I'm trying to encapsulate it in SSL. I am able to access my SSH console without the HTTP proxy in place simply by using the ProxyCommand within the ssh configuration file... I'm trying to get around the fact that I don't know how to direct openssl through the proxy without proxytunnel.... I'm sure I am a bit confused but get what I'm saying?