  #1  
Old 01-17-2006, 02:36 PM
dfisherng01 dfisherng01 is offline
Registered User
 
Join Date: Jan 2006
Posts: 3
Using SSH via HTTP Proxy

Does anyone know how to configure SSH via an HTTP proxy? I use the "Generic Proxy" type, but it does not work. The firewall did not prompt me for ID and password. Also, I can't find where in SecureCRT I can specify my firewall ID and password. Thanks.
  #2  
Old 01-17-2006, 05:39 PM
FuzzyFox FuzzyFox is offline
Registered User
 
Join Date: Feb 2005
Location: Dallas, TX
Posts: 59
The "Generic Proxy" option must be taught how to interact with your proxy server. There have been many proxy servers invented over the years, and the Generic Proxy option was created to give you maximum flexibility, but it is difficult to configure at first.

To use an HTTP proxy, you must teach Generic Proxy how to give the HTTP commands.

Proxy Prompt: (leave this field blank)

Proxy Command: CONNECT %h:%p HTTP/1.0\r\n\r\n
This information was shamelessly stolen from the SecureCRT Help File.
  #3  
Old 01-17-2006, 07:05 PM
jdev jdev is offline
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 953
dfisherng01,

SecureCRT doesn't currently provide native support for authenticated HTTP proxies (username + password).

Although this functionality is currently under consideration for a future version of SecureCRT, it isn't yet on the SecureCRT roadmap.

Perhaps the information in this other forum post might help you get connected with your authenticated HTTP proxy in the meantime?

--Jake
__________________
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support
  #4  
Old 01-18-2006, 01:47 PM
dfisherng01 dfisherng01 is offline
Registered User
 
Join Date: Jan 2006
Posts: 3
Yes. I followed the instructions and it works when I connect to an SSH server running on a Linux box. However, when I tried to connect to a Windows XP box running freeSSHD, it failed. Below are the traces. Any idea? Thanks.
SecureCRT - Version 5.0.4 (build 1065)
Initializing Firewall[Generic Proxy]: internetabh.eds.com:443
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT.
[LOCAL] : Using protocol SSH2
[LOCAL] : PRE-IDENT: HTTP/1.0 200 Connection established
[LOCAL] : PRE-IDENT:
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = "SSH-2.0-WeOnlyDo 1.2.7"
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly sends UTF8 where UTF8 is specified
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP : Remote is IETF-DRAFT compliant
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : WARNING : Could not get remote FQDN: The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for.
[LOCAL] : GSS : [Kerberos] SPN : host@69.14.32.248
[LOCAL] : GSS : [Kerberos] Disabling gss mechanism
[LOCAL] : GSS : [Kerberos] InitializeSecurityContext() failed.
[LOCAL] : GSS : [Kerberos] The specified target is unknown or unreachable
[LOCAL] : GSS : [Kerberos w/ Group Exchange] SPN : host@69.14.32.248
[LOCAL] : GSS : [Kerberos w/ Group Exchange] Disabling gss mechanism
[LOCAL] : GSS : [Kerberos w/ Group Exchange] InitializeSecurityContext() failed.
[LOCAL] : GSS : [Kerberos w/ Group Exchange] The specified target is unknown or unreachable
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV: TCP/IP close
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_CLOSED.
[LOCAL] : Connected for 13 seconds, 472 bytes sent, 126 bytes received
  #5  
Old 01-18-2006, 02:48 PM
jdev jdev is offline
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 953
It's not a problem with the firewall any longer, as you're actually getting a response back from the server, but the following is important:

> [LOCAL] : SEND : KEXINIT
> [LOCAL] : RECV: TCP/IP close

This indicates that the remote server had difficulty during key exchange initialization.

SecureCRT sends a key exchange initialization packet to the server, but the server responds by disconnecting.

Can you provide debug logging information from the server?

Also, there might be more detailed information SecureCRT can provide to us in this situation. Would you be able to increase the amount of debug information provided by SecureCRT by performing the following additional steps?
  1. Close all instances of SecureCRT.

  2. Edit the .ini file for the session you are using (Located in the Sessions subfolder of the SecureCRT Configuration folder -- Options / Global Options / General category) and replace the following line:
    D:"Trace Level"=00000000
    to be:
    D:"Trace Level"=00000010

  3. Start SecureCRT anew, attempt the connection once again, and provide the resulting trace option output.

Thanks,
Jake
__________________
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support
  #6  
Old 01-24-2006, 06:25 AM
dfisherng01 dfisherng01 is offline
Registered User
 
Join Date: Jan 2006
Posts: 3
I enabled the advanced logging per your instruction. However, the only message that I got from the sshd server is still the same:

> [LOCAL] : RECV: TCP/IP close

I want to blame it on the SSHD server, but the same server works fine if I am using PuTTY. PuTTY has a built-in interface for HTTP proxy. Also, it works fine with SecureCRT if I am not HTTP proxying. To summarize:

SecureCRT-----HTTP proxy Firewall---- open SSHD server: fail
SecureCRT---------------------------- open SSHD server: success
PuTTY---------HTTP proxy Firewall---- open SSHD server: success

That tells me the problem may be with the SecureCRT HTTP proxy (with authentication). What do you think? Thanks for your help.
  #7  
Old 01-24-2006, 04:44 PM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,040
We've received reports that the following connect works with some authenticated proxy servers. Open Global Options / Firewall, for Type select Generic Proxy, and use the following as the Proxy command:
CONNECT %h:%p HTTP/1.0\r\nUSER username\r\nPASS password\r\n\r\n
If that doesn't work, we might be able to figure out how to get SecureCRT to work with the proxy by viewing Ethernet packets from a successful connection through the proxy when using PuTTY. This could contain sensitive information, so rather than posting it to the forum, if you are willing to send output from a packet sniffer (such as Ethereal) of a successful connection when using PuTTY, please send it to support@vandyke.com
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]
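The request that the proxy commands in this thread expand to, and the way the trace in post #4 is read in post #5, as an added Python example (not from the thread and not SecureCRT code). The `Proxy-Authorization: Basic` header is the standard HTTP scheme (RFC 7617), not the `USER`/`PASS` lines quoted above; the function names, host name and 407 sample are constructed for illustration.

```python
import base64

def build_connect(host, port, user=None, password=None):
    """Bytes of the CONNECT request; credentials add an RFC 7617 Basic header."""
    lines = [f"CONNECT {host}:{port} HTTP/1.0"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def diagnose(reply):
    """Say which hop the first bytes received after CONNECT point at."""
    head, sep, tunnel = reply.partition(b"\r\n\r\n")
    if not sep:
        return {"stage": "proxy", "detail": "incomplete HTTP response header"}
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return {"stage": "proxy", "detail": f"not an HTTP status line: {status_line!r}"}
    code = int(parts[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if code == 407:  # proxy is asking for credentials
        return {"stage": "proxy-auth",
                "detail": headers.get("proxy-authenticate", "no challenge header")}
    if not 200 <= code < 300:
        return {"stage": "proxy", "detail": status_line}
    # Tunnel is up: bytes after the blank line come from the SSH server, which
    # opens with its "SSH-..." identification line (RFC 4253). A failure after
    # this point is between client and SSH server, not a proxy refusal.
    for line in tunnel.split(b"\n"):
        if line.startswith(b"SSH-"):
            return {"stage": "ssh", "detail": line.rstrip(b"\r").decode("latin-1")}
    return {"stage": "tunnel", "detail": "CONNECT accepted, no SSH identification yet"}

# Constructed samples: the first reuses the status line and identifier from the
# trace in post #4; the 407 reply is invented for illustration.
OK_REPLY = b"HTTP/1.0 200 Connection established\r\n\r\nSSH-2.0-WeOnlyDo 1.2.7\r\n"
AUTH_REPLY = (b"HTTP/1.0 407 Proxy Authentication Required\r\n"
              b'Proxy-Authenticate: Basic realm="example"\r\n\r\n')

if __name__ == "__main__":
    print(build_connect("ssh.example.test", 22))
    for sample in (OK_REPLY, AUTH_REPLY):
        print(diagnose(sample))
```

Basic credentials are only base64-encoded, so they cross the client-to-proxy hop readable by anyone capturing that traffic, which is the same reason the packet capture above is requested by e-mail rather than on the forum.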
  #8  
Old 04-27-2006, 07:01 PM
Maureen Maureen is offline
VanDyke Product Director
 
Join Date: Feb 2004
Location: Albuquerque, NM
Posts: 1,563
Basic and authenticated HTTP proxy support has been added to SecureCRT 5.2 and SecureFX 3.2, which are in pre-beta testing. If you're interested in trying either or both, please send me an e-mail at Maureen.Jett@vandyke.com.

Maureen
  #9  
Old 06-27-2006, 04:20 PM
mathieul mathieul is offline
Registered User
 
Join Date: Mar 2005
Posts: 15
Quote:
Originally Posted by Maureen
> Basic and authenticated HTTP proxy support has been added to SecureCRT 5.2 and SecureFX 3.2, which are in pre-beta testing. If you're interested in trying either or both, please send me an e-mail at Maureen.Jett@vandyke.com.

Does it do something like ProxyCap (http://proxylabs.netwu.com/)?

I just started using this in conjunction with the SOCKS gateway of SecureCRT. It's very nice in that I can tell it to redirect all connections to an IP range through the gateway, without needing to reconfigure each browser.

It's especially good for me since I need to connect to multiple Subversion servers, each behind its own SOCKS gateway, and TortoiseSVN didn't support multiple proxies.
  #10  
Old 06-28-2006, 09:16 AM
rlpm rlpm is offline
VanDyke Developer
 
Join Date: Jun 2004
Location: Albuquerque, NM
Posts: 69
About HTTP proxy support in SecureCRT and SecureFX

Hi mathieul,

Quote:
Originally Posted by mathieul
> Does [HTTP proxy support in SecureCRT and SecureFX] do something like ProxyCap (http://proxylabs.netwu.com/)?

No. HTTP proxy support allows SecureCRT and SecureFX to connect through an HTTP proxy, much the same way that SecureCRT and SecureFX support connecting through SOCKS proxies (which is different than SecureCRT's dynamic port forwarding, which allows SecureCRT to act as a SOCKS server/gateway).

ProxyCap appears to be a modification of the Windows IP stack that allows users to define rules specifying that traffic to certain IP ranges be routed through specified proxies.

Quote:
Originally Posted by mathieul
> I just started using this in conjunction with the SOCKS gateway of SecureCRT. It's very nice in that I can tell it to redirect all connections to an IP range through the gateway, without needing to reconfigure each browser.
>
> It's especially good for me since I need to connect to multiple Subversion servers, each behind its own SOCKS gateway, and TortoiseSVN didn't support multiple proxies.

That sounds very interesting, and an excellent use of SecureCRT's dynamic port forwarding.
  #11  
Old 06-28-2006, 09:50 AM
mathieul mathieul is offline
Registered User
 
Join Date: Mar 2005
Posts: 15
Ah, the other side of proxying...
  #12  
Old 10-10-2006, 04:24 PM
krelvinaz krelvinaz is offline
Registered User
 
Join Date: Feb 2006
Posts: 8
Just so happens that I need to move to a new XP box which no longer has Eborder proxy... so I have to use HTTP Proxy.

I had been trying to use SecureCRT 5.1 to do it using the basic connection strings...

Using the Example I found in the help file which uses the connect string... CONNECT %h:%p HTTP/1.0\r\n\r\n

Alas, it did not work.

I did try using telnet to the proxy server and entering in the same, and that worked, but I could not get the connection type above to work.

Just as I was playing with this, I got the 5.2 notice that it was now official.

So I tried it...

Using non-authenticated HTTP proxy still results in no connection.

Is there a way to turn on debug so that I can see what it is actually doing??
  #13  
Old 10-10-2006, 04:27 PM
krelvinaz krelvinaz is offline
Registered User
 
Join Date: Feb 2006
Posts: 8
Hmmm .. just noticed there is a new setting that selects which firewall type to use...

THAT WORKED!