Proxying connections through SSH

Ever wonder how you can tunnel web and AIM traffic securely from one location to another? This can be accomplished with ssh’s “-D” option, which opens a local SOCKS proxy. Traffic handed to that proxy is sent securely over an SSH session and routed out through a remote endpoint. This looks like:

Firefox/GAIM <-- HTTP/AIM --> loopback:PORT <-- SSH --> REMOTE END <-- HTTP/AIM --> Internet

To create a local proxy on TCP port 8000, we can pass the value 8000 to the “-D” option:

$ ssh -C -D 8000 -p 443 ick@ick.net

Once the SSH connection is established, you need to configure your client (e.g., Firefox, GAIM) to use a SOCKS proxy on the loopback interface, TCP port 8000. Once your clients are pointed at the localhost:8000 listener, all application traffic will be sent securely through your ssh session and routed through the Internet connection on the remote end.
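The listener that “-D” opens on loopback:8000 speaks SOCKS (OpenSSH accepts SOCKS4 and SOCKS5). As an added example that is not part of the original post, here is the SOCKS5 exchange a client such as Firefox has with that listener, written in Python; the target host and port, and the sample replies, are constructed for illustration.

```python
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00          # the only method an OpenSSH -D listener accepts
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_CODES = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
               3: "network unreachable", 4: "host unreachable", 5: "connection refused",
               6: "TTL expired", 7: "command not supported", 8: "address type not supported"}

def client_greeting():
    """Client's first bytes: version 5, one method offered, no authentication. Nothing
    here identifies the user; the listener is protected only by binding to loopback."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def parse_method_reply(data):
    """Server's answer to the greeting; 0xFF means no offered method was acceptable."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method selection")
    return data[1]

def connect_request(host, port):
    """CONNECT request for host:port. The name goes across as ATYP 3 (domain name),
    so DNS resolution happens at the remote end of the SSH session, not locally."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)

def parse_reply(data):
    """Decode the CONNECT reply into (status_text, bound_address, bound_port).
    Anything but 'succeeded' means the remote end could not reach the target."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    status, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = ".".join(str(b) for b in data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    elif atyp == ATYP_IPV6:
        addr, rest = data[4:20].hex(), data[20:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(rest) < 2:
        raise ValueError("truncated reply")
    return REPLY_CODES.get(status, "unknown %d" % status), addr, struct.unpack("!H", rest[:2])[0]
```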

Since most web proxies tunnel secure connections, you can set up your remote endpoint to accept SSH connections on TCP port 443. This is amazingly useful for routing around corporate firewalls and proxies. You don’t want to get caught looking for jobs while you’re at work, right? ;)

Passive FTP on Solaris

The FTP protocol uses a control channel to send commands to a server, and a data channel to send and receive files. The control channel by default uses TCP port 21, and the data channel is negotiated with the FTP PORT and PASV commands. When ACTIVE mode FTP is in use, the client chooses the port to use for data transfers. When PASSIVE mode FTP is used, the server is responsible for picking the data port.

With ACTIVE mode FTP, the client picks a high numbered port to use for the data transfer, and instructs the server to use this port by issuing a PORT command. The server then opens an inbound connection to the client on that port, which is announced only inside the control channel, so firewalls that are not application-aware usually have trouble with these connections.

With PASSIVE mode FTP, the client issues a PASV FTP command to the server, and the server picks a port for the client to connect to. All data is then transferred over this channel. Because the data connection is outbound from the client, this method works with most stateful firewalls, and it is supported in most mainstream FTP clients.
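Both negotiation messages carry the data-channel endpoint inside the control channel, which is exactly what a firewall has to parse to open the right hole. As an added example (not from the original post), here is a Python decoder for the PORT and 227 encodings plus a helper that reports which side initiates the data connection; the sample PORT line and PASV reply are constructed.

```python
import re

# Constructed sample lines (RFC 5737 documentation addresses), not captured traffic.
PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,202,15)"   # server -> client
PORT_CMD = "PORT 192,0,2,10,4,210"                                # client -> server

_SIX = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def _decode_six(text):
    """Pull h1,h2,h3,h4,p1,p2 out of a PORT command or 227 reply.
    Both encode the data endpoint the same way: four address octets,
    then the port split into two bytes (port = p1 * 256 + p2)."""
    m = _SIX.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % text)
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]

def parse_pasv(reply):
    """PASSIVE mode: the server's 227 reply says where the client connects for data."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    return _decode_six(reply)

def parse_port(cmd):
    """ACTIVE mode: the client's PORT command says where the server connects back."""
    if not cmd.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % cmd)
    return _decode_six(cmd)

def build_port(host, port):
    """Encode the PORT command a client sends after opening its listening data socket."""
    octets = host.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("host must be a dotted-quad IPv4 address")
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)

def data_channel(control_line):
    """Return (direction, host, port) a firewall must learn from the control channel.
    PASSIVE is an outbound client connection, which a stateful firewall allows;
    ACTIVE needs an inbound connection to the client, which only an
    application-aware firewall can open on demand."""
    if control_line.startswith("227"):
        return ("client->server",) + parse_pasv(control_line)
    return ("server->client",) + parse_port(control_line)
```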

The Solaris “ftp” command defaults to ACTIVE mode FTP, but supports PASSIVE mode FTP when invoked with the “-p” option:

$ ftp -p sunsite.unc.edu

Connected to sunsite.unc.edu.
220 ProFTPD Server (Bring it on...)
Name (sunsite.unc.edu:matty): anonymous
331 Anonymous login ok, send your complete email address as your password.
Password:
230-
Welcome to ftp.ibiblio.org, the public ftp server of ibiblio.org. We
hope you find what you're looking for.

If you have any problems or questions, please send email to

ftpkeeper@ibiblio.org

Thanks! 

230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.

For a super detailed explanation of ACTIVE and PASSIVE FTP, check out Slacksite:

http://slacksite.com/other/ftp.html

This is a super useful resource.

Apache HTTP to HTTPS redirects

The Apache web server provides a flexible and customizable web hosting environment, and contains a plethora of features. One nice feature is the ability to redirect clients to different areas of a site based on URL location, or the port they are connecting to. Redirection is accomplished with the “Redirect” and “RedirectMatch” directives, which are part of the mod_alias module. To redirect all HTTP:// connections to HTTPS://, you can set up a VirtualHost, and use the Redirect directive to forward all requests for /* to a secure URL:

<VirtualHost *:80>
        Redirect permanent / https://www.daemons.net/something/blah.jsp
</VirtualHost>

This assumes that non-secure connections are terminated on TCP port 80, and secure connections are terminated on TCP port 443.
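One detail worth checking before relying on the VirtualHost above: Redirect appends whatever follows the matched prefix to the target, so it sends / to the JSP but /news to .../blah.jspnews, while RedirectMatch substitutes $N groups and appends nothing. The following Python model of the two mod_alias directives is an added example (not Apache's code and not from the original post); the request paths are constructed.

```python
import re

# The page's VirtualHost target; request paths below are constructed examples.
PAGE_TARGET = "https://www.daemons.net/something/blah.jsp"

def alias_matches(url_path, request_path):
    """Segment-aware prefix match as mod_alias does it: /foo matches /foo and /foo/x
    but not /foobar, and a url_path ending in '/' matches everything under it.
    Returns the unmatched remainder of request_path, or None on no match."""
    if not request_path.startswith(url_path):
        return None
    rest = request_path[len(url_path):]
    if url_path.endswith("/") or rest == "" or rest.startswith("/"):
        return rest
    return None

def redirect(url_path, target, request_path):
    """Location header produced by `Redirect permanent <url_path> <target>`.
    Whatever follows the matched prefix is appended to the target verbatim."""
    rest = alias_matches(url_path, request_path)
    return None if rest is None else target + rest

def redirect_match(pattern, target, request_path):
    """Location header produced by `RedirectMatch permanent <pattern> <target>`.
    $1..$9 in the target are filled from regex groups; nothing is appended."""
    m = re.search(pattern, request_path)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", target)

def page_config(request_path):
    """The Redirect line from the VirtualHost above, applied to one request."""
    return redirect("/", PAGE_TARGET, request_path)

def keep_path(request_path):
    """Variant that preserves the path, so /news on :80 lands on /news over HTTPS."""
    return redirect("/", "https://www.daemons.net/", request_path)

def collapse_all(request_path):
    """RedirectMatch form that really sends every request to the one secure URL."""
    return redirect_match("^/", PAGE_TARGET, request_path)
```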

Printing VxVM DMP path information

In addition to providing volume management capabilities, the Veritas volume manager can manage multiple paths to a disk device. This allows I/O to be load-balanced across multiple paths, and ensures that I/O is transparently routed around failed paths. To print path information for a specific disk, you can use the “vxdisk” or “vxdmpadm” utilities:

$ vxdisk list c2t21d36

[ ... ]

Multipathing information:
numpaths:   4
c2t21d36s2      state=enabled
c2t23d36s2      state=enabled
c3t20d36s2      state=disabled
c3t22d36s2      state=disabled

$ vxdmpadm getdmpnode nodename=c2t21d36s2

NAME                 STATE     ENCLR-TYPE   PATHS  ENBL  DSBL  ENCLR-NAME
=========================================================================
c2t21d36s2           ENABLED   EMC          4      2     2     EMC0

$ vxdmpadm getsubpaths dmpnodename=c2t21d36

NAME         STATE         PATH-TYPE  CTLR-NAME  ENCLR-TYPE   ENCLR-NAME
====================================================================
c2t21d36s2   ENABLED        -        c2         EMC          EMC0
c2t23d36s2   ENABLED        -        c2         EMC          EMC0
c3t20d36s2   DISABLED       -        c3         EMC          EMC0
c3t22d36s2   DISABLED       -        c3         EMC          EMC0

The vxdisk(1m) and vxdmpadm(1m) output shows the number of paths to a disk device, and the current state of each path (e.g., enabled or disabled).

Encrypting data with GNU Privacy Guard

The GNU Privacy Guard provides a command line tool (gpg) to encrypt data and manage digital signatures. GPG supports the OpenPGP standard, and provides easy access to a variety of key distribution servers. To view the full list of options available to gpg, you can run gpg with the “-h” option:

$ gpg -h | head -20

gpg (GnuPG) 1.2.4
Copyright (C) 2003 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Syntax: gpg [options] [files]
sign, check, encrypt or decrypt
default operation depends on the input data

[ ... ]

To use the gpg utility to encrypt a text file, we can invoke gpg with the “-c” option:

$ gpg -c --cipher-algo AES256 services

$ ls -l service*
-rw-r--r-- 1 matty matty 572576 11 Feb 12:50 services
-rw-r--r-- 1 matty matty 168375 11 Feb 12:50 services.gpg

The “-c” option instructs gpg to encrypt the file with a symmetric key algorithm. The “--cipher-algo” option picks the algorithm to use, and the file to encrypt is passed to gpg as an argument. The full list of algorithms is included in the header of the help screen.

To decrypt a file encrypted with gpg, we can use the “-d” option:

$ gpg --output services -d services.gpg

gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase

The “--output” option is passed to gpg to control where the decrypted file contents are written. By default, gpg will print the decrypted contents to standard output. For sensitive or binary data, this is probably not what you want.