SSH Proxy Server

Notes on how to set up an SSH proxy server (a SOCKS proxy over SSH) that works as a VPN with the help of iptables.

  1. Setup server
  2. Setup client
  3. Notes

Setup server

Check the installed OpenSSH version and set up the OpenSSH server. OpenSSH manual pages:


The user of the proxy must not be able to run commands, get a shell, or kill any process. Restricting the user in the system-wide sshd_config is more reliable than restricting it with options in ~/.ssh/authorized_keys, which apply per key and live in a file in the user's home directory.

AllowGroups admin users gitolite sshproxy

Match Group gitolite
    AllowAgentForwarding no
    AllowTcpForwarding no

Match Group sshproxy
    AllowAgentForwarding no
    PermitTTY no
    ForceCommand echo 'This account can only be used for web proxy'

Add the user:

sudo useradd -r -U -d /srv/sshproxy -s /bin/false sshproxy

ForceCommand is not strictly necessary when the login shell is /bin/false: sshd runs every command, the forced one included, through the user's shell, so nothing gets executed either way (and the echo message is never shown). Port forwarding with ssh -N needs no shell, so the SOCKS proxy keeps working.
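
As an added example (not from the original notes), a small shell script that audits an sshd_config for the restrictions the sshproxy group should have. It applies sshd's own precedence (a matching Match block overrides the global section, first value of a keyword wins) and flags the gap the checks further down find: with AllowTcpForwarding left at its default, the proxy user can also open remote (-R) forwards, which "AllowTcpForwarding local" refuses while keeping -D and -L. It assumes whitespace-separated keywords, only "Match Group" and "Match all" blocks, and no Include drop-ins; the hardened configuration it prints is constructed here and is not the notes' own.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an sshd_config for the
# restrictions the "sshproxy" group should have, so the server side of the
# permission tests can be checked without logging in.
# Assumptions not stated in the notes: keywords are separated from values by
# whitespace (not "="), only "Match Group ..." and "Match all" blocks are
# honoured (a "Match User" block that also covers the proxy user is ignored),
# and Include/sshd_config.d drop-ins are not followed.

# Print the "keyword value" pairs sshd applies to members of <group>,
# lower-cased. Like sshd, the first value of a keyword wins within the global
# section and within the matching Match blocks, and a matching Match block
# overrides the global section.
effective_options() {   # usage: effective_options <sshd_config> <group>
    awk -v group="$2" '
        /^[ \t]*(#|$)/ { next }                     # comments and blank lines
        { key = tolower($1); val = tolower($2) }     # keywords are case-insensitive
        key == "match" {
            in_match = 1; wanted = 0
            if (tolower($2) == "all") wanted = 1
            else if (tolower($2) == "group") {      # "Match Group a,b" lists groups
                n = split($3, g, ",")
                for (i = 1; i <= n; i++) if (g[i] == group) wanted = 1
            }
            next
        }
        !in_match { if (!(key in gval)) gval[key] = val; next }
        wanted    { if (!(key in mval)) mval[key] = val }
        END {
            for (k in mval) gval[k] = mval[k]
            for (k in gval) print k, gval[k]
        }' "$1"
}

# Value sshd ends up with for one keyword; <default> is the compiled-in
# default used when the keyword never appears.
option_value() {   # usage: option_value <option-lines> <keyword> <default>
    v=$(printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }')
    printf '%s\n' "${v:-$3}"
}

# Exit 0 if the group is locked down to SOCKS-only use, 1 otherwise, printing
# one line per keyword. "allowtcpforwarding local" keeps -D/-L working but
# refuses -R, the listen-on-the-server gap noted in the permission tests.
# ForceCommand is required as defence in depth next to the /bin/false shell.
audit_sshproxy() {   # usage: audit_sshproxy <sshd_config> [group]
    opts=$(effective_options "$1" "${2:-sshproxy}")
    rc=0
    #          keyword|accepted value (ERE)|sshd default when unset
    for spec in 'permittty|no|yes' \
                'allowagentforwarding|no|yes' \
                'allowtcpforwarding|local|yes' \
                'x11forwarding|no|no' \
                'permittunnel|no|no' \
                'forcecommand|.+|'; do
        key=${spec%%|*}; rest=${spec#*|}; want=${rest%%|*}; dflt=${rest#*|}
        have=$(option_value "$opts" "$key" "$dflt")
        if printf '%s\n' "$have" | grep -Eqx "$want"; then
            printf 'ok    %-22s %s\n' "$key" "$have"
        else
            printf 'WEAK  %-22s %s (want: %s)\n' "$key" "${have:-unset}" "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed hardened configuration for the proxy group (the notes' Match
# block plus the forwarding restrictions the audit expects).
hardened_config() {
    cat <<'EOF'
AllowGroups admin users gitolite sshproxy

Match Group sshproxy
    AllowAgentForwarding no
    AllowTcpForwarding local
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
    ForceCommand echo 'This account can only be used for web proxy'
EOF
}

# usage: sh audit_sshproxy.sh /etc/ssh/sshd_config [group]
if [ $# -gt 0 ]; then audit_sshproxy "$@"; fi
```

Run it against /etc/ssh/sshd_config after every change; a WEAK line for allowtcpforwarding means the proxy user can still bind ports on the server with -R.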

Setup client

Add the proxy to ~/.ssh/config:

Host proxy
    Hostname c2.ank
    IdentityFile ~/.ssh/sshproxy
    Port 2222
    User sshproxy

Start the SOCKS listener with debug output:

$ ssh proxy -v -C -N -D 8080

Start the listener and go to the background once the connection is established:

$ ssh proxy -f -N -D 8080

Add the FoxyProxy Standard browser extension to select the proxy per domain pattern. While configuring the server, run the following permission tests:

Connection closed (/bin/date is not executed):

$ ssh proxy
$ ssh proxy /bin/date

Administratively prohibited (2x):

$ ssh proxy -N -D 443
$ curl -I --socks5 localhost:443
$ ssh proxy -N -L
$ curl -I localhost:8080
$ sftp proxy

Should be possible, because the client is expected to forward its own SSH server to the proxy host:

$ ssh host -N -R
$ curl -I localhost:8080

This works; it forwards the client's SSH port to the server:

$ ssh host -N -R 443:localhost:2222

Unfortunately, the client can also connect to that port on the server through a local forward. Not a big issue:

$ ssh host -N -L 1234:localhost:443

The proxy user should not be able to:

  • execute shell commands - done
  • access files or upload files to the server - done
  • use the server as proxy (e.g. webproxy) - done
  • access local services that were otherwise not publicly accessible due to a firewall - partially: the client cannot reach ports other than 62222, but it can listen on and connect to port 62222 on the server. Setting AllowTcpForwarding local in the Match Group sshproxy block closes this; it keeps -D and -L working and refuses -R (remote) forwards.
  • kill the server - done (note that these checks only cover the SSH server. Another vulnerable service on the same machine could still let an attacker run commands, kill the server, etc.)

Routing all traffic (VPN)

To route all traffic through the SOCKS proxy, start the listener on the client:

$ ssh proxy -N -D 5222

Redirect all other TCP traffic with iptables (as root). REDIRECT hands the listener on port 1081 a plain TCP connection, not a SOCKS request, so that listener has to be a transparent-proxy-to-SOCKS redirector that in turn connects to the SOCKS listener on 5222; the proxy server's own address is excluded so the SSH tunnel is not redirected into itself. Only TCP can be carried over the SOCKS tunnel, so UDP (DNS included) still leaves the host directly.

$ sudo iptables -t nat -A OUTPUT ! -d <proxy-server-ip> -p tcp -j REDIRECT --to-ports 1081
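
The redirection above as a complete rule set, added here as an example that is not from the original notes: a shell script that renders (and, as root, applies or removes) the iptables rules for sending all outgoing TCP into a transparent-proxy port while keeping the tunnel's own traffic out of the loop. The proxy server address 192.0.2.10, the redirector port and the chain name SSHPROXY_OUT are placeholders; it assumes a redirector such as redsocks sits on that port in front of the ssh -D SOCKS listener on 5222, which the notes do not spell out.

```shell
#!/bin/sh
# Added example, not part of the original notes: build the iptables rules that
# send all outgoing TCP through the tunnel without catching the tunnel itself.
# Assumptions not stated in the notes: the SSH SOCKS listener (ssh -N -D) is on
# 127.0.0.1:5222 and a transparent-proxy-to-SOCKS redirector (e.g. redsocks)
# listens on 127.0.0.1:<redir-port> and connects to it. iptables REDIRECT hands
# over plain TCP connections and does not speak SOCKS, so the SOCKS port must
# never be the REDIRECT target. UDP (DNS included) cannot ride a SOCKS tunnel
# over SSH and is left alone here, so it still leaves the host directly.

CHAIN=SSHPROXY_OUT   # placeholder chain name

# Print the rules instead of applying them so they can be reviewed or tested.
# Rule order is the whole point: every exception RETURNs before the catch-all.
# The private-range lines keep LAN traffic direct; drop them to tunnel it too.
render_redirect_rules() {   # usage: render_redirect_rules <proxy-server-ip> <redir-port>
    server=$1; redir=$2
    cat <<EOF
iptables -t nat -N $CHAIN
iptables -t nat -A $CHAIN -o lo -j RETURN
iptables -t nat -A $CHAIN -d $server -j RETURN
iptables -t nat -A $CHAIN -d 10.0.0.0/8 -j RETURN
iptables -t nat -A $CHAIN -d 172.16.0.0/12 -j RETURN
iptables -t nat -A $CHAIN -d 192.168.0.0/16 -j RETURN
iptables -t nat -A $CHAIN -d 169.254.0.0/16 -j RETURN
iptables -t nat -A $CHAIN -p tcp -j REDIRECT --to-ports $redir
iptables -t nat -A OUTPUT -p tcp -j $CHAIN
EOF
}

# Rules that take the redirection down again, in the reverse order.
render_undo_rules() {
    cat <<EOF
iptables -t nat -D OUTPUT -p tcp -j $CHAIN
iptables -t nat -F $CHAIN
iptables -t nat -X $CHAIN
EOF
}

# Apply or remove the rule set (needs root); sh -e stops at the first failure.
apply_redirect_rules()  { render_redirect_rules "$@" | sh -e; }
remove_redirect_rules() { render_undo_rules | sh -e; }

# usage: sh sshproxy-vpn.sh apply <proxy-server-ip> <redir-port> | remove
case ${1:-} in
    apply)  shift; apply_redirect_rules "$@" ;;
    remove) remove_redirect_rules ;;
esac
```

Render first (`render_redirect_rules 192.0.2.10 1081`) and check that the RETURN for the proxy server's address and for lo comes before the REDIRECT line; with the order reversed, the SSH connection that carries the tunnel is redirected into the redirector and the whole setup stalls.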