ssh proxy for DMZ?

Posted on 2004-11-30
Medium Priority
Last Modified: 2008-01-09

A requirement has come up for the implementation of an ssh proxy in our DMZ to proxy inbound and outbound connections.  I was wondering how I'd go about setting up an ssh proxy that can be used from the client's command line (like the SUSE ftp proxy).  Use of a socks proxy is not an option; it needs to be something that can be specified in the username field on the client side.  Please let me know what you've got.


Question by:convex001

Expert Comment

ID: 12710493
do you think of a transparent proxy?
Inbound or outbound?
Do you really mean a proxy, or something formerly known as a "bastion host"?

Author Comment

ID: 12714086
it will be in the middle of a firewall sandwich, so I don't know if you could really consider it a bastion host.  But it needs to be as transparent in the sense that users shouldn't be connecting to a shell on the machine...let me give an example of how the ftp proxy works;

- make a connection to ftp-proxy.abc.com

- as a login name use


- as a password use the target_ftp_server password


I would like to connect to ftp.nice.com, with a login name "myname" and a "mypass" password:

- connect to ftp-proxy.abc.com

- login name: myname%ftp.nice.com

- password: mypass

I'd like to see this done with ssh and sftp as well.  Any ideas?



Accepted Solution

ahoffmann earned 1400 total points
ID: 12720852
Use the following script as the shell for your user (myname) at the proxy, then connect like:  ssh myname@proxy
It works with ssh port-forwarding too, not sure for sftp (which is obsolete when having scp).
Keep in mind that you probably need to adjust some things for the -T switch
.. and to be improved in many ways ...

I'll await your donations ;-))

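#! /usr/bin/perl -T
use strict;
sub sane { exit( 1 ); }         # be very pedantic: any signal ends the session
foreach my $s (keys %SIG) { $SIG{$s} = \&sane; }
# -T: exec refuses to run with the inherited PATH and shell variables
$ENV{'PATH'} = '/usr/bin:/bin';
delete @ENV{ 'IFS', 'CDPATH', 'ENV', 'BASH_ENV' };
$| = 1;                         # show the prompts before waiting for input
# address and ports of the connecting client (not used yet)
my ($client, @ports) = split( /\s+/, $ENV{'SSH_CLIENT'} || '' );
print "hostname: ";
my $host = <STDIN>; exit( 2 ) unless defined $host; chomp $host;
print "username: ";
my $user = <STDIN>; exit( 2 ) unless defined $user; chomp $user;
# we allow hostnames which must be defined herein, 'cause we've no internal DNS
my %hosts = ( 'marvin'=> '',);  # hostname => IP address (the value is empty as posted)

my $ip;
if ( exists $hosts{$host} ) {   # exact match, no user input inside a regex
        $ip = $hosts{$host};
} elsif ( $host =~ m/^(\d+\.\d+\.\d+\.\d+)\z/ ) {
        $ip = $1;       # IP as hostname is ok; the capture untaints it for -T
} else {
        exit( 2 );
}
# untaint the username; a leading '-' is refused so ssh cannot read it as an option
if ( $user =~ m/^([A-Za-z0-9_][A-Za-z0-9_.-]*)\z/ ) { $user = $1; } else { exit( 2 ); }
#print "#dbx: /usr/bin/ssh -l $user $ip";
exec "/usr/bin/ssh", "-l", $user, $ip;
exit( 3 );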
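
The `myname%ftp.nice.com` convention from the question can be carried in ssh's command argument rather than in the username field. The following is an added example, not code from this thread: a POSIX sh wrapper meant to run as an sshd forced command, which parses a `user%host` request from `SSH_ORIGINAL_COMMAND` and relays only to allowlisted hosts. The allowlist entries, their addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command relay for "user%host".
# Constructed allowlist, name=address; the addresses are documentation placeholders.
ALLOWED_HOSTS="marvin=192.0.2.10 ftp.nice.com=192.0.2.20"

# resolve_host NAME: print the address of an allowlisted name, fail otherwise
resolve_host() {
    for entry in $ALLOWED_HOSTS; do
        if [ "${entry%%=*}" = "$1" ]; then
            printf '%s\n' "${entry#*=}"
            return 0
        fi
    done
    return 1
}

# parse_target SPEC: print "user address" for a valid user%host request
parse_target() {
    spec=$1
    case $spec in
        *%*%*|%*|*%) return 1 ;;    # several '%', or an empty user or host
        *%*) ;;
        *) return 1 ;;              # no '%' at all
    esac
    user=${spec%%"%"*}
    host=${spec#*"%"}
    case $user in
        -*|*[!A-Za-z0-9._-]*) return 1 ;;   # a leading '-' would reach ssh as an option
    esac
    case $host in
        -*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    addr=$(resolve_host "$host") || return 1
    printf '%s %s\n' "$user" "$addr"
}

relay() {
    # sshd stores the command the client asked for in SSH_ORIGINAL_COMMAND
    target=$(parse_target "$SSH_ORIGINAL_COMMAND") || {
        echo "usage: ssh -t proxy 'user%host'" >&2
        exit 2
    }
    exec /usr/bin/ssh -l "${target% *}" "${target#* }"
}

# Act only on a forced-command request; with no request the session just ends
# without handing out a shell on the relay.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then relay; fi
```

Set as `ForceCommand` in sshd_config (or `command="..."` in authorized_keys) for the relay accounts, the client side becomes `ssh -t proxy 'myname%ftp.nice.com'`; the `-t` gives the second hop a terminal for its password prompt.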

Expert Comment

ID: 12941889
The problem with ssh is that it's end-to-end secure.
An HTTP or FTP proxy effectively executes a man-in-the-middle attack, pretending to be the server for the client and vice versa.

I believe MS has such a web-proxy for HTTPS. It pretends to be a fake CA, then generates fake certificates for all the sites you go to using https. Using the fake certificates it is able to re-encrypt the traffic in such a way that your browser trusts it (after manually importing the original fake-CA certificate).

I guess you could do something similar to ssh, but it does introduce a common weakness to all ssh comms.

You could run a web-based ssh client on the DMZ server, so from inside the company you browse to https://dmz.example.com, a web-based ssh client starts up and you use that to connect to the outside world.

I guess it really depends on what problem you're trying to solve, i.e. why you're not just letting internal systems connect directly.

Expert Comment

ID: 13510364
you can proxy the traffic via an http tunnel thru a proxy server.

take a look at this, it describes how to do it.


my strong advice to you however is to use a bastion host in your DMZ, you should never allow this sort of connection from unknown networks. They should come into a secure and monitored bastion and from there they access your internal resources.

What you're doing is very risky and because it's encrypted, you will not be able to monitor it.

