
ssh and https on port 443 at the same time

It’s possible thanks to this wonderful hack by Martin Renold.

A copy of his site (hope he won’t get angry, but I want to keep this):

It is a bit of a hack, but it works like this:

You run a small wrapper program (ssh-https.c, compile with ‘gcc -o ssh-https ssh-https.c’) listening on port 443. Ssh runs on port 22 anyway, and you run apache-ssl on port 8888 instead of 443. The wrapper program detects what kind of traffic is coming and runs netcat, either ‘nc localhost 22’ or ‘nc localhost 8888’.

To make it work, add this line to your /etc/inetd.conf:

443 stream tcp nowait nobody /usr/sbin/tcpd /usr/local/sbin/ssh-https

The drawback is that sshd as well as apache-ssl will see all traffic coming from localhost, so make sure this is secure.

So how does ssh-https make its decision? Well, it’s just 23 lines of source code, you’ll find out :)
No, honest. It waits for one second for data from the client. If there was data, it’s https, and if there was no data, it’s the ssh client waiting for the server greeting (I think it is not clearly stated in the RFC whether the client or the server has to greet first, but I found that the client always waits for the server).
It did work. I’m not running this on my site any more because I don’t run apache-ssl any more, nor am I firewalled out anywhere at the moment, lucky me!

ssh-https.c source code:

#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

int main()
{
  struct timeval tv;
  fd_set set;
  /* Wait up to two seconds for the client to send something. */
  tv.tv_sec = 2;
  tv.tv_usec = 0;
  FD_ZERO(&set);
  FD_SET(0, &set);   /* under inetd, fd 0 is the accepted connection */

  if (select(1, &set, NULL, NULL, &tv)) {
    /* Got data from the client side - it must be his https-request. */
    /* FIXME: analyze it, it could be the client ssh greeting */
    execl("/usr/bin/nc", "/usr/bin/nc", "localhost", "8888", (char *)NULL);
  } else {
    /* No data sent by the client - it must be waiting for the ssh
       greeting from the server. Connect it to the sshd server. */
    execl("/usr/bin/nc", "/usr/bin/nc", "localhost", "ssh", (char *)NULL);
  }
  return 1; /* only reached if execl failed */
}

For my use, I changed the execl lines like this:

execl("/bin/nc", "/bin/nc", "-q5", "localhost", "8888", NULL);
execl("/bin/nc", "/bin/nc", "-q5", "localhost", "ssh", NULL);
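The FIXME in the original wrapper points at the weak spot of the timing heuristic: a client that sends its SSH banner immediately would be handed to apache-ssl, and an HTTPS client that is slow to speak would be handed to sshd. The following is an added example (my own illustrative code, not Martin Renold’s ssh-https.c) that keeps the one-second/two-second fallback but first looks at the bytes the client actually sent, using MSG_PEEK so the data stays in the socket for netcat to forward. An SSH identification string starts with “SSH-” (RFC 4253), and a TLS ClientHello starts with a handshake record header (content type 0x16, major version 0x03). The enum, function names and the 2-second timeout are my choices; the backend ports (22 and 8888) follow the article.

```c
/* Added example: content-based classification of the client's first bytes,
 * layered on top of the timeout heuristic of the original wrapper.
 * Illustrative code, not the original ssh-https.c. */
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum proto { PROTO_UNKNOWN = 0, PROTO_SSH = 1, PROTO_TLS = 2 };

/* Classify a peeked prefix of what the client sent first. */
enum proto classify_prefix(const unsigned char *buf, size_t n)
{
    /* SSH identification string begins with "SSH-" (RFC 4253, section 4.2). */
    if (n >= 4 && memcmp(buf, "SSH-", 4) == 0)
        return PROTO_SSH;
    /* TLS record header: content type 22 (handshake), major version 3. */
    if (n >= 3 && buf[0] == 0x16 && buf[1] == 0x03)
        return PROTO_TLS;
    return PROTO_UNKNOWN;
}

/* Wait up to `secs` seconds for the client on `fd` to speak.
 * Silent client: assume an SSH client waiting for the server banner, exactly
 * as the original hack does. Talking client: peek at the bytes (MSG_PEEK
 * leaves them in the socket for the backend) and classify them.
 * PROTO_UNKNOWN means the client spoke but sent neither SSH nor TLS. */
enum proto decide_backend(int fd, int secs)
{
    fd_set set;
    struct timeval tv = { secs, 0 };
    unsigned char buf[16];
    ssize_t n;

    FD_ZERO(&set);
    FD_SET(fd, &set);
    if (select(fd + 1, &set, NULL, NULL, &tv) <= 0)
        return PROTO_SSH;               /* timeout or error: silent client -> sshd */
    n = recv(fd, buf, sizeof buf, MSG_PEEK);
    if (n <= 0)
        return PROTO_UNKNOWN;           /* client went away before sending anything */
    return classify_prefix(buf, (size_t)n);
}

/* Backend port per protocol; ports as in the article (sshd 22, apache-ssl 8888). */
const char *backend_port(enum proto p)
{
    switch (p) {
    case PROTO_SSH: return "22";
    case PROTO_TLS: return "8888";
    default:        return NULL;
    }
}

int main(void)
{
    /* Under inetd, fd 0 is the accepted TCP connection. */
    enum proto p = decide_backend(0, 2);
    const char *port = backend_port(p);
    if (port == NULL)
        return 1;                       /* unrecognised first bytes: close rather than guess */
    execl("/usr/bin/nc", "/usr/bin/nc", "localhost", port, (char *)NULL);
    return 1;                           /* only reached if execl failed */
}
```

Dropping unrecognised traffic instead of forwarding it is a deliberate choice: both backends otherwise receive every byte as if it came from localhost, which is the drawback noted above, so the less the wrapper forwards blindly, the better.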
  1. Rob
    October 5, 2008 at 6:10 pm

    Exceptionally handy that!

  2. anonymous
    November 8, 2010 at 12:06 am

    sslh (check Google and/or Ubuntu package) does the same thing.
