Monday 05, September 2011

Simulating ssh tunnel using netcat

Some of my shells don't accept smtp access from outside their network. This is intended to avoid spam, they say. After some reading, people pointed me to ssh tunnels. But I'm not authorized to open ssh tunnels on some of my accounts:

channel 3: open failed: administratively prohibited: open failed

Nice.

So I've heard about netcat. Armed with my humble networking skills, I've decided to write a small script that simulates a tunnel using nc(1) and ssh(1):

#!/bin/sh
# Local end of the "tunnel": listen on 127.0.0.1:2525 and hand every
# connection to an ssh process that runs the forced command on $host.

# Take the host from the first argument, or from the script name
# (e.g. a symlink named tunnel-HOST): everything after the first '-'.
if [ -n "$1" ]
then
    host=$1
else
    host=`echo $0 | cut -s -d'-' -f2-`
fi
if [ -n "$host" ]; then
    echo "tunneling to $host"
    # -c hands the connection's stdin/stdout to a shell command (traditional
    # netcat / ncat syntax; OpenBSD nc has no -c). The loop re-listens after
    # each session, since nc exits when the connection closes.
    while nc -l -p 2525 127.0.0.1 -vv \
        -c"`which ssh` -o 'IdentitiesOnly yes' -qyi ~/.ssh/priv/smtp-id_dsa $host"
    do
        :
    done
else
    echo "Usage: $0 HOST"
fi

It uses netcat to open a listening socket on localhost (port 2525 in my case) and pipe the connection to an external command. That command is ssh, connecting to the shell host of my choice. On that host I've set up a dedicated key whose authorized_keys entry carries a forced command (the command="..." prefix) plus the no-*-forwarding restrictions, so whoever authenticates with that key gets another netcat process instead of a shell. That one reads from stdin and copies to a socket to mail.example.com:25 (the smtp server host:port). The whole entry is a single line in authorized_keys:

command="nc mail.example.com 25",no-X11-forwarding,no-agent-forwarding,no-port-forwarding ssh-dss AAAAB3NzaC1kc[rest-of-the-pub-key]

The IdentitiesOnly option is important, since ssh will otherwise offer the keys held by ssh-agent whenever an agent is available, even with -i, and with a forced-command key you want exactly that key to be used. The first if grabs the host from the command name instead of passing it as an argument every time: name (or symlink) the script as something-HOST and it takes everything after the first '-' (assuming your command name won't have a '-' before the appended hostname).

With that I can connect to localhost:2525 and the traffic is delivered to mail.example.com:25. Sweet.
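The listener half of the script, reimplemented in Python as an added example (not the post's code) so the relay mechanics can be read and exercised without an sshd: each connection accepted on loopback is wired to the stdin/stdout of a child process, which is what nc -c does. The child command is a parameter; for the post's setup it would be the assumed argv ["ssh", "-o", "IdentitiesOnly=yes", "-q", "-i", KEY, HOST].

```python
import contextlib
import socket
import subprocess
import threading


def handle_client(conn, command):
    """Wire one accepted socket to a child process, as nc -c does."""
    proc = subprocess.Popen(command, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, bufsize=0)

    def client_to_child():
        # client bytes -> child's stdin; client EOF closes the child's stdin
        with proc.stdin, contextlib.suppress(OSError):
            while data := conn.recv(4096):
                proc.stdin.write(data)
    threading.Thread(target=client_to_child, daemon=True).start()
    with contextlib.suppress(OSError):
        # child's stdout -> client; child exit ends the client's connection
        while data := proc.stdout.read(4096):
            conn.sendall(data)
    with contextlib.suppress(OSError):
        conn.shutdown(socket.SHUT_RDWR)  # also unblocks the recv() thread
    conn.close()
    proc.wait()


def start_relay(command, host="127.0.0.1", port=2525):
    """Listen on loopback only (never on the LAN), one child per client so
    parallel sessions work; returns the bound port (handy with port=0)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn, command),
                             daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def send_and_collect(port, payload):
    """Test client: send payload, half-close, return all the far end replies."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        out = b""
        while chunk := c.recv(4096):
            out += chunk
    return out
```

With ["cat"] as the command the relay simply echoes, which is enough to check the plumbing end to end; the far end's EOF is what closes the client connection, just as the ssh process exiting does in the post's script.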

Now for a personal opinion. One of the things that gives me a rush of anxiety and anger is the inability to use some traditional network services (like smtp or irc) on public networks. Since the web is synonymous with the internet for most people, most network admins (in my particular case those found in universities and public wifi spots) only let port-80 requests through. I'm not a network expert, but IMHO that seems more like a lazy-ass solution so the lazy admin can satisfy most of the users and ignore the small portion who may try to explore the technology available.