
How to configure Tectia Client/ConnectSecure to use a separate SOCKS proxy server for connections?

asked Mar 20 '12 at 21:50


Sami Marttinen ♦


You can configure Tectia Client/ConnectSecure to utilize a SOCKS server in two different ways (NOTE: this article is not about SOCKS tunneling using localhost SOCKS server for application tunneling! This article will show you how you can configure Tectia to use SOCKS proxies in outgoing SSH connections):

  1. Use SOCKS proxy in all outgoing connections (or connections going to a certain network, configurable)
  2. Configure target server specific proxy settings using connection profiles

From these, the option #2 is often used.

How to configure generic SOCKS proxy for all connections?

Like this using GUI:

[screenshot: Tectia GUI proxy settings, image not preserved]

Or like this using the ssh-broker-config.xml file, note the "proxy ruleset" configuration option in the XML:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE secsh-broker SYSTEM "ssh-broker-ng-config-1.dtd">
<secsh-broker version = "1.0" >

<default-settings>
<ciphers>
  <cipher name="crypticore128@ssh.com" />
  <cipher name="aes128-cbc" />
  <cipher name="aes192-cbc" />
  <cipher name="aes256-cbc" />
  <cipher name="aes128-ctr" />
  <cipher name="aes192-ctr" />
  <cipher name="aes256-ctr" />
  <cipher name="3des-cbc" />
  <cipher name="seed-cbc@ssh.com" />
</ciphers>

<macs>
  <mac name="crypticore-mac@ssh.com" />
  <mac name="hmac-md5" />
  <mac name="hmac-sha1" />
  <mac name="hmac-sha256-2@ssh.com" />
  <mac name="hmac-sha512@ssh.com" />
  <mac name="hmac-sha384@ssh.com" />
  <mac name="hmac-sha224@ssh.com" />
  <!-- Backwards compatible to 4.x (uses 16-byte key). -->
  <mac name="hmac-sha256@ssh.com" />
</macs>

<transport-distribution num-transports="3" />

<rekey bytes="1000000000" />

<authentication-methods>
  <authentication-method name="publickey" />
  <authentication-method name="password" />
  <authentication-method name="keyboard-interactive" />
</authentication-methods>

<proxy ruleset="socks5://192.168.157.128:1080" />

<idle-timeout type="connection" time="5" />

<server-banners visible="yes" />

<forwards>
  <forward type="x11" state="off" />
  <forward type="agent" state="on" />
</forwards>

<authentication-success-message enable="yes"/>
<sftpg3-mode compatibility-mode="tectia"/>
</default-settings>

</secsh-broker>

How can you configure destination server specific SOCKS proxy settings using connection profiles?

Connection profiles are pre-defined SSH server settings, and each connection profile will allow you to define a lot of settings for SSH servers, e.g. proxy server settings (SOCKS!), possible user names, authentication methods, tunneling settings, X11, and the list goes on.

Here is how you can configure connection profiles using Tectia Client's/ConnectSecure's GUI:

[screenshot: Tectia GUI connection profile proxy settings, image not preserved]

Or alternatively, here is how you can define connection profile specific SOCKS proxy settings in the ssh-broker-config.xml file (below). This ssh-broker-config.xml file is based on the current default XML configuration file and it has one pre-configured connection profile where the SOCKS proxy has been defined using "proxy ruleset" configuration option:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE secsh-broker SYSTEM "ssh-broker-ng-config-1.dtd">
<secsh-broker version = "1.0" >

<default-settings>
<ciphers>
  <cipher name="crypticore128@ssh.com" />
  <cipher name="aes128-cbc" />
  <cipher name="aes192-cbc" />
  <cipher name="aes256-cbc" />
  <cipher name="aes128-ctr" />
  <cipher name="aes192-ctr" />
  <cipher name="aes256-ctr" />
  <cipher name="3des-cbc" />
  <cipher name="seed-cbc@ssh.com" />
</ciphers>

<macs>
  <mac name="crypticore-mac@ssh.com" />
  <mac name="hmac-md5" />
  <mac name="hmac-sha1" />
  <mac name="hmac-sha256-2@ssh.com" />
  <mac name="hmac-sha512@ssh.com" />
  <mac name="hmac-sha384@ssh.com" />
  <mac name="hmac-sha224@ssh.com" />
  <!-- Backwards compatible to 4.x (uses 16-byte key). -->
  <mac name="hmac-sha256@ssh.com" />
</macs>

<transport-distribution num-transports="3" />

<rekey bytes="1000000000" />

<authentication-methods>
  <authentication-method name="publickey" />
  <authentication-method name="password" />
  <authentication-method name="keyboard-interactive" />
</authentication-methods>

<idle-timeout type="connection" time="5" />

<server-banners visible="yes" />

<forwards>
  <forward type="x11" state="off" />
  <forward type="agent" state="on" />
</forwards>

<authentication-success-message enable="yes"/>
<sftpg3-mode compatibility-mode="tectia"/>
</default-settings>

<profiles>
<profile name="linuxserver_via_socks"
         id="id10"
         host="linuxserver"
         port="22"
         connect-on-startup="no"
         user="testuser"
         gateway-profile="">
  <hostkey>
  </hostkey>

  <authentication-methods>
    <auth-password />
    <auth-publickey signature-algorithms="ssh-dss,ssh-rsa,ssh-dss-sha256@ssh.com,ssh-rsa-sha256@ssh.com,x509v3-sign-dss,x509v3-sign-rsa,x509v3-sign-dss-sha256@ssh.com,x509v3-sign-rsa-sha256@ssh.com">
      <key-selection policy="automatic">
        <public-key type="plain"/>
      </key-selection>
    </auth-publickey>
    <auth-keyboard-interactive />
    <auth-gssapi />
  </authentication-methods>

  <compression name="none" 
               level="0"/>
  <proxy ruleset="socks5://socks.company.com:1080" />

  <forwards>
  </forwards>

  <tunnels>
  </tunnels>

</profile>
</profiles>

</secsh-broker>

Hopefully this helps!

Regs, SamiM


answered Mar 20 '12 at 22:25


Sami Marttinen ♦
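To audit a broker configuration like the two above, here is an added example (not part of the answer or of SSH Communications Security's tooling) that parses an ssh-broker-config.xml and reports which SOCKS proxy a connection to a given host would go through. It assumes that a profile's own "proxy ruleset" overrides the one in default-settings, that a profile without one falls back to the default, and that no proxy element at all means a direct connection; the sample config is constructed and trimmed to the proxy-relevant elements.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a default SOCKS proxy plus one profile that overrides it
# and one that inherits it (same shape as the ssh-broker-config.xml above).
SAMPLE_CONFIG = """<secsh-broker version="1.0">
  <default-settings>
    <proxy ruleset="socks5://192.168.157.128:1080" />
  </default-settings>
  <profiles>
    <profile name="linuxserver_via_socks" id="id10" host="linuxserver"
             port="22" user="testuser">
      <proxy ruleset="socks5://socks.company.com:1080" />
    </profile>
    <profile name="dbhost_default_proxy" id="id11" host="dbhost"
             port="22" user="testuser">
    </profile>
  </profiles>
</secsh-broker>
"""


def parse_proxy_url(ruleset):
    """Validate a single-URL ruleset such as socks5://host:1080.

    Returns (scheme, host, port) or raises ValueError for anything that is
    not a usable SOCKS5 endpoint (only the socks5:// form used in the answer
    is accepted here; that restriction is this example's assumption)."""
    u = urlsplit(ruleset)
    if u.scheme != "socks5":
        raise ValueError(f"unsupported proxy scheme: {u.scheme!r}")
    if not u.hostname:
        raise ValueError("proxy ruleset has no host")
    # urlsplit().port raises ValueError itself when the port is out of range
    if u.port is None:
        raise ValueError("proxy ruleset has no port")
    return u.scheme, u.hostname, u.port


def effective_proxy(config_xml, host):
    """Return the validated proxy for `host`, or None for a direct connection.

    Assumption: a matching profile's own <proxy> wins over default-settings."""
    root = ET.fromstring(config_xml)
    chosen = root.find("./default-settings/proxy")
    for prof in root.findall("./profiles/profile"):
        if prof.get("host") == host:
            own = prof.find("proxy")
            if own is not None:
                chosen = own
            break
    if chosen is None:
        return None
    return parse_proxy_url(chosen.get("ruleset", ""))
```

Run the same function over the real ssh-broker-config.xml to confirm that no profile silently falls back to a direct connection when a proxy was intended.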

Asked: Mar 20 '12 at 21:50

Seen: 9,499 times

Last updated: Mar 20 '12 at 22:25

All user contributed content licensed under the cc-by-sa license.