Here's a solution. The post is a bit longer, sorry. I'd love comments...

Assumptions: there's no way to get in, and 3 ways to get out: ftp (to which ports?), telnet to port 23, http to any port.

With that I did a Google search for bad tunneling hacks, and found httptunnel. It tunnels any tcp connection over http, allowing use of an http proxy.
http://www.nocrew.org/software/httptunnel.html

Scenario (for argument's sake): ssh from home to uni.

Only the tunnel client supports proxying, so it must be started at uni:

    htc -P uniproxy:port -F 1234 homebox:555

That leaves the tunnel server for home:

    hts -F localhost:22 555

This forwards port 1234 on the uni box to the home ssh daemon. As we want to connect from home to uni, we use ssh with reverse port forwarding (backwarding?), which needs to be started at uni:

    ssh -p 1234 -R 2345:localhost:22 -n homeuser@localhost sleep 600

Now we can connect from home to uni with

    ssh -p 2345 uniuser@localhost

Ok, no doubt, it's a PITA, but it works in principle (tried it). Wrote a quick script for it. httptunnel 3.0.5 compiles cleanly on Solaris 2.7.

Notes:
- The connection (home->uni) is encrypted twice - oh well.
- hts at home can be run by a dedicated user id.
- The tunnel needs to be started *from* uni. To do this remotely, sending an email and a bit of procmail would do it.
- The ssh from uni needs to log into home without password prompt.
- The tunnel client at home is open to the internet, but does nothing but reading from one port and sending it to the local ssh daemon (theoretically). Assuming no bugs in hts, this is equivalent to the home ssh port being open to the net.
- Any user on the home machine can connect to the uni-ssh daemon, but this is encrypted.
- Any user on the uni machine can connect to the local port and thus contact the home ssh daemon.
- httptunnel occasionally spits warnings when sockets are closed, and sometimes needs to be restarted, esp. when trying to run more than one simultaneous connection over the tunnel. That limit is a bit unfortunate, but I have successfully run xterm and nedit on uni with display at home.
- ssh channel compression should be enabled.
- htc should be killed when the uni ssh terminates (any reliable way of doing this?).
- The uni ssh terminates after 10 min, or when a forwarded connection terminates if there is one active when the sleep quits.

What can we do with it? Well ssh to uni. That also means rsync(!!!!!).

I would be interested in comments about the security of the lot. The general assumption is that the uni LAN is secure and that local users can be trusted (both home and uni). Obviously the setup can be DoSed, but so can any server.

Thanks,

Volker

-- 
Volker Kuhlmann is possibly list0570 with the domain in header
http://volker.orcon.net.nz/
Please do not CC list postings to me.
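One answer to the question in the post about killing htc reliably when the uni ssh ends, as an added example and not Volker's own script: a small POSIX sh wrapper that starts a helper in the background, runs the foreground command, and tears the helper down however the foreground command exits. The htc/ssh invocation shown in the comments reuses the post's placeholder proxy, hosts, users and ports.

```shell
#!/bin/sh
# Added example, not the script from the post: run a foreground command
# with a background helper and guarantee the helper is torn down when the
# foreground command exits (normal exit, failure, or an INT/TERM signal).
#
# Intended use on the uni side with the post's commands (uniproxy:port,
# homebox, homeuser and the port numbers are the post's placeholders):
#   with_helper "htc -P uniproxy:port -F 1234 homebox:555" \
#       ssh -p 1234 -R 2345:localhost:22 -n homeuser@localhost sleep 600
# When ssh quits (the sleep 600 ends or the connection drops) htc is killed,
# so the forwarded port 1234 on the uni box is not left open longer than needed.

with_helper() {
    helper_cmd=$1
    shift

    # Start the helper (htc) in the background and remember its pid.
    sh -c "$helper_cmd" &
    helper_pid=$!

    # If this shell is interrupted or terminated, take the helper with us.
    trap 'kill "$helper_pid" 2>/dev/null; exit 130' INT TERM

    # Run the main command (the reverse-forwarding ssh) in the foreground,
    # capturing its exit status without tripping "set -e".
    status=0
    "$@" || status=$?

    # Whatever happened to ssh, tear the helper down and reap it.
    kill "$helper_pid" 2>/dev/null || :
    wait "$helper_pid" 2>/dev/null || :
    trap - INT TERM
    return "$status"
}

# Check whether a pid is still alive (used to verify the teardown).
pid_alive() {
    kill -0 "$1" 2>/dev/null
}
```

The wrapper returns the foreground command's exit status, so a calling script can tell a clean timeout from a failed ssh login.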
