Home / server / Questions / 336067
In Process
davyzhang
Asked: 2011-11-30 19:30:08 +0800 CST

How can I setup a SOCKS proxy over ssh with password based authentication on CentOS?

  • 772

I know how to setup a simple proxy using ssh -D ,but I want to use username and password based authentication for this case. Is there any way?

linux centos ssh proxy socks

2 Answers

  1. Dynamic application-level port forwarding (ssh -D) doesn't support this feature. Take a look at the Dante for instead:

    [I] net-proxy/dante
     Available versions:  1.1.19-r4 (~)1.2.3 (~)1.3.0 (~)1.3.1 (~)1.3.1-r1 (~)1.3.2 {debug kerberos pam selinux static-libs tcpd}
     Installed versions:  1.3.2(04:14:03 PM 11/08/2011)(pam static-libs tcpd -debug -kerberos -selinux)
     Homepage:            http://www.inet.no/dante/
     Description:         A free socks4,5 and msproxy implementation

    But note that the password is transmitted in cleartext.

    To configure username based authentication, open the /etc/sockd.conf file and add/change the following:

    logoutput: syslog /var/log/dante.log

# methods for socks-rules.
method: username #rfc931

# when doing something that can require privilege, 
# it will use the userid "sockd".
user.privileged: root

# when running as usual, 
# it will use the unprivileged userid of "sockd".
user.notprivileged: sockd

pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    protocol: tcp udp
    command: bind connect udpassociate
    log: error
    method: username
}

    Check the listening sockets after starting:

    # netstat -nlp | grep sockd
tcp        0      0 127.0.0.1:1080          0.0.0.0:*               LISTEN      5463/sockd          
tcp        0      0 192.168.15.36:1080      0.0.0.0:*               LISTEN      5463/sockd

    Take a look at the logs file (/var/log/messages or /var/log/dante.log) if you get something wrong.

    PS: the system password file (/etc/passwd) is used to verify a username and password combination.

    • 5

  2. ssh -D doesn't require require a password for access, and with the current implementation can't be made to require a password. If you want, you could set up a multi-stage proxy using an exiting http server (e.g. apache) which then uses the ssh tunnel for its outbound connection.

    Then again, if you get that far into the weeds, then you're probably going down the wrong road and perhaps may need to re-think what you're trying to accomplish.

    • 4