Posted to users@httpd.apache.org by Skye Sweeney <sk...@fll-freak.com> on 2011/01/28 14:44:51 UTC

[users@httpd] Remote shell access via Apache

I have now been monitoring this distribution list for a month and now feel
like I can ask my question...

Recently my company has put a filter in their firewall to prevent any access
to any outside computer over SSH or FTP. This has broken my ability to
access my home computer to do such things as powering it off during
thunderstorms. Only a very few ports are open on the firewall. These include
port 80.

Question: Is it possible to configure Apache and/or other components to
allow a client to have a simple "bash shell" into the computer running
Apache? I do not need X11 or any other graphic interfaces, just a good old
shell and even that could be limited. Now before people freak out about
security, it should be known that my firewall only allows connections from
very specific MAC addresses. As long as I do not publish those, I consider
my home Linux server very safe.

I have tried to Google the answer, but I have not found the right key words
to home in on a solution. I would be happy with just a few product or
keyword names to help my search or an indication that I am barking up the
wrong tree!

-Skye

Re: [users@httpd] Remote shell access via Apache

Posted by Nick Kew <ni...@webthing.com>.
On 28 Jan 2011, at 13:44, Skye Sweeney wrote:

> I have now been monitoring this distribution list for a month and now feel like I can ask my question...
>  
> Recently my company has put a filter in their firewall to prevent any access to any outside computer over SSH or FTP. This has broken my ability to access my home computer to do such things as powering it off during thunderstorms. Only a very few ports are open on the firewall. These include port 80.

I think I once wrote about you.  Or rather, about companies like yours!

Probably a waste of time, but maybe you could try pointing your powers-that-be
towards http://www.theregister.co.uk/2007/08/24/everything_over_http/

-- 
Nick Kew

Available for work, contract or permanent
http://www.webthing.com/~nick/cv.html


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Remote shell access via Apache

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 1/28/2011 2:03 PM, Sean Conner wrote:
> It was thus said that the Great William A. Rowe Jr. once stated:
>> On 1/28/2011 7:51 AM, Rich Bowen wrote:
>>>
>>> On Jan 28, 2011, at 8:44 AM, Skye Sweeney wrote:
>>>
>>>> Question: Is it possible to configure Apache and/or other components to
>>>> allow a client to have a simple "bash shell" into the computer running
>>>> Apache? I do not need X11 or any other graphic interfaces, just a good
>>>> old shell and even that could be limited. Now before people freak out
>>>> about security, it should be known that my firewall only allows
>>>> connections from very specific MAC addresses. As long as I do not
>>>> publish those, I consider my home Linux server very safe.
>>>>  
>>> Yes, it's possible, but it's the wrong solution. The right solution is
>>> ssh. I hear you saying that your company forbids ssh, but I think that
>>> once you understand the risks of doing what you're talking about here,
>>> you'll be able to communicate to your firewall admin that ssh is *BY
>>> FAR* more secure than any other remote shell options available. This is
>>> why so many commercial firewalls come with ports 80, 443, and 22 open by
>>> default.
>>
>> Set up your ssh responder on 443, it will look to the powers-that-be
>> and to your network proxy server as a tunneled https:// connection.
>>
>> Not sure how to have ssh client follow-the-tunnel offhand, but it can't
>> be impossible
> 
>   % ssh -p 443 ...
> 
>   I've set this up after I found myself stuck behind a particularly nasty
> network that only allowed outgoing TCP traffic on ports 80 and 443.  

But if direct https: is blocked?  How to use the http proxy CONNECT via ssh?



Re: [users@httpd] Remote shell access via Apache

Posted by Sean Conner <sp...@conman.org>.
It was thus said that the Great William A. Rowe Jr. once stated:
> On 1/28/2011 7:51 AM, Rich Bowen wrote:
> > 
> > On Jan 28, 2011, at 8:44 AM, Skye Sweeney wrote:
> > 
> >> Question: Is it possible to configure Apache and/or other components to
> >> allow a client to have a simple "bash shell" into the computer running
> >> Apache? I do not need X11 or any other graphic interfaces, just a good
> >> old shell and even that could be limited. Now before people freak out
> >> about security, it should be known that my firewall only allows
> >> connections from very specific MAC addresses. As long as I do not
> >> publish those, I consider my home Linux server very safe.
> >>  
> > Yes, it's possible, but it's the wrong solution. The right solution is
> > ssh. I hear you saying that your company forbids ssh, but I think that
> > once you understand the risks of doing what you're talking about here,
> > you'll be able to communicate to your firewall admin that ssh is *BY
> > FAR* more secure than any other remote shell options available. This is
> > why so many commercial firewalls come with ports 80, 443, and 22 open by
> > default.
> 
> Set up your ssh responder on 443, it will look to the powers-that-be
> and to your network proxy server as a tunneled https:// connection.
> 
> Not sure how to have ssh client follow-the-tunnel offhand, but it can't
> be impossible

  % ssh -p 443 ...

  I've set this up after I found myself stuck behind a particularly nasty
network that only allowed outgoing TCP traffic on ports 80 and 443.  

  -spc
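
Added example (not part of the original posts): how a filter that inspects
payload rather than port number tells the SSH-on-443 setup discussed above
apart from real HTTPS, using the SSH identification string from RFC 4253 and
the TLS record header. The sample flows and the names classify_first_bytes and
find_mismatches are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: each side opens with "SSH-protoversion-softwareversion".
SSH_IDENT = re.compile(rb"SSH-(1\.5|1\.99|2\.0)-[\x21-\x7e]+")
HTTP_REQUEST = re.compile(
    rb"(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r?\n")

# Protocol a port-based rule implicitly assumes for each allowed port.
EXPECTED = {80: "http", 443: "tls"}


def classify_first_bytes(data: bytes) -> str:
    """Name the protocol from the first payload bytes, ignoring the port."""
    # A server may send banner lines before its identification string,
    # so check the first few lines rather than only offset 0.
    for line in data.split(b"\n")[:5]:
        if SSH_IDENT.match(line):
            return "ssh"
    # TLS record header: type 0x16 (handshake), version 3.x, 2-byte length,
    # then handshake type 1 (ClientHello) or 2 (ServerHello).
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] in (0x01, 0x02)):
        return "tls"
    if HTTP_REQUEST.match(data):
        return "http"
    return "unknown"


def find_mismatches(flows):
    """Return (flow_id, port, observed) where payload and port disagree."""
    mismatches = []
    for flow_id, port, payload in flows:
        observed = classify_first_bytes(payload)
        if port in EXPECTED and observed != EXPECTED[port]:
            mismatches.append((flow_id, port, observed))
    return mismatches


# Constructed sample flows: (id, destination port, first payload bytes).
SAMPLE_FLOWS = [
    ("flow-1", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + bytes(32)),
    ("flow-2", 443, b"SSH-2.0-OpenSSH_5.8\r\n"),
    ("flow-3", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("flow-4", 80, b"SSH-2.0-OpenSSH_5.8\r\n"),
]

if __name__ == "__main__":
    for flow_id, port, observed in find_mismatches(SAMPLE_FLOWS):
        print(f"{flow_id}: port {port} carries {observed}")
```

The same check applies to the bytes relayed after an HTTP proxy CONNECT, since
the proxy sees the first payload of the tunnelled stream in the clear.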




Re: [users@httpd] Remote shell access via Apache

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 1/28/2011 7:51 AM, Rich Bowen wrote:
> 
> On Jan 28, 2011, at 8:44 AM, Skye Sweeney wrote:
> 
>> I have now been monitoring this distribution list for a month and now feel like I can ask my question...
>>  
>> Recently my company has put a filter in their firewall to prevent any access to any outside computer over SSH or FTP. This has broken my ability to access my home computer to do such things as powering it off during thunderstorms. Only a very few ports are open on the firewall. These include port 80.
>>  
>> Question: Is it possible to configure Apache and/or other components to allow a client to have a simple "bash shell" into the computer running Apache? I do not need X11 or any other graphic interfaces, just a good old shell and even that could be limited. Now before people freak out about security, it should be known that my firewall only allows connections from very specific MAC addresses. As long as I do not publish those, I consider my home Linux server very safe.
>>  
>> I have tried to Google the answer, but I have not found the right key words to home in on a solution. I would be happy with just a few product or keyword names to help my search or an indication that I am barking up the wrong tree!
> 
> Yes, it's possible, but it's the wrong solution. The right solution is ssh. I hear you saying that your company forbids ssh, but I think that once you understand the risks of doing what you're talking about here, you'll be able to communicate to your firewall admin that ssh is *BY FAR* more secure than any other remote shell options available. This is why so many commercial firewalls come with ports 80, 443, and 22 open by default.
> 
> I would strenuously encourage you to have a long talk with your network guy about security, and if he/she doesn't understand the issues, have a talk with his/her boss about his/her lack of credentials. This isn't a difficult issue - it's pretty fundamental to network security.

Set up your ssh responder on 443, it will look to the powers-that-be
and to your network proxy server as a tunneled https:// connection.

Not sure how to have ssh client follow-the-tunnel offhand, but it can't
be impossible



Re: [users@httpd] Remote shell access via Apache

Posted by Len Parker <lp...@cox.net>.
Rich is 100% correct. However, if all else fails, google "Anyterm". It
works for me.

Len

On Fri, 2011-01-28 at 08:51 -0500, Rich Bowen wrote:

> On Jan 28, 2011, at 8:44 AM, Skye Sweeney wrote:
> 
> > I have now been monitoring this distribution list for a month and now feel like I can ask my question...
> >  
> > Recently my company has put a filter in their firewall to prevent any access to any outside computer over SSH or FTP. This has broken my ability to access my home computer to do such things as powering it off during thunderstorms. Only a very few ports are open on the firewall. These include port 80.
> >  
> > Question: Is it possible to configure Apache and/or other components to allow a client to have a simple "bash shell" into the computer running Apache? I do not need X11 or any other graphic interfaces, just a good old shell and even that could be limited. Now before people freak out about security, it should be known that my firewall only allows connections from very specific MAC addresses. As long as I do not publish those, I consider my home Linux server very safe.
> >  
> > I have tried to Google the answer, but I have not found the right key words to home in on a solution. I would be happy with just a few product or keyword names to help my search or an indication that I am barking up the wrong tree!
> 
> Yes, it's possible, but it's the wrong solution. The right solution is ssh. I hear you saying that your company forbids ssh, but I think that once you understand the risks of doing what you're talking about here, you'll be able to communicate to your firewall admin that ssh is *BY FAR* more secure than any other remote shell options available. This is why so many commercial firewalls come with ports 80, 443, and 22 open by default.
> 
> I would strenuously encourage you to have a long talk with your network guy about security, and if he/she doesn't understand the issues, have a talk with his/her boss about his/her lack of credentials. This isn't a difficult issue - it's pretty fundamental to network security.
> 
> --
> Rich Bowen
> rbowen@rcbowen.com
> 
> 

Re: [users@httpd] Remote shell access via Apache

Posted by Rich Bowen <rb...@rcbowen.com>.
On Jan 28, 2011, at 9:04 AM, Skye Sweeney wrote:

> "Long talk with IT" has happened more than once with the IT staff! But I work at a company of 30K people and IT is non-yielding. Only RSA tunnels are allowed and then only into the company. All outgoing ports are blocked including such things as network time protocol. About the only thing that seems to get out is 80.
>  
> My fall back position is to write a custom program to take a message on port 80 and then initiate a powerdown, but I would prefer something more capable.

If I were in that situation (and, alas, I have been) I would run an ssh server on port 80, or do some kind of port forwarding. Somehow, in your first note I missed the fact that you were talking about *OUTGOING* connections, which rather changes the game a little. I would say bring up a secondary IP address on the box you want to get to, and run an ssh server on port 80 on that address.

Failing that, yes, there are some shell-access-over-http kinds of solutions.

http://dag.wieers.com/howto/ssh-http-tunneling/ is one example of how you could persuade mod_proxy to allow ssh connections to be tunneled through the proxy. There are some other similar recipes at http://www.google.com/search?q=ssh+over+http

There used to be a wide variety of telnet-via-cgi and ssh-via-cgi and terminal-via-java kinds of things out there, but in a quick search just now, I found none of them. I wonder if they were all finally exposed as the security nightmares we always suspected, and discontinued. I remember several java apps that would run in the browser and give you access to a shell. But it always made me very nervous. If you must, then definitely run it over https.

--
Rich Bowen
rbowen@rcbowen.com




Re: [users@httpd] Remote shell access via Apache

Posted by Skye Sweeney <sk...@fll-freak.com>.
"Long talk with IT" has happened more than once with the IT staff! But I
work at a company of 30K people and IT is non-yielding. Only RSA tunnels are
allowed and then only into the company. All outgoing ports are blocked
including such things as network time protocol. About the only thing that
seems to get out is 80.

My fall back position is to write a custom program to take a message on port
80 and then initiate a powerdown, but I would prefer something more capable.



On Fri, Jan 28, 2011 at 8:51 AM, Rich Bowen <rb...@rcbowen.com> wrote:

>
> On Jan 28, 2011, at 8:44 AM, Skye Sweeney wrote:
>
> > I have now been monitoring this distribution list for a month and now
> feel like I can ask my question...
> >
> > Recently my company has put a filter in their firewall to prevent any
> access to any outside computer over SSH or FTP. This has broken my ability
> to access my home computer to do such things as powering it off during
> thunderstorms. Only a very few ports are open on the firewall. These include
> port 80.
> >
> > Question: Is it possible to configure Apache and/or other components to
> allow a client to have a simple "bash shell" into the computer running
> Apache? I do not need X11 or any other graphic interfaces, just a good old
> shell and even that could be limited. Now before people freak out about
> security, it should be known that my firewall only allows connections from
> very specific MAC addresses. As long as I do not publish those, I consider
> my home Linux server very safe.
> >
> > I have tried to Google the answer, but I have not found the right key
> words to home in on a solution. I would be happy with just a few product or
> keyword names to help my search or an indication that I am barking up the
> wrong tree!
>
> Yes, it's possible, but it's the wrong solution. The right solution is ssh.
> I hear you saying that your company forbids ssh, but I think that once you
> understand the risks of doing what you're talking about here, you'll be able
> to communicate to your firewall admin that ssh is *BY FAR* more secure than
> any other remote shell options available. This is why so many commercial
> firewalls come with ports 80, 443, and 22 open by default.
>
> I would strenuously encourage you to have a long talk with your network guy
> about security, and if he/she doesn't understand the issues, have a talk
> with his/her boss about his/her lack of credentials. This isn't a difficult
> issue - it's pretty fundamental to network security.
>
> --
> Rich Bowen
> rbowen@rcbowen.com
>
>


-- 
-Skye Sweeney

Re: [users@httpd] Remote shell access via Apache

Posted by Rich Bowen <rb...@rcbowen.com>.
On Jan 28, 2011, at 8:44 AM, Skye Sweeney wrote:

> I have now been monitoring this distribution list for a month and now feel like I can ask my question...
>  
> Recently my company has put a filter in their firewall to prevent any access to any outside computer over SSH or FTP. This has broken my ability to access my home computer to do such things as powering it off during thunderstorms. Only a very few ports are open on the firewall. These include port 80.
>  
> Question: Is it possible to configure Apache and/or other components to allow a client to have a simple "bash shell" into the computer running Apache? I do not need X11 or any other graphic interfaces, just a good old shell and even that could be limited. Now before people freak out about security, it should be known that my firewall only allows connections from very specific MAC addresses. As long as I do not publish those, I consider my home Linux server very safe.
>  
> I have tried to Google the answer, but I have not found the right key words to home in on a solution. I would be happy with just a few product or keyword names to help my search or an indication that I am barking up the wrong tree!

Yes, it's possible, but it's the wrong solution. The right solution is ssh. I hear you saying that your company forbids ssh, but I think that once you understand the risks of doing what you're talking about here, you'll be able to communicate to your firewall admin that ssh is *BY FAR* more secure than any other remote shell options available. This is why so many commercial firewalls come with ports 80, 443, and 22 open by default.

I would strenuously encourage you to have a long talk with your network guy about security, and if he/she doesn't understand the issues, have a talk with his/her boss about his/her lack of credentials. This isn't a difficult issue - it's pretty fundamental to network security.

--
Rich Bowen
rbowen@rcbowen.com

