Tunneling SSH over PageKite

By Bjarni R. Einarsson 2013-01-04, 12:37

SSH can be tunneled over PageKite, allowing your SSH server to be reachable from anywhere, even if behind NAT or a strict firewall. This is very handy for remote administration, automated backups or simply copying files back and forth.


Configuring the SSH server

Assuming you already have an SSH server running on port 22 on your local machine, and the machine has an active PageKite connection named user.pagekite.me, run the following command to add it to your configuration file:

$ pagekite.py --add 22 ssh:user.pagekite.me

Alternatively, you can edit the configuration file yourself, adding a line like this:

service_on=raw/22:user.pagekite.me:localhost:22:SECRET

Restart pagekite.py, and the SSH server should be accessible.

Making sure you connect to the right server

If you want to verify later that you are indeed connecting to the correct server, you can display the server's public SSH key fingerprints using commands like so:

ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub

Exactly which of the above commands apply on your system may vary (and you may need to tweak the paths slightly), but one of the listed fingerprints should be displayed by your ssh client the first time you connect.
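Because the connection passes through a relay, the host key is what identifies the server end to end. The following is an added example, not part of the original page or of PageKite: it computes the fingerprints of a host public key line in both notations ssh clients display and builds a known_hosts entry that pins the key to the kite name. The function names are hypothetical and the sample key is constructed.

```python
import base64
import hashlib

def sample_pub_line():
    """Constructed sample: a well-formed ssh-ed25519 line with a dummy 32-byte key."""
    ktype = b"ssh-ed25519"
    blob = len(ktype).to_bytes(4, "big") + ktype + (32).to_bytes(4, "big") + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@constructed"

def parse_pub_line(line):
    """Split one line of an ssh_host_*_key.pub file into (key_type, key_blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line was truncated or edited.
    n = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 or blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return key_type, blob

def fingerprints(blob):
    """Older clients show colon-separated MD5 hex, newer ones unpadded base64 SHA256."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def known_hosts_line(kite, pub_line):
    """Entry that pins the server's key to the kite name in ~/.ssh/known_hosts."""
    key_type, blob = parse_pub_line(pub_line)
    return f"{kite} {key_type} {base64.b64encode(blob).decode()}"

if __name__ == "__main__":
    line = sample_pub_line()  # on a real server, read /etc/ssh/ssh_host_*_key.pub
    for fp in fingerprints(parse_pub_line(line)[1]):
        print(fp)
    print(known_hosts_line("user.pagekite.me", line))
```

Copying the printed entry to the client over a channel you already trust means the first connection through the relay is checked against a known key instead of being accepted on sight.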

Configuring the SSH client

If your SSH client supports it, simply configure it to use user.pagekite.me:443 as the HTTP proxy and connect to user.pagekite.me on the standard port, 22.

Note: The Windows SSHAndTunnels page describes in more detail how to configure PuTTY for use with PageKite.

Configuring openssh for HTTP Proxying

The popular OpenSSH client allows you to permanently configure specific options on a host-by-host basis, by adding sections to the file ~/.ssh/config.

Assuming you have the OpenBSD version of netcat installed (openssh will use it to handle the HTTP proxy connection), you can add the following three lines to your SSH configuration to permanently enable SSH-over-PageKite for the host named user.pagekite.me:

Host *.pagekite.me
  CheckHostIP no
  ProxyCommand /bin/nc -X connect -x %h:443 %h %p

(Watch out for fake line breaks; the above should be exactly 3 lines.)

After making this change, you should be able to use ssh, scp and any other ssh-based commands to connect to user.pagekite.me without any special arguments:

ssh user.pagekite.me  # That's all folks!

Note: Outdated instructions have been moved: HttpBeforeSsh

Configuring ConnectBot for HTTP Proxying (Android)

The official ConnectBot Android SSH client does not support HTTP proxying. However, we have submitted a patch to the developers, which will hopefully be included in a future release.

In the meantime, our patched .apk can be downloaded from:

This adds a "Use HTTP Proxy" option to the "Edit host" settings. To connect over PageKite, change this setting to: user.pagekite.me:443

Troubleshooting

Here are a few common error messages you may encounter, along with the explanations and solutions we are aware of at the moment.

/bin/nc: invalid option -- 'X'

If you see the error above, or a similar one, then you are using the wrong version of netcat: you need the OpenBSD version, or some other version which has support for HTTP proxies. An alternative to netcat which is known to work is corkscrew.

ssh_exchange_identification: Connection closed by remote host

This error can mean many things - but it usually does not mean there is a problem with passwords or ssh keys!

One possible cause is that netcat (or an alternative) is not configured correctly for the domain name you are connecting to. Check for typos in your configuration file.

In other cases, this error may be preceded by an error from netcat or your connection tool, which will give hints about what the real problem is.

nc: getaddrinfo: nodename nor servname provided

This error means netcat was unable to look up the requested host in DNS. Usually this means you either have a typo somewhere, or the pagekite.py connector on the SSH server side is not running properly.

nc: Proxy error: "HTTP/1.0 503 Unavailable"

This error generally means pagekite.py is not running on the SSH server or has failed to connect to the front-end relay server.
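What nc -X connect does on the client's behalf, and where the proxy errors above come from, shown as an added Python example (not PageKite's or OpenSSH's code). The names connect_request, read_reply, open_tunnel and HINTS are hypothetical, and the request is the minimal HTTP/1.0 CONNECT form.

```python
import socket

# Reply codes that appear on this page, with the causes it gives for them.
HINTS = {
    503: "pagekite.py is not running on the SSH server or failed to reach the front-end relay",
    400: "reported in comment 5 after the kite was moved off port 22; see comment 6 on virtual ports",
}

def connect_request(kite, virtual_port):
    """Minimal HTTP/1.0 CONNECT request naming the kite and its virtual port."""
    return f"CONNECT {kite}:{virtual_port} HTTP/1.0\r\n\r\n".encode("ascii")

def read_reply(sock, limit=8192):
    """Read the relay's reply headers; return (status, bytes received after them)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(1024)
        if not chunk or len(buf) > limit:
            raise ConnectionError("relay closed or overran the header limit before replying")
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n")[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ConnectionError(f"not an HTTP reply: {head[:40]!r}")
    # 'rest' may already hold the SSH banner; the caller must pass it on to ssh.
    return int(parts[1]), rest

def open_tunnel(kite, virtual_port=22, relay_port=443, connector=socket.create_connection):
    """Connect to the kite name as an HTTP proxy and ask for kite:virtual_port."""
    sock = connector((kite, relay_port), timeout=10)
    sock.sendall(connect_request(kite, virtual_port))
    status, early = read_reply(sock)
    if status != 200:
        sock.close()
        raise ConnectionError(f"relay answered {status}: {HINTS.get(status, 'unexpected status')}")
    return sock, early
```

Only after a 200 reply does the SSH handshake start, which is why ssh reports these failures as a closed connection rather than as a key or password problem.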

Comments

  1. zellda said on 2011-12-20, 16:19
    No luck with that.
    Get:
    /bin/nc: invalid option -- 'X'
    when I try to connect.

    nc -h shows no x-option!
  2. Bjarni Rúnar Einarsson said on 2011-12-20, 16:24
    You need the OpenBSD version of netcat for these examples to work. There are other tools which can accomplish the same thing, for example corkscrew (ex. http://wiki.kartbuilding.net/index.ph...).

    Basically anything which will let you connect via an HTTP proxy will work; you simply treat your PageKite hostname as the name of an HTTP proxy on port 443.
  3. Frédéric Gobry said on 2012-01-30, 19:12
    corkscrew worked quite nicely for me:

    ProxyCommand /usr/bin/corkscrew %h 443 %h %p
  4. Amit said on 2012-02-20, 02:40
    And it works like a charm. Beauty!
  5. Thiago Jung Bauermann said on 2012-02-23, 03:08
    Just FYI: I asked pagekite to listen for SSH connections on a different port than the standard one (22), and when trying to connect I got:

    nc: Proxy error: "HTTP/1.1 400 Bad request"

    When I changed pagekite to listen on port 22, it worked.
  6. Bjarni Rúnar Einarsson said on 2012-02-23, 09:20
    Hi Thiago!

    Note that there are two port settings that matter. One is the port setting on your local computer, where the ssh daemon is listening. Usually that is 22, but sometimes people move it. The other is the "virtual port" which is sent in the HTTP CONNECT request to PageKite - that can be anything.

    For example:

    # If sshd listens on port 23 instead of 22
    # SSH clients connect to foo.pagekite.me:22
    pagekite localhost:23 raw://foo.pagekite.me
    # config file: backend=raw-22:foo.pagekite.me:localhost:23:SECRET

    # If sshd listens on the standard port 22
    # SSH clients connect to foo.pagekite.me:23
    pagekite localhost:22 raw://foo.pagekite.me:23
    # config file: backend=raw-23:foo.pagekite.me:localhost:22:SECRET

    Hope this helps!
  7. Thiago Jung Bauermann said on 2012-02-23, 17:32
    Hello Bjarni!

    Indeed it worked now, using your examples as references. I must have screwed up somewhere.

    Thanks for your help!
  8. n00bboy said on 2012-10-20, 10:43
    I have my own subdomain, SSH.example.com. How would I set this up to use it instead of pagekite.me? I tried the tutorial on public front end, but I must have messed up somewhere.
  9. John Brisbin said on 2012-12-11, 21:07
    I seem to be able to login via ssh only using the public key authentication, no password option is offered.

    I see no mention of this limitation, how can I avoid it?

    I have seen this when pagekite is installed on a Linux host as well as a Mac host.
  10. Bob Solomon said on 2013-01-29, 23:47
    This works for me on port 22 but does not work on an alternative port. I have sshd configured and working to connect on that port. If I change 22 to my alternative port in .pagekite.rc I get:
    ssh_exchange_identification: Connection closed by remote host

  11. Bob Solomon said on 2013-01-30, 00:03
    Never mind. Read #6 above and got it.
  12. Lukas Zapletal said on 2013-01-30, 20:38
    FYI if you tried to get this working with ncat (non-OpenBSD nc), don't bother - it does not work.

    ProxyCommand /bin/nc --proxy-type http --proxy %h:443 %h %p
  13. zellda said on 2013-02-26, 09:27
    Simple!
    When I follow the guide and do a:
    $ pagekite.py --add 22 ssh:user.pagekite.me
    on the server, I can connect with:
    $ ssh user.pagekite.me
    from my Linux client. Nothing more necessary. No port or anything on the client to specify.

    Don't know if it is mentioned here. Couldn't gather that from the guide, so I wrote it down for anybody having trouble connecting.
  14. Luke Timothy said on 2013-03-13, 22:10
    Can anyone help me configure cygwin SSH?
  15. Alan Brenner said on 2013-03-24, 14:44
    Under Mac OS 10.7, use /usr/bin/nc on the ProxyCommand line instead of /bin/nc, and it works fine.
  16. Rafal said on 2013-05-07, 15:57
    One other thing to check when you have trouble getting your .pagekite.rc read correctly -- the command line config overrides what's in the .pagekite.rc, so beware! Also, the command-line config seems not to accept the whole syntax of what can be done in the .pagekite.rc (e.g. I can't do "ssh-2222://foo.pagekite.me" or "raw-2222://foo.pagekite.me").
  17. Rafal said on 2013-05-07, 16:01
    Oh, to follow up to the last:

    ssh://foo.pagekite.me:2222

    does seem to do what I need when specified on the command line.
  18. Guillermo said on 2013-08-02, 16:51
    Couldn't get it to work on my Mac, followed the guide, checked for typos in the config file, I did:
    $ pagekite.py --add 22 ssh:user.pagekite.me
    $ pagekite.py user.pagekite.me
    >>> Hello! This is pagekite.py v0.5.6a. [CTRL+C = Stop]
    Connecting to front-end 173.230.155.164:443 ...
    - Protocols: http http2 http3 https websocket irc finger httpfinger raw
    - Protocols: minecraft
    - Ports: 79 80 443 843 2222 3000 4545 5222 5223 5269 5670 6667 8000 8080
    - Ports: 8081 9292 25565
    - Raw ports: 22 virtual
    Quota: You have 17458.23 MB, 13 days and 6 connections left.
    ~<> Flying localhost:22 as ssh://user.pagekite.me:22/ (HTTP proxied)
    << pagekite.py [flying] Kites are flying and all is well.
    $ ssh user.pagekite.me
    ssh_exchange_identification: Connection closed by remote host

    Of course I changed the user.pagekite.me with my own kite.
