SSH/HTTPS multiplexer

Hm, this nmap scan looked funny:

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 5.2 (protocol 2.0)
80/tcp  open  http    Gatling httpd 0.13
443/tcp open  ssh     OpenSSH 5.2 (protocol 2.0)

SSH listening on :443, yet the site was serving a website there? Looking around a bit, I came across a few SSH/HTTP/HTTPS multiplexers. There are even binary packages out there for a few distributions, nice! So, how is it done?

ssh-https


When using ssh-https.c, the ports are hardcoded:
$ grep execl ssh-https.c
                execl("/bin/nc", "/bin/nc", "localhost", "8443", NULL);
                execl("/bin/nc", "/bin/nc", "localhost", "22", NULL);

$ gcc -o ssh-https ssh-https.c
$ mv ssh-https /usr/local/sbin/

SSH will continue to listen on :22, the webserver will have to listen on :8443 and ssh-https will listen on :443:
$ grep ssh-https /etc/inetd.conf
https   stream  tcp  nowait  nobody  /usr/sbin/tcpd /usr/local/sbin/ssh-https

sslh


sslh is a bit more flexible, as ports can be passed on the command line:
$ grep sslh /etc/inetd.conf
https   stream  tcp  nowait  sslh  /usr/sbin/tcpd /usr/sbin/sslh \
       --listen 10.0.0.23:443 --inetd --ssh localhost:22 --ssl localhost:8443

In any case, we should now have 3 listening ports:
$ netstat -anptu | grep LISTEN
[...]
tcp    0      0 0.0.0.0:22      0.0.0.0:*   LISTEN    2211/dropbear
tcp    0      0 0.0.0.0:443     0.0.0.0:*   LISTEN    6510/inetd
tcp    0      0 0.0.0.0:8443    0.0.0.0:*   LISTEN    6012/lighttpd

And it's even working :-)
$ ssh-keyscan -p 443 10.0.0.23
# foo SSH-2.0-dropbear_2012.55

$ wget -qO- https://10.0.0.23/
Hello, world :-)
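
How a multiplexer of this kind can tell the two protocols apart on one port, and why a scanner may label :443 as ssh: the decision rests on the first bytes the client sends, or on the client staying silent until a timeout. This is an added example, not code from ssh-https.c or sslh; the function names, the HTTP method list and the sample byte strings are constructed for illustration.

```c
/* Added example: first-bytes protocol classification for a port that
 * carries both SSH and TLS. Names and sample inputs are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum proto { PROTO_SSH, PROTO_TLS, PROTO_HTTP, PROTO_UNKNOWN };

/* True if buf (len bytes) starts with the NUL-terminated prefix p. */
static int starts_with(const unsigned char *buf, size_t len, const char *p)
{
    size_t n = strlen(p);
    return len >= n && memcmp(buf, p, n) == 0;
}

/* Classify what the client sent before the multiplexer's timeout expired.
 * len == 0 means the client stayed silent: treated as SSH, because an SSH
 * client may wait for the server's banner, while a TLS client always
 * speaks first. */
enum proto classify(const unsigned char *buf, size_t len)
{
    static const char *http_methods[] = { "GET ", "POST ", "HEAD ", "PUT ",
                                          "DELETE ", "OPTIONS ", "CONNECT " };
    size_t i;

    if (len == 0 || starts_with(buf, len, "SSH-"))
        return PROTO_SSH;
    /* TLS record header: type 0x16 (handshake), major version 0x03. */
    if (len >= 3 && buf[0] == 0x16 && buf[1] == 0x03 && buf[2] <= 0x04)
        return PROTO_TLS;
    for (i = 0; i < sizeof http_methods / sizeof http_methods[0]; i++)
        if (starts_with(buf, len, http_methods[i]))
            return PROTO_HTTP;
    return PROTO_UNKNOWN;
}

int main(void)
{
    /* Constructed samples: an SSH identification string and the first
     * bytes of a TLS ClientHello record. */
    const unsigned char ssh[] = "SSH-2.0-OpenSSH_5.2\r\n";
    const unsigned char tls[] = { 0x16, 0x03, 0x01, 0x00, 0xa5, 0x01 };

    printf("ssh=%d tls=%d silent=%d\n", (int)classify(ssh, sizeof ssh - 1),
           (int)classify(tls, sizeof tls), (int)classify(NULL, 0));
    return 0;
}
```

With the relays shown above, the backends are reached through localhost, so sshd and the web server see 127.0.0.1 as the peer address; per-client filtering and logging have to happen at the multiplexer (tcpd in the inetd lines).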