SOCKS proxy support, like 'ssh -D' #955
Comments
Thought there was an open feature req for SOCKS but all I see is #508 which mentions it in passing. Let's make it this ticket. Thanks for the report! I also saw some offhand references to using ProxyCommand support to talk to a SOCKS process; I don't use SOCKS myself so not sure how workable that is, but if you haven't already looked into that I'd suggest doing so. |
|
Any updates here? |
Look for your needs.
Problem
|
@Cellebyte Yes, I really need socks functionality... |
Support for dynamic port forwarding would be great! |
Same |
We need it |
we need it |
i need it . |
I need it! |
Need it :) |
I NEED IT! |
2 years |
I know man..came here looking for that too.. |
Same |
i need it |
ssh -D would be good!~ |
heh, I thought I was just missing something as I assumed this was part of the package.... another vote to include. |
+1 |
For those who have a need for this I adapted the socks5 server from Rushter ( https://github.com/rushter ) to forward the connection through a SSH tunnel using Fabric (https://github.com/fabric/fabric) because I'm lazy (and I use Fabric for my project). So with minor adaptation you can use this : |
As I've the need for a SOCKS proxy provided by paramiko as well, I started looking into this functionality. I have a working POC and would like to get some feedback on how interfacing with this functionality would be desired by other users. Depending on the outcome, this might allow me to upstream the functionality after polishing it (however no promises for that yet).

So here is how using the SOCKS proxy looks like with my current POC:

```python
import paramiko
import requests

ssh_client = paramiko.SSHClient()
…
socks_proxy = ssh_client.open_socks_proxy(bind_address="127.0.0.1", port=1080)
proxies = {
    'http': 'socks5://127.0.0.1:1080',
    'https': 'socks5://127.0.0.1:1080',
}
session = requests.Session()
session.proxies.update(proxies)
response = session.get("https://example.tld/")
socks_proxy.close()
ssh_client.close()
```

Calling `ssh_client.open_socks_proxy()` instantiates a SOCKS server which binds to the given address and port. The resulting socket accepts SOCKS connections, which get then unpacked by the SOCKS server and forwarded over a direct-tcpip channel per request to the desired destination. That's essentially the same as OpenSSH implements it.

To use the SOCKS proxy with requests one just has to configure requests to use the socket as SOCKS proxy. Of course the proxy can be used by any other application as well.

Finally `socks_proxy.close()` shuts down the proxy again. Calling this is optional as the proxy gets stopped whenever the SSH client gets closed too.

What do you think about this? Is that as you imagine SOCKS functionality in paramiko or do you have something different in mind? |
that would work for me! Much more convenient to access APIs behind a
jumphost
…On Wed, 24 Mar 2021 at 12:43, Daniel Roschka ***@***.***> wrote:
As I've the need for a SOCKS proxy provided by paramiko as well, I started
looking into this functionality. I have a working POC and would like to get
some feedback on how interfacing with this functionality would be desired
by other users. Depending on the outcome, this might allow me to upstream
the functionality after polishing it (however no promises for that yet).
So here is how using the SOCKS proxy looks like with my current POC:
import paramiko
import requests
ssh_client = paramiko.SSHClient()
…
socks_proxy = ssh_client.open_socks_proxy(bind_address="127.0.0.1", port=1080)
proxies = {
'http': 'socks5://127.0.0.1:1080',
'https': 'socks5://127.0.0.1:1080',
}
session = requests.Session()
session.proxies.update(proxies)
response = session.get("https://example.tld/")
socks_proxy.close()
ssh_client.close()
Calling ssh_client.open_socks_proxy() instantiates a SOCKS server which
binds to the given address and port. The resulting socket accepts SOCKS
connections, which get then unpacked by the SOCKS server and forwarded over
a direct-tcpip channel per request to the desired destination. That's
essentially the same as OpenSSH implements it.
To use the SOCKS proxy with requests one just has to configure requests to
use the socket as SOCKS proxy. Of course the proxy can be used by any other
application as well.
Finally socks_proxy.close() shuts down the proxy again. Calling this is
optional as the proxy gets stopped whenever the SSH client gets closed too.
What do you think about this? Is that as you imagine SOCKS functionality
in paramiko or do you have something different in mind?
|
I think that would be perfect! Any chance you have a fork of this working that I can access? |
You can find a fork with working code at https://github.com/yomagroup/paramiko/tree/wip-socks-proxy. Big disclaimer though: This code is not production ready yet and doesn't handle certain cases correctly! Don't use it for anything serious! I'll need some more time to iron out the remaining bugs and to polish it to make it ready for upstreaming. Until I get to that it might take a few weeks, as other topics have priority for me right now. I'll keep you posted about the progress. |
@Dunedan thanks for taking a stab at this! As noted upthread I've no personal SOCKS experience but when you feel it's ready for review, please do @ me (here or in a new PR, linking back to this ticket/comment) and I'll hopefully find the time to take a gander. |
@bitprophet Sounds good. I'll do. 👍 If anybody is wondering about the current status: I'm still working on getting the code into an upstreamable state, whenever I find some time. It might still take a few more weeks before I get to a state I'm satisfied with. |
@Dunedan Thanks! |
This adds SOCKS5 proxy functionality to paramiko as requested and discussed in paramiko#955.

The functionality is nearly identical feature-wise to the one in OpenSSH, with the notable exception that it only supports SOCKS5 and not SOCKS4. The reasoning behind it being that SOCKS4 was already superseded by SOCKS5 25 (!) years ago and that SOCKS4 doesn't even support tunneling requests to hosts using IPv6.

Common implementation details with OpenSSH include:

- supports starting multiple SOCKS5 servers bound to different local addresses for a single SSH connection
- exposes the SOCKS5 servers as local IPv4 or IPv6 stream sockets
- only supports a subset of SOCKS5, in particular tunneling of UDP-traffic, authentication and incoming connections aren't supported
- supports tunneling connections to IPv4 and IPv6 addresses, as well as connections to host names, by resolving them on the SOCKS server side
- 1:1 mapping between SOCKS5 requests and direct-tcpip channels

The implementation works with all Python versions supported by paramiko. It has so far only been tested with Linux, but should work on other operating systems as well.

The implementation has been used productively for several weeks so far, using `requests` with its SOCKS5 proxy functionality as SOCKS5 client, and works without any problems.
I've finally found time to put the SOCKS proxy code into a PR, so here it is: #1873 |
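Added example, not part of the thread and not the code from PR #1873: a parser for the SOCKS5 subset the commit message above describes (CONNECT only; IPv4, IPv6 and host-name destinations), with the wire layout taken from RFC 1928. The names `SocksError`, `parse_greeting`, `parse_request` and `SAMPLE_REQUEST` are hypothetical, and the sample bytes are constructed.

```python
import ipaddress
import struct

CMD_CONNECT = 1  # BIND (2) and UDP ASSOCIATE (3) are refused
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REP_CMD_NOT_SUPPORTED, REP_ATYP_NOT_SUPPORTED = 7, 8  # RFC 1928 reply codes
# Constructed sample: CONNECT to example.tld:443 given as a host name.
SAMPLE_REQUEST = b"\x05\x01\x00\x03\x0bexample.tld\x01\xbb"

class SocksError(Exception):
    """Malformed or unsupported message; reply is the REP byte to send, if any."""
    def __init__(self, message, reply=None):
        super().__init__(message)
        self.reply = reply

def _take(buf, offset, count):
    # Bounds-checked slice, so truncated input never reaches struct.unpack.
    if len(buf) < offset + count:
        raise SocksError("truncated message")
    return buf[offset:offset + count]

def parse_greeting(buf):
    """Return the auth methods offered in the client's first message."""
    version, nmethods = _take(buf, 0, 2)
    if version != 5:
        raise SocksError("not SOCKS5 (first byte 0x%02x)" % version)
    return list(_take(buf, 2, nmethods))

def parse_request(buf):
    """Return the (host, port) that a CONNECT request asks for."""
    version, cmd, _rsv, atyp = _take(buf, 0, 4)
    if version != 5:
        raise SocksError("not SOCKS5 (first byte 0x%02x)" % version)
    if cmd != CMD_CONNECT:
        raise SocksError("only CONNECT is supported", REP_CMD_NOT_SUPPORTED)
    if atyp == ATYP_IPV4:
        host, pos = str(ipaddress.IPv4Address(_take(buf, 4, 4))), 8
    elif atyp == ATYP_IPV6:
        host, pos = str(ipaddress.IPv6Address(_take(buf, 4, 16))), 20
    elif atyp == ATYP_DOMAIN:
        length = _take(buf, 4, 1)[0]
        try:
            host, pos = _take(buf, 5, length).decode("ascii"), 5 + length
        except UnicodeDecodeError:
            raise SocksError("non-ASCII host name")
    else:
        raise SocksError("unknown address type", REP_ATYP_NOT_SUPPORTED)
    (port,) = struct.unpack("!H", _take(buf, pos, 2))
    return host, port
```

The returned pair is the destination a proxy would hand to `Transport.open_channel("direct-tcpip", dest_addr, src_addr)`, one channel per request. Host names are returned as the client sent them, since the commit message states they are resolved on the SOCKS server side.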
Hi @Dunedan, I wrote a small python app using this new branch, and it's ok for the most part. It connects to an SSH server and creates a socks proxy. It works fine when I set my OS network proxy setting to manual (Ubuntu 20) using ('localhost', 1080). But when I try to use a PAC file for automatic proxy, it raises the error below. I should mention that the same PAC file is completely functional when I use an 'ssh -D' command. It seems to me that it's unhappy about the struct.unpack on line 143, but I can't spot the issue. Would you please look into this and help me solve it? Many thanks.

```
Exception happened during processing of request from ('127.0.0.1', 57916)
```
|
I'm getting another exception that is not affecting the connection, but I thought there might be some value in pointing it out. What do you think is going wrong here?

```
Secsh channel 29 open FAILED: open failed: Connect failed
Exception happened during processing of request from ('127.0.0.1', 60522)
```
|
@FredAmouzgar To debug this, can you please provide the PAC file you're using and a recording of the TCP packets between the browser and the proxy? |
I guess it'd be easier if I provided my code and you see it for yourself. |
You're using the branch |
Thanks for your help and your quick reply. I tested this new branch, and it led to the same issues. I should also clarify that I'm not a network guru, and I may have made a mistake in setting up the PAC file through the HttpServer. After all, the SSH proxy is working fine when I manually access it. So, I'll play around with my code and let you know if I can resolve the issue. |
This adds SOCKS5 proxy functionality to paramiko as requested and discussed in paramiko#955.

The functionality is nearly identical feature-wise to the one in OpenSSH, with the notable exception that it only supports SOCKS5 and not SOCKS4. The reasoning behind it being that SOCKS4 was already superseded by SOCKS5 25 (!) years ago and that SOCKS4 doesn't even support tunneling requests to hosts using IPv6.

Common implementation details with OpenSSH include:

- supports starting multiple SOCKS5 servers bound to different local addresses for a single SSH connection
- exposes the SOCKS5 servers as local IPv4 or IPv6 stream sockets
- only supports a subset of SOCKS5, in particular tunneling of UDP-traffic, authentication and incoming connections aren't supported
- supports tunneling connections to IPv4 and IPv6 addresses, as well as connections to host names, by resolving them on the SOCKS server side
- 1:1 mapping between SOCKS5 requests and direct-tcpip channels

The implementation works with all Python versions supported by paramiko. It has so far only been tested with Linux, but should work on other operating systems as well.

The implementation has been used productively for several weeks so far, using `requests` with its SOCKS5 proxy functionality as SOCKS5 client, and works without any problems.

Co-authored-by: Daniel Roschka <daniel.roschka@yoma-solutions.de>
Hi, I'd like to create a SOCKS proxy from an accessible SSH server, in order to pass Python Requests over that server.
Is it possible to do this using paramiko?