On 18/02/2022 12:15, Darren Tucker wrote:
Other than the ProxyUseFdpass part you can do that with a shell one
liner in ProxyCommand and netcat:
ProxyCommand sh -c 'nc %h %p || nc --proxy lsocksserver:1080
--proxy-type=socks4 %h %p'
Just a quick follow-up to this: I found that macOS 12.2.1's "nc" command
is broken when using a SOCKS5 proxy and the proxy returns an IPv6 bind
address.
X -----------> Y --------------> Z
macOS SOCKS5 IPv6 target
nc server
$ nc -X 5 -x 1.2.3.4:1080 2001:db8::1 22
�ݐSSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
^^
(Notice the extra spurious bytes in response)
Checking with tcpdump I see the exchange as:
--> 05 01 00
<-- 05 00
--> 05 01 00 04 ZZ(x16) 00 16 [connect, ATYP 4 = IPv6 address/port]
<-- 05 00 00 04 YY(x16) PP PP [success, ATYP 4 = IPv6 bind address/port]
<-- start of data
This is the case with two standalone SOCKS5 servers I tried: dante and
Mikrotik.
Interestingly, the problem doesn't manifest when using ssh -D as the
proxy server.
$ ssh -D 1080 Y
...
$ nc -X 5 -x localhost:1080 2001:db8::1 22
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
--> 05 01 00
<-- 05 00
--> 05 01 00 04 ZZ(x16) 00 16 [connect, ATYP 4 = IPv6 address]
<-- 05 00 00 01 00 00 00 00 00 00 [success, ATYP 1 = IPv4 bind
address 0.0.0.0:0]
<-- start of data
That is, ssh -D always returns IPv4 0.0.0.0:0 as the bind address/port,
even if the target is reached via IPv6, and regardless of whether
localhost is 127.0.0.1 or ::1. It appears macOS's /usr/bin/nc is
hard-coded to expect that.
Workaround is to switch to "ncat" (from the makers of "nmap") which
works correctly. Homebrew also has "netcat" and "netcat6" packages, but
neither of those support SOCKS. With ncat, the connection fallback works.
Anyway, I just thought I'd mention it in case it trips up anyone else.
Regards,
Brian.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
