从 NTLM 代理后面的客户端连接到 SSH 服务器

tag-icon tag-icon ssh proxy putty ntlm cntlm
从 NTLM 代理后面的客户端连接到 SSH 服务器

我正在尝试从公司网络访问互联网上的 SSH 服务器。所有与外部互联网的连接都必须通过服务器进行代理,该服务器会检查每个客户端的每次请求的 NTLM 哈希值。我正在使用控制论为此,它只工作了一半。它对于基于 HTTP 的连接工作正常,但对于 SSH 风格的连接不起作用。我知道这一点,因为我可以连接到Sublime Text包控制插件获取和更新插件。但是,我无法使用它通过 Cntlm 的隧道配置通过 SSH 进入我的服务器。

查看 Cntlm 的日志,我可以看到以下内容......

cntlm: PID 1460: 127.0.0.1 TUNNEL ts.io:443
Tunneling to ts.io:443 for client 6...
Starting authentication...
NTLM Request:
       Domain: domain.tld
     Hostname: D-HOSTNAME
        Flags: 0xA208B205

NTLM 握手(类型 1)

Sending PROXY auth request...
Proxy-Connection               => keep-alive
Proxy-Authorization            => NTLM [REDACTED]
Content-Length                 => 0

正在读取 PROXY 身份验证响应...

HEAD: HTTP/1.1 407 Proxy Authentication Required ( Access is denied.  )
Via                            => 1.1 FOLLICLE
Proxy-Authenticate             => NTLM [REDACTED]
Connection                     => Keep-Alive
Proxy-Connection               => Keep-Alive
Pragma                         => no-cache
Cache-Control                  => no-cache
Content-Type                   => text/html
Content-Length                 => 0
NTLM Challenge:
    Challenge: 4AC9211DC2875FFF (len: 178)
        Flags: 0xA2898205
    NT domain: NTDOMAIN
       Server: PROXY
       Domain: domain.tld
         FQDN: proxy.domain.tld
          TLD: domain.tld
        TBofs: 64
        TBlen: 114
        ttype: 0
NTLMv2:
        Nonce: CB4E6617ABF19C24
    Timestamp: -1581153408
NTLM Response:
     Hostname: 'D-HOSTNAME'
       Domain: 'domain.tld'
     Username: 'username'
     Response: '[REDACTED]' (162)
     Response: '[REDACTED]' (24)
Sending real request:
Proxy-Connection               => keep-alive
Proxy-Authorization            => NTLM [REDACTED]

最后我明白了......

Reading real response:
HEAD: HTTP/1.1 200 Connection established
Via                            => 1.1 PROXY
Connection                     => Keep-Alive
Proxy-Connection               => Keep-Alive
Ok CONNECT response. Tunneling...
tunnel: select cli: 6, srv: 7
Joining thread 537272664; rc: 0

由于防火墙只允许通过代理服务器从端口 80 和端口 443 连接到外部互联网,因此我重新配置了 SSH 服务器以接受来自端口 443 的连接。

我看到的问题是,一旦我尝试 SSH 连接,使用 Sublime Text 时连接就会报告连接超时SFTP 插件. 使用 PuTTY 立即获得结果PuTTY Fatal Error: Server unexpectedly closed network connection. Google Chrome 扩展程序安全外壳给了我更详细的错误ssh_exchange_identification: Connection closed by remote host NaCl plugin exited with status code 255.

控制配置

# The username of the client you wish to masquerade as.
#
Username    username

# The domain name of the network you are connected too.
# 
Domain      domain.tld

# The Password, LM, NTLM, or NTLMv2 Password.
# You should leave this blank and then start cntlm
# with the -M arg to get the hash information, then
# place that information here.
#
PassNTLMv2  [REDACTED]

# Specify the netbios hostname cntlm will send to the parent
# proxies. Normally the value is auto-guessed.
#
Workstation D-HOSTNAME

# List of parent proxies to use. More proxies can be defined
# one per line in format <proxy_ip>:<proxy_port>
#
Proxy       PROXY:8080

# Specify the port cntlm will listen on
# You can bind cntlm to specific interface by specifying
# the appropriate IP address also in format <local_ip>:<local_port>
# Cntlm listens on 127.0.0.1:3128 by default
#
Listen      3128

# Use -M first to detect the best NTLM settings for your proxy.
# Default is to use the only secure hash, NTLMv2, but it is not
# as available as the older stuff.
#
# This example is the most universal setup known to man, but it
# uses the weakest hash ever. I won't have it's usage on my
# conscience. :) Really, try -M first.
#
Auth        NTLMv2

# Tunnels mapping local port to a machine behind the proxy.
# The format is <local_port>:<remote_host>:<remote_port>
# 
Tunnel      1443:ts.io:443

这是我在 Cntlm 中用于 Tunnel 的配置部分。

PuTTY 配置

IP:PORT     localhost:1443

这就是我用于 PuTTY 连接的内容。

Sublime Text

"http_proxy": "http://localhost:3128",

有什么办法可以修复这个问题吗?我想通过 SSH 进入我的服务器,一定有办法只使用 Cntlm 的隧道功能来实现这一点,我只是不知道我做错了什么。

我可以告诉你,我可以从公司网络外部使用端口 443 连接到我的 SSH 服务器。

答案1

当我尝试使用 Putty 通过 CNTLM 连接到 SSH 服务器时,我收到了 407 响应。Forefront TMG 代理反对来自 PuTTY 的 DNS 查找,而不是 SSH 流量本身。您需要关闭在代理端进行 DNS 名称查找在里面代理人PuTTY 配置页面。设置作品,汽车或者是的将导致 407 响应。

答案2

您可以不读取日志,而是使用 -v 选项调用 cntlm,这会使其保持在前台并在生成日志的同时在终端上发出诊断输出。

您的身份验证和隧道设置似乎都正常工作。所以我无法解释为什么您的连接不起作用(除非“localhost”可能未正确解析为 127.0.0.1)。

我刚刚测试了 SSH 转发(对于不需要用户身份验证的简单情况)——这是我在发出命令后得到的结果,供您比较

$ cntlm-L 443:远程主机:22-v

section: global, Username = ...
section: global, Domain = ...
section: global, PassNTLMv2 = ...
section: global, Proxy = '139.23.33.27:81'
section: global, NoProxy = 'localhost, 127.0.0.*, 10.*, 192.168.*'
Default config file opened successfully
Adding no-proxy for: 'localhost'
Adding no-proxy for: '127.0.0.*'
Adding no-proxy for: '10.*'
Adding no-proxy for: '192.168.*'
cntlm: Workstation name used: mchn256c
cntlm: Using following NTLM hashes: NTLMv2(1) NT(0) LM(0)
cntlm[27413]: Cntlm ready, staying in the foreground

(在不同的终端上发出“ssh -p 443 localhost”):

   NO: remotehost (localhost)
   NO: remotehost (127.0.0.*)
   NO: remotehost (10.*)
   NO: remotehost (192.168.*)
cntlm[27413]: Using proxy 139.23.33.27:81
cntlm[27413]: Resolving proxy 139.23.33.27...
Resolve 139.23.33.27:
  -> 139.23.33.27
cntlm[27413]: 127.0.0.1 TUNNEL remotehost:22
Tunneling to remotehost:22 for client 6...
Starting authentication...
NTLM Request:
           Domain: ...
         Hostname: ...
            Flags: 0xA208B205

Sending PROXY auth request...
Proxy-Connection               => keep-alive
Proxy-Authorization            => NTLM ...
Content-Length                 => 0

Reading PROXY auth response...
HEAD: HTTP/1.1 200 Connection established
Via                            => 1.1 MCHP941X
Connection                     => Keep-Alive
Proxy-Connection               => Keep-Alive
Ok CONNECT response. Tunneling...
tunnel: select cli: 6, srv: 7

相关内容