Using SSH for DeleGate tunneling

Yutaka Sato
June 28, 2000

(January 24, 2000, I wrote another way to use SSH with DeleGate in DeleGate-En.)

Various TCP based application protocols relayable by DeleGate (HTTP, FTP, NNTP, POP, Telnet, Socks, etc.) can be relayed on a secure SSH connection which tunnels communication between chained DeleGate servers.

DeleGate has a generic mechanism to make itself be chained with another upstream DeleGate which will communicate with target servers. A persistent communication channel between chained DeleGates, which multiplexes bi-directional data transmission of multiple sessions, can be established using the TUNNEL parameter.


    ...... --+                                               +-> ......
    client --+                    TUNNEL                     +-> server
    client --+-> DeleGate ======================> DeleGate --+-> server
           (TCP)           a single persistent              (TCP) 
                        channel on an arbitrary
                           transport protocol

The TUNNEL parameter specifies which type of tunnel is used and how will it be established. Although DeleGate has nothing to do with SSH, a channel for TUNNEL can be established on SSH connection to make communication between DeleGates be secure.

The TUNNEL mechanism has been implemented in an ancient version of DeleGate, but relaying FTP (data connection by PASV) on TUNNEL was supported recently in DeleGate/6.1.16.

EXAMPLE

Use DeleGate to relay HTTP and other protocols on SSH connection from local host (HostL) to remote host (HostR).

HostL

#### A script to establish a DeleGate tunnel on SSH
####
#### HostR: a remote host running sshd
#### Path: a directory where delegated exists on HostR
####
o ssh HostR Path/delegated SERVER=tunnel1 \n
i READY\r\n
=
####

HostL% delegated -v -P8080 TUNNEL=tty7:ssh.shio

06/28 15:04:20.81 [17429] 0+0: --INITIALIZATION START: 6.1.16 on xxxx--
...
06/28 15:04:20.85 [17429] 0+0: {T}.TeleportPorts[1]: 4362
06/28 15:04:20.85 [17430] 0+0: -- Fork(bindTeleportVehicle): 17429 -> 17430
06/28 15:04:20.86 [17432] 0+0: -- Fork(Tunnel): 17430 -> 17432
06/28 15:04:20.88 [17429] 0+0: [17429] ADD BeforeExit[0] STTY-ECHO
06/28 15:04:20.88 [17429] 0+0: >>>>>> Teleport[17430] <<<<<< tty7:0
...
06/28 15:04:20.92 [17429] 0+0: --INITIALIZATION DONE--

enter password for ssh here

06/28 15:04:24.02 [17430] 0+0: Remote Peer Says: INVITE WhereIs/* ^M
06/28 15:04:24.02 [17430] 0+0: {T}.Teleport: tty7:0 [0.0.0.0:0] opened[11/11]
...

ADVANCED USAGE

If you have multiple protocols to be tunneled to a remote host via SSH, making SSH tunnels for each protocol can be complicated. In such case, running a generalist-DeleGate (without SERVER parameter) dedicated to tunneling and use it as a upstream DeleGate from DeleGates for each protocol will make it easy.

-> ............. --+ +-> -> HTTP-DeleGate --+ +-> -> FTP-DeleGate --+ MASTER TUNNEL +-> -> Telnet-DeleGate --+--------> DeleGate ============> DeleGate --+-> client (specialists) (generalist) (generalist) server hosts (--------- on HostL ------------------) (on HostR) hosts

Yutaka Sato <ysato@delegate.org> Electrotechnical Laboratory (ETL), AIST, MITI, Japan