ni hi lex - Web Development

Secret Socks

Summary

This is a front-end graphical interface for using SSH as a secure SOCKS proxy, on Mac OS X. It is meant mainly for users who don't like using the command line. You can download Secret Socks here:

  • Secret Socks-1.0.2.dmg (628K)

Background

Online proxies are a useful way to get around restrictive firewalls that block you from accessing parts of the internet. Maybe your corporate environment has rules against accessing sites like GMail from work, and you need to find out what time to pick up your kids after work. Or maybe you live in a country that censors all foreign media, and you need to upload a video recording to YouTube. Proxies can help with that.

Chances are, you do not want your boss or government to be able to spy on what you do online. That's why it is important to use encryption with your proxy connection. An SSH SOCKS proxy is perfect for that. However, some environments have deep packet inspection (DPI) equipment in place that blocks or throttles all encrypted online communications, rendering your secure SSH useless. We know that this is being done in Iran, for instance.

But there is still hope. Security pro Bruce Leidl has written a patch for the widely-used OpenSSH program. This patch makes the encrypted connection undetectable to DPI. Please see Bruce's documentation for details on how it works. With this new patch, you can securely connect to a SOCKS proxy server without the online watchdogs knowing, or being able to target you for throttling. Hence the name Secret Socks.

(Note that although this type of proxy is secure, it is still a single-hop proxy, meaning that you have to trust the person running the proxy server. A multiple-hop solution like Tor provides superior security and anonymity because even the person running the relay node you connect to has no way of knowing what you are doing. At the moment, Tor still works in Iran, but may be throttled, making it seem much slower than normal there.)

Secure SOCKS Proxy

Ok great, now how do we use SSH as a proxy? Normally, we would need to start an ssh connection from the command line. The point of Secret Socks is that you won't need to worry about that, so you can skip this section if you like. On the Unix command line, we would do something like this:

ssh -ND 9999 -p <portnumber> <username>@<hostname>

With obfuscated-openssh, we add a couple more options:

ssh -ND 9999 -p <portnumber> -zZ <key> <username>@<hostname>

That will open up port 9999 on our local computer, as a SOCKS proxy, and relay all traffic through the SSH server. After that, we just need to update the OS X network preferences to start using the SOCKS proxy.

(System Preferences -> Network -> Advanced... -> Proxies)

If you use a Mac, and that didn't make any sense to you, then Secret Socks is for you. Download it below.

Graphical User Interface

Just type in your SSH account info, and click connect! The program takes care of updating your Mac's network settings for you. It also remembers your account info (everything except your password).

Download

  • Secret Socks-1.0.2.dmg (628K)
  • Source code (700K)
  • obfuscated-openssh source code (988K)

Is it possible to install of

Anonymous — Thu, 07/23/2009 - 15:02

Is it possible to install the obfuscation patch on Leopard's SSH daemon?


Installing obfuscated-openssh server on OS X

josh — Thu, 07/23/2009 - 19:41

It is very possible to install an obfuscated-openssh daemon on Leopard. But instead of modifying or replacing the original sshd, I recommend installing a separate copy. The ssh source code listed above is for the full set of OpenSSH, including the server program.

(You will probably need to have Developer Tools installed for this.)

Use the usual method of building the programs from source.

./configure
make
sudo make install

By default, this will install obfuscated-openssh under /usr/local. The ssh client will be in /usr/local/bin, the ssh daemon will be in /usr/local/sbin, and the config file will be in /usr/local/etc. So it will not interfere with the original OS X binaries and configuration in /usr/bin, /usr/sbin, and /etc. I like this because I know that software updates from Apple will not accidentally overwrite my custom ssh setup.

The only disadvantage is the custom sshd will not be started/stopped automatically by OS X from the Sharing preference pane. But you can still do it yourself from the command line, or write a shell script for that.

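One way to write the start/stop script mentioned in the reply above, as an added example that is not part of the original comment or of obfuscated-openssh. The sshd and config paths are the /usr/local defaults named above; the PID file location and the function names are assumptions.

```shell
#!/bin/sh
# Added example: start/stop/status for a second sshd installed under /usr/local.
# Run with sudo. SSHD and CONF are the default install paths named above;
# PIDFILE is an assumed location, chosen so no other sshd shares it.
SSHD="${SSHD:-/usr/local/sbin/sshd}"
CONF="${CONF:-/usr/local/etc/sshd_config}"
PIDFILE="${PIDFILE:-/var/run/obfuscated-sshd.pid}"

obfs_running() {
    # True only when the PID file exists and names a live process.
    [ -s "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

obfs_start() {
    if obfs_running; then echo "already running"; return 0; fi
    # -t only parses the config and keys, so a typo is caught before anything listens.
    "$SSHD" -t -f "$CONF" || { echo "config check failed, not starting" >&2; return 1; }
    "$SSHD" -f "$CONF" -o "PidFile=$PIDFILE"
}

obfs_stop() {
    obfs_running || { echo "not running"; return 0; }
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

obfs_status() {
    if obfs_running; then echo "running, pid $(cat "$PIDFILE")"; else echo "stopped"; fi
}

case "${1:-}" in
    start)  obfs_start ;;
    stop)   obfs_stop ;;
    status) obfs_status ;;
esac
```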

Server-side requirements

Anonymous — Fri, 07/24/2009 - 03:53

Thanks a lot for this!

What are the server-side requirements?

Do I just need to have sshd running or do I need more configuration?


Server-side requirements

josh — Mon, 07/27/2009 - 10:39

There are two additional configuration options for sshd_config:

  • ObfuscatedPort

    This option is similar to the Port option and specifies one or more ports
    on which to listen for obfuscated handshake connections. Both this option
    and the Port option may be used in the same configuration file to create a
    configuration with both regular and obfuscated listening ports.

  • ObfuscateKeyword

    Enables the keyword protected obfuscated handshake which prevents initiating
    a handshake to the server without knowing the keyword.

If you are using Secret Socks, and you want to enable obfuscation, then you need to specify the ObfuscateKeyword option.

The sshd_config file should be located in /usr/local/etc. The man page may be useful for configuring the normal options from OpenSSH. You might also want to refer to my example sshd_config.

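A check for the two options described in the reply above, as an added example that is not part of the original comment or of obfuscated-openssh. The function names, the sample port 2222 and the placeholder keyword are constructed; the check assumes one port per Port line.

```shell
#!/bin/sh
# Added example: lint an sshd_config for ObfuscatedPort / ObfuscateKeyword.
# Prints one finding per line; returns 1 if any ERROR was printed.
check_obfs_config() {
    conf=$1
    rc=0
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { key = tolower($1) }                    # sshd_config keywords ignore case
        key == "port"             { plain[$2] = 1 }
        key == "obfuscatedport"   { for (i = 2; i <= NF; i++) obfs[$i] = 1; nobfs++ }
        key == "obfuscatekeyword" && NF >= 2 { haskw = 1 }
        END {
            if (!nobfs) { print "ERROR: no ObfuscatedPort, nothing listens for obfuscated handshakes"; bad = 1 }
            if (nobfs && !haskw) { print "ERROR: ObfuscateKeyword missing, needed by Secret Socks clients using obfuscation"; bad = 1 }
            for (p in obfs) if (p in plain) print "WARN: port " p " is listed as both Port and ObfuscatedPort"
            for (p in plain) print "NOTE: port " p " still accepts the regular, unobfuscated SSH handshake"
            exit bad + 0
        }
    ' "$conf" || rc=1
    # The keyword is a shared secret kept in clear text in this file.
    if grep -qi '^[[:space:]]*ObfuscateKeyword' "$conf" &&
       [ -n "$(find "$conf" -perm -004)" ]; then
        echo "WARN: $conf holds the keyword but is world-readable (chmod 600)"
    fi
    return $rc
}

# Constructed sample config (placeholder port and keyword), linted as a demo.
demo() {
    f=$(mktemp) && chmod 600 "$f"
    printf '%s\n' 'Port 22' 'ObfuscatedPort 2222' 'ObfuscateKeyword <keyword>' > "$f"
    check_obfs_config "$f"
    rm -f "$f"
}

if [ $# -gt 0 ]; then check_obfs_config "$1"; else demo; fi
```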

Snow Leopard

Anonymous — Thu, 09/03/2009 - 11:24

Dear Josh,

Thank you for Secret Socks - it's brill. However it doesn't seem to play nice with Snow Leopard.

Have Apple done something that breaks your code??

I'd look myself at the source if I knew how to, but all I can do is thank others.


Snow Leopard

josh — Thu, 09/03/2009 - 20:35

Thanks.

Actually this one was my fault. There was a programming error that went unnoticed in version 1.0.1. Somehow the program still worked fine even with the error, but only in Leopard. Snow Leopard just brought it to light.

So here is Secret Socks 1.0.2, tested to work under Leopard and Snow Leopard. It's got a new user interface too. I hope you like it.

(Special thanks to Ryan Pfleghaar for help with testing.)


Thank you

Anonymous — Mon, 09/14/2009 - 09:19

Dear Josh,

I'm the same 'anonymous' that posted the message about Snow Leopard above.

New version works great and saves me a LOAD of time - thank you, thank you.

Also new screen is very good.

Paul


Windows executable?

Anonymous — Sun, 09/13/2009 - 17:20

Is there a Windows XP executable for this? If not does anyone know where to get one that has support for obfuscation?

It sounds great!


Windows executable?

josh — Thu, 09/17/2009 - 20:31

Secret Socks is currently only available for Mac OS X. But obfuscated-openssh itself can be compiled on many different platforms. I have not tried this myself, but I imagine that you could do so on Windows with Cygwin. That is, first install Cygwin, then use it to compile obfuscated-openssh from the source code available above. It will be a command line only program though.

Or maybe if enough people ask for it, one of the maintainers of the Windows SSH alternatives will include support for obfuscation.


proxy

Anonymous — Thu, 11/19/2009 - 07:01

Hi,
I very much like your Secret Socks programme. Do you have any plans of integrating the Keychain, so that one would not have to type one's password each time?
