While I’m commenting on interesting stuff on Dave Dribin’s blog, let me point out a couple of things about his post on SSH proxies.
The problem with this technique is DNS. One, it becomes possible to figure out which sites you’re talking to by snooping your DNS traffic, because the name lookups themselves still leave your machine outside the tunnel. Two, if you’re tunnelling into a site instead of out, the internal DNS records you need in order to connect to internal sites are not visible to your non-tunneled DNS mechanism.
There are two solutions for this. The one I favored when I was doing this (trying to gain access to intranet HTTP resources) was to simply set up a Squid proxy on an internal host and port forward to it with ssh bastionhost -L 8080:squidhost:8080. Then point your browser at an HTTP proxy on localhost:8080; Squid does the name resolution on the internal side, so neither DNS problem applies.
The second, more fun way, is to write an HTTP proxy into the ssh client that listens on port 8080 and sets up ad hoc forwards (basically using the same mechanism as the SOCKS proxy, but reading the HTTP request line or Host: header to decide which host and port to connect to). Originally I wrote this as a realtime detection mechanism inside ssh -D, but I think it would be better off as a separate service. Such a patch would never be accepted into openssh mainline, I imagine. (de Raadt turned down my previous patch, though looking back on it, I would too). You can see the patch, and disclaimer, near the bottom of my code page.
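The header-driven dispatch step of that second approach, as an added Python sketch that is not the ssh patch the post refers to: it picks the destination from a CONNECT line, an absolute URL, or the Host: header, hands the unresolved name to whatever connect callable opens the far side (where the real DNS lookup should happen), and relays bytes both ways. destination_from_request, handle_client and the sample hostnames are invented for the example.

```python
import socket
import selectors
from urllib.parse import urlsplit

def destination_from_request(head: bytes):
    """(host, port) for one request head: CONNECT target, then absolute URL,
    then Host: header. The host is returned unresolved so DNS can happen at
    the far end of the tunnel rather than on the local resolver."""
    lines = head.decode("latin-1").split("\r\n")
    method, target = lines[0].split()[:2]
    if method.upper() == "CONNECT":                 # CONNECT host:port HTTP/1.1
        host, _, port = target.rpartition(":")
        return host.strip("[]"), int(port)
    if "://" in target:                             # GET http://host[:port]/path
        url = urlsplit(target)
        return url.hostname, url.port or (443 if url.scheme == "https" else 80)
    for line in lines[1:]:                          # origin-form: use Host: header
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            url = urlsplit("//" + value.strip())
            return url.hostname, url.port or 80
    raise ValueError("cannot determine destination from request head")

def handle_client(client, connect=socket.create_connection):
    """Serve one browser connection. `connect` is a plain TCP connect here;
    in the proxy described above it would open an ssh direct-tcpip channel."""
    head = b""
    while b"\r\n\r\n" not in head:                  # read the full request head
        chunk = client.recv(4096)
        if not chunk:
            return
        head += chunk
    host, port = destination_from_request(head)
    upstream = connect((host, port))                # ad hoc forward to (host, port)
    if head.split(b" ", 1)[0].upper() == b"CONNECT":
        client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        upstream.sendall(head.partition(b"\r\n\r\n")[2])   # bytes already past the head
    else:
        upstream.sendall(head)                              # plain HTTP: replay request
    sel = selectors.DefaultSelector()
    peer = {client: upstream, upstream: client}
    for sock in peer:
        sel.register(sock, selectors.EVENT_READ)
    while True:                                     # relay until either side closes
        for key, _ in sel.select():
            data = key.fileobj.recv(65536)
            if not data:
                client.close(); upstream.close(); return
            peer[key.fileobj].sendall(data)
```

To use it, bind a listening socket on localhost:8080, point the browser at it as an HTTP proxy, and run handle_client in a thread per accepted connection.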
Yeah, I had talked to Dave about the DNS thing when he and I were talking in person. Although I didn’t really provide any solutions to the “not being tracked” problem.