Obfuscated ssh

Since the performance of Great LAN is so frustrating, I have to use some new approaches to evade censorship.
Although with ssh I can circumvent most of the censorship, the DPI equipment interferes my ssh connection all the day. This is terribly annoying.
Rather than reconnect ssh without cease, I finally deployed an obfuscated ssh and enjoying it now.

Here is obfuscated ssh deploy instructions for debian/ubuntu.

If you are using debian, here is self-starting method for debian.

If you are using ubuntu, here is self-starting method for ubuntu.

Some notable security information:
1. Vulnerability Summary for CVE-2012-2110
2. OpenSSL ASN.1 vulnerability: sshd not affected
 

 

The following is setting of client (For Windows)

You can simply download the PoTTY client for windows, and use the following command to connect your obfuscated ssh server.

Usually the above command is work.
Since the obfuscated ssh client PoTTY has not yet auto-reconnect feature.
I can only use batch to implement this feature.
Place following 4 batch files to the PoTTY directory.
(Of course you need to fill out the highlighted lines)

CheckConn.bat keeps checking the tcp connection status in order to confirm whether the ssh connection is disconnected.

So, run CheckConn.bat , then PoTTY will reconnect on connection failure.

At last. Compared with regular ssh's handshake, the obfuscated ssh's is apparently different.

regular ssh handshake:

obfuscated ssh handshake:

  1. Jay
    2012年11月7日 01:37 | #1
    Surfing Google Chrome 23.0.1271.60 Google Chrome 23.0.1271.60 On Mac OS X  10.8.2 Mac OS X 10.8.2

    请问,当我输入
    # /usr/sbin/sshd_ofc -f /etc/ssh/sshd_ofc_config
    结果出现以下错误:
    PEM_read_PrivateKey: mismatch or unknown EVP_PKEY save_type 408
    Could not load host key: /etc/ssh/ssh_host_ecdsa_key
    是什么情况?

    我确定编译安装都没问题,配置也都是按照你的Sample来的,系统是 Ubuntu 12.10

    • dzf
      2012年11月8日 09:18 | #2
      Surfing Firefox 14.0.1 Firefox 14.0.1 On Ubuntu x64 Ubuntu x64

      If you get error message : 'Could not load host key: /etc/ssh/ssh_host_ecdsa_key' when restarting ssh,

      you need to create new ecdsa key with following command
      ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''

      then restart the sshd service
      service ssh restart

      However, if you get 'unknown key type ecdsa' when using ssh-keygen. Then your ssh probably not support ecdsa algorithm...
      Try to use rsa algorithm instead.

  2. 刚子
    2013年2月3日 16:14 | #3
    Surfing Google Chrome 23.0.1271.95 Google Chrome 23.0.1271.95 On Windows XP Windows XP

    跪求centos 服务器的配置啊,怎么能联系到您?

    • dzf
      2013年2月3日 23:53 | #4
      Surfing Firefox 18.0.1 Firefox 18.0.1 On Ubuntu x64 Ubuntu x64

      Here is obfuscated ssh deploy instructions for CentOS, which is very similar to Debian/Ubuntu.

      yum update
      yum -y install gcc
      yum -y install make
      #yum -y install zlib-devel #CentOS x86
      yum -y install zlib-devel.x86_64 #CentOS x64
      #yum -y install openssl-devel #CentOS x86
      yum -y install openssl-devel.x86_64 #CentOS x64

      wget -O ofcssh.tar.gz https://github.com/brl/obfuscated-openssh/tarball/master
      tar zxvf ofcssh.tar.gz
      cd brl-obfuscated-openssh-ca93a2c
      ./configure
      make
      make install

      Configuration is the same as Debian/Ubuntu.

  3. 2013年2月11日 15:37 | #5
    Surfing Firefox 18.0 Firefox 18.0 On Mac OS X  10.8 Mac OS X 10.8

    问一下客户端只能用potty么,用openssh能连 obfuscated ssh server么

    • dzf
      2013年2月11日 16:40 | #6
      Surfing Firefox 18.0 Firefox 18.0 On GNU/Linux GNU/Linux

      Of course, because putty and openssh does not support the -Z parameter.

  4. dzf fans
    2013年3月15日 13:46 | #7
    Surfing Firefox 19.0 Firefox 19.0 On Windows XP Windows XP

    if you encountered the ssh-host-key cannot load error, please regenerate it follow the steps below, it may fix it.

    Step # 1: Delete old ssh host keys

    Login as the root and type the following command:
    # /bin/rm /etc/ssh/ssh_host_*
    Step # 2: Reconfigure OpenSSH Server

    Now create a new set of keys, enter:
    # dpkg-reconfigure openssh-server

    Sample output:

    Creating SSH2 RSA key; this may take some time ...
    Creating SSH2 DSA key; this may take some time ...
    Restarting OpenBSD Secure Shell server: sshd.

  5. dzf fans
    2013年3月15日 14:31 | #8
    Surfing Firefox 19.0 Firefox 19.0 On Windows XP Windows XP

    Bad news!!
    It seems that GameFirstWin may probably "guess" out some sync information of obfuscated handshaking.

    I set up both the client and the server side with obfuscated patched ssh, i t works fine for 2 weeks.
    But today, once I try to connect to my server with PoTTY, the connection timed out, and I got timed out ping feedback.
    After 3 or 5 minutes later, ping to my server reconnected, but it would fail once I try to visit my server again.
    I've no idea how to overcome this right now 🙁

    • dzf
      2013年3月16日 23:14 | #9
      Surfing Firefox 19.0 Firefox 19.0 On Ubuntu x64 Ubuntu x64

      I have deployed obfuscated SSH on several VPS and routers, but none of them is subject to interference from WHYGAAAFBBBWhat. At least, they are working properly so far.

      Did you install some services that it is very easy to identify by GoGoFireWork on the same IP? Like pptp vpn.

      Obfuscated SSH is theoretically a private protocol, as long as the ObfuscateKeyword is not compromised.

      "overcome this" ...... change your VPS IP?
      Or...change your port to a SSL service port, like 563,636 ...
      Details: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

  6. Xw.Y
    2013年3月18日 15:46 | #10
    Surfing Google Chrome 25.0.1364.172 Google Chrome 25.0.1364.172 On Windows 7 x64 Edition Windows 7 x64 Edition

    Thank you for the post. very useful.

  7. dzf fans
    2013年3月19日 18:22 | #11
    Surfing Firefox 19.0 Firefox 19.0 On Windows XP Windows XP

    I found that lots of nodes in Japan have being messing by openGameFamidWyou, the nodes only set up apache server on them will also be interrupted once someone is connecting to. From this perspective of view, it's not ofc-ssh's fault, it's safe 🙂 and thanks for your explanation.

    I've fixed it by switching my node's IP, say goodbye to Japan and say hello to the world 🙂

    By the way, there is another version of ofc-ssh on github at "https://github.com/aligo/obfuscated-openssh", does this version work?

    • dzf
      2013年3月20日 11:14 | #12
      Surfing Firefox 19.0 Firefox 19.0 On Ubuntu x64 Ubuntu x64

      Glad to hear you solved the problem.

      The aligo version of ofc-ssh is based on OpenSSH6.1p1, which is newer than brls.
      And as mentioned in his blog
      http://aligo.me/2013/01/13/obfuscate-six-stucked-hogs/
      and his post
      http://www.v2ex.com/t/52105
      , that version supports MAC.

      But I have not tested that version.

      • dzf fans
        2013年3月26日 17:40 | #13
        Surfing Firefox 19.0 Firefox 19.0 On Windows XP Windows XP

        There was a host_key issue while connection to sshd via PoTTY, someone feeded that back to aligo, and he has fixed it. His latest version of ofc-ssh seems work properly from another user's prespective of view.

        Fight for freedom, and thank you DZF & aligo, you're bravo!

  8. Thanksforyourhelp
    2013年3月21日 08:43 | #14
    Surfing Google Chrome 25.0.1364.172 Google Chrome 25.0.1364.172 On Mac OS X  10.7.4 Mac OS X 10.7.4

    Thanks. Since the hiGirl-ifF-wwWill came out, I kind feel insecure about some softwares from Chinese, although I am Chinese too, really sucks! I would rather believe Hong-Kongnese or Taiwanese at this point, am I crazy?!! sad. I knew the new version of openSSH client support Obfuscated SSH too, your article is good if you can add some about how to do from Mac or Linux with openSSH client, would be great.

    • dzf
      2013年3月21日 17:37 | #15
      Surfing Firefox 19.0 Firefox 19.0 On Ubuntu x64 Ubuntu x64

      "I would rather believe Hong-Kongnese or Taiwanese (software)", Agree.
      I don't have a Mac, so I don't know how to use SSH on Mac.
      But, on Linux, there are many ways to run SSH proxy. You can install proxychains and obfuscated ssh and autossh, etc.

      sudo apt-get update
      sudo apt-get install proxychains
      sudo sed -i '/^socks4/d' /etc/proxychains.conf
      sudo sed -i '/^socks5/d' /etc/proxychains.conf
      sudo sed -i '$a socks5 127.0.0.1 1080' /etc/proxychains.conf
      ssh -N $User@$ServerIP -p $Port -v -i id_rsa -C -D 1080 -z -Z yourkeyword
      proxychains firefox

  9. aaviskaar
    2013年4月14日 21:47 | #17
    Surfing Firefox 20.0 Firefox 20.0 On Windows 8 x64 Edition Windows 8 x64 Edition

    Hi

    Thanks for your great blog 1st.

    But I am facing one problem, when i try to run the connect using Potty.

    I am getting an "server unexpectedly closed connection" message.

    What should I do

    Thanks in advance

  10. aaviskaar
    2013年4月17日 23:44 | #19
    Surfing Firefox 20.0 Firefox 20.0 On Windows 8 x64 Edition Windows 8 x64 Edition

    Hi thank you for your quick response. I myself has done some debugging practice and get the following things

    ssh -p 1234 -vvv ip
    OpenSSH_5.9p1, OpenSSL 0.9.8o 01 Jun 2010
    debug1: Reading configuration data /usr/local/etc/ssh_config
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to 127.0.0.1 [127.0.0.1] port 1234.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/id_rsa type -1
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    ssh_exchange_identification: Connection closed by remote host

    Please note that my /etc/hosts.allow has the following entry sshd: ALL
    and /etc/hosts.deny has none but the default values.

    We don't want the public key thing we just want to login with username and password like you have explained in this blog.

    My system is Debian 6-64bit.

    Please suggest me what should I do to make the server working.

    Thanks in advance.

    Regards

    Aaviskaar

    • dzf
      2013年4月18日 22:52 | #20
      Surfing Firefox 20.0 Firefox 20.0 On Ubuntu x64 Ubuntu x64

      Hi,
      aaviskaar. You probably still use system's ssh client, which dose not supports obfuscation. And obviously you have not add the -z parameter. So, ssh handshake is unsuccessful. You need to use a new ssh client that supports obfuscation.

  11. aaviskaar
    2013年4月18日 11:13 | #21
    Surfing Firefox 20.0 Firefox 20.0 On Windows 8 x64 Edition Windows 8 x64 Edition

    Hi

    Again I am adding some new information please look at them and help us in resolving the issue.

    We used PoTTY with the following command.

    PoTTY.exe -N -ssh user@ip -P 1234 -pw password -C -z -Z keyword -D 127.0.0.1:9998

    We changed the port number to 9998( also tried with 1080)

    Now the problems are-

    Sometimes the server works I mean a connection is established,but very rarely I have been able to do so for once only. During that time socks proxy 2 127.0.0.1:9998 worked fine.

    Most of the time, the PoTTY window opens with nothing and after a few minutes one error message is being showed saying "Server unexpectedly closed network connection"

    The problem should not be an ISP or firewall issue because using the same ISP and firewall we are able to setup Tunneling once from the same PC.

    We have also tried with different ISPs and from different countries but again we failed and got the same error message.

    The 1234 port is open in the server for outside access.

    What should be the problem and what to do for fixing it?

    Again thanks in advance for your kind help.

    Regards

    Aaviskaar

    • dzf
      2013年4月18日 23:08 | #22
      Surfing Firefox 20.0 Firefox 20.0 On Ubuntu x64 Ubuntu x64

      Hi,
      Can you get reply by using the Ping command? If so, then telnet to your server by running "telnet ServerIP 1234" command. If telnet is successful, then the obfuscated ssh server may work properly.
      Otherwise, your obfuscated ssh server or your network between server and client should be something wrong.

  12. Aaviskaar
    2013年4月28日 10:40 | #23
    Surfing Firefox 16.0 Firefox 16.0 On Ubuntu x64 Ubuntu x64

    Hi,

    Thank you for your reply. We have fixed the issue. Though it is not a valid reason, but it worked with plonk.exe without any issues and we are currently using it. Thank you for your kind help.

    We are using the following command now

    plonk -P 1234 -l user -D 1080 -N -z -Z keyword xx.xx.xx.xx

    it asks for the password for a the user, we type it and it works fine. Though I want to ask you that is there any way to embed the password in the plonk command like you have used with PoTTY? I have searched for plonk manual but didn't found it anywhere.

    Secondly I want to create the tunnel from a LAN gateway(Maybe windows or Linux) so that the gateway accepts requests from all ports and sends it through the tunnel. Is it possible? Linux or Windows, both solutions are OK.

    If possible please help us in doing it.

    Thanks for your great blog again, this is the only one blog available for step by step obfuscated ssh support.

    Regards

    Neelim

    • dzf
      2013年4月29日 09:45 | #24
      Surfing Firefox 20.0 Firefox 20.0 On Ubuntu x64 Ubuntu x64

      1.
      C:\>plonk

      PoTTY Link: command-line connection utility
      Mr. Hinky Dink's build, Aug 26 2011 23:23:10
      Usage: plonk [options] [user@]host [command]
      ("host" can also be a PuTTY saved session name)
      Options:
      -V print version information and exit
      -pgpfp print PGP key fingerprints and exit
      -v show verbose messages
      -load sessname Load settings from saved session
      -ssh -telnet -rlogin -raw -serial
      force use of a particular protocol
      -P port connect to specified port
      -l user connect with specified username
      -batch disable all interactive prompts
      The following options only apply to SSH connections:
      -pw passw login with specified password
      -D [listen-IP:]listen-port
      Dynamic SOCKS-based port forwarding
      -L [listen-IP:]listen-port:host:port
      Forward local port to remote address
      -R [listen-IP:]listen-port:host:port
      Forward remote port to local address
      -X -x enable / disable X11 forwarding
      -A -a enable / disable agent forwarding
      -t -T enable / disable pty allocation
      -1 -2 force use of particular protocol version
      -4 -6 force use of IPv4 or IPv6
      -C enable compression
      -i key private key file for authentication
      -noagent disable use of Pogeant
      -agent enable use of Pogeant
      -m file read remote command(s) from file
      -s remote command is an SSH subsystem (SSH-2 only)
      -N don't start a shell/command (SSH-2 only)
      -nc host:port
      open tunnel in place of session (SSH-2 only)
      -z obfuscate key exchange (SSH-2 only)
      -Z keywd obfuscate with keyword (SSH-2 only)
      -sercfg configuration-string (e.g. 19200,8,n,1,X)
      Specify the serial configuration (serial only)
      ------------------------------------------------------------------------
      So, -pw parameter will meet your demand.

      2.
      Do you mean that you want to use SSH like using VPN?
      If so, there are some ways to do it.
      In Windows, you can use Proxifier to proxy any ports and any applications you want, and even global proxy.
      In Linux, usually use ProxyChain.
      sudo apt-get install proxychains
      sudo sed -i '/^socks4/d' /etc/proxychains.conf
      sudo sed -i '/^socks5/d' /etc/proxychains.conf
      sudo sed -i '$a socks5 127.0.0.1 1080' /etc/proxychains.conf
      ssh -N $User@$ServerIP -p $Port -v -i id_rsa -C -D 1080 -z -Z yourkeyword
      proxychains firefox

    • aaviskaar
      2013年4月29日 20:48 | #25
      Surfing Firefox 20.0 Firefox 20.0 On Windows 8 x64 Edition Windows 8 x64 Edition

      Hi

      Thanks for your great reply.

      First one worked for us. Thanks again.

      Secondly, we don't need an VPN exactly, Actually what we want is that, for our LAN, it is not a good idea to allow the users to connect from their PC's as they are not technically so much good.

      What we want to do is that,we will have a local gateway with internet connection. in one interface it will listen to requests from all ports and in the other interface it will create a obfuscated SSH tunnel, using that tunnel it will send all network traffic received from the other hosts.

      We can use windows or Linux.

      Will proxychain work in this configuration or I have to use something else. Please answer this question.

      Thanks

      Aaviskaar

      • dzf
        2013年5月1日 13:02 | #26
        Surfing Firefox 20.0 Firefox 20.0 On Ubuntu x64 Ubuntu x64

        Hi,
        Do you mean that all LAN users use that local gateway to connect your local server first, and then the local server run a obfuscated ssh client and setup a NAT service?
        I never done that before.

        But, a alternative method is running a obfuscated ssh client( -D 0.0.0.0:1080 ) in your local server, then all LAN users connect the server's socks proxy. LAN users can use Proxifier(Windows) or Proxychains(Linux) to proxy applications without proxy setting options.

        • Aaviskaar
          2013年5月1日 13:14 | #27
          Surfing Firefox 20.0 Firefox 20.0 On Windows 8 x64 Edition Windows 8 x64 Edition

          Thanks for your reply first.

          Yes all LAN users use that local gateway to connect my local server first, and then the local server run a obfuscated ssh client and setup a NAT service. This is exactly what I want.

          Theoretically it is possible with iptables, but I do not know it will work or not. However with the -D 0.0.0.0:1080 option i will try to setup a local proxy and then I will use NAT to redirect all traffics to that server.

          I will let you know if it works or not.

          I have some VOIP devices that can not use a proxy so I have to setup a gateway.

          However if you have any suggestions please suggest me.

          You have helped us very much.

          Thanks Again

  13. Amir
    2013年4月30日 22:14 | #28
    Surfing Firefox 20.0 Firefox 20.0 On Windows 8 x64 Edition Windows 8 x64 Edition

    Hi Thanks for your great blog first

    We have successfully installed the SSH+using your guide in Debian 6.07 and using it now. But when we tried to install it in Debian 6.05 and Ubuntu 12.04 we got some issues. We installed all dependencies and configured as you have said. But when we try to start the server using the command

    /usr/local/sbin/sshd -f /usr/local/etc/sshd_config

    It works perfectly with Debian 6.07, it do not show any output but the port starts listening and we can do SSH+ tunneling

    But when we use the same command with Debian 6.07 and Ubuntu 12.04 we do not get any output like the above one but the SSH+ service is not started. We have also done port scanning but the port for SSH+ is not opened.
    What should we do to solve this issue.

    Thanks Again

    Amir

    • dzf
      2013年5月1日 11:37 | #29
      Surfing Firefox 20.0 Firefox 20.0 On Ubuntu x64 Ubuntu x64

      Hi,
      run "netstat -an", can you see sshd_ofc binding to the port 1234?
      If so, then the SSH+ service is working properly. you need to check the firewall and iptables settings if they block the port 1234.

      • Amir
        2013年5月1日 13:04 | #30
        Surfing Firefox 20.0 Firefox 20.0 On Windows 8 x64 Edition Windows 8 x64 Edition

        Thanks for your reply. After testing many things with different versions of Ubuntu and Debian we figured out that the problem was not with the OS.

        SSH+ server is working with ports starting from 1025 to 1234 but when we try to use any port after 1234 it do not work. The netstat -an or nmap do not show any open port for SSH+

        When we start the server with any port exceeding 1234 as Obfuscated port then the server starts without any error but the port is not opened. Though it is not a firewall issue as far as I know,I have tried with opening the port on firewall then started the server. the port is opened as per nmap scan result but the server didn't listened on the port.

        please help us in fixing the issue.

        • dzf
          2013年5月1日 13:30 | #31
          Surfing Firefox 20.0 Firefox 20.0 On Ubuntu x64 Ubuntu x64

          "SSH+ server is working with ports starting from 1025 to 1234", How is this possible??

          I have deployed many obfuscated SSH services on several VPS and routers, I used the port from 9xx to 3xxxx, and they are working properly so far.

          • Amir
            2013年5月4日 14:56 | #32
            Surfing Firefox 20.0 Firefox 20.0 On Windows 7 x64 Edition Windows 7 x64 Edition

            Yeah it sounds strange, even i am unable to believe this. However i have rented some other VPS and the port issue is resolved there. We are able to use any open ports here.

            I have another question for you, suppose I have a SSH+ and SSH server running in the same system. How can I find the active SSH+ users in a particular moment?

            I also want to know the failed login attempts of SSH+, the IP details of logged in users etc.

            Thanks in advance

            Regards

            Amir

            • dzf
              2013年5月4日 23:05 | #33
              Surfing Firefox 20.0 Firefox 20.0 On Ubuntu x64 Ubuntu x64

              Get list of online SSH(SSH+) users:
              netstat -an|grep :22
              w
              who

              Failed login attempts of SSH(SSH+):
              Redhat/Fedora:
              cat /var/log/secure|awk '/Failed/{print $(NF-3)}'|sort|uniq -c|awk '{print $2"="$1;}'

              Debian/Ubuntu/other:
              cat /var/log/auth.log|awk '/Failed/{print $(NF-3)}'|sort|uniq -c|awk '{print $2"="$1;}'

  14. John
    2013年5月6日 15:50 | #34
    Surfing Firefox 20.0 Firefox 20.0 On Windows 8 x64 Edition Windows 8 x64 Edition

    Dear Sir

    I am able to setup some SSH+ servers for my friend who lives in a country where everything is blocked, the credit goes to your blog.

    But unfortunately for last few days we are facing connection drop issues on SSH+. After a 2-5 minutes session the ssh+ connection drops saying FATAL ERROR: NETWORK ERROR: SOFTWARE CLOSED CONNECTION ABORT.
    However we are able to use ssh+ from my country without any problem and connection drop issue. I think the government has found some way to detect ssh+ packets. At the same time Psiphon 3 is also not working. We have played with ports but that didn't worked. Even we changed ssh+ to 22 and ssh to something else. It is working from my country but not from his country. I think the firewall inspects the packet pattern not the port.

    What will be our next step to fool the new inspection technique.

    Your help will be greatly appreciated.

    Thanks in Advance

    John

    • dzf
      2013年5月6日 17:34 | #35
      Surfing Firefox 20.0 Firefox 20.0 On Ubuntu x64 Ubuntu x64

      Hi,
      Psiphon is blocked in many country because too many people use Psiphon.
      SSH+ is theoretically a private protocol, as long as the ObfuscateKeyword is not compromised.

      You can change your port to a SSL service port, such as 443,563,636 ...
      Details: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
      Or you could consider using obfsproxy, ShadowSocks, etc.

      Of course, no matter what technology you use, if your proxy services have too many users or too much traffic, your proxy services will be blocked. It's just a matter of time.

  15. max
    2013年9月17日 01:31 | #36
    Surfing Google Chrome 28.0.1500.95 Google Chrome 28.0.1500.95 On GNU/Linux x64 GNU/Linux x64

    Hi, Sir.

    I have added SELinux support and set 'UsePAM yes" for my obfuscate openssh, because I think it would provide as much as security of official openssh-server.

    But I suffered error like "Sep 16 16:30:53 xxx sshd_ofc[11002]: Failed publickey for user from xxx.xx.xxx.xx port 6287 ssh2" and selinux error "Sep 16 17:03:47 xxx sshd_ofc[11188]: fatal: ssh_selinux_getctxbyname: Failed to get default SELinux security context for user (in enforcing mode)" from /var/log/secure

    I want to secure my obfuscate ssh server as much as possible, rather than giving up most security feature (selinux, pam, etc) just for obfuscated ssh connection.

    Do you have any idea how to achieve it ? I'm looking forward to any hints on how to do that.

    Thank you!

    • dzf
      2014年2月20日 17:43 | #37
      Surfing Internet Explorer 11.0 Internet Explorer 11.0 On Windows 8.1 Windows 8.1

      Sorry for my late reply.
      I have been quite busy over the past few months.

      When run ./configure, there are some pam options disabled.
      ./configure | grep pam
      checking pam/pam_appl.h usability... no
      checking pam/pam_appl.h presence... no
      checking for pam/pam_appl.h... no
      checking security/pam_appl.h usability... yes
      checking security/pam_appl.h presence... yes
      checking for security/pam_appl.h... yes
      PAM support: no

      Then I read some source code, I found this

      /* Define to 1 if you have the header file. */
      #undef HAVE_SECURITY_PAM_APPL_H
      /* Define to 1 if you have the header file. */
      #define HAVE_PAM_PAM_APPL_H 1

      in "config.h.in" file.

      And the pam_appl.h is missing.

      To get pam_appl.h, just run "apt-get install libpam0g-dev" in debian or "yum install pam-devel" in centos, then you can get it in /usr/include/security/pam_appl.h

      Then add pam_appl.h to brl-obfuscated-openssh-ca93a2c/security/pam_appl.h
      and
      brl-obfuscated-openssh-ca93a2c/pam/pam_appl.h
      and
      #define HAVE_SECURITY_PAM_APPL_H 1
      #define HAVE_PAM_PAM_APPL_H 1

      Hope this may help you.

  16. 2013年12月17日 20:14 | #38
    Surfing Google Chrome 31.0.1650.63 Google Chrome 31.0.1650.63 On Mac OS X  10.9.0 Mac OS X 10.9.0

    tanks Bro, i reallly is useful

  17. Rainier
    2014年8月17日 20:52 | #39
    Surfing Google Chrome 36.0.1985.125 Google Chrome 36.0.1985.125 On Windows 7 x64 Edition Windows 7 x64 Edition

    这个potty用上以后,流量只要一大就会断线,目测potty有bug

  18. moot
    2015年2月21日 06:08 | #40
    Surfing Safari 8.0.3 Safari 8.0.3 On Mac OS X  10.10.2 Mac OS X 10.10.2

    If you get these errors


    # /usr/sbin/sshd_ofc -f /etc/ssh/sshd_ofc_config
    PEM_read_PrivateKey: mismatch or unknown EVP_PKEY save_type 408
    Could not load host key: /etc/ssh/ssh_host_ecdsa_key
    Could not load host key: /etc/ssh/ssh_host_ed25519_key

    Comment these lines in your sshd_config.


    #HostKey /etc/ssh/ssh_host_ecdsa_key
    #HostKey /etc/ssh/ssh_host_ed25519_key

  19. rabebo
    2015年2月28日 22:23 | #41
    Surfing Internet Explorer 11.0 Internet Explorer 11.0 On Windows 7 Windows 7

    Hello Sir,
    At first I would like to thank you for your great blog the instructions are clear and very helpful.
    I have tried to make a ssh+ connection on two different ISPs
    The first one Potty gives a black screen for 1 minute then it says: Software caused connection abort
    Plonk is the same: FATAL ERROR: Network error: Software caused connection abort
    When trying to ping in that ISP we get an ip address but no received packages so I guess that the DNS is working fine.
    -The second ISP, potty connects successfully then after a while a message pops up :
    “server sent disconnect message
    type 2 (protocole error):
    received oclose for nonexistent channel 3145224”
    When I checked the auth.log that time I get:
    “channel_by_id: 0: bad id: channel free
    Disconnecting: Received oclose for nonexistent channel 0.”
    Could you please tell me what to do to solve these problems?
    Thanks in advance

    • dzf
      2015年3月2日 10:38 | #42
      Surfing Firefox 31.0 Firefox 31.0 On Windows 7 x64 Edition Windows 7 x64 Edition

      Hi,

      For the first case, when you running "netstat -an" on your first VPS, can you see
      sshd_ofc binding to the port 1234(or the port you specified) ?
      if not, your configuration on server side may have some errors.
      if so, since you got "Software caused connection abort" and "no received packages", I think the network between your client and VPS may be unstable.
      (Or network is interfered by your Internet Service Provider? )

      The second case, that's some weird. I think you have to check your configurations, including server side and client side.

  20. anonymousz
    2015年4月3日 10:03 | #43
    Surfing Google Chrome 41.0.2272.101 Google Chrome 41.0.2272.101 On Windows 7 Windows 7

    It is significantly slow when using ofc-ssh.
    How can I imporve the speed?

    • a
      2015年4月3日 14:27 | #44
      Surfing Google Chrome 32.0.1664.3 Google Chrome 32.0.1664.3 On Mac OS X  10.9.0 Mac OS X 10.9.0

      If you use a very special port for ofc-ssh, perhaps your ISP will lower your traffic priority due to the QoS policy.

      • anonymousz
        2015年4月4日 12:40 | #45
        Surfing Google Chrome 41.0.2272.101 Google Chrome 41.0.2272.101 On Windows 7 x64 Edition Windows 7 x64 Edition

        Thanks.
        After change port to a regular one and enable compression explicitly.
        Speed improved.

发表评论

XHTML: 您可以使用这些标签: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>
*