@guillochon
Last active March 8, 2024 23:56
Instructions on how to SSH on airplane WiFi that blocks port 22

Using SSH through airplane WiFi that blocks port 22

Many aircraft that offer WiFi only permit access to machines on ports 80 and 443, the standard HTTP(S) ports. If you want to SSH, you have to set up an intermediate machine that hosts the SSH service on either port 80 or 443. An easy (and free) way to do this is via a Google free-tier micro instance. These instances have a 1 GB transfer ceiling per month, but so long as you are only transmitting textual data a few days per month, this limit should not be easily exceeded.

Set up one of these VMs via the Google Cloud console, and select CentOS 7 as the disk image. Make sure that you allow HTTP/HTTPS traffic on the instance (the two checkboxes in the Firewalls section of the VM settings). Optionally, set a static external IP address for your server in the VM config, in case you don't want to look up the IP each time. Then SSH into the new VM (the IP address will be listed as the "external IP" in the list of instances) and edit your /etc/ssh/sshd_config file, changing the Port 22 line to Port 80.

By default, SELinux only allows the SSH service to use port 22, so you have to change your SELinux permissions as well. Enter the following commands into the VM:

sudo su
semanage port -m -t ssh_port_t -p tcp 80
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --reload
systemctl restart sshd.service

Make sure that SSH is listening on port 80:

ss -tnlp | grep ssh

Example output:

LISTEN     0      128          *:80                       *:*                   users:(("sshd",pid=1895,fd=3))
LISTEN     0      128         :::80                      :::*                   users:(("sshd",pid=1895,fd=4))

If so, log out and attempt to SSH into your server on the new port:

ssh 123.45.67.89 -p80

And you're done! Happy SSHing!
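
The three server-side changes above (the Port line, the SELinux label and the listening socket) can be cross-checked from captured command output. This is an added example, not part of the original gist: the function names and the sshd_config and semanage samples are constructed, and the ss sample is the example output shown above.

```shell
#!/bin/sh
# Added example (not from the gist): offline check of the three changes above.
# Feed it captured text from the VM; the samples below are constructed,
# except SAMPLE_SS, which is the example output shown in the gist.

SAMPLE_CFG='#Port 22
Port 80'
SAMPLE_SEMANAGE='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      80, 22'
SAMPLE_SS='LISTEN     0      128          *:80                       *:*                   users:(("sshd",pid=1895,fd=3))
LISTEN     0      128         :::80                      :::*                   users:(("sshd",pid=1895,fd=4))'

# Ports from uncommented Port directives (sshd keywords are case-insensitive).
config_ports() {  # $1 = sshd_config text
  printf '%s\n' "$1" | awk 'tolower($1) == "port" { print $2 }'
}

# TCP ports carrying the ssh_port_t label in `semanage port -l` output.
selinux_ssh_ports() {  # $1 = semanage port -l text
  printf '%s\n' "$1" | awk '$1 == "ssh_port_t" && $2 == "tcp" {
    for (i = 3; i <= NF; i++) { gsub(",", "", $i); print $i } }'
}

# Unique process names with a LISTEN socket on the port in `ss -tnlp` output.
listeners_on_port() {  # $1 = ss text, $2 = port
  printf '%s\n' "$1" | awk -v p="$2" '$1 == "LISTEN" {
    n = split($4, a, ":")                       # handles *:80 and :::80
    if (a[n] == p && match($NF, /\(\("[^"]+"/))
      print substr($NF, RSTART + 3, RLENGTH - 4)
  }' | sort -u
}

# Prints one line per failed step; returns 0 only when all three agree.
check_setup() {  # $1 = config, $2 = semanage, $3 = ss, $4 = port
  _rc=0
  config_ports "$1" | grep -qx "$4" || { echo "sshd_config: no Port $4 line"; _rc=1; }
  selinux_ssh_ports "$2" | grep -qx "$4" || { echo "selinux: $4 not labelled ssh_port_t"; _rc=1; }
  _own=$(listeners_on_port "$3" "$4")
  [ "$_own" = "sshd" ] || { echo "listener: port $4 held by '${_own:-nothing}'"; _rc=1; }
  return "$_rc"
}

check_setup "$SAMPLE_CFG" "$SAMPLE_SEMANAGE" "$SAMPLE_SS" 80 && echo "port 80: all checks pass"
```

The listener check needs the process column, which `ss -tnlp` only fills in when run as root.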

@MortenVinding

> I wasn't able to set it up at the time, but based on my observations, I think tunnelling ssh inside TLS on port 443 would work. I set up these configs on my server today:
>
> https://github.com/slingamn/inconveniences/tree/master/system/ssh_tls_proxy

Excellent!
Worked like a charm.

I did get a little confused about why you would need stunnel and the Go program on the client side, so that inspired me to look at OpenSSL,
and indeed it seems to work with simple OpenSSL s_client piping to stdin/out.

I have made a fork with the changes here: https://github.com/MortenVinding/ssh-ssl-tls-tunnel

@slingamn

Oh, that's very nice, thanks! I always thought of s_client as brittle but it's actually probably fine as long as either -ign_eof or -quiet is enabled.

@MortenVinding

> Oh, that's very nice, thanks! I always thought of s_client as brittle but it's actually probably fine as long as either -ign_eof or -quiet is enabled.

Yes, s_client disconnected almost immediately without it,
but it looks stable with -ign_eof.
I didn't try -quiet, but it seems to imply -ign_eof without any session info, so it might actually be more suited here.
