Use the following BASH command-line instructions at your own risk!
I. Setting up a local SOCKS proxy for Safari on a single admin user account
# first enable remote login on your admin user account: System Preferences > Sharing > Services > Remote Login # test if remote login is enabled sudo launchctl list | grep com.openssh.sshd # com.openssh.sshd defaults read /System/Library/LaunchDaemons/ssh netstat -an | awk '/\*\.22[[:space:]]+.*LISTEN$/ {print}' # tcp4 ... *.22 ... LISTEN service --test-if-available ssh; echo $? # 0 service --test-if-configured-on ssh; echo $? # 0 # test if sshd daemon supports tcp_wrappers # cf. http://www.la-samhna.de/library/brutessh.html#5 otool -L /usr/sbin/sshd | grep libwrap # then make sure you are connected to the internet ping -c 10 checkip.dyndns.org curl -L -s --max-time 10 http://checkip.dyndns.org | grep -Eo -m 1 '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' # then set up the local SOCKS Proxy # cf. http://macapper.com/2007/05/22/advanced-os-x-secure-tunneling-via-ssh #ssh -q -D 8080 -f -C -N -x $(whoami)@$(ipconfig getifaddr $(route -n get default | awk '/interface:/ { print $2 }') 2>/dev/null) #ssh -v -D 8080 -f -C -N -x $(whoami)@$(ipconfig getifaddr $(route -n get default | awk '/interface:/ { print $2 }') 2>/dev/null) ssh -q -D 8080 -f -C -N -x $(whoami)@127.0.0.1 # cf. AllowUsers $(whoami)@127.0.0.1 below # ... enter your user account login password # SSH Without a Password # http://www.csua.berkeley.edu/~ranga/notes/ssh_nopass.html # http://homepage.mac.com/kelleherk/iblog/C1901548470/E20061128145420/index.html # RSA mkdir -p $HOME/.ssh chmod -R 0700 $HOME/.ssh ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P '' cp -p $HOME/.ssh/id_rsa.pub $HOME/.ssh/authorized_keys2 chmod 0600 $HOME/.ssh/authorized_keys2 srm -v $HOME/.ssh/id_rsa.pub #ls -ld $HOME/.ssh #ls -l $HOME/.ssh/authorized_keys2 # encrypt the known_hosts file ssh-keygen -H -f $HOME/.ssh/known_hosts srm -v $HOME/.ssh/known_hosts.old chmod 0600 $HOME/.ssh/known_hosts # securing SSH # See: # - man sshd_config # - sudo nano /private/etc/sshd_config # - http://switch.richard5.net/2006/09/24/securing-your-ssh-access/ # - http://www.mactech.com/articles/mactech/Vol.21/21.02/Security/index.html # - Mac OS X Security Configuration Guides at http://www.apple.com/server/documentation/ sudo sh -c " echo ' # added Protocol 2 PermitRootLogin no PermitEmptyPasswords no ChallengeResponseAuthentication no PasswordAuthentication no UsePAM no PubkeyAuthentication yes AuthorizedKeysFile $HOME/.ssh/authorized_keys2 #KeepAlive yes MaxAuthTries 3 LoginGraceTime 40 LogLevel INFO # QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG #AllowUsers $(whoami) # add more users if you like: ~" # then open Safari ... open -a Safari # ... and go to: # Safari > Preferences ... > Advanced > Proxies: Change Settings ... # > Select a proxy server to configure: SOCKS Proxy > SOCKS Proxy Server: 127.0.0.1 : 8080 > Apply Now sudo reboot # ... or just restart: System Preferences > Sharing > Services > Remote Login ssh -q -D 8080 -f -C -N -x $(whoami)@127.0.0.1 # should now work without password; cf. man ssh_config for configuring SSH shortcuts # check local SOCKS Proxy setup scutil --proxy # SOCKSProxy : 127.0.0.1, SOCKSEnable : 1, SOCKSPort : 8080 sudo ln -s "/Applications/Utilities/Network Utility.app/Contents/Resources/stroke" /bin/portscan portscan localhost 8000 8100 # Open TCP Port: 8080 http-alt lsof -i :22 -P lsof -i :8080 -P lsof -i TCP -P lsof -U -P # list UNIX domain socket files sudo lsof -U -P netstat -n -f inet #-------------------------- # now you can, for example, test if a website can discover your real internal IP address provided your computer # is behind a DSL router and you have a firewall running (cf. http://textsnippets.com/posts/show/1267) # cf. http://www.auditmypc.com/internal-ip.html # first get your internal IP address ipconfig getifaddr $(route -n get default | awk '/interface:/ { print $2 }') # note: to run the 'real IP' test you first have to enable Plug-ins, Java & JavaScript in Safari # Safari > Preferences ... > Security > Enable plug-ins & Enable Java & Enable JavaScript open -a Safari http://www.auditmypc.com/software_audit.asp (in Terminal.app) or dscl . -list /Users AllowUsers $(whoami)@127.0.0.1 # cf. ssh -q -D 8080 -f -C -N -x $(whoami)@127.0.0.1 above #AllowUsers $(whoami)@$(ipconfig getifaddr $(route -n get default | awk '/interface:/ { print $2 }') 2>/dev/null) # requires internet connection #AllowGroups sshusersgroup # cf. dscl . -list /Groups; groups ' >> /private/etc/sshd_config
II. Setting up a local SOCKS proxy for Safari using two different user accounts on the same computer
# The following BASH command-line instructions assume you have a regular user account # and an admin user account on the same computer! # First, log in to the regular user account regular_user_name="$(whoami)" regular_user_path="$HOME" echo $regular_user_name $regular_user_path # note down the output from the echo command # log out from the regular user account # Then log in to the admin account for the following instructions! # first make sure you are connected to the internet ping -c 10 checkip.dyndns.org curl -L -s --max-time 10 http://checkip.dyndns.org | grep -Eo -m 1 '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' # get internal IP address & set regular user account information regular_user_name="...insert information from regular user account above..." regular_user_path="...insert information from regular user account above..." internal_IP_address=$(ipconfig getifaddr $(route -n get default | awk '/interface:/ { print $2 }')) echo $internal_IP_address $regular_user_name $regular_user_path # enable remote login: System Preferences > Sharing > Services > Remote Login # test if remote login is enabled service --test-if-available ssh; echo $? # 0 service --test-if-configured-on ssh; echo $? # 0 # SSH Without a Password # admin user account # RSA mkdir -p $HOME/.ssh chmod -R 0700 $HOME/.ssh ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P '' cp -p $HOME/.ssh/id_rsa.pub $HOME/.ssh/authorized_keys2 chmod 0600 $HOME/.ssh/authorized_keys2 srm -v $HOME/.ssh/id_rsa.pub ls -ld $HOME/.ssh ls -l $HOME/.ssh # regular user account sudo mkdir -p $regular_user_path/.ssh sudo chmod -R 0700 $regular_user_path/.ssh sudo cp $HOME/.ssh/authorized_keys2 $regular_user_path/.ssh/authorized_keys2 #scp ~/.ssh/authorized_keys2 $regular_user_name@$internal_IP_address:~/.ssh/authorized_keys2 sudo chown -R $regular_user_name:$regular_user_name $regular_user_path/.ssh sudo chmod 0600 $regular_user_path/.ssh/authorized_keys2 sudo ls -l $regular_user_path/.ssh sudo ls -ld $regular_user_path/.ssh # delete all files in ~/.ssh on both user accounts #sudo find $regular_user_path/.ssh -type f -exec srm -fv "{}" \; #find $HOME/.ssh -type f -exec srm -fv "{}" \; # log in to regular user account via SSH # enter admin account login password if prompted ssh -i $HOME/.ssh/id_rsa $regular_user_name@$internal_IP_address exit # encrypt the known_hosts file ssh-keygen -H -f $HOME/.ssh/known_hosts srm -v $HOME/.ssh/known_hosts.old chmod 0600 $HOME/.ssh/known_hosts ssh -i $HOME/.ssh/id_rsa $regular_user_name@$internal_IP_address # test ls exit # securing SSH # man sshd_config # sudo nano /private/etc/sshd_config sudo sh -c " echo ' # added Protocol 2 PermitRootLogin no PermitEmptyPasswords no ChallengeResponseAuthentication no PasswordAuthentication no UsePAM no PubkeyAuthentication yes #AuthorizedKeysFile $regular_user_path/.ssh/authorized_keys2 #KeepAlive yes MaxAuthTries 3 #PermitUserEnvironment yes # requires ~/.ssh/environment file; see man ssh and man sshd_config LoginGraceTime 40 LogLevel INFO # QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG #AllowUsers $(whoami) $regular_user_name AllowUsers $(whoami)@$internal_IP_address $regular_user_name@$internal_IP_address ' >> /private/etc/sshd_config " # set up the local SOCKS Proxy # enter admin account login password if prompted ssh -q -D 8080 -f -C -N -x $regular_user_name@$internal_IP_address open -a Safari # Safari > Preferences ... > Advanced > Proxies: Change Settings ... # > Select a proxy server to configure: SOCKS Proxy > SOCKS Proxy Server: 127.0.0.1 : 8080 > Apply Now # restart sshd: System Preferences > Sharing > Services > Remote Login # check local SOCKS Proxy setup scutil --proxy # SOCKSProxy : 127.0.0.1, SOCKSEnable : 1, SOCKSPort : 8080 portscan localhost 8000 8100 # Open TCP Port: 8080 http-alt ssh -p 22 $regular_user_name@$internal_IP_address ls ssh -l $regular_user_name $internal_IP_address 'echo hello world; whoami; hostname; logname' # test privacy of internal IP address open -a Safari http://www.auditmypc.com/software_audit.asp
Further information on SSH & Mac OS X:
- Getting started with SSH
- Remote Login With SSH
- SSH Without A Password
- Exit Your SSH Session Without Killing Your Job
- SSH on Mac OS X
- SSH
- ssh tunnelling
- ssh X forwarding debugging
- Tutorial: SSH To Alternate Ports and Enabling Multiple SSH Daemons
- Route All Your Internet Traffic Through a Proxy
- SSH Notes
- SSH Host Key Protection
- Setup the SSH server to use keys for authentication
- Auto-closing SSH tunnels
- SSH Tunnelling (Port Forwarding)
- Defending against brute force ssh attacks
- SSH + Screen = Easy Administration
- SSH SOCKS Proxy From Behind a Gateway
- nylon - flexible Unix proxy server with mirror mode; sudo port install nylon
- tsocks - transparent SOCKS proxying library; sudo port install tsocks