Using OpenSSH through a SOCKS compatible PROXY on your LAN

This guide has been written by J. Grant. 2002-04-15 Version 0.9 Copyleft J. Grant.
Including this in any other documents is permitted under the GNU Free Documentation Licence, providing my name is given next to the section. Distributing this any other way is permitted providing it is complete and contains this message.

New versions can be found on the page hosted by Goto-san:

This guide has been featured on the Mandrake website:

Tested on Linux Mandrake 8.1, this will not affect you providing you have RPM support. This guide applys to other internet applications as well.


The SOCKS firewall protocol was fostered by NEC, they currently DO NOT support a free version of their tools for UNIX (free as in freedom, not beer). Many applications directly support the SOCKS 4/5 protocols, Netscape, Opera etc. The NEC software was previously available at before, now it is not. However there are other free solutions available now, which means you have choices. (The way of UNIX)

There are 5 solutions covered in this SSH through a SOCKS PROXY guide.

Currently I use Goto-san's connect.c and the wrapper "runsocks" for other applications, read this whole FAQ before making your decision!

1) Using the old NEC software

The packages NEC previously made available on Linux were rpm/tgz packages that implemented the server,
client programs and a wrapper program (for programs without compiled in SOCKS support).

I installed runsocks-1.0r11-3.i386.rpm successfully.
rpm -ivh

I have also rpm --rebuild the src.rpm to make the whole packages and installed those as well.

i rebuilt the source downloaded from
(sometimes this site not available, try later and it might work, anyone know why?) is another link.
Do this in your shell
$ export SOCKS4_SERVER = mysocks4server

Or you can specify it in the conf file as follows.

Create this file /etc/libsocks5.conf

$ cat /etc/libsocks5.conf
socks4 - - - - mysocks4server

There are problems with this

You have to be root to use runsocks ssh -l myusername <host> or you will get the
following error:

$ runsocks ssh -l myuser
ssh: error while loading shared libraries: cannot open
shared object file: No such file or directory

DNS does not work, you get this error from ssh
$ su

$ runsocks ssh -l youruser
ssh: Temporary failure in name resolution

The only way to connect is to be root and also use the IP. I can connect, its just not good practice to have to be root and use the IP address! Also you need to change the suid bit on the /usr/bin/ssh, type chmod 755. Wrapping suid is not allowed as a cracker could then get root on your system!

Read the man pages for libsocks5.conf and runsocks for further information.

These are the versions I have, I do not have ftp space to host them, if anyone has perminant ftp space for them please contact me. (I believe we are allowed to distribute them under the licence) I download them from places such as


2) Use Goto-san's connect.c (works transparently)

OpenSSH SOCKS support was removed from the OpenSSH implementation on 2000-02-07, using SSH through SOCKS firewalls is now ONLY supported using a ProxyCommand from within the SSH configuration files.

I found how to use OpenSSH through socks.

a) Download and compile this URL's source code. And put the binary in your path.

$ su
$ gcc -o sconnect connect.c
$ cp sconnect /usr/local/bin

b) Add the following line in your ssh_config, this is for a SOCKS4 server. Read his source for futher infomation.

ProxyCommand /usr/local/bin/sconnect -4 -S your-socks-server:1080 %h %p

That's it! Everything should work now

This is the best solution IMO.

3) Use the proprietary trial version

Only possible for non-commercial 30 day use, supports the SOCKS protocol.

export SSH_SOCKS_SERVER=socks://youruser@socks-server:1080/x.x.x.0/24

I gave up on proprietary solutions so I have not tested futher. is not open source, thus I would only use it in "legacy" systems that required it.

4) Dante OSS version

This has not been tested, but i have received good feedback about it. See for further information or


This is another option. Developed by Chris Maison at Linux SocksCap v0.1.1 sockscap-0.1.1-linux.tar.gz

Extract the library and place somewhere on your system. It does not really matter where you put it, but /usr/local/lib is usually a good starting place. Load up a Socks 5 server or run a Bouncer running in Socks 5 mode or alternatively have a Socks 5 server running on another machine. You will need to type the following two commands in to enable it:

export LD_PRELOAD=/usr/local/lib/ (Different if you placed it elsewhere)
export SOCKS_PROXY="" (Or your alternative Socks 5 server)

Then (hopefully) all connections you make will go through the Socks 5 server. To see which connections are being sent to the Socks 5 server then check syslog as it will output a single line status message on success. To enable it for an application just make sure you export the two symbols beforehand. BUT.. DO NOT export the symbols before loading the Socks 5 server otherwise it will get stuck in a loop. To disable it run the following command:


Suid binaries will not run with LD_PRELOAD which means they will not get sent through the proxy, unless you export LD_PRELOAD as root and run the suid binary as root. This is because LD_PRELOAD could be used to create a wrapper for the open() call and use that as a backdoor to gain root on the machine. ??Also, static built binaries will not evaluate LD_PRELOAD either as they will not attempt to dynamically load libraries and that defeats the object of static.

This looks very promising despite the low version number. Some infomation quoted from Chris Maison's site.


NEC never replied to any of my emails so I think it is best to not bother them anymore, there are enough solutions now anyway.
If you really want to contact them try, and



Thank you to the following people who helped me during my SOCKS with SSH investigations:
(Ordered alphabetically by first name)

Avi Alkalay
Alex Feinberg (, author of "Using SOCKS Proxy Firewalls on Linux". Introduction is based on his.
David Knight French - You have a great application, thank you to all the team.
Satoru Takeuchi <- Testing and general info
Shun-ichi Goto <- connect.c and hosting this guide!

Also, thank you to the other people who replied to my emails about these problems and offered sugestions.