How they do it

Previously, I wondered how the Myanmar government blocks SSH on port 443.

Sean Furey took the time to point out to me that sshd sends a banner when a client connects, before the SSL session is started. I forgot that. The Myanmar government, or rather Bagan Cybertech, which owns the Internet monopoly in the country (and is run by the government), uses Squid as a cache and content filter for port 80, so I thought they also use it on port 443 (as a CONNECT-proxy). But I cannot find a way to make Squid prevent SSH-over-port-443, so they seem to be using some other content filter, which wouldn't be hard to write, after all.
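The plaintext banner is all such a filter needs to look at. The following Python is an added example, not code from the original post and not a description of what Bagan Cybertech actually runs: it classifies the first payload bytes of a port-443 flow as an SSH identification string (RFC 4253) or a TLS ClientHello record. The function names and sample payloads are constructed for illustration.

```python
SSH_PREFIX = b"SSH-"
MAX_IDENT_LEN = 255  # RFC 4253 limit for the identification line, incl. CR LF


def find_ssh_ident(payload: bytes):
    """Return the SSH identification line found in payload, or None.

    RFC 4253 lets a server send other text lines before its identification
    string, so every line is checked, not only the first one.
    """
    for line in payload.split(b"\n"):
        line = line.rstrip(b"\r")
        if line.startswith(SSH_PREFIX) and len(line) + 2 <= MAX_IDENT_LEN:
            parts = line.split(b"-", 2)  # SSH-<protoversion>-<softwareversion>
            if len(parts) == 3 and parts[1] and parts[2]:
                return line.decode("ascii", errors="replace")
    return None


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload starts with a TLS handshake record holding a ClientHello."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    handshake_type = payload[5]  # first byte after the 5-byte record header
    return (content_type == 0x16 and major == 0x03 and minor <= 0x04
            and handshake_type == 0x01)


def classify(payload: bytes) -> str:
    """Label the first bytes of a flow as 'tls', 'ssh' or 'unknown'."""
    if looks_like_tls_client_hello(payload):
        return "tls"
    if find_ssh_ident(payload) is not None:
        return "ssh"
    return "unknown"


# Constructed sample payloads (not captured traffic).
SSH_BANNER = b"SSH-2.0-OpenSSH_4.3\r\n"
SSH_WITH_PREAMBLE = b"Welcome\r\nSSH-2.0-OpenSSH_4.3\r\n"
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B])

if __name__ == "__main__":
    for name, data in [("banner", SSH_BANNER), ("preamble", SSH_WITH_PREAMBLE),
                       ("client hello", TLS_CLIENT_HELLO), ("empty", b"")]:
        print(f"{name:12} -> {classify(data)}")
```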

Sean proposes to tunnel SSH over SSL, using stunnel (or the like), and this seems like a cleaner approach than his other suggestion, which is to delay the banner. In both cases, however, client support is needed, and I cannot see how PuTTY (the traveller's friend) can do it.

Update: of course, the delay approach does not need client support.

Ryan Lovett pointed me to AjaxTerm and AnyTerm, which both establish SSH connections from the webserver, and use Ajax to push the session to the web browser, where it can be interactively used. I'll have to try that the next time!

And I should finally get the DNS tunnel working again!