Your company network is "blocked"? Probably they are using a proxy to filter your outbound connections.
The usual solution is to encapsulate YOUR traffic inside the traffic your COMPANY ALLOWS.
- I will show how to establish a ssh connection to a server over the Internet. Then you will be able to create a socks proxy and use most applications freely.
- Before all you will need to be able to "browse" the Internet on the company assigned computer. Try opening https://encrypted.google.com/.
- You may be breaching your employment agreement doing this. You have a read a lot of "this is just academic, don't do this a home", but I really mean it. I've used this kind of "jailbreak" in 3 different companies up to now, but on their best interest. That means this is just a shortcut for having to ask the IT people to open the exception for our computer, or to deal with "that's to complicated"-type IT administrators.
- No method is perfect and even if the IT staff can't know exactly what are you doing over the tunnel, they can at least notice the potential high bandwidth usage from your machine to that weird server that no one else use.
- You will need a Linux server accessible over ssh on the Internet. And in most cases you also need root privileges to bind to TCP 443. Can you do this with a Windows server? I don't know, Windows Servers are expensive and I haven't used them that much.
The proxy very probably will be a HTTP proxy(CONNECT Method) that only allows connections to TCP port 443. You might get lucky and get one that allows to TCP port 22.
Start by collecting your proxy configuration. In Windows (supposing this is your company assigned OS) go to "Internet Options->Connections->LAN settings" and you might see something as proxy.mycompany.com:8080.
Then check if you need authentication. Do you type a username and password when you open the Internet Explorer?
I assume you have a linux server with openssh daemon running at myserverontheinternet.com:22
There are at least 3 methods to try to get connectivity. Method A will probably not work on most companies, Method B have worked everywhere I tried, Method C is proxy proof as it gets but will have some processor and network overhead.
I've tested the 3 Methods both on Windows and Linux.
To install on windows, download at http://nmap.org/download.html. On linux use your package manager, ex, on ubuntu: sudo apt-get install nmap
(nothing to do)
ncat -kl 8000 --sh-exec "ncat --proxy proxy.mycompany.com:8080 --proxy-type http --proxy-auth mike:mypassword myserverontheinternet.com 22"
ssh -p 8000 root@localhost
sudo ncat -kl 443 --sh-exec "ncat localhost 22"
ncat -kl 8000 --sh-exec "ncat --proxy proxy.mycompany.com:8080 --proxy-type http --proxy-auth mike:mypassword myserverontheinternet.com 443"
ssh -p 8000 root@localhost
Method C :
sudo ncat -kl 443 --ssl --sh-exec "ncat localhost 22"
ncat -kl 8000 --sh-exec "ncat --ssl --proxy proxy.mycompany.com:8080 --proxy-type http --proxy-auth mike:mypassword myserverontheinternet.com 443"
ssh -p 8000 root@localhost
This client instructions apply to linux with openssh ssh(1). If you are using Windows, just adapt accordingly.
There are quite a lot of other examples of doing this using other tools, probably smaller than nmap/ncat. But nmap is maintained and is available for most distributions, that's why it is my favorite.
OpenWrt have also ncat available now (package ncat and ncat-ssl), so if you are looking for a standalone linux machine for this, consider using a cheap router :).
Please comment if it worked for you.
 - You may bind openssh sshd directly to port 443 changing /etc/ssh/sshd_config. This is the recommend way of doing this and you shall replace it. I'm showing with ncat just to keep it similiar to the other examples.
 - Unless you have some kind of additional internet connection (like 3G) you can't set this from inside the company (because you haven't yet escaped the firewall). Just set it at home and create a script to start it on boot.
 - If you using linux you can set the ncat as a proxy command that will start each time you try to connect. Example, for method C add the following line to the end of /etc/ssh/ssh_config:
ProxyCommand ncat --ssl --proxy proxy.mycompany.com:8080 --proxy-type http --proxy-auth mike:mypassword %h %p
Now run ssh as:
ssh -p 443 firstname.lastname@example.org
 - This way your traffic will look like regular SSL traffic instead of SSH traffic. This might work to go over extensive network filtering. You migh notice that we are not doing any kind of certificate checks, and that is because we are not relying on SSL security, because openssh is secure by itself.
TOTP algorithm is still a draft RFC:
The TOTP is valid only for one login, and for a short period(usually around 60s), that means that both clocks must be in sync.TOTP(K,T) = Truncate(HMAC-SHA-1(K,T))K shared secret between client and server; each TOTP
generator has a different and unique secret K.
T value derived from a time reference.
The Google implementation also allows one-time scratch codes that can be used if some clock happen to be out of sync, or your phone just doesn't work when you need it.
1 - Install Google Authenticator on a Android or Blackberry phone.
2 - Install the Google Authenticator PAM at your linux PC.
3 - Generate the key and provision it to the phone.
4 - Set Linux authentication to use this PAM module.
1 - Generate the TOTP with the phone.
2 - Use it like a password.
This are the detailed instructions for Ubuntu 10.10 and Android 2.2:
1 - Go to the Market app on the phone and search for "Google Authenticator". Install it.
2 - Open a console and type:
To install all the needed dependencies:
sudo apt-get install mercurial libqrencode3 libpam0g-devTo checkout the Google Authenticator PAM module source code:
hg clone https://google-authenticator.googlecode.com/hg/ google-authenticatorTo compile and install:
cd google-authenticator/libpam/Delete the source:
cd ../.. rm -r google-authenticator/3 - Type:
nuno@test-box1:~$ google-authenticatorOpen the Google Authenticator at your phone and create an account, scanning the barcode.
Your new secret key is: IVCTSZVKG6ZJZ5P4
Your verification code is 853162
Your emergency scratch codes are:
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
4 - Type:
sudo bash -c 'cat >/usr/share/pam-configs/google-all <<EOFOn the next step you have to decide how you prefer to authenticate. Using only the TOTP, having to enter both the TOTP and the password, or just any of them.
Name: Google Authenticator (all)
sudo bash -c 'cat >/usr/share/pam-configs/google-enough <<EOF
Name: Google Authenticator (enough)
For TOTP only:.................select google-enough, deselect unix
For TOTP or Password:.......select google-enough, select unix
For TOTP and Password :.select google-all, select unix
sudo pam-auth-updateThis is all. You can also login with TOTP remotely using ssh, without any change to openssh-server.
If you want to use different authentication schemes for local and remove login, you have to tweak with /etc/pam.d/*. The documentation is not very good, so good luck.
If you have any corrections or improvements please leave a comment.
Thanks for reading!
 - This will work fine for Gnome login or sudo authentication, both of them will prompt for both codes. On the other hand it will not work for authentication on sshd or Synaptic Package Manager.
1 - Programmer
The board have dedicated connectors for a PICkit 2/PICkit 3 or ICD2/ICD3 programmer.
While I have a ICD3, we really don't need it. A direct USB cable from the computer to the board USB connector(J8) is enough.
The board was designed with a auxiliary MCU, the PIC18LF4550(U2), that was supposed, as it seems, to offer equivalent features to a PICkit 2.
Unfortunately Microchip never shipped the firmware needed to enable this feature.
Fortunately Rafal Waniurski did.
To update the PIC18LF4550(U2) to work as a programmer follow:
1 - Install PICkit 2 tool (latest as of 2010-11-08 PICkit 2 v2.61).
2 - Connect the board to power(J12) and a USB cable from J8 to the PC.
3 - Open PICkit 2 tool.
* you might get a error "PICkit 2 VDD and VPP voltage level errors.", just ignore it. Click OK and continue.
4 - Click Tools -> Download PICkit 2 Operating System, choose file PK2_Explorer16_V0210022.hex. The programming starts. It should take about 15s, and if it completes successfully you can read "PICkit 2 connected. ID = OIHoss".
5 - This will probably fail the first time. That is because the PICkit 2 tool will try to connect to the PIC18LF4550(U2) to verify the programing, but this will happen while windows is installing the driver for the new firmware you just flashed. While it probably is already working, you might repeat the previous step to get the successfully message.
*If this fails, your PIC18LF4550(U2) might be not programed from factory with a USB bootloader. In that case, you will need to use a regular programmer for loading this firmware(use PK2_Explorer16_V0210022-BL.hex instead).
2 - My first program
1 - Install MPLAB IDE and MPLAB C30. MPLAB IDE is free. MPLAB C30 have evaluation and free versions for academic use.
2 - Make sure Jumper J7 is set to "PIC24" Side and Switch S2 is set to "PIM" side
3 - Connect the board to power(J12) and a USB cable from J8 to the PC.
4 - Download explorer16_demo_v1.zip and unzip it.
5 - Double-click explorer16_demo.mcp to load the project in MPLAB.
6 - Click Project -> Build all.
7 - Select Programmer -> Select Programmer -> 8 PICkit 2.
8 - Click Programmer -> Program.
* If you click Programmer -> Dowload OS, the vanilla PICkit 2 firmware will be loaded in the PIC18LF4550(U2), and the programmer will not work anymore. You will need to flash the PIC18LF4550(U2) with the Rafal Waniurski modified firmware to get it working again. That must be done with the PICkit 2 tool.
You are done.
The program behavior is explained in the main.c file header.
3 - Starting to write code
Microchip is known for making MCUs with "trilions" of peripherals. A PIC24 will have ADCs, Comparators, Timers, Low-power modes, Watchdog, UARTs, ...
That integration allows to reduce the number of components, saving board space, power and money.
Mastering all this features is not a simple task, and you will need to read the full bible(s).
1 - Peripherals Libraries
* My demo program is using adc library, notice line "#include <adc.h>".
2 - Standard C Library
* My demo program is using the standard c input and output library, notice line "#include <stdio.h>".
3 - PIC24FJ128GA010 Family Data Sheet
4 - PIC24F Family Reference Manuals
* There is one Reference Manual for each Peripheral/Module. You should check this together with the Data Sheet. The Reference Manual explain in more detail, but might be only partially applicable to your MCU. The datasheet will clarify what your specific MCU has or hasn't.
5 - Explorer 16 Development Board User Guide
Even if you read all this twice you will probably still don't get the entire picture. Buying a book might help:
Lucio Di Jasio, Programming 16-Bit PIC Microcontrollers in C: Learning to Fly the PIC 24, ISBN 0-7506-8292-2
For last, a useful trick to reduce the code/compile/program/debug/code/compile/program/debug/code cycle is to activate the auto-program option in MPLAB. That way after changing the code, you only need to click "Make" and MPLAB will automatically compile and program the MCU for you.
1 - Select Programmer -> Settings -> Program after a sucessful build.
2 - Select Programmer -> Settings -> Run after a successful program.
3 horas depois de passar numa escola secundária em Palmela para um trabalho publicitário, estava a sair de Lisboa para S. Tomé e Príncipe.
Fui lá fazer um biscate para a Universidade da Beira Interior. Montar um GPS que não é TomTom.
Antes já me tinham avisado para levar "Blazer e gravata" para o 10 de Junho na embaixada.
> Estive 30m a nadar no mar (Nada mau!).
> Calor, calor, calor, odeio o calor :( Ou se está na praia ou em casa com ar condicionado, de resto é calor, calor, calor!
> Fiquei no Bairro da cooperação Portuguesa (IPAD). Muitos portugueses, muita animação. Muito porreiro pá!
> Explicaram-me que quando alguém diz "Blazer e gravata" também quer dizer "Calças e sapatos". Estava escuro e acho que só por isso é que me deixaram entrar na embaixada.
> Os miúdos não paravam de dizer o meu nome: "Branco, branco, branco!". Por momentos senti-me famoso novamente.
Foi assim na Sexta das 15h00m as 00h45m e o GPS gravou isto:
Total Time 9:48:14
Moving Time 9:39:55
Distance (km) 63.65
Moving Speed (kph) 6.6 avg.
Elevation Gain (m) +2,321 / -2,125
Temperature (°C) -2.7°C
Wind Speed ( kph) SW 3.4 avg. SW 7.4 max.
Cheguei vivo, mas já houve alturas em que estava mais bem disposto.