Hi Matt.
There is no /var/log/auth.log, only /var/log/messages.
(This is an OpenWrt-type device, loosely based on Chaos Calmer, using
logd/logread. Is there anything I should do to increase dropbear’s log
verbosity?)
I can see that successful ssh connections are logged to /var/log/messages. But
nothing is logged for my unsuccessful attempts to connect via the reverse
tunnel.
Attempted telnet from relayserver:
$ telnet localhost 10022
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
Attempted ssh from relayserver:
$ ssh -p 10022 root@localhost
ssh_exchange_identification: Connection closed by remote host
Using tcpdump on the device, I can see that there is activity when the ssh
connection attempt fails:
# tcpdump host <relayserver> -i eth1 -vvvX
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
12:13:06.442928 IP (tos 0x0, ttl 53, id 9167, offset 0, flags [DF], proto TCP (6), length 152)
    ec2-<relayserver>.eu-west-2.compute.amazonaws.com.ssh > 172.24.20.205.58658: Flags [P.], cksum 0x1e43 (correct), seq 4215067679:4215067779, ack 1099402958, win 227, options [nop,nop,TS val 327307585 ecr 103952497], length 100
12:13:06.471362 IP (tos 0x10, ttl 64, id 16162, offset 0, flags [DF], proto TCP (6), length 104)
    172.24.20.205.58658 > ec2-<relayserver>.eu-west-2.compute.amazonaws.com.ssh: Flags [P.], cksum 0x4da8 (correct), seq 1:53, ack 100, win 587, options [nop,nop,TS val 103968949 ecr 327307585], length 52
12:13:06.489051 IP (tos 0x0, ttl 53, id 9168, offset 0, flags [DF], proto TCP (6), length 52)
    ec2-<relayserver>.eu-west-2.compute.amazonaws.com.ssh > 172.24.20.205.58658: Flags [.], cksum 0xd60a (correct), seq 100, ack 53, win 227, options [nop,nop,TS val 327307597 ecr 103968949], length 0
Can you glean anything from these packets?
Thanks,
Ben.
From: Matt Johnston
Sent: 29 May 2018 14:45
To: Ben Kinsella
Cc: [email protected]
Subject: Re: Problem using reverse ssh tunnel (remote port forwading)
Hi Ben,
Does the device log anything from Dropbear in /var/log/auth.log or similar? If
you "telnet localhost 10022" does it print anything?
Cheers,
Matt
On Fri 25/5/2018, at 11:05 pm, Ben Kinsella wrote:
I have various devices on a private network behind a router, and I typically
use “ssh -R” to access them.
i.e. On the device I run
$ ssh -fN -R :10022:localhost:22 user@relayserver
Then I can ssh in via relayserver.
This works for several different device types.
However, it is not working for a particular device with dropbear v2017.75.
The initial “ssh -R” command works (I can confirm with netstat on relayserver),
but when I attempt to connect I get an error:
$ ssh -p 10022 root@localhost
ssh_exchange_identification: Connection closed by remote host
Any suggestions?
Regards,
Ben.