Re: SSH tunnel drops
On 19-12-2021 at 11:07, Geert Stappers wrote:
> On Sun, Dec 19, 2021 at 12:26:29AM +0100, Paul van der Vlis wrote:
>> Hello,
>>
>> I use SSH tunnels a lot, and for a few days now (since before the point release) those tunnels drop after a while. The important error message, I think, is this one (on the server side):
>>
>> ssh_dispatch_run_fatal: Connection from 45.95.238.187 port 56446: message authentication code incorrect
>>
>> At the bottom I have pasted some more of the log, but I don't think that is very interesting; this is the important message.
>>
>> The logs from the client side are pasted at the very bottom, but I can't make much of them. What strikes me is that it sends a packet "type 1", and after that the connection drops (the session had already been open for a while):
>> debug3: send packet: type 1
>>
>> Anyone have an idea why these connections drop?
>
> Connections can drop; just re-establish the connection. Make use of `autossh`.
>
> |$ apt show autossh 2> /dev/null | sed --silent -e '/^Description/,$p'
> |Description: Automatically restart SSH sessions and tunnels
> | autossh is a program to start an instance of ssh and monitor it, restarting it
> | as necessary should it die or stop passing traffic. The idea is from rstunnel
> | (Reliable SSH Tunnel), but implemented in C. Connection monitoring is done
> | using a loop of port forwardings. It backs off on the rate of connection
> | attempts when experiencing rapid failures such as connection refused.

An interesting application! Still, I think there is also something wrong that can be fixed, because I did not have this problem before.

Regards,
Paul

--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
Re: SSH tunnel drops
On Sun, Dec 19, 2021 at 12:26:29AM +0100, Paul van der Vlis wrote:
> Hello,
>
> I use SSH tunnels a lot, and for a few days now (since before the point release) those tunnels drop after a while. The important error message, I think, is this one (on the server side):
>
> ssh_dispatch_run_fatal: Connection from 45.95.238.187 port 56446: message authentication code incorrect
>
> At the bottom I have pasted some more of the log, but I don't think that is very interesting; this is the important message.
>
> The logs from the client side are pasted at the very bottom, but I can't make much of them. What strikes me is that it sends a packet "type 1", and after that the connection drops (the session had already been open for a while):
> debug3: send packet: type 1
>
> Anyone have an idea why these connections drop?

Connections can drop; just re-establish the connection. Make use of `autossh`.

|$ apt show autossh 2> /dev/null | sed --silent -e '/^Description/,$p'
|Description: Automatically restart SSH sessions and tunnels
| autossh is a program to start an instance of ssh and monitor it, restarting it
| as necessary should it die or stop passing traffic. The idea is from rstunnel
| (Reliable SSH Tunnel), but implemented in C. Connection monitoring is done
| using a loop of port forwardings. It backs off on the rate of connection
| attempts when experiencing rapid failures such as connection refused.

Regards
Geert Stappers
--
Silence is hard to parse
SSH tunnel drops
Hello,

I use SSH tunnels a lot, and for a few days now (since before the point release) those tunnels drop after a while. The important error message, I think, is this one (on the server side):

ssh_dispatch_run_fatal: Connection from 45.95.238.187 port 56446: message authentication code incorrect

At the bottom I have pasted some more of the log, but I don't think that is very interesting; this is the important message.

The logs from the client side are pasted at the very bottom, but I can't make much of them. What strikes me is that it sends a packet "type 1", and after that the connection drops (the session had already been open for a while):
debug3: send packet: type 1

Anyone have an idea why these connections drop?

I use this a lot for remote administration. I rebooted the server recently; maybe it started then. I set up the connection with something like:

/usr/bin/ssh -4 -o ServerAliveInterval=30 -NR 5900:localhost:5900 \
  usern...@hostname.vandervlis.nl

Regards,
Paul

auth.log on the server side:
---
(...)
Dec 18 23:52:30 kvm27 sshd[9955]: debug2: channel 2: window 1982570 sent adjust 114582
Dec 18 23:52:30 kvm27 sshd[9955]: debug2: channel 2: window 1992933 sent adjust 104219
Dec 18 23:52:30 kvm27 sshd[9955]: ssh_dispatch_run_fatal: Connection from 45.95.238.187 port 56740: message authentication code incorrect
Dec 18 23:52:30 kvm27 sshd[9955]: debug1: do_cleanup
Dec 18 23:52:30 kvm27 sshd[9958]: debug2: channel 0: read<=0 rfd 7 len 0
Dec 18 23:52:30 kvm27 sshd[9958]: debug2: channel 0: read failed
Dec 18 23:52:30 kvm27 sshd[9958]: debug2: channel 0: close_read
Dec 18 23:52:30 kvm27 sshd[9958]: debug2: channel 0: input open -> drain
Dec 18 23:52:30 kvm27 sshd[9958]: debug2: channel 0: ibuf empty
Dec 18 23:52:30 kvm27 sshd[9958]: debug2: channel 0: send eof
Dec 18 23:52:30 kvm27 sshd[9958]: debug3: send packet: type 96
Dec 18 23:52:30 kvm27 sshd[9958]: debug2: channel 0: input drain -> closed
Dec 18 23:52:30 kvm27 sshd[9953]: debug3: mm_request_receive entering
Dec 18 23:52:30 kvm27 sshd[9953]: debug1: do_cleanup
Dec 18 23:52:30 kvm27 sshd[9953]: debug1: audit_event: unhandled event 12
Dec 18 23:52:42 kvm27 sshd[9958]: debug2: channel 0: write failed
Dec 18 23:52:42 kvm27 sshd[9958]: debug2: channel 0: close_write
Dec 18 23:52:42 kvm27 sshd[9958]: debug2: channel 0: chan_shutdown_write: shutdown() failed for fd 7: Transport endpoint is not connected
Dec 18 23:52:42 kvm27 sshd[9958]: debug2: channel 0: output open -> closed
Dec 18 23:52:42 kvm27 sshd[9958]: debug2: channel 0: send close
Dec 18 23:52:42 kvm27 sshd[9958]: debug3: send packet: type 97
Dec 18 23:52:42 kvm27 sshd[9958]: debug3: channel 0: will not send data after close
Dec 18 23:52:42 kvm27 sshd[9958]: debug3: channel 0: will not send data after close
Dec 18 23:52:42 kvm27 sshd[9958]: debug3: channel 0: will not send data after close

Verbose output on the client side:
---
(...)
debug2: channel 0: rcvd adjust 114582
debug2: channel 0: rcvd adjust 104219
debug3: send packet: type 1
debug1: channel 0: free: ::1, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 ::1 (t4 r2 i0/0 o0/0 e[closed]/0 fd 4/4/-1 sock 4 cc -1)
debug3: fd 1 is not O_NONBLOCK
Connection to hostname.vandervlis.nl closed by remote host.
Transferred: sent 123142180, received 612852 bytes, in 941.4 seconds
Bytes per second: sent 130806.1, received 651.0
debug1: Exit status -1

--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
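The tunnel command in Paul's post is started once and has to be restarted by hand when sshd tears the session down. The block below is an added example (my code, not Paul's, Geert's, or autossh itself) of the restart-with-backoff loop that Geert's autossh suggestion amounts to, built around the same `-N -R 5900:localhost:5900` command. A "message authentication code incorrect" fatal on the server is sshd refusing a packet whose integrity tag did not verify; the transport is gone at that point and nothing inside it can be trusted, so the only sensible client-side behaviour is to exit and reconnect cleanly. The user name, the alive-probe settings, the backoff numbers and the 60 s "healthy run" threshold are assumptions; `ExitOnForwardFailure=yes` and `BatchMode=yes` are real ssh options and are there so that a connection whose `-R` bind failed, or one stuck on a prompt, counts as a failure instead of lingering as a tunnel that carries nothing.

```python
#!/usr/bin/env python3
"""Keep a reverse SSH tunnel up, restarting it with backoff when it dies.

Added example, not code from the thread and not autossh itself.  It runs the
same kind of command as the post (-N -R 5900:localhost:5900) in the
foreground and relaunches it after every exit.  User name, timing values and
the backoff policy are assumptions.
"""
import random
import subprocess
import sys
import time


def build_ssh_command(user, host, remote_port, local_port,
                      alive_interval=30, alive_count=3):
    """argv for a reverse tunnel that fails fast instead of lingering half-dead."""
    return [
        "ssh", "-4", "-N",
        "-o", "BatchMode=yes",                 # a supervisor cannot answer prompts
        "-o", "ExitOnForwardFailure=yes",      # no -R bind on the server => exit non-zero
        "-o", f"ServerAliveInterval={alive_interval}",
        "-o", f"ServerAliveCountMax={alive_count}",  # ~interval*count s to notice a dead peer
        "-R", f"{remote_port}:localhost:{local_port}",
        f"{user}@{host}",
    ]


def next_delay(failures, base=5.0, cap=300.0):
    """Exponential backoff with full jitter, capped at `cap` seconds (assumed policy)."""
    return random.uniform(0, min(cap, base * 2 ** failures))


def supervise(argv, min_uptime=60.0, max_runs=None,
              run=subprocess.call, sleep=time.sleep, clock=time.monotonic):
    """Run argv repeatedly; back off while it keeps dying quickly.

    A run that lasted at least min_uptime resets the backoff, so a single
    dropped session is retried almost at once while a flapping one is not
    hammered.  run/sleep/clock/max_runs are injectable so the loop can be
    exercised without a network.  Returns the consecutive short-run count.
    """
    failures, runs = 0, 0
    while max_runs is None or runs < max_runs:
        started = clock()
        rc = run(argv)
        runs += 1
        uptime = clock() - started
        failures = 0 if uptime >= min_uptime else failures + 1
        delay = next_delay(failures)
        print(f"ssh exited rc={rc} after {uptime:.0f}s; restarting in {delay:.1f}s",
              file=sys.stderr)
        sleep(delay)
    return failures


if __name__ == "__main__":
    # "username" is a placeholder; the host is the one from the post.
    cmd = build_ssh_command("username", "hostname.vandervlis.nl", 5900, 5900)
    supervise(cmd)
```

Run it under systemd with `Restart=always` or from a cron `@reboot` line, and keep `ServerAliveInterval` on the client paired with a `ClientAliveInterval` on the server so that a silently dead NAT mapping is noticed from both ends.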
Re: Securing local host of reverse SSH tunnel?
On 9/17/20 1:27 AM, Nate Bargmann wrote:
> * On 2020 16 Sep 12:08 -0500, Alex Mestiashvili wrote:
>> btw, there is package authprogs, doing exactly that and not only.
>
> It seems to only be in Bullseye right now. It's not in Buster nor Buster backports. As the target computer is a Freedombox, it is running Buster so I will have to see if I can build it locally.
>
> - Nate

It should be as easy as `pip install --user authprogs`, but it is also available in buster-backports from today.

Best,
Alex
Re: Securing local host of reverse SSH tunnel?
* On 2020 15 Sep 13:54 -0500, Fabrice BAUZAC-STEHLY wrote:
> To restrict what an SSH account can do, you can use the command="..."
> setting in the authorized_keys file. It is documented in sshd(8). I use
> it specifically to restrain the possible actions that can be done with
> that private key. As the command, you can use any program or script
> that can check the arguments and perform the requested action, without
> allowing any unforeseen action.

This proved to be easiest so far. Once I had the tunnel set up I prefixed the key with 'command="/usr/sbin/nologin"' which gives a failure message when a typical 'ssh user@server' command is issued from the remote computer.

Thanks!

- Nate

--
"The optimist proclaims that we live in the best of all possible worlds. The pessimist fears this is true."
Web: https://www.n0nb.us
Projects: https://github.com/N0NB
GPG fingerprint: 82D6 4F6B 0E67 CD41 F689 BBA6 FB2C 5130 D55A 8819
Re: Securing local host of reverse SSH tunnel?
* On 2020 16 Sep 12:08 -0500, Alex Mestiashvili wrote:
> btw, there is package authprogs, doing exactly that and not only.

It seems to only be in Bullseye right now. It's not in Buster nor Buster backports. As the target computer is a Freedombox, it is running Buster so I will have to see if I can build it locally.

- Nate

--
"The optimist proclaims that we live in the best of all possible worlds. The pessimist fears this is true."
Web: https://www.n0nb.us
Projects: https://github.com/N0NB
GPG fingerprint: 82D6 4F6B 0E67 CD41 F689 BBA6 FB2C 5130 D55A 8819
Re: Securing local host of reverse SSH tunnel?
On 9/15/20 8:53 PM, Fabrice BAUZAC-STEHLY wrote:
> Nate Bargmann writes:
>
>> I am going to be deploying a Debian system at a location where I am
>> unsure if I can make any inbound connection into that system. I am
>> going to set up an SSH tunnel from that system to a host in my LAN.
>> What I am concerned about is the remote possibility of theft and
>> therefore exposing my LAN to an inbound connection where a shell prompt
>> can be obtained. I will be setting up a private/public key pair. My
>> plan is to SSH into the internal host and then initiate an SSH
>> connection to the defined port and ultimately log into the remote
>> system.
>>
>> The site is physically secure, but ... While I understand that at the
>> remote end I can instruct the SSH client not to request a pseudo tty, if
>> a thief has the private key, all he needs to do is initiate a connection
>> and get a shell prompt on my internal host (due to being run from a
>> startup script, the private key cannot be password protected, or can
>> it?).
>>
>> What I would like to do is in some way configure the ssh daemon on my
>> internal host to not allow any access other than allocating the port for
>> the reverse connection. Ideally, this restriction should be based on
>> the public key of the pair but I've not seen in sshd_config(5) a way for
>> the Match directive to use the public key as its trigger.
>
> To restrict what an SSH account can do, you can use the command="..."
> setting in the authorized_keys file. It is documented in sshd(8). I use
> it specifically to restrain the possible actions that can be done with
> that private key. As the command, you can use any program or script
> that can check the arguments and perform the requested action, without
> allowing any unforeseen action.
>
> --
> Fabrice BAUZAC-STEHLY
> PGP 015AE9B25DCB0511D200A75DE5674DEA514C891D

btw, there is package authprogs, doing exactly that and not only.
Re: Securing local host of reverse SSH tunnel?
Nate Bargmann writes:

> I am going to be deploying a Debian system at a location where I am
> unsure if I can make any inbound connection into that system. I am
> going to set up an SSH tunnel from that system to a host in my LAN.
> What I am concerned about is the remote possibility of theft and
> therefore exposing my LAN to an inbound connection where a shell prompt
> can be obtained. I will be setting up a private/public key pair. My
> plan is to SSH into the internal host and then initiate an SSH
> connection to the defined port and ultimately log into the remote
> system.
>
> The site is physically secure, but ... While I understand that at the
> remote end I can instruct the SSH client not to request a pseudo tty, if
> a thief has the private key, all he needs to do is initiate a connection
> and get a shell prompt on my internal host (due to being run from a
> startup script, the private key cannot be password protected, or can
> it?).
>
> What I would like to do is in some way configure the ssh daemon on my
> internal host to not allow any access other than allocating the port for
> the reverse connection. Ideally, this restriction should be based on
> the public key of the pair but I've not seen in sshd_config(5) a way for
> the Match directive to use the public key as its trigger.

To restrict what an SSH account can do, you can use the command="..." setting in the authorized_keys file. It is documented in sshd(8). I use it specifically to restrain the possible actions that can be done with that private key. As the command, you can use any program or script that can check the arguments and perform the requested action, without allowing any unforeseen action.

--
Fabrice BAUZAC-STEHLY
PGP 015AE9B25DCB0511D200A75DE5674DEA514C891D
Re: Securing local host of reverse SSH tunnel?
> Ideally, this restriction should be based on the public key of the pair but I've not seen in sshd_config(5) a way for the Match directive to use the public key as its trigger

Not an expert, but did you look at certificate-based authentication? You can define your own certificate authority and allow only certificates signed by your CA (it's a public key) to connect to your SSH server.

1 - Generate a key pair for the CA (and another for the remote user)

$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/ca -m PEM

2 - Sign the public key of the user

ssh-keygen -s ca \
  -I \
  -V 20191220:20201220 \
  user_key.pub

will be logged on your server every time a connection is opened with user_key.pub. -V stands for key validity.

3 - Allow on your LAN (SSH server)

TrustedUserCAKeys /secure/permission/ca.pub

This means any certificate signed with this CA will be granted access to your server. Of course you can restrict which users are allowed to log in (in particular, prevent root login).

Note: using certificate-based authentication, you can even choose what kind of features are allowed to be used with a particular certificate, a.k.a. AllowX11Forward and many more. Maybe a good reading of the ssh doc may provide you a better approach for your use case. ssh(1)

Hope this will help.
Re: Securing local host of reverse SSH tunnel?
Nate Bargmann wrote: > I am going to be deploying a Debian system at a location where I am > unsure if I can make any inbound connection into that system. I am > going to set up an SSH tunnel from that system to a host in my LAN. Use Wireguard. It's available in newer kernels and in backports. wg sets up an encrypted, routed network between your remote system and your local system (or network). Then you can ssh directly into your remote system without giving it any new privileges back to your local system. -dsr-
Securing local host of reverse SSH tunnel?
Hi All.

I am going to be deploying a Debian system at a location where I am unsure if I can make any inbound connection into that system. I am going to set up an SSH tunnel from that system to a host in my LAN. What I am concerned about is the remote possibility of theft and therefore exposing my LAN to an inbound connection where a shell prompt can be obtained. I will be setting up a private/public key pair. My plan is to SSH into the internal host and then initiate an SSH connection to the defined port and ultimately log into the remote system.

The site is physically secure, but ... While I understand that at the remote end I can instruct the SSH client not to request a pseudo tty, if a thief has the private key, all he needs to do is initiate a connection and get a shell prompt on my internal host (due to being run from a startup script, the private key cannot be password protected, or can it?).

What I would like to do is in some way configure the ssh daemon on my internal host to not allow any access other than allocating the port for the reverse connection. Ideally, this restriction should be based on the public key of the pair but I've not seen in sshd_config(5) a way for the Match directive to use the public key as its trigger. If there is another way, I've yet to find it.

TIA

- Nate

--
"The optimist proclaims that we live in the best of all possible worlds. The pessimist fears this is true."
Web: https://www.n0nb.us
Projects: https://github.com/N0NB
GPG fingerprint: 82D6 4F6B 0E67 CD41 F689 BBA6 FB2C 5130 D55A 8819
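The `command=` option from Fabrice's reply, and the `command="/usr/sbin/nologin"` form Nate settled on, only replace what runs when a session is requested; port forwarding, agent forwarding, X11 and pty allocation keep their defaults, so a stolen key can still `ssh -N -L` through the LAN host to anything it can reach, or bind any port with `-R`. The script below is an added example (not from the thread, and not authprogs) that audits an authorized_keys file for exactly that: it parses the options field the way sshd does (comma separated, quoted values that may themselves contain commas) and reports every key that is not pinned to one listen port. It assumes OpenSSH with the `restrict` (7.2+) and `permitlisten` (7.8+) keywords, which Buster's 7.9 has; the policy in `audit()` and the sample file are assumptions and constructed data.

```python
#!/usr/bin/env python3
"""Audit authorized_keys entries that are meant to do nothing but carry a tunnel.

Added example; not code from the thread.  Parses each line's options field
as sshd does and flags keys a thief could use for more than the agreed -R
port.  SAMPLE is constructed; the policy in audit() is an assumption.
"""
import re

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")   # such lines carry no options field


def parse_options(text):
    """Return [(name, value_or_None), ...] for an authorized_keys options string."""
    opts, i, n = [], 0, len(text)
    while i < n:
        j = i
        while j < n and text[j] not in "=,":
            j += 1
        name, value = text[i:j], None
        if j < n and text[j] == "=":
            j += 1
            if j < n and text[j] == '"':            # quoted: commas allowed inside
                j, buf = j + 1, []
                while j < n and text[j] != '"':
                    if text[j] == "\\" and j + 1 < n and text[j + 1] == '"':
                        j += 1                      # escaped quote
                    buf.append(text[j])
                    j += 1
                value, j = "".join(buf), j + 1      # step over the closing quote
            else:                                   # bare value runs to the next comma
                k = j
                while k < n and text[k] != ",":
                    k += 1
                value, j = text[j:k], k
        if name:
            opts.append((name, value))
        i = j + 1 if j < n and text[j] == "," else j
    return opts


def parse_line(line):
    """Return (options, key_type, comment), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if KEY_TYPE.match(line):
        parts = line.split()
        return [], parts[0], " ".join(parts[2:])
    i, quoted = 0, False                 # the options field ends at the first unquoted space
    while i < len(line):
        c = line[i]
        if c == "\\" and quoted:
            i += 1
        elif c == '"':
            quoted = not quoted
        elif c == " " and not quoted:
            break
        i += 1
    rest = line[i:].split()
    return parse_options(line[:i]), (rest[0] if rest else ""), " ".join(rest[2:])


def audit(entry, allowed_listen):
    """Findings for one entry; an empty list means the key is tunnel-only."""
    opts = entry[0]
    names, values, findings = {n for n, _ in opts}, dict(opts), []
    if "restrict" not in names:
        findings.append("no 'restrict': pty, agent, X11 and port forwarding default to on")
    if "command" not in names:
        findings.append("no command=: an interactive login still gets the user's shell")
    if "restrict" in names and "port-forwarding" not in names:
        findings.append("'restrict' without 'port-forwarding': the -R tunnel itself is refused")
    listen = values.get("permitlisten")
    if listen is None:
        findings.append("no permitlisten=: the key may bind any port on this host with -R")
    elif listen.rsplit(":", 1)[-1] != str(allowed_listen):
        findings.append(f"permitlisten={listen!r} is not the agreed port {allowed_listen}")
    if "permitopen" not in names:
        findings.append("no permitopen=: -L from the remote box reaches anything this host can")
    return findings


def audit_file(text, allowed_listen):
    """Map key comment (or 'line N') -> findings for every key in the file."""
    report = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is not None:
            report[entry[2] or f"line {lineno}"] = audit(entry, allowed_listen)
    return report


# Constructed sample.  Only the last entry passes: restrict turns everything off,
# port-forwarding turns the tunnel back on, permitlisten pins the -R port,
# permitopen aims -L at a sink nothing listens on (an idiom, not a documented
# "none"), and command= replaces the shell for anyone who connects without -N.
SAMPLE = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKey0000000000000000000001 laptop
command="/usr/sbin/nologin",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKey0000000000000000000002 freedombox-old
restrict,port-forwarding,permitlisten="5900",permitopen="127.0.0.1:1",command="/usr/bin/logger -t sshkey tunnel key used interactively, refused" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKey0000000000000000000003 freedombox
"""

if __name__ == "__main__":
    for label, findings in audit_file(SAMPLE, 5900).items():
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Pair the pinned key with `PermitTTY no` and `AllowTcpForwarding remote` in a `Match User` block on the LAN host if the account exists for nothing else; the authorized_keys options then act as the second, per-key layer rather than the only one.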
Re: PgAdmin with SSH tunnel
On 2018-06-10, wrote: > > On Sat, Jun 09, 2018 at 03:23:06PM +0300, Georgi Naplatanov wrote: >> Hi, >> >> I'm using Debian Stretch and I'm trying to connect to PostgreSQL server >> (Debian 9) with PgAdmin (Debian 9) through SSH tunnel. >> >> PgAdmin has built-in SSH support but when I try to connect to remote >> PostgreSQL server I get this error in PgAdmin: >> >> Error: SSH error: Error when starting up SSH session with error code -8 >> [Unable to exchange encryption keys] >> >> I use key pair for OpenSSH authentication. > > You could try to ssh into it with -v (or even -vvv) to increase the > client's verbosity (or perhaps there's a corresponding option in > PgAdmin's client). That might give you more insight into what's going > on. > I read the following response to a similar conundrum (for what it's worth): If you require access to a Postgres 9.5 database, you can manually create the SSH tunnel, and then connect using pgAdmin3 by setting the host to localhost. On Linux or Mac, you can use the following: ssh -L 5432::5432 . It doesn't seem likely that pgAdmin3 will receive any updates with the direction pgAdmin4 is heading.
Re: PgAdmin with SSH tunnel
On Sat, Jun 09, 2018 at 03:23:06PM +0300, Georgi Naplatanov wrote:
> Hi,
>
> I'm using Debian Stretch and I'm trying to connect to PostgreSQL server
> (Debian 9) with PgAdmin (Debian 9) through SSH tunnel.
>
> PgAdmin has built-in SSH support but when I try to connect to remote
> PostgreSQL server I get this error in PgAdmin:
>
> Error: SSH error: Error when starting up SSH session with error code -8
> [Unable to exchange encryption keys]
>
> I use key pair for OpenSSH authentication.

You could try to ssh into it with -v (or even -vvv) to increase the client's verbosity (or perhaps there's a corresponding option in PgAdmin's client). That might give you more insight into what's going on.

Cheers
-- tomás
PgAdmin with SSH tunnel
Hi, I'm using Debian Stretch and I'm trying to connect to PostgreSQL server (Debian 9) with PgAdmin (Debian 9) through SSH tunnel. PgAdmin has built-in SSH support but when I try to connect to remote PostgreSQL server I get this error in PgAdmin: Error: SSH error: Error when starting up SSH session with error code -8 [Unable to exchange encryption keys] I use key pair for OpenSSH authentication. Any ideas what is wrong? Kind regards Georgi
Timeout, on access to MTA/25, from offsite over SSH tunnel
List good morning,

I am trying to access our MTA from offsite over an SSH tunnel, but the MUA (Thunderbird) is reporting a timeout on accessing the MTA.

The server is Wheezy; sshd is running; the tunnel is set up to terminate on the same server that runs the MTA (exim), as well as running other services; exim is running; the same SSH tunnel works fine for access over the tunnel to other services (sftp, imap) on the same server. Additionally, when not using a tunnel, offsite devices can access the MTA without difficulty; exim is allowing connections.

The server host is behind a NAT (forwarding of port 22 is working fine to this server) and the server LAN address is 192.168.0.199.

The device running the MUA is usually a laptop (and the same symptoms occur whether a laptop is running Windows/Putty, Fedora/gSTM, or Wheezy/gSTM), and the laptops are set to tunnel to the server (using a DNS lookup) and create a Dynamic tunnel on (say) port . The MUA is set to proxy over localhost port (this picks up the SSH tunnel).

The MUA's IMAP server configuration is 192.168.0.199 (note that this is also the host that the SSH tunnel terminates on) and access to the IMAP mail store over the SSH tunnel works without problems. This indicates that the MUA proxy is working, that the tunnel is working, that the MUA's IMAP server configuration is ok and its access to the IMAP service is working.

The MUA's outbound email server is also configured as 192.168.0.199. (The MTA and the IMAP server are both running on this server, 192.168.0.199.) Access to the MTA, over the SSH tunnel, for outbound email results in the MUA reporting an access timeout, and this is before any STARTTLS or any login attempt.

I wondered whether there might be some 'routing' problem on the server, at the point of the SSH tunnel output (as it were) that meant that a packet for 192.168.0.199 - which is itself - takes a long time to get to itself, or even gets lost.

So I did another test, logging in to the server (not over a tunnel, just from the LAN) and issued:

$ telnet 192.168.0.199 25

which was followed by a delay of around a couple of seconds or so before

220 mail.domain.tld ESMTP Exim 4.80 Mon, 03 Aug 2015, 08:37 +0200

which looks good - except, possibly, for the delay. I checked again, this time using localhost instead of 192.168.0.199:

$ telnet localhost 25

which was followed by a delay of around a second before

220 mail.domain.tld ESMTP Exim 4.80 Mon, 03 Aug 2015, 08:39 +0200

So, on this server, using 'localhost' to access some running service on the machine is a second or so faster than using its LAN IP address. Incidentally, this server employs a geo-stationary satellite and its DNS resolution is over the satellite link. I wondered whether the server might be doing a DNS lookup for 192.168.0.199, but it wouldn't, would it?

May I ask the list for some advice how to avoid the timeout? I'm open to suggestions as to how to alter the arrangements while keeping outbound email from the laptops over an SSH tunnel. If possible, I'd like to keep the MUA configurations as 192.168.0.199 because that means the MUA would continue to work even if a different tunnel is used that terminates on some other LAN machine - but I am open to reconsidering that.

I'd be grateful for any suggestions or insights,

regards,
Ron

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/55bf3865.8010...@tesco.net
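Ron's two telnet runs both got a banner, only after a delay; what they do not tell him is whether the seconds are spent before the TCP handshake completes (a path or firewall problem, which his tunnel theory would need) or after it, inside exim, before it writes its 220 greeting (which is what a listener doing reverse-DNS or ident lookups over a slow satellite resolver looks like). The script below is an added example (mine, not from the thread) that times those two moments separately. The fake MTA in it is constructed so the file runs offline; against the real box the calls would be `probe("192.168.0.199", 25)` and `probe("localhost", 25)`, and the 0.5 s cut-off in `classify()` is an assumption.

```python
#!/usr/bin/env python3
"""Separate TCP connect time from SMTP banner time.

Added example, not from the thread.  Tells a slow handshake (network path)
apart from a listener that accepts at once but holds its greeting back.
fake_mta() is a constructed stand-in so this runs offline.
"""
import socket
import threading
import time


def probe(host, port, timeout=10.0):
    """Return (connect_seconds, banner_seconds, banner_line) for one SMTP listener."""
    t0 = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as s:
        t_conn = time.monotonic() - t0          # handshake done, nothing read yet
        s.settimeout(timeout)
        banner = b""
        while not banner.endswith(b"\n"):      # SMTP greeting is one CRLF line
            chunk = s.recv(512)
            if not chunk:
                break
            banner += chunk
        t_banner = time.monotonic() - t0
    return t_conn, t_banner, banner.decode(errors="replace").strip()


def classify(connect_s, banner_s, threshold=0.5):
    """Say where the wait was spent; threshold is an assumed cut-off in seconds."""
    if connect_s >= threshold:
        return "slow connect: the delay is on the path (routing, firewall, NAT)"
    if banner_s - connect_s >= threshold:
        return ("slow banner: the MTA accepted the connection but delayed its greeting "
                "(reverse DNS or ident lookups by the listener are the usual cause)")
    return "no significant delay"


def fake_mta(banner_delay, ready):
    """Constructed stand-in for exim: accept immediately, greet after banner_delay s."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    ready.append(srv.getsockname()[1])        # hand the chosen port to the caller
    conn, _ = srv.accept()
    time.sleep(banner_delay)                  # models the lookups exim does first
    conn.sendall(b"220 mail.domain.tld ESMTP Exim 4.80 ready\r\n")
    conn.close()
    srv.close()


def demo(banner_delay=0.8):
    """Probe the fake MTA once; returns ((connect_s, banner_s, line), verdict)."""
    ports = []
    t = threading.Thread(target=fake_mta, args=(banner_delay, ports), daemon=True)
    t.start()
    while not ports:
        time.sleep(0.01)
    result = probe("127.0.0.1", ports[0])
    t.join()
    return result, classify(result[0], result[1])


if __name__ == "__main__":
    (c, b, line), verdict = demo()
    print(f"connect {c * 1000:.0f} ms, banner {b * 1000:.0f} ms: {line!r}")
    print(verdict)
```

If the banner, not the connect, is what is slow, the fix is on the exim side (`host_lookup` and `rfc1413_hosts`/`rfc1413_query_timeout` in its configuration) and no amount of tunnel rearranging will change it; if the connect is slow only over the SOCKS path, the SSH server's own resolver is the next thing to look at, since with a dynamic forward it is sshd on 192.168.0.199 that performs the outbound connect.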
QT through ssh tunnel
Hi,

I have gnome and I use a QT application (virtualbox) with a ssh tunnel in the same computer. I use a different user than the user that I use with Gnome. The problem is that I get the old QT theme (Windows 95/motif style) when I run virtualbox with a ssh tunnel. On the other hand, if I run a GTK application (ex gedit) with a ssh tunnel I do not have that problem. It is not a big deal, but it would be nice to have the fancy QT theme.

If I do the same thing in my laptop I get the right QT theme in virtualbox using a ssh tunnel. I have wheezy and gnome in both computers. I do not know why I have a different behaviour.

Thanks,
Dan

Archive: http://lists.debian.org/cak00fol3xpj7+njjsb878fc0wrghg5s5exx7cucko7y5ysp...@mail.gmail.com
Re: QT through ssh tunnel
On 11/22/2013 03:11 PM, Dan wrote:
> Hi,
>
> I have gnome and I use a QT application (virtualbox) with a ssh tunnel in the same computer. I use a different user than the user that I use with Gnome. The problem is that I get the old QT theme (Windows 95/motif style) when I run virtualbox with a ssh tunnel. On the other hand, if I run a GTK application (ex gedit) with a ssh tunnel I do not have that problem. It is not a big deal, but it would be nice to have the fancy QT theme.
>
> If I do the same thing in my laptop I get the right QT theme in virtualbox using a ssh tunnel. I have wheezy and gnome in both computers. I do not know why I have a different behaviour.
>
> Thanks,
> Dan

Hi Dan,

try to delete all (old) configuration files in user's home directory like

rm -Rf ~/.kde*

I had an issue with Skype on Wheezy (amd64) and the problem was due to an old configuration file/directory, I can not remember the exact name, but I guess it was something like .kde4*

HTH

Best regards
Georgi

Archive: http://lists.debian.org/528fbef3.3080...@oles.biz
ssh tunnel delay
I'm seeing a delay when I attempt a connection through an ssh tunnel. The connection's fast without the tunnel, but has an initial 80 second delay with it.

Here's the case that works, without the tunnel. I see lines I type echoed immediately:

server$ nc -l -p 1212
client$ nc server 1212

But if instead I do this, the first line isn't seen for about 80 seconds. After that, everything's fine and lines appear immediately:

server$ nc -l -p 1212
client$ ssh -o ExitOnForwardFailure=yes -fN -L1110:localhost:1212 server
client$ nc localhost 1110

I can ssh to the server fine, with no delay. Any ideas why the tunnel has the delay?

Archive: http://lists.debian.org/20130910101005.GA13051@tuzo
Re: ssh tunnel delay
Hi,

Can you launch the tunnel in verbose (-vvv) mode and send the logs?

ssh -vvv -o ExitOnForwardFailure=yes -fN -L1110:localhost:1212 server

Thank you

Regards
--
Juan Sierra Pons j...@elsotanillo.net
Linux User Registered: #257202 http://www.elsotanillo.net
GPG key = 0xA110F4FE Key Fingerprint = DF53 7415 0936 244E 9B00 6E66 E934 3406 A110 F4FE
--

2013/9/10 Sean Alexandre s...@alexan.org
> I'm seeing a delay when I attempt a connection through an ssh tunnel. The connection's fast without the tunnel, but has an initial 80 second delay with it.
>
> Here's the case that works, without the tunnel. I see lines I type echoed immediately:
>
> server$ nc -l -p 1212
> client$ nc server 1212
>
> But if instead I do this, the first line isn't seen for about 80 seconds. After that, everything's fine and lines appear immediately:
>
> server$ nc -l -p 1212
> client$ ssh -o ExitOnForwardFailure=yes -fN -L1110:localhost:1212 server
> client$ nc localhost 1110
>
> I can ssh to the server fine, with no delay. Any ideas why the tunnel has the delay?

Archive: http://lists.debian.org/20130910101005.GA13051@tuzo
Re: ssh tunnel delay
On Tue, Sep 10, 2013 at 12:25:59PM +0200, Juan Sierra Pons wrote:
> Can you launch the tunnel in verbose (-vvv) mode and send the logs?
>
> ssh -vvv -o ExitOnForwardFailure=yes -fN -L1110:localhost:1212 server

Here's what I'm seeing with -vvv:
http://paste.debian.net/37873/

Archive: http://lists.debian.org/20130910104403.GA13329@tuzo
Re: ssh tunnel delay
Hi,

I don't see anything strange in the logs provided.

Do you see anything strange in your dmesg, /var/log/daemon.log, etc?

Is the DNS on the server's side working properly? Sometimes when the reverse DNS is not properly configured some TCP based services get some delay on first connection: ssh, mysql, etc.

Can a network issue be discarded? Please check with mtr:

mtr remote server

Not a solution but a very tiny improvement: launch the tunnel with the -C (compression) parameter.

Best Regards
--
Juan Sierra Pons j...@elsotanillo.net
Linux User Registered: #257202 http://www.elsotanillo.net
GPG key = 0xA110F4FE Key Fingerprint = DF53 7415 0936 244E 9B00 6E66 E934 3406 A110 F4FE
--

2013/9/10 Sean Alexandre s...@alexan.org
> On Tue, Sep 10, 2013 at 12:25:59PM +0200, Juan Sierra Pons wrote:
>> Can you launch the tunnel in verbose (-vvv) mode and send the logs?
>>
>> ssh -vvv -o ExitOnForwardFailure=yes -fN -L1110:localhost:1212 server
>
> Here's what I'm seeing with -vvv:
> http://paste.debian.net/37873/

Archive: http://lists.debian.org/20130910104403.GA13329@tuzo
Re: ssh tunnel delay
On Tue, Sep 10, 2013 at 01:11:17PM +0200, Juan Sierra Pons wrote:
> Hi,
>
> I don't see anything strange in the logs provided.
>
> Do you see anything strange in your dmesg, /var/log/daemon.log, etc?
>
> Is the DNS on the server's side working properly? Sometimes when the reverse DNS is not properly configured some TCP based services get some delay on first connection: ssh, mysql, etc.
>
> Can a network issue be discarded? Please check with mtr:
>
> mtr remote server
>
> Not a solution but a very tiny improvement: launch the tunnel with the -C (compression) parameter.

Thanks for looking at this. The other things you list look fine.

I did notice something else with the log, though. Below I type the line "hello". Then there's the 80 second delay. And then there's the log messages after the hello:

debug1: Entering interactive session.
client$ nc localhost 1110
hello
debug1: Connection to port 1110 forwarding to localhost port 1212 requested.
debug2: fd 6 setting TCP_NODELAY
debug2: fd 6 setting O_NONBLOCK
debug3: fd 6 is O_NONBLOCK
debug1: channel 2: new [direct-tcpip]
debug2: channel 2: open confirm rwindow 2097152 rmax 32768

I think the delay no longer happens, with subsequent lines, because TCP_NODELAY and O_NONBLOCK get set. I wonder if there's a way to configure things to set those from the start?

Archive: http://lists.debian.org/20130910120513.GA14348@tuzo
Re: ssh tunnel delay
2013/9/10 Sean Alexandre s...@alexan.org
> On Tue, Sep 10, 2013 at 01:11:17PM +0200, Juan Sierra Pons wrote:
>> Hi,
>>
>> I don't see anything strange in the logs provided.
>>
>> Do you see anything strange in your dmesg, /var/log/daemon.log, etc?
>>
>> Is the DNS on the server's side working properly? Sometimes when the reverse DNS is not properly configured some TCP based services get some delay on first connection: ssh, mysql, etc.
>>
>> Can a network issue be discarded? Please check with mtr:
>>
>> mtr remote server
>>
>> Not a solution but a very tiny improvement: launch the tunnel with the -C (compression) parameter.
>
> Thanks for looking at this. The other things you list look fine.
>
> I did notice something else with the log, though. Below I type the line "hello". Then there's the 80 second delay. And then there's the log messages after the hello:
>
> debug1: Entering interactive session.
> client$ nc localhost 1110
> hello
> debug1: Connection to port 1110 forwarding to localhost port 1212 requested.
> debug2: fd 6 setting TCP_NODELAY
> debug2: fd 6 setting O_NONBLOCK
> debug3: fd 6 is O_NONBLOCK
> debug1: channel 2: new [direct-tcpip]
> debug2: channel 2: open confirm rwindow 2097152 rmax 32768
>
> I think the delay no longer happens, with subsequent lines, because TCP_NODELAY and O_NONBLOCK get set. I wonder if there's a way to configure things to set those from the start?

Hi,

I have found a kind of workaround:
http://www.gossamer-threads.com/lists/openssh/bugs/56042

If the ssh client is invoked with:

ssh -N host -R port          # TCP_NODELAY is not set
ssh -n host -R port sleep 1d # TCP_NODELAY is set - this is a workaround

Can you try to launch the tunnel without the -N parameter (maybe you can send the tunnel to the background later)?

Regards
--
Juan Sierra Pons j...@elsotanillo.net
Linux User Registered: #257202 http://www.elsotanillo.net
GPG key = 0xA110F4FE Key Fingerprint = DF53 7415 0936 244E 9B00 6E66 E934 3406 A110 F4FE

Archive: http://lists.debian.org/CABS=y9v7VnDndH1zPVqX2wfD=trfvbta5f-9gb6gnzopro6...@mail.gmail.com
Re: ssh tunnel delay
On Tue, Sep 10, 2013 at 02:28:37PM +0200, Juan Sierra Pons wrote:
> 2013/9/10 Sean Alexandre <s...@alexan.org>:
>> [...]
>> I think the delay no longer happens, with subsequent lines, because TCP_NODELAY and O_NONBLOCK get set. I wonder if there's a way to configure things to set those from the start?
>
> Hi,
>
> I have found a kind of workaround: http://www.gossamer-threads.com/lists/openssh/bugs/56042
>
> If the ssh client is invoked with:
>
>   ssh -N host -R port           # TCP_NODELAY is not set
>   ssh -n host -R port sleep 1d  # TCP_NODELAY is set - this is a workaround
>
> Can you try to launch the tunnel without the -N parameter (maybe you can send the tunnel to the background later)?

I get the same thing, unfortunately, with this:

  # both IPQoS values quoted into one -o argument, otherwise the shell hands
  # ssh "lowdelay" as the destination host
  ssh -o 'IPQoS=lowdelay lowdelay' -o ExitOnForwardFailure=yes -f -L1110:localhost:1212 skoki3 sleep 1d

I've also added this line to /etc/ssh/sshd_config on the server, and restarted ssh there:

  IPQoS lowdelay lowdelay

This bug report makes it sound like the bug's been fixed on Debian 7.0, but maybe not:

  Debian Bug report logs - #643312
  openssh-client: IPQoS option ignored for AF_INET since 5.9p1-1
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643312

I've got version 1:6.0p1-4 of openssh-client. The bug report says the problem's fixed there, but maybe not.
--
Archive: http://lists.debian.org/20130910130754.GA14913@tuzo
ssh tunnel help
Hello all,

Seems I'm a bit brain dead this morning, and I'm having difficulty remembering how to set up an ssh tunnel to our development server through the public facing system. I can ssh into pub1 just fine, and from that shell I can ssh into the development server, dev1. What I want to do is to be able to open a terminal on my local machine and connect my psql client directly to that development server, on its port 5432. So I want to be able to locally run a command similar to:

  [me@mymachine]$ psql -U dbusername -h dev1 -p xxx

where, if I remember correctly, xxx is the port I tunnel into the public system on. I know I've done this before, but since I rarely work from home like this I've forgotten the steps. Would someone care to enlighten me?

On a related note, how do I kill the tunnel after I am done with it? I've just killed the process in the past, but I'm wondering if there is not a more elegant way.

On a totally unrelated note, I have two old Compaq DL-580 G1s and a few 9GB drives that can go with them. Would any of that be of any value to the Debian project? If so, feel free to point me to a contact person. An off-list reply is perfectly fine.

Thanks,
Nelson
Re: ssh tunnel help
On Wed, May 22, 2013 at 08:15:24AM -0500, Nelson Green wrote:
> Hello all,
>
> Seems I'm a bit brain dead this morning, and I'm having difficulty remembering how to set up an ssh tunnel to our development server through the public facing system. I can ssh into pub1 just fine, and from that shell I can ssh into the development server, dev1. What I want to do is to be able to open a terminal on my local machine and connect my psql client directly to that development server, on its port 5432. So I want to be able to locally run a command similar to:
>
>   [me@mymachine]$ psql -U dbusername -h dev1 -p xxx
>
> where, if I remember correctly, xxx is the port I tunnel into the public system on. I know I've done this before, but since I rarely work from home like this I've forgotten the steps. Would someone care to enlighten me?

I'm not sure you can do exactly what you want, but if you issue:

  [me@machine]$ ssh my@pub1 -L5432:dev1:5432

then, assuming that pub1 can access port 5432 on dev1, you can do

  [me@mymachine]$ psql -U dbusername -h localhost -p 5432

So your SSH client listens on localhost:5432 and pub1 connects to dev1:5432. If you can only access dev1 by ssh and need a second hop, things get more difficult :)

> On a related note, how do I kill the tunnel after I am done with it? I've just killed the process in the past, but I'm wondering if there is not a more elegant way.

If you close the SSH session, it'll take the tunnel down with it.
Re: ssh tunnel help
On 5/22/13 4:15 PM, Nelson Green wrote:
> ... connect my psql client directly to that development server, on its port 5432. So I want to be able to locally run a command similar to:
>
>   [me@mymachine]$ psql -U dbusername -h dev1 -p xxx
>
> where, if I remember correctly, xxx is the port I tunnel into the public system on. I know I've done this before, but since I rarely work from home like this I've forgotten the steps. Would someone care to enlighten me?

One way you could try is like this[1]:

  ssh -L 5432:localhost:5432 \
      -o 'ProxyCommand=ssh -W %h:%p pub1.example.org' \
      devel.example.org

Then you would connect to the local host:

  psql -U dbusername -h localhost -p 5432

> On a related note, how do I kill the tunnel after I am done with it? I've just killed the process in the past, but I'm wondering if there is not a more elegant way.

You can close the connection and the tunnel will close. Or, depending on which version of ssh you have, you can try one of the ssh escape sequences:

  ~C
  ssh> -KL5432

Where K is for kill and L or R is the type of forwarding and 5432 is the actual port. Press ~C? to get the full list of options that are/aren't available.

Regards,
/Lars

[1] https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts
--
Archive: http://lists.debian.org/519cd3f2.7000...@gmail.com
Re: ssh tunnel help
On Wed, 22 May 2013, Lars Noodén wrote:
> One way you could try is like this[1]:
>
>   ssh -L 5432:localhost:5432 \
>       -o 'ProxyCommand=ssh -W %h:%p pub1.example.org' \
>       devel.example.org

As a follow up here is a method that should work for older versions of ssh:

  ssh -L 5432:localhost:5432 -o HostKeyAlias=devel.example.org \
      -o 'ProxyCommand=ssh %h nc devel.example.org 22' \
      pub1.example.org

The netcat mode (-W) was added fairly recently.

[1] https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts

Regards,
/Lars
[solved] Re: VNC not connecting over SSH tunnel
On 10/07/12 01:10 PM, Chris Davies wrote:
> Gary Dale <garyd...@rogers.com> wrote:
>> Thanks again Chris. If I understand your model correctly, the remote_router is the ssh server and not the actual router that merely forwards port 22 to the ssh server.
>
> Yes. It's only now clear to me that the router isn't the ssh server. But for the purposes of the description consider remote_router to be your internal ssh server.
>
>> remote_router is 192.168.1.18
>> remote_workstation is 192.168.1.20
>> The office router (192.168.1.1) confirms the assignments (I connect to another remote workstation then log into the office router) as did opening a command prompt and running ipconfig on the remote_workstation the last time I was there.
>
> In that case I'm out of ideas without running something like wireshark on your ssh server to try and see what's going across the wire. Sorry.
>
> Chris

Went back out to the remote site to check on things. I noticed that the antivirus on the one computer was set to not respond to pings, which resolved the question of the server not being able to ping it. Once I set it to respond to pings, the vnc connection also started working.
--
Archive: http://lists.debian.org/50019085.6050...@rogers.com
Re: VNC not connecting over SSH tunnel
Gary Dale <garyd...@rogers.com> wrote:
> I can connect to every workstation in a remote office using:
>
>   ssh -L 5902:<remote workstation's local IP>:5900 <remote router's public IP>
>   xtightvncviewer -encodings tight localhost:5902
>
> However, there is one workstation [...] The ssh session also shows this message:
>
>   channel 3: open failed: connect failed: No route to host
>
> Indeed, I can't even ping it from the remote ssh server. However, when I went to the office and tried to connect using my laptop, connected into the local network, I was able to connect normally.
>
> The ssh server is on the local subnet (a 192.168.x.x non-routable network) as are the workstation I'm trying to connect to and the laptop (when I plugged it into their network). The local forwarding would be handled on the subnet so that if it worked for one station, shouldn't it work for all?

We have four devices to consider:

  homepc              Your own system, outside the office
  workpc              Your own system, inside the office
  remote_router       The end-point for the primary ssh transport
  remote_workstation  The target machine for the VNC session

Homepc and workpc might be the same, but as they have different IP addresses I'll name them differently. At the risk of stating the obvious, I'm going to do it anyway:

  * There has to be a route between homepc and remote_workstation for the ssh transport to succeed. This works.
  * There has to be a route between workpc and remote_workstation for the native VNC session to succeed. This works.
  * There has to be a route between remote_router and remote_workstation for the VNC session to succeed. This doesn't work.

The error "No route to host" is often triggered when the source has a route to the target but the target is not responding to the arp request. I initially suggested that there is a routing issue between remote_router and remote_workstation, and this was further evidenced by you not being able to ping remote_workstation from remote_router.

You've then explained that the network topology is flat and that the remote_router and remote_workstation are on the same subnet. I can only suggest at this stage that you go back and re-check the IP address assigned to the non-working remote_workstation.

Chris
--
Archive: http://lists.debian.org/4e6tc9xmgs@news.roaima.co.uk
Re: VNC not connecting over SSH tunnel
On 07/10/2012 01:41 AM, Chris Davies wrote:
> Gary Dale <garyd...@rogers.com> wrote:
>> I can connect to every workstation in a remote office using:
>>
>>   ssh -L 5902:<remote workstation's local IP>:5900 <remote router's public IP>
>>   xtightvncviewer -encodings tight localhost:5902
>>
>> However, there is one workstation [...] The ssh session also shows this message:
>>
>>   channel 3: open failed: connect failed: No route to host
>>
>> Indeed, I can't even ping it from the remote ssh server. However, when I went to the office and tried to connect using my laptop, connected into the local network, I was able to connect normally.
>>
>> The ssh server is on the local subnet (a 192.168.x.x non-routable network) as are the workstation I'm trying to connect to and the laptop (when I plugged it into their network). The local forwarding would be handled on the subnet so that if it worked for one station, shouldn't it work for all?
>
> We have four devices to consider:
>
>   homepc              Your own system, outside the office
>   workpc              Your own system, inside the office
>   remote_router       The end-point for the primary ssh transport
>   remote_workstation  The target machine for the VNC session
>
> Homepc and workpc might be the same, but as they have different IP addresses I'll name them differently. At the risk of stating the obvious, I'm going to do it anyway:
>
>   * There has to be a route between homepc and remote_workstation for the ssh transport to succeed. This works.
>   * There has to be a route between workpc and remote_workstation for the native VNC session to succeed. This works.
>   * There has to be a route between remote_router and remote_workstation for the VNC session to succeed. This doesn't work.
>
> The error "No route to host" is often triggered when the source has a route to the target but the target is not responding to the arp request. I initially suggested that there is a routing issue between remote_router and remote_workstation, and this was further evidenced by you not being able to ping remote_workstation from remote_router.
>
> You've then explained that the network topology is flat and that the remote_router and remote_workstation are on the same subnet. I can only suggest at this stage that you go back and re-check the IP address assigned to the non-working remote_workstation.
>
> Chris

While you are at it, why don't you list the ip addresses and the net mask for each item? ifconfig will tell you what each machine has.

--
Joseph Loo j...@acm.org
Re: VNC not connecting over SSH tunnel
On 10/07/12 04:41 AM, Chris Davies wrote:
> Gary Dale <garyd...@rogers.com> wrote:
>> I can connect to every workstation in a remote office using:
>>
>>   ssh -L 5902:<remote workstation's local IP>:5900 <remote router's public IP>
>>   xtightvncviewer -encodings tight localhost:5902
>>
>> However, there is one workstation [...] The ssh session also shows this message:
>>
>>   channel 3: open failed: connect failed: No route to host
>>
>> Indeed, I can't even ping it from the remote ssh server. However, when I went to the office and tried to connect using my laptop, connected into the local network, I was able to connect normally.
>>
>> The ssh server is on the local subnet (a 192.168.x.x non-routable network) as are the workstation I'm trying to connect to and the laptop (when I plugged it into their network). The local forwarding would be handled on the subnet so that if it worked for one station, shouldn't it work for all?
>
> We have four devices to consider:
>
>   homepc              Your own system, outside the office
>   workpc              Your own system, inside the office
>   remote_router       The end-point for the primary ssh transport
>   remote_workstation  The target machine for the VNC session
>
> Homepc and workpc might be the same, but as they have different IP addresses I'll name them differently. At the risk of stating the obvious, I'm going to do it anyway:
>
>   * There has to be a route between homepc and remote_workstation for the ssh transport to succeed. This works.
>   * There has to be a route between workpc and remote_workstation for the native VNC session to succeed. This works.
>   * There has to be a route between remote_router and remote_workstation for the VNC session to succeed. This doesn't work.
>
> The error "No route to host" is often triggered when the source has a route to the target but the target is not responding to the arp request. I initially suggested that there is a routing issue between remote_router and remote_workstation, and this was further evidenced by you not being able to ping remote_workstation from remote_router.
>
> You've then explained that the network topology is flat and that the remote_router and remote_workstation are on the same subnet. I can only suggest at this stage that you go back and re-check the IP address assigned to the non-working remote_workstation.
>
> Chris

Thanks again Chris. If I understand your model correctly, the remote_router is the ssh server and not the actual router that merely forwards port 22 to the ssh server.

To put some numbers to the issue, as Joseph Loo requested:

  homepc is 192.168.1.12
  workpc (my laptop) is unknown - I'd have to revisit the office, which is not a short trip. It would be in the 192.168.1.x range.
  remote_router is 192.168.1.18
  remote_workstation is 192.168.1.20

The office router (192.168.1.1) confirms the assignments (I connect to another remote workstation then log into the office router) as did opening a command prompt and running ipconfig on the remote_workstation the last time I was there.

I set up Windows 7 on 6 of the remote workstations and am not aware of doing anything differently on the non-accessible one.
--
Archive: http://lists.debian.org/4ffc2fe9.1010...@rogers.com
Re: VNC not connecting over SSH tunnel
Gary Dale <garyd...@rogers.com> wrote:
> Thanks again Chris. If I understand your model correctly, the remote_router is the ssh server and not the actual router that merely forwards port 22 to the ssh server.

Yes. It's only now clear to me that the router isn't the ssh server. But for the purposes of the description consider remote_router to be your internal ssh server.

> remote_router is 192.168.1.18
> remote_workstation is 192.168.1.20
> The office router (192.168.1.1) confirms the assignments (I connect to another remote workstation then log into the office router) as did opening a command prompt and running ipconfig on the remote_workstation the last time I was there.

In that case I'm out of ideas without running something like wireshark on your ssh server to try and see what's going across the wire. Sorry.

Chris
--
Archive: http://lists.debian.org/o84uc9xsr6@news.roaima.co.uk
Re: VNC not connecting over SSH tunnel
Gary Dale <garyd...@rogers.com> wrote:
> I can connect to every workstation in a remote office using:
>
>   ssh -L 5902:<remote workstation's local IP>:5900 <remote router's public IP>
>   xtightvncviewer -encodings tight localhost:5902
>
> However, there is one workstation [...] The ssh session also shows this message:
>
>   channel 3: open failed: connect failed: No route to host
>
> Indeed, I can't even ping it from the remote ssh server.

There's your answer in the ssh channel message: there is no route to there from here.

> However, when I went to the office and tried to connect using my laptop, connected into the local network, I was able to connect normally.

The routing for the target workstation is different between the two systems (router and laptop). The fault - if that's what it is - will be either on the router or on the workstation, and it will either be a fault of omission (you've lost a route in your routing table) or superimposition (you've added an incorrect route to the routing table).

Chris
--
Archive: http://lists.debian.org/iuuqc9xsuo@news.roaima.co.uk
Re: VNC not connecting over SSH tunnel
On 09/07/12 08:21 AM, Chris Davies wrote:
> Gary Dale <garyd...@rogers.com> wrote:
>> I can connect to every workstation in a remote office using:
>>
>>   ssh -L 5902:<remote workstation's local IP>:5900 <remote router's public IP>
>>   xtightvncviewer -encodings tight localhost:5902
>>
>> However, there is one workstation [...] The ssh session also shows this message:
>>
>>   channel 3: open failed: connect failed: No route to host
>>
>> Indeed, I can't even ping it from the remote ssh server.
>
> There's your answer in the ssh channel message: there is no route to there from here.
>
>> However, when I went to the office and tried to connect using my laptop, connected into the local network, I was able to connect normally.
>
> The routing for the target workstation is different between the two systems (router and laptop). The fault - if that's what it is - will be either on the router or on the workstation, and it will either be a fault of omission (you've lost a route in your routing table) or superimposition (you've added an incorrect route to the routing table).
>
> Chris

Thanks Chris, but I don't quite follow your direction. The ssh server is on the local subnet (a 192.168.x.x non-routable network) as are the workstation I'm trying to connect to and the laptop (when I plugged it into their network). The local forwarding would be handled on the subnet so that if it worked for one station, shouldn't it work for all?

I don't see how the router would enter into it. It just passes the ssh tunnel to the ssh server, although it does also hand out the dhcp addresses for the local network. There are no rules on the router regarding the one workstation. The other piece of network gear is a 16-port D-Link switch which I haven't done anything to. I just plugged it in.

So I'm back where I started - why isn't the ssh server seeing the one particular workstation?
--
Archive: http://lists.debian.org/4ffaf342.4070...@rogers.com
VNC not connecting over SSH tunnel
I'm not having this problem on all machines. I can connect to every workstation in a remote office using:

  ssh -L 5902:<remote workstation's local IP>:5900 <remote router's public IP>

then in another terminal:

  xtightvncviewer -encodings tight localhost:5902

However, there is one workstation where I get

  xtightvncviewer: VNC server closed connection

when I try to connect. The ssh session also shows this message:

  channel 3: open failed: connect failed: No route to host

Indeed, I can't even ping it from the remote ssh server. However, when I went to the office and tried to connect using my laptop, connected into the local network, I was able to connect normally.

Moreover, I can logout and log back in from the workstation so the VNC server is running as a service. It's not a machine suspend mode thing either. I can't connect even when the computer is being used.

The remote workstations are running Windows 7.

Any ideas?
--
Archive: http://lists.debian.org/4ff99570.9000...@rogers.com
Re: how to open ssh tunnel port ?
On Wed, 27 Jun 2012 15:56:01 +0100 Laurence Hurst <l.a.hu...@lboro.ac.uk> wrote:
> [...]
>
>   ssh -L 192.168.0.1:3360:localhost:3306 A
>
> where '192.168.0.1' is the ip address you want to bind to (i.e. the ip address of eth0, or whichever interface you want to use). The same method applies if you are using -R to create the tunnel the other way - again read the manual page, it's there to help you!
> [...]

Thanks
--
Archive: http://lists.debian.org/20120628140921.4b3ff...@shiva.selfip.org
how to open ssh tunnel port ?
Dear list,

I have made a successful ssh tunnel between two pcs A and B. A is running mysql and B has the tunnel with A, so that B can access that remote mysql with its local port 3360. Everything is fine. But B binds the port to localhost only, hence no one can access B's 3360 port. How can B open the port so that others can also use the 3360 port on B, which is actually tunneled with A?

  A (running mysql) --tunnel-- B (localhost:3360)    but C can't see 3360 on B

Thanks
--
Archive: http://lists.debian.org/20120627200730.7892e...@shiva.selfip.org
Re: how to open ssh tunnel port ?
On Wed, Jun 27, 2012 at 03:37:30PM +0100, J. Bakshi wrote:
> Dear list,
>
> I have made a successful ssh tunnel between two pcs A and B. A is running mysql and B has the tunnel with A, so that B can access that remote mysql with its local port 3360. Everything is fine. But B binds the port to localhost only, hence no one can access B's 3360 port. How can B open the port so that others can also use the 3360 port on B, which is actually tunneled with A?
>
>   A (running mysql) --tunnel-- B (localhost:3360)    but C can't see 3360 on B

From the ssh man page:

  -L [bind_address:]port:host:hostport

or alternatively: use the -g option.

But... It sounds like you're using this to bypass a firewall somewhere? If so, beware: MySQL traffic is NOT encrypted so any usernames/passwords sent to mysql are easily exposed. And there's bound to be security vulnerabilities in the MySQL protocol too - it is not designed to be hardened.

Also: As far as MySQL is concerned, the connection will appear to come from B - mysql will never see the true source of connections.

Hope this helps
--
Karl E. Jorgensen
--
Archive: http://lists.debian.org/20120627145115.GB20713@hawking
Re: how to open ssh tunnel port ?
On 27/06/2012 15:37, J. Bakshi wrote:
> Dear list,
>
> I have made a successful ssh tunnel between two pcs A and B. A is running mysql and B has the tunnel with A, so that B can access that remote mysql with its local port 3360. Everything is fine. But B binds the port to localhost only, hence no one can access B's 3360 port. How can B open the port so that others can also use the 3360 port on B, which is actually tunneled with A?
>
>   A (running mysql) --tunnel-- B (localhost:3360)    but C can't see 3360 on B
>
> Thanks

Hi,

Your current ssh command (assuming you are connecting from B to A) presumably looks something like:

  ssh -L 3360:localhost:3306 A

According to the ssh man page (try running man ssh and read the bit about the '-L' argument), you can specify the bind address as part of that argument. Basically you should end up with something like this:

  ssh -L 192.168.0.1:3360:localhost:3306 A

where '192.168.0.1' is the ip address you want to bind to (i.e. the ip address of eth0, or whichever interface you want to use). The same method applies if you are using -R to create the tunnel the other way - again read the manual page, it's there to help you!

I would think carefully about whether you really want to do this, as you will be exposing the mysql server to anyone who can connect to machine B on port 3360. Security is one of the main motivators for binding only to localhost by default (by both mysql and ssh).

Regards,
Laurence
--
Archive: http://lists.debian.org/4feb1f01.5090...@lboro.ac.uk
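To make the bind-address point above concrete, here is an added example; it is not code from the thread or from OpenSSH. It is a small Python model of the client side of `ssh -L [bind_address:]port:host:hostport`: a listener on the chosen bind address that relays every accepted connection to the target, which is the role ssh's local forwarder plays on B in front of A's MySQL port. It refuses a non-loopback bind unless the caller opts in explicitly, which is the decision Laurence warns about: once the listener sits on 192.168.0.1 or 0.0.0.0, anyone who can reach B has a path to the database. The echo server standing in for the MySQL server on A, the `SELECT 1` payload, and the class and function names are all constructed for the example.

```python
import socket
import threading


def is_loopback(addr):
    """True only for bind addresses that nothing off this host can reach."""
    return addr in ("127.0.0.1", "::1", "localhost")


def pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve(listener, on_connection):
    """Accept on listener in a background thread until listener is closed."""
    listener.settimeout(0.2)  # wake periodically so close() ends the loop

    def loop():
        while True:
            try:
                conn, _ = listener.accept()
            except socket.timeout:
                continue
            except OSError:
                return  # listener closed
            on_connection(conn)

    threading.Thread(target=loop, daemon=True).start()


class LocalForward:
    """Model of `ssh -L [bind_address:]port:host:hostport`: a listener on
    (bind_address, port) whose connections are relayed to (host, hostport)."""

    def __init__(self, bind_address, port, host, hostport, allow_exposed=False):
        # Anything but loopback lets every host that can reach this machine use the
        # tunnel, so demand an explicit opt-in (the choice -L addr:... or -g makes in ssh).
        if not is_loopback(bind_address) and not allow_exposed:
            raise ValueError(f"refusing to expose {host}:{hostport} on {bind_address}:{port}")
        self.target = (host, hostport)
        family = socket.AF_INET6 if ":" in bind_address else socket.AF_INET
        self.listener = socket.socket(family, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_address, port))
        self.listener.listen(5)
        serve(self.listener, self._relay)

    def bound_address(self):
        """(address, port) actually bound; port 0 in the constructor picks a free one."""
        return self.listener.getsockname()[:2]

    def _relay(self, client):
        upstream = socket.create_connection(self.target)
        threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self.listener.close()


def start_echo_server():
    """Constructed stand-in for the MySQL server on A: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    serve(srv, lambda conn: threading.Thread(target=pump, args=(conn, conn), daemon=True).start())
    return srv


def round_trip(bind_address, payload=b"SELECT 1\n"):
    """Send payload through a forwarder bound at bind_address; return what comes back."""
    echo = start_echo_server()
    fwd = LocalForward(bind_address, 0, *echo.getsockname())
    try:
        with socket.create_connection(fwd.bound_address()) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            got = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    return got
                got += chunk
    finally:
        fwd.close()
        echo.close()


def refuses_exposed_bind(bind_address):
    """True if a forwarder on bind_address is rejected without allow_exposed=True."""
    try:
        LocalForward(bind_address, 0, "127.0.0.1", 3306)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(round_trip("127.0.0.1"))          # b'SELECT 1\n' came back through the relay
    print(refuses_exposed_bind("0.0.0.0"))  # True: the exposed bind needs an opt-in
```

The relay itself is deliberately the same whether the bind address is loopback or an interface address; the only thing that changes is who can reach the listener, which is exactly why ssh defaults to loopback and why the `allow_exposed` opt-in is the one knob worth guarding. With a real `ssh -L 192.168.0.1:3360:localhost:3306 A`, the equivalent check is `ss -ltn` on B, confirming the socket is bound to the address you meant and not to 0.0.0.0.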
Re: ssh tunnel
On Wed, 2012-03-21 at 18:29 -0700, vicky mhe wrote:
>   ssh -l vicky -L :192.168.21.2:22 118.97.247.242
>   18.97.xx.xx password:
>   Segmentation fault

ssh without forwarding is working on both hosts?

> in my syslog/messages
>
>   kernel: [ 112.994103] ssh[2487]: segfault at b7e62000 ip b75d20cd sp bfbf5b3c error 4 in libcrypto.so.1.0.0[b7569000+1a3000]

The libcrypto package is up2date and is the right version for your distribution? Make sure that all related packages are installed correctly.

Frank
--
Archive: http://lists.debian.org/1332399913.25368.13.ca...@nero.internal.friendscout24.de
Re: ssh tunnel
On Wed, 21 Mar 2012 18:29:01 -0700, vicky mhe wrote:

(please, avoid using html)

> Dear debian
>
> i use ssh for tunnel this is my command
>
>   ssh -l vicky -L :192.168.21.2:22 118.97.247.242
>   18.97.xx.xx password:
>   Segmentation fault
>
> in my syslog/messages
>
>   kernel: [ 112.994103] ssh[2487]: segfault at b7e62000 ip b75d20cd sp bfbf5b3c error 4 in libcrypto.so.1.0.0[b7569000+1a3000]

Bug?

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=664732

Greetings,
--
Camaleón
--
Archive: http://lists.debian.org/jkfk27$qin$1...@dough.gmane.org
ssh tunnel
Dear debian

i use ssh for tunnel this is my command

  ssh -l vicky -L :192.168.21.2:22 118.97.247.242
  18.97.xx.xx password:
  Segmentation fault

in my syslog/messages

  kernel: [ 112.994103] ssh[2487]: segfault at b7e62000 ip b75d20cd sp bfbf5b3c error 4 in libcrypto.so.1.0.0[b7569000+1a3000]

Best regard
vicky
Re: ssh tunnel
2012/3/22 vicky mhe <ghie...@yahoo.com>:
> Dear debian
>
> i use ssh for tunnel this is my command
>
>   ssh -l vicky -L :192.168.21.2:22 118.97.247.242
>   18.97.xx.xx password:
>   Segmentation fault
>
> in my syslog/messages
>
>   kernel: [ 112.994103] ssh[2487]: segfault at b7e62000 ip b75d20cd sp bfbf5b3c error 4 in libcrypto.so.1.0.0[b7569000+1a3000]
>
> Best regard
> vicky

Hi,

Can you run the same command but in verbose mode?

  ssh -l vicky -L :192.168.21.2:22 118.97.247.242 -vv

Pay attention to the -vv option.

Best regards
--
Juan Sierra Pons j...@elsotanillo.net
Linux User Registered: #257202 http://www.elsotanillo.net
GPG key = 0xA110F4FE Key Fingerprint = DF53 7415 0936 244E 9B00 6E66 E934 3406 A110 F4FE
--
Archive: http://lists.debian.org/CABS=y9uhw32sVLNa7SYNC=-5u3kxjbsn98kesyn4tybdu1l...@mail.gmail.com
Re: How to apt-get over ssh tunnel through a firewall?
Mitchell Laks wrote:
> On 14:38 Fri 03 Oct , Celejar wrote:
>> On Fri, 3 Oct 2008 12:02:22 -0400
>>
>> There are several apt proxies available:
>>
>>   apt-cacher
>>   apt-cacher-ng
>>   apt-proxy
>>   approx
>>
>> [I use approx; various readers of this list have their own preferences.]
>>
>> Set up one of them on A, configure B-D's sources file appropriately, and your ssh procedure should work.
>
> thank you. I am familiar with apt-cacher, but not with approx which I can try. However, I think that does not solve my problem. For instance what if the A computer is running etch and B-D are running sid? How can I get B-D to get software that has not been installed on A?

This is not a problem with apt-proxy as to its clients it looks like a full mirror; however it only actually downloads the packages you use, so the first time you download a package it comes in at whatever speed it would if you downloaded it directly, but the second time it comes in at LAN speed. For testing I just used ssh tunnels to access my proxy and it works fine.

> Is there some smart way to set up a direct tunnel through A and tell apt-get to go through the tunnel itself, instead of using these caching methods which better serve other purposes? (For instance since B-D run sid, I can cache on one of them for the others.)

Easier than that, I have a pinhole in my firewall rules allowing access to port (the default apt-proxy port) but only to the IP of my apt-proxy from my 192.168.50.xx subnet to my 192.168.24.xx one; this allows wireless clients, my web server, and other less trusted clients to use the apt-proxy.

> what software-backbone/port is apt-get using to get the software? Are you familiar with setting up tunnels like
>
>   ssh -ND 8080 [EMAIL PROTECTED]
>
> ?
>
> Mitchell

To quote a previous post on the subject:

It's pretty cool to be able to perform net installs in a few minutes and updates are equally fast, after the first time. The only downside is it's a bit picky about its internet connection. I know that sounds weird but when I have it connected directly to the internet with no http proxy it stalls and doesn't work properly; when I have it behind a squid proxy it's happy as a sandboy.

A slightly nonstandard thing I've done is I've created a different section for each release, so instead of having

  deb http://192.168.24.99:/debian/ etch main
  deb http://192.168.24.99:/debian-security/ etch/updates main

or

  deb http://192.168.24.99:/debian/ lenny main
  deb http://192.168.24.99:/debian-security/ lenny/updates main

in my apt sources files I have

  deb http://192.168.24.99:/etch/ etch main
  deb http://192.168.24.99:/etch-security/ etch/updates main

or

  deb http://192.168.24.99:/lenny/ lenny main
  deb http://192.168.24.99:/lenny-security/ lenny/updates main

This is because apt-proxy will only hold a certain number of versions of any given package; although this number is configurable I found that sometimes stable packages were being pushed out by those from sid and testing. This way I've still got most of sarge in cache.
Re: How to apt-get over ssh tunnel through a firewall?
On Sun, Oct 05, 2008 at 04:02:21PM -0700, Steve Lamb wrote:
> Osamu Aoki wrote:
> > Run squid on A and let others access it. You need to set http_proxy environment variable or use apt.conf setting for all A,B,C. Then you save bandwidth.
>
> Or use apt-cache.

You must have meant apt-cacher. (I like squid approach though ... because it handles Debian archive design change more smoothly.)

Osamu
Re: How to apt-get over ssh tunnel through a firewall?
On Fri, Oct 03, 2008 at 12:02:22PM -0400, Mitchell Laks wrote:
> Now I know how to browse the internet on B-D by creating a ssh tunnel to A and utilizing the Iceweasel Browser settings to use a local Socks proxy.

This is untested, but if you change your sources.list to include something like:

  # /etc/apt/sources.list
  deb http://localhost:1080/debian/ stable main contrib non-free

and then open a tunnel:

  # from the command line
  ssh -fND 1080 machine_A

it should just work. If not, you can try something more complicated, like:

  # /etc/apt/sources.list
  deb http://localhost:32315/debian/ stable main contrib non-free

  # from the command line
  ssh -fN -L32315:localhost:32315 machineA 'ssh -fN -L32315:ftp.us.debian.org:80'

There's probably a better way to do this, but you asked specifically about ssh tunneling. Good luck!

-- 
Oh, look: rocks!
-- Doctor Who, Destiny of the Daleks
Re: How to apt-get over ssh tunnel through a firewall?
Osamu Aoki wrote:
> Run squid on A and let others access it. You need to set http_proxy environment variable or use apt.conf setting for all A,B,C. Then you save bandwidth.

Or use apt-cache.

-- 
Steve C. Lamb | But who can decide what they dream
PGP Key: 1FC01004 | and dream I do
Re: How to apt-get over ssh tunnel through a firewall?
On Fri, Oct 03, 2008 at 12:02:22 -0400, Mitchell Laks wrote:
> Hi,
> I have a number of debian machines that live behind a firewall. Debian Machine A is granted internet access and can browse the internet. However machines B-D were not granted internet access and live on the general internal network, and were originally installed with Debian by utilizing a private network with machine A 192.168.4.x, and getting internet access via NAT through A. Now machines B-D no longer live on the private network but can ssh into machine A.
>
> Now I know how to browse the internet on B-D by creating a ssh tunnel to A and utilizing the Iceweasel Browser settings to use a local Socks proxy.
>
> Can I do something similar with apt-get so that I can apt-get update and apt-get upgrade over ssh without physically moving the machines B-D to the private network 192.168.4.x with machine A?

Can you run a proxy on machine A? You can secure it very tightly, both via its own configuration and via your firewall, so that it only accepts local connections on machine A. Then you can do this on machines B-D:

  ssh -N -L 31280:localhost:3128 $HOSTNAME_OR_IP_OF_MACHINE_A

This will tunnel port 31280 on B-D to machine A, from where it will be forwarded to localhost (i.e. machine A itself) port 3128. This assumes that your proxy on A listens for local connections on port 3128 (the standard squid port). Then it will be as if the proxy was running on B-D listening on port 31280, so you can set http://localhost:31280 as the http_proxy variable on these machines.

If you cannot run a proxy on machine A then you can try to use tsocks on machines B-D:

  http://tsocks.sourceforge.net/

(Debian packages are available in main.)

-- 
Regards,| http://users.icfo.es/Florian.Kulzer
Florian |
Re: How to apt-get over ssh tunnel through a firewall?
You can use ssh but ...

On Fri, Oct 03, 2008 at 12:02:22PM -0400, Mitchell Laks wrote:
> Hi,
> I have a number of debian machines that live behind a firewall. Debian Machine A is granted internet access and can browse the internet. However machines B-D were not granted internet access and live on the general internal network, and were originally installed with Debian by utilizing a private network with machine A 192.168.4.x, and getting internet access via NAT through A. Now machines B-D no longer live on the private network but can ssh into machine A.
>
> Now I know how to browse the internet on B-D by creating a ssh tunnel to A and utilizing the Iceweasel Browser settings to use a local Socks proxy.

Yes.

> Can I do something similar with apt-get so that I can apt-get update and apt-get upgrade over ssh without physically moving the machines B-D to the private network 192.168.4.x with machine A?

Yes. But doing without ssh may be simpler and saves BW.

Run squid on A and let others access it. You need to set http_proxy environment variable or use apt.conf setting for all A,B,C. Then you save bandwidth.
Re: How to apt-get over ssh tunnel through a firewall?
On Fri, 3 Oct 2008 18:01:55 -0400
Mitchell Laks [EMAIL PROTECTED] wrote:

> On 14:38 Fri 03 Oct , Celejar wrote:
> > On Fri, 3 Oct 2008 12:02:22 -0400
> > There are several apt proxies available:
> >
> >   apt-cacher
> >   apt-cacher-ng
> >   apt-proxy
> >   approx
> >
> > [I use approx; various readers of this list have their own preferences.]
> > Set up one of them on A, configure B-D's sources file appropriately, and your ssh procedure should work.
>
> thank you. I am familiar with apt-cacher, but not with approx which I can try. However, I think that does not solve my problem. For instance what if the A computer is running etch and B-D are running sid? How can I get B-D to get software that has not been installed on A?

I'm pretty sure that it makes no difference what flavor A is running - I assume that A need not even run Debian! The apt sources lists of B-D will contain (with approx - I assume you can do similarly with the others) references to the flavor desired, and A will fetch any packages that are needed. My sources contain (on the machine that runs approx):

  deb http://localhost:/debian/ sid main non-free contrib
  deb http://localhost:/debian-multimedia sid main

> Is there some smart way to set up a direct tunnel through A and tell apt-get to go through the tunnel itself, instead of using these caching methods which better serve other purposes. (For instance since B-D run sid, I can cache on one of them for the others.
>
> what software-backbone/port is apt-get using to get the software?

apt can use an http proxy; see 'man apt.conf' for details. So you could set up one on A and configure B-D to tunnel in to it over ssh, but I think that you are misunderestimating the flexibility of the dedicated apt caching programs, as above.

> Mitchell

Celejar
-- 
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
How to apt-get over ssh tunnel through a firewall?
Hi,

I have a number of debian machines that live behind a firewall. Debian Machine A is granted internet access and can browse the internet. However machines B-D were not granted internet access and live on the general internal network, and were originally installed with Debian by utilizing a private network with machine A 192.168.4.x, and getting internet access via NAT through A. Now machines B-D no longer live on the private network but can ssh into machine A.

Now I know how to browse the internet on B-D by creating a ssh tunnel to A and utilizing the Iceweasel Browser settings to use a local Socks proxy.

Can I do something similar with apt-get so that I can apt-get update and apt-get upgrade over ssh without physically moving the machines B-D to the private network 192.168.4.x with machine A?

thanks,
mitchell
Re: How to apt-get over ssh tunnel through a firewall?
On Fri, 3 Oct 2008 12:02:22 -0400
Mitchell Laks [EMAIL PROTECTED] wrote:

> Hi,
> I have a number of debian machines that live behind a firewall. Debian Machine A is granted internet access and can browse the internet. However machines B-D were not granted internet access and live on the general internal network, and were originally installed with Debian by utilizing a private network with machine A 192.168.4.x, and getting internet access via NAT through A. Now machines B-D no longer live on the private network but can ssh into machine A.
>
> Now I know how to browse the internet on B-D by creating a ssh tunnel to A and utilizing the Iceweasel Browser settings to use a local Socks proxy.
>
> Can I do something similar with apt-get so that I can apt-get update and apt-get upgrade over ssh without physically moving the machines B-D to the private network 192.168.4.x with machine A?

There are several apt proxies available:

  apt-cacher
  apt-cacher-ng
  apt-proxy
  approx

[I use approx; various readers of this list have their own preferences.]

Set up one of them on A, configure B-D's sources file appropriately, and your ssh procedure should work.

> thanks,
> mitchell

Celejar
-- 
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
Re: How to apt-get over ssh tunnel through a firewall?
On 14:38 Fri 03 Oct , Celejar wrote:
> On Fri, 3 Oct 2008 12:02:22 -0400
> There are several apt proxies available:
>
>   apt-cacher
>   apt-cacher-ng
>   apt-proxy
>   approx
>
> [I use approx; various readers of this list have their own preferences.]
> Set up one of them on A, configure B-D's sources file appropriately, and your ssh procedure should work.

thank you. I am familiar with apt-cacher, but not with approx which I can try. However, I think that does not solve my problem. For instance what if the A computer is running etch and B-D are running sid? How can I get B-D to get software that has not been installed on A?

Is there some smart way to set up a direct tunnel through A and tell apt-get to go through the tunnel itself, instead of using these caching methods which better serve other purposes. (For instance since B-D run sid, I can cache on one of them for the others.

what software-backbone/port is apt-get using to get the software? Are you familiar with setting up tunnels like ssh -ND 8080 [EMAIL PROTECTED] ?

Mitchell

> thanks,
> mitchell
>
> Celejar
> -- 
> mailmin.sourceforge.net - remote access via secure (OpenPGP) email
> ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
Re: smtp through a ssh tunnel to exim4 or other MTA
On Sun, Mar 11, 2007 at 10:29:28 -0700, [EMAIL PROTECTED] wrote:
> Wed, 28 Feb 2007 17:21:33 -0500, Roberto C. Sanchez said,
> > Do you have ssh access to P[machine belonging to ISP]? Were you planning on tunneling?
>
> This is my configuration for sending mail from home. SSH is not needed on my LAN. This works with no problem.
>
>   Oberon MUA at home ==LAN== exim4 at home ==WAN== ISP
>
> This is the trial configuration for sending mail from a remote location, most commonly from work.
>
>   Remote Oberon MUA ==ssh tunnel== exim4 at home ==WAN== ISP
>
> It fails. exim4 appears to reject the ssh connection for relaying. Someone please tell me how to coerce exim4 into relaying a message submitted through a ssh tunnel.
>
> Where is the exim4 configuration stored? I have /etc/exim4/exim4.conf.template but no /etc/exim4/exim4.conf .

I cannot help you with exim4 configuration details, but I think that maybe you just need to set up the ssh tunnel correctly. To do this for mailhost.tld I have been successful with

  smtp-forward='ssh -N -L 2525:localhost:25 mailhost.tld'

to forward my local port 2525 to port 25 of the mail host. Then I set up my local MUA to use the smtp server at localhost:2525 and everything worked. On the other hand, if I used

  smtp-forward='ssh -N -L 2525:mailhost.tld:25 mailhost.tld'

it would be treated as an external connection by the mail host and the mail was rejected. Could this be the problem with your setup?

Another possible solution is to run the sendmail command on the mailhost via ssh and to feed your mail to it. I can tell you how to do that if this is an option for you. (It depends on whether your local MUA can be set up to use a redefined sendmail command.) This approach can also help if your local machine is on a dynamic IP that is in some spam blacklists, because the ssh approach makes sure that this bad IP address does not show up in the email header.

-- 
Regards, Florian
smtp through a ssh tunnel to exim4 or other MTA
Wed, 28 Feb 2007 17:21:33 -0500, Roberto C. Sanchez said,
> Do you have ssh access to P[machine belonging to ISP]? Were you planning on tunneling?

This is my configuration for sending mail from home. SSH is not needed on my LAN. This works with no problem.

  Oberon MUA at home ==LAN== exim4 at home ==WAN== ISP

This is the trial configuration for sending mail from a remote location, most commonly from work.

  Remote Oberon MUA ==ssh tunnel== exim4 at home ==WAN== ISP

It fails. exim4 appears to reject the ssh connection for relaying. Someone please tell me how to coerce exim4 into relaying a message submitted through a ssh tunnel.

Where is the exim4 configuration stored? I have /etc/exim4/exim4.conf.template but no /etc/exim4/exim4.conf .

Thanks,
... Peter E.

Desktops.OpenDoc http://carnot.pathology.ubc.ca/
ssh-tunnel
Moin

I am currently trying my hand at ssh tunnels. Starting point:

- host1 has an ssh connection to host2
- host2 has an ssh connection to host3
- host2 does not act as a router.

Now I am trying to build myself an ssh tunnel from host2 to host3, to make life a bit easier, especially with scp:

  host1 $ ssh -g -L 2061:host3:22 host2

I then get this message from the host:

  bind: Address already in use

After that I am in a shell on host2.

Can someone tell me what I am doing wrong here? In the end my tunnel is supposed to get a bit longer still and pass other protocols (http, https) through.

Thanks and regards
Rüdiger

-- 
Frequently asked questions and answers (FAQ): http://www.de.debian.org/debian-user-german-FAQ/
To UNSUBSCRIBE send a mail to [EMAIL PROTECTED] with the subject unsubscribe. Problems? Mail to [EMAIL PROTECTED] (engl.)
Re: ssh-tunnel
On Mon, Oct 09, 2006 at 10:44:45AM +0200, Rüdiger Noack wrote:
> I am currently trying my hand at ssh tunnels. Starting point:
>
> - host1 has an ssh connection to host2
> - host2 has an ssh connection to host3
> - host2 does not act as a router.
>
> Now I am trying to build myself an ssh tunnel from host2 to host3, to make life a bit easier, especially with scp:
>
>   host1 $ ssh -g -L 2061:host3:22 host2
>
> I then get this message from the host:
>
>   bind: Address already in use

I have not understood this message yet.

> After that I am in a shell on host2.

Sure.

> Can someone tell me what I am doing wrong here? In the end my tunnel is supposed to get a bit longer still and pass other protocols (http, https) through.

But everything is correct. If you now start an ssh client on host1 that connects to host1 port 2061, the connection is tunnelled through to host2, which then opens an ssh connection to host3 that belongs to the ssh on host1.

I no longer know the syntax of the ssh options by heart. I am just wondering what you actually mean by the above.

> Now I am trying to build myself an ssh tunnel from host2 to host3, to make life a bit easier, especially with scp:

If data is to be tunnelled from host2 to host3, you have to start ssh on host2 with host3 as the target, and specify which port is to be tunnelled and where host3 should forward the data to. So, for example, if the syntax above is right:

  host2 $ ssh -g -L 2062:zielhost:22 host3

That tunnels data from host2:2062 to the sshd on host3, which then opens a connection to zielhost:22 and passes the data on there. So once the tunnel is up you can, from any machine in host2's network, i.e. from any machine that can reach host2, open an ssh connection to zielhost in any network with the command

  [EMAIL PROTECTED] ssh host2:2062

provided the syntax for the port specification is right, because I have not looked that up.

All the best
Helmut H. Franke

-- 
Avatar Chat Systeme: http://www.amiculi.net http://pgm.amoris.org
Re: ssh-tunnel
Helmut Franke wrote:
> On Mon, Oct 09, 2006 at 10:44:45AM +0200, Rüdiger Noack wrote:
> > Starting point:
> >
> > - host1 has an ssh connection to host2
> > - host2 has an ssh connection to host3
> > - host2 does not act as a router.
> >
> >   host1 $ ssh -g -L 2061:host3:22 host2
>
> But everything is correct.

Almost; thanks for your explanation. I had thought I could build the tunnel in the background.

And my correction to the tunnel setup:

  host2 $ ssh -g -L 2061:host3:22 host3

Rüdiger
Re: ssh-tunnel
Rüdiger Noack:
> Almost; thanks for your explanation. I had thought I could build the tunnel in the background.

That does work:

  ssh -N -f -L ...

J.
-- 
Driving behind lorries carrying hazardous chemicals makes me wish for a simpler life.
[Agree] [Disagree] http://www.slowlydownward.com/NODATA/data_enter2.html
gnome cups through ssh tunnel
Hi all,

I wish to be able to print to printers on a remote cups server from gnome applications. I figured I could just create an ssh tunnel like this:

  $ ssh -L 1631:localhost:631 [EMAIL PROTECTED]

then set the cups server to localhost:1631 in /etc/cups/client.conf

But no printers appear in the gnome printer admin app. It does work if I create the tunnel as root and bind to the privileged port 631.

Does anybody have any suggestions?

cheers

dc

-- 
David Purton
[EMAIL PROTECTED]

For the eyes of the LORD range throughout the earth to strengthen those whose hearts are fully committed to him. 2 Chronicles 16:9a
Re: Relay over SSH tunnel with Postfix?
On Sat, 2006-04-22 at 20:55 +0100, Magnus Therning wrote:
> On Fri, Apr 21, 2006 at 01:58:45PM -0400, Roberto C. Sanchez wrote:
> > You could try `ssh -L 25:localhost:25 [EMAIL PROTECTED]
> >
> > Of course, that requires that you be root. If that will not work, use port 2525 on the first part of the tunnel specification and then configure your MUA to use port 2525 on localhost.
>
> Yes, I've tried that and it works fine, now I want to automate it. Ideally the tunnel would be created on demand, when postfix needs to flush its spool. Can I do that?

I'm not familiar with Postfix, but in Exim, you can create a simple router that does this. You'll need to set up public-key authentication for password-less logins to the remote box.

This needs to be somewhere before the primary router configuration in the exim config:

  # ssh_remote:
  debug_print = R: ssh_remote for [EMAIL PROTECTED]
  driver = redirect
  domains = ! +local_domains
  senders = [EMAIL PROTECTED]
  pipe_transport = address_pipe
  user = local_user
  data = | ssh -C -l remote_user /usr/sbin/sendmail -bm [EMAIL PROTECTED]
  no_more
  #-

The following values need to be replaced with their appropriate values:

  mydomain : the real domain (example.com)
  local_user : the user on the local machine that will be running the ssh machine (this is the user whose public key will need to be on the remote account's ~/.ssh/authorized_keys)
  remote_user : the user on the remote machine

The line

  senders = [EMAIL PROTECTED]

is optional. It qualifies that this router is used only if the sender address has the domain mydomain. If you wish to relay for all senders, then you can comment it out.

Casey
Re: Relay over SSH tunnel with Postfix?
On Fri, Apr 21, 2006 at 01:58:45PM -0400, Roberto C. Sanchez wrote:
> Magnus Therning wrote:
> > Currently I'm experiencing some problems with sending emails from work. The mail server seems to let through some emails, but not all. Most irritating of all, emails to this list don't seem to reach the list :-(
> >
> > This has given me enough incentive to look into solutions that would let me send emails without going through the flaky mail servers at work. What I was considering was a setup with a local postfix relaying email over an SSH tunnel to a server.
> >
> > Does anyone know any good resource for this (besides Google, please :-)?
> >
> > /M
>
> You could try `ssh -L 25:localhost:25 [EMAIL PROTECTED]
>
> Of course, that requires that you be root. If that will not work, use port 2525 on the first part of the tunnel specification and then configure your MUA to use port 2525 on localhost.

Yes, I've tried that and it works fine, now I want to automate it. Ideally the tunnel would be created on demand, when postfix needs to flush its spool. Can I do that?

/M

-- 
Magnus Therning (OpenPGP: 0xAB4DFBA4)
[EMAIL PROTECTED] http://therning.org/magnus

Software is not manufactured, it is something you write and publish. Keep Europe free from software patents, we do not want censorship by patent law on written works.

Beauty is more important in computing than anywhere else in technology because software is so complicated. Beauty is the ultimate defence against complexity.
-- David Gelernter
Relay over SSH tunnel with Postfix?
Currently I'm experiencing some problems with sending emails from work. The mail server seems to let through some emails, but not all. Most irritating of all, emails to this list don't seem to reach the list :-(

This has given me enough incentive to look into solutions that would let me send emails without going through the flaky mail servers at work. What I was considering was a setup with a local postfix relaying email over an SSH tunnel to a server.

Does anyone know any good resource for this (besides Google, please :-)?

/M

-- 
Magnus Therning (OpenPGP: 0xAB4DFBA4)
[EMAIL PROTECTED] http://therning.org/magnus

Software is not manufactured, it is something you write and publish. Keep Europe free from software patents, we do not want censorship by patent law on written works.

And a government of the people, by the people and for the people will not enact laws that support DRM in any way.
-- Richard M. Stallman on DCMA and DRM, ANU talk
Re: Relay over SSH tunnel with Postfix?
Magnus Therning wrote:
> Currently I'm experiencing some problems with sending emails from work. The mail server seems to let through some emails, but not all. Most irritating of all, emails to this list don't seem to reach the list :-(
>
> This has given me enough incentive to look into solutions that would let me send emails without going through the flaky mail servers at work. What I was considering was a setup with a local postfix relaying email over an SSH tunnel to a server.
>
> Does anyone know any good resource for this (besides Google, please :-)?
>
> /M

You could try `ssh -L 25:localhost:25 [EMAIL PROTECTED]

Of course, that requires that you be root. If that will not work, use port 2525 on the first part of the tunnel specification and then configure your MUA to use port 2525 on localhost.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto
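The smtp, cups and apt threads above all hinge on the same two properties of an `ssh -L` forward: whether the client-side listening port needs root (25 and 631 do, 2525, 1631 and 31280 do not), and which source address the service at the far end sees, which is what decided whether Florian's `-L 2525:localhost:25` was relayed while `-L 2525:mailhost.tld:25` was treated as external. The following is an added example, not code from any of the posts: it parses a `-L` spec, models the last hop made by the server's sshd, and applies an Exim-style `relay_from_hosts` list. The address 203.0.113.10 is a constructed stand-in for what `mailhost.tld` would resolve to, and the model assumes the `-L` destination names either loopback or the sshd server itself.

```python
"""Model of what an `ssh -L` forward looks like from the far end.

Added example for the smtp/postfix/cups/apt tunnel threads; not code from
any of the posts.  It parses the -L spec, flags privileged bind ports, and
predicts the source address the destination service sees, which is what an
MTA's relay policy keys on.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class LocalForward:
    bind_address: Optional[str]   # None -> ssh default (loopback only, unless -g)
    port: int                     # listening port on the client
    host: str                     # destination, resolved by sshd on the server
    hostport: int                 # destination port


def parse_local_forward(spec: str) -> LocalForward:
    """Parse the argument of `ssh -L`: [bind_address:]port:host:hostport.
    Bracketed IPv6 literals are not handled; the threads use hostnames only."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"bad -L spec: {spec!r}")
    return LocalForward(bind or None, int(port), host, int(hostport))


def needs_root(fw: LocalForward) -> bool:
    """Binding a client port below 1024 (`-L 25:localhost:25`, `-L 631:...`)
    needs root; a high port such as 2525 or 1631 does not."""
    return fw.port < 1024


LOOPBACK_NAMES = ("localhost", "127.0.0.1", "::1")


def apparent_source(fw: LocalForward, server_addr: str) -> str:
    """Source address the destination service sees.

    The last hop is made by sshd on the server.  A destination of localhost is
    reached over the loopback interface, so the service sees 127.0.0.1.  A
    destination that is the server's own public name is routed like any other
    outbound connection and carries the server's routable address, so the
    service treats it as an external client.  `server_addr` is assumed to be
    what the server's public hostname resolves to (constructed in the demo)."""
    if fw.host in LOOPBACK_NAMES:
        return "127.0.0.1"
    return server_addr


def relay_allowed(source: str, relay_from_hosts: Sequence[str]) -> bool:
    """Exim-style relay_from_hosts check: relay if the source address lies in
    any listed host or CIDR network."""
    src = ipaddress.ip_address(source)
    return any(src in ipaddress.ip_network(entry, strict=False)
               for entry in relay_from_hosts)


def plan(spec: str, server_addr: str,
         relay_from_hosts: Sequence[str] = ("127.0.0.1/32",)) -> dict:
    """Summarise a forward: privilege needed on the client, what the far end
    sees, and whether a loopback-only relay policy would accept it."""
    fw = parse_local_forward(spec)
    src = apparent_source(fw, server_addr)
    return {
        "needs_root": needs_root(fw),
        "seen_from": src,
        "relay_ok": relay_allowed(src, relay_from_hosts),
    }


if __name__ == "__main__":
    # 203.0.113.10 is a constructed documentation-range address for mailhost.tld.
    for spec in ("2525:localhost:25", "2525:mailhost.tld:25", "25:localhost:25"):
        print(spec, plan(spec, "203.0.113.10"))
```

The same model explains the cups and apt cases: `-L 1631:localhost:631` and `-L 31280:localhost:3128` both arrive at the far-end daemon from 127.0.0.1, which is why a cups or squid instance restricted to local connections still answers them, while the client-side port stays unprivileged.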
Re: HOWTO reverse proxy through an internal-server-initiated ssh tunnel?
On 5/23/05, Josh Rehman [EMAIL PROTECTED] wrote:
> On 5/23/05, André Carezia [EMAIL PROTECTED] wrote:
> > No. Look for AllowTcpForwarding in /etc/ssh/sshd_config.
>
> I don't have permission to read that file - I'll contact the sysadmin. Thanks.

Turns out that my hosting service has disallowed usage of TCP forwarding for security concerns. Not sure what those concerns are. I may still be able to get them to turn it on though.

André, your help was great - I wouldn't have known what to ask without you. Thanks again.

-- 
It seemed to them that they did little but eat and drink and rest, and walk among the trees; and it was enough.
- J.R.R. Tolkien, The Lord of the Rings, The Mirror of Galadriel
Re: HOWTO reverse proxy through an internal-server-initiated ssh tunnel?
Josh Rehman wrote:
> On 5/22/05, André Carezia [EMAIL PROTECTED] wrote:
> > ssh -R 8080:localhost:80 [EMAIL PROTECTED]
>
> My apologies, I should have mentioned that that was what I tried. Here is the result:
>
>   external$ telnet localhost 8080

You can't connect directly from external address. You have to connect to web server (on another port) and use ProxyPass to port 8080.

-- 
André Carezia
Eng. de Telecomunicações
Carezia Consultoria - www.carezia.eng.br
Re: HOWTO reverse proxy through an internal-server-initiated ssh tunnel?
Josh Rehman wrote:
> On 5/22/05, André Carezia [EMAIL PROTECTED] wrote:
> > ssh -R 8080:localhost:80 [EMAIL PROTECTED]
>
> My apologies, I should have mentioned that that was what I tried. Here is the result:
>
>   external$ telnet localhost 8080
>   Trying 127.0.0.1...
>   telnet: connect to address 127.0.0.1: Connection refused

try telnet host 8080 not localhost
Re: HOWTO reverse proxy through an internal-server-initiated ssh tunnel?
Josh Rehman wrote:
> [...]
> Does mod_proxy have some sort of privileged access to ssh tunnels? Are you saying that my simple telnet test cannot work ever?

Please send your replies to the list.

> internal$ [start server on 8080]
> internal$ [make sure server is listening]
> internal$ ssh -R 8080:localhost:8080 [EMAIL PROTECTED]
> external$ telnet localhost 8080
> Connection Refused...

It should work. Must be some non-default configuration in your provider.

-- 
André Carezia
Eng. de Telecomunicações
Carezia Consultoria - www.carezia.eng.br
Re: HOWTO reverse proxy through an internal-server-initiated ssh tunnel?
On 5/23/05, André Carezia [EMAIL PROTECTED] wrote:
> Josh Rehman wrote:
> > [...]
> > Does mod_proxy have some sort of privileged access to ssh tunnels? Are you saying that my simple telnet test cannot work ever?
>
> Please send your replies to the list.

Of course. Gmail Reply does not work correctly with this list, apparently. I should have checked it.

> > internal$ [start server on 8080]
> > internal$ [make sure server is listening]
> > internal$ ssh -R 8080:localhost:8080 [EMAIL PROTECTED]
> > external$ telnet localhost 8080
> > Connection Refused...
>
> It should work. Must be some non-default configuration in your provider.

I agree. However I'm not sure how to look deeper into my provider's configuration. I'm thinking that some usage of either ps or netstat could tell me what's going on.

Thanks for your kind help.
Re: HOWTO reverse proxy through an internal-server-initiated ssh tunnel?
Josh Rehman wrote:
> [...]
> I agree. However I'm not sure how to look deeper into my provider's configuration. I'm thinking that some usage of either ps or netstat could tell me what's going on.

No. Look for AllowTcpForwarding in /etc/ssh/sshd_config.

-- 
André Carezia
Eng. de Telecomunicações
Carezia Consultoria - www.carezia.eng.br
Re: HOWTO reverse proxy through an internal-server-initiated ssh tunnel?
On 5/23/05, André Carezia [EMAIL PROTECTED] wrote:
> No. Look for AllowTcpForwarding in /etc/ssh/sshd_config.

I don't have permission to read that file - I'll contact the sysadmin. Thanks.
HOWTO reverse proxy through an internal-server-initiated ssh tunnel?
I would like to expose a web server running on a personal laptop elegantly and securely. This laptop is not always connected at the same point, so a static IP will not do. I am also familiar with dynamic dns, however my laptop will sometimes be behind firewalls over which I have no control.

A solution which I believe is quite elegant involves ssh'ing from the laptop to my external, statically IP'd host. I would then need to notify the externally running httpd that a tunnel is now available, and then use something like the ProxyPass directive to seamlessly forward client requests to the laptop.

So far I have been unsuccessful in getting this to work - using wget on the external server I get a connection refused. I have found a variety of web sites on mod_proxy, ssh tunneling. I have even found some sites that describe (sort of) how to proxy over a tunnel initiated by the external host.

It would be handy to know how to do some low-level network troubleshooting. I am familiar with netstat but I'm not sure what I'm looking for. The external host should have local port 8080 open. Somehow, sshd causes this to happen when ssh connects with certain command line parms. I'm not sure how to check this apart from connecting and running wget http://localhost:8080 and hoping it hits my laptop.

If this works, I think the method would be very useful for many debian users wanting to expose their own services behind an inexpensive web hosting provider. The benefits over DDNS are several.

Kind regards,
Josh

-- 
It seemed to them that they did little but eat and drink and rest, and walk among the trees; and it was enough.
- J.R.R. Tolkien, The Lord of the Rings, The Mirror of Galadriel
Re: HOWTO reverse proxy through an internal-server-initiated ssh tunnel?
Josh Rehman wrote:
> A solution which I believe is quite elegant involves ssh'ing from the laptop to my external, statically IP'd host. I would then need to notify the externally running httpd that a tunnel is now available, and then use something like the ProxyPass directive to seamlessly forward client requests to the laptop.

ssh -R 8080:localhost:80 [EMAIL PROTECTED]

-- 
André Carezia
Eng. de Telecomunicações
Carezia Consultoria - www.carezia.eng.br
Re: HOWTO reverse proxy through an internal-server-initiated ssh tunnel?
On 5/22/05, André Carezia [EMAIL PROTECTED] wrote:
> ssh -R 8080:localhost:80 [EMAIL PROTECTED]

My apologies, I should have mentioned that that was what I tried. Here is the result:

  external$ telnet localhost 8080
  Trying 127.0.0.1...
  telnet: connect to address 127.0.0.1: Connection refused

I tried with and without compression and trying some other options. I'm not sure how to troubleshoot past this. I suspect I could glean some information from either sshd or stunnel or perhaps the netstat output but I am at a loss.
Re: HOWTO reverse proxy through an internal-server-initiated ssh tunnel?
I also tried other ports but without success.

-- 
It seemed to them that they did little but eat and drink and rest, and walk among the trees; and it was enough.
- J.R.R. Tolkien, The Lord of the Rings, The Mirror of Galadriel
ssh and X11 forwarding over an ssh tunnel
Hello,

I am trying, without success, to open an ssh connection with X11Forwarding through an SSH tunnel to another machine that only allows ssh.

On the target machine the ssh config looks like this:

    ~:1 grep -v '#' /etc/ssh/sshd_config | sort -u
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_rsa_key
    HostbasedAuthentication no
    IgnoreRhosts yes
    KeepAlive yes
    KeyRegenerationInterval 3600
    LogLevel INFO
    LoginGraceTime 600
    PasswordAuthentication no
    PermitEmptyPasswords no
    PermitRootLogin yes
    Port 22
    PrintLastLog yes
    PrintMotd no
    Protocol 2
    PubkeyAuthentication yes
    RSAAuthentication yes
    RhostsRSAAuthentication no
    ServerKeyBits 768
    StrictModes yes
    Subsystem sftp /usr/lib/sftp-server
    SyslogFacility AUTH
    UsePAM yes
    UsePrivilegeSeparation yes
    X11DisplayOffset 10
    X11Forwarding yes

ssh without -X works to this machine. It cannot be the tunnel either, because over the same tunnel I do get a connection with X11Forwarding to another Linux box (not Debian).

My entry in $HOME/.ssh/config:

    Host gate
    User weiss
    HostName gate.tunnel.de
    LocalForward 8025 mail.tunnel.de:25
    LocalForward 8119 news.tunnel.de:119
    LocalForward 8143 imap.tunnel.de:143
    LocalForward 8022 italy.tunnel.de:22
    ForwardX11 yes

    Host italy
    User weiss
    HostName tunnel.client.de
    ForwardX11 yes
    port 8022

When I activate the ssh session gate and then do an ssh -p 8022 tunnel.client.de, the connection is set up, but no X11 forwarding is established. The corresponding ssh -vvv excerpt looks like this:

    [...]
    debug3: tty_make_modes: 93 0
    debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-5e7YacUOWz/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
    debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-5e7YacUOWz/xauthfile list :0.0 . 2>/dev/null
    debug1: Requesting X11 forwarding with authentication spoofing.
    debug2: channel 0: request x11-req
    debug2: channel 0: request shell
    debug2: fd 3 setting TCP_NODELAY
    debug2: callback done
    debug2: channel 0: open confirm rwindow 0 rmax 32768
    debug2: channel 0: rcvd adjust 131072
    Linux italy 2.6.7-1-386 #1 Thu Jul 8 05:08:04 EDT 2004 i686 GNU/Linux
    The programs included with the Debian GNU/Linux system are free software;
    [...]

The xauthfile in /tmp is not created.

Does anyone have an idea?

TIA
--
Peter

--
[EMAIL PROTECTED]        ConSol* Software GmbH    Phone +49 89 45841-100
Consulting Solutions     Mobile +49 177 6040121
Franziskanerstr. 38      http://www.consol.de     D-81669 München

--
Frequently asked questions and answers (FAQ): http://www.de.debian.org/debian-user-german-FAQ/
To UNSUBSCRIBE, send a mail to [EMAIL PROTECTED] with the subject unsubscribe. Problems? Mail to [EMAIL PROTECTED] (English)
rsync auth and ssh tunnel won't work
Backup of a Windows machine with RSYNC and SSH, and a problem with authentication

For the backup we use cwRsync and copssh from Itefix for Windows, and on the backup server Linux with rsync and OpenSSH is used. All the latest stable versions.

A preliminary remark: copying with rsync between the machines works, with the rsync server service (daemon) on the Windows machine. SSH communication works too. But because of a bug in the Windows version of SSH that is used by cygwin and by copssh (itefix), we have to choose a variant over an SSH tunnel when copying over the Internet (and no VPN is available).

It is also important that operation is automated. So all solutions that require user intervention are out. A further condition is that the backup server *fetches the data from the Windows machine*, rather than having data sent to it the other way round.

We open an SSH tunnel with:

    ssh -L 4711:localhost:873 -i sshPrivKey [EMAIL PROTECTED]

sshPrivKey is a valid private key for the user backup. The public key is installed on 192.168.100.19, and the SSH tunnel is also set up correctly (you get a shell on the target system). If the ssh parameters -f -N are added, the tunnel also runs nicely in the background.

I had tested the system successfully. With

    rsync -r -t rsync://localhost:4711/testshare /tmp/ws19/

the data of the rsync share testshare was copied to /tmp/ws19/. This requires running an rsync server service on the Windows machine. To secure it to some degree, auth users and secrets file are used there in rsyncd.conf:

    auth users = backup
    secrets file = rsyncsecrets

(rsyncsecrets contains user:password in clear text). The rsync command additionally gets the option:

    --password-file=winRsyncPW

(but for testing it also works with entering the password on the command line), and then it no longer works.

The message

    @ERROR: auth failed on module testshare
    rsync: connection unexpectedly closed (92 bytes read so far)
    rsync error: error in rsync protocol data stream (code 12) at io.c(342)

appears on the Linux server, and the message:

    127.0.0.1 is not a known address for pcname: spoofed address?
    auth failed on module testshare from unknown (127.0.0.1)

The first line only appears for me on the Windows 2000 server, which has a FAT32 partition. On the Windows XP Prof. machine only the lower error message appears. On the FAT system the files are always world-readable, so I have set strict modes to false there.

And back again: as soon as I remove the entry auth users = backup, everything works.

Does anyone know about this?

Manfred
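For the rsync daemon behind the `-L 4711:localhost:873` tunnel, two things are worth checking before blaming the Windows side: the daemon user in the URL (rsync sends the local login name when the URL carries no `user@` part, and `auth users = backup` only accepts `backup`), and the password file itself, which rsync refuses outright if it is readable by others. The script below is an added example, not code from the post: it validates the password file, opens the tunnel with `ExitOnForwardFailure`, and pulls the module through it. Host, ports, module, key and file names are the post's placeholders, and `DAEMON_USER` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the post: pull a share from an rsync daemon
# through an ssh tunnel, with the checks that make "auth failed" explainable.
# WIN_HOST, TUNNEL_PORT, MODULE, DEST, PW_FILE and sshPrivKey are placeholders
# taken from the post; adjust them for your setup.
WIN_HOST="${WIN_HOST:-backup@192.168.100.19}"
TUNNEL_PORT="${TUNNEL_PORT:-4711}"
DAEMON_USER="${DAEMON_USER:-backup}"   # must be listed in the daemon's "auth users"
MODULE="${MODULE:-testshare}"
DEST="${DEST:-/tmp/ws19/}"
PW_FILE="${PW_FILE:-winRsyncPW}"

# file_mode FILE -> permission bits in octal (GNU stat first, then BSD stat)
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_password_file FILE: rsync rejects a --password-file that "other" can
# access ("password file must not be other-accessible"), so a world-readable
# file fails before any password is sent.  The password must be on the first
# line; a carriage return left by a Windows editor is invisible in most
# viewers and easy to mistake for a wrong password, so it is flagged too.
check_password_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    case "$(file_mode "$f")" in
        *0) ;;
        *)  echo "$f: accessible by others, run: chmod 600 $f" >&2; return 1 ;;
    esac
    [ -n "$(head -n 1 "$f")" ] || { echo "$f: first line is empty" >&2; return 1; }
    if [ "$(tr -cd '\r' < "$f" | wc -c | tr -d ' ')" != 0 ]; then
        echo "$f: contains carriage returns (CRLF line endings?)" >&2; return 1
    fi
    return 0
}

# pull: open the tunnel in the background, then fetch the module through it.
pull() {
    check_password_file "$PW_FILE" || return 1
    # -f -N: go to the background once the forward is up, run no remote shell.
    # ExitOnForwardFailure turns a refused -L bind into an ssh error instead of
    # a later, unexplained "connection refused" from rsync.
    ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -i sshPrivKey -L "127.0.0.1:${TUNNEL_PORT}:localhost:873" "$WIN_HOST" || return 1
    # The daemon user goes in the URL; without it rsync sends the local login
    # name, which will not match "auth users = backup".  On the daemon side,
    # "hosts allow = 127.0.0.1" limits the module to tunnelled clients, since
    # every forwarded connection arrives from loopback.
    rsync -r -t --password-file="$PW_FILE" \
        "rsync://${DAEMON_USER}@localhost:${TUNNEL_PORT}/${MODULE}" "$DEST"
}

# usage: sh pull.sh run
if [ "${1:-}" = run ]; then pull; fi
```

The same permission rule applies on the daemon side: with `strict modes` on, rsyncd ignores a `secrets file` that others can read, which is why the post had to turn it off on the FAT32 machine. Keeping the secrets file on an NTFS volume, where a restrictive ACL is possible, lets `strict modes` stay on.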
Re: ssh tunnel and firewall rules
Hi,

> the external machine is called extern and has IP number 1.2.3.4
> the web server is called server and has two network cards, 192.168.10.1 and 5.6.7.8; the latter (5.6.7.8) is a static IP out towards the Internet.
> the firewall on server allows the outside world to connect to port 80 for www connections and to port 21 for ssh, but nothing else.
> the web server has a virtual alias that apache listens to on port 3000.
> when extern sets up a tunnel there is no problem... but when the browser on extern tries to connect to localhost:4000 and is tunnelled to port 3000 on the server, the firewall will put a stop to it.
> One can of course solve the problem by making an accept rule for precisely IP number 1.2.3.4, but then you have to do that for every new IP number. I would like a solution where it does not matter what my IP number is; what decides whether the traffic is allowed should be whether I can identify myself through the ssh tunnel.

How did you come to the conclusion that such an extra rule is needed? The traffic to the web server should come either from 5.6.7.8, 127.0.0.1 or 192.168.10.1 (depending a bit on chance and on how you set up your ssh tunnel, i.e. what name/address you give with -L).

/Pontus
--
Pontus Freyhult, see URL:http://soua.net/ for more information.
Re: ssh tunnel and firewall rules
Thomas Nyman [EMAIL PROTECTED] writes:
> I came to that conclusion as follows: if I am behind the firewall it works fine to access the page via the ssh tunnel, but if I am outside the firewall it does not work. If, on the other hand, I explicitly allow e.g. 1.2.3.4 to access port x (i.e. dport x) in my iptables script, then it works fine outside the firewall.

That really does not sound like you are using the tunnel in that case. If you run tcpdump, do you see packets on those ports going out from 1.2.3.4? Coming in on 5.6.7.8?

(It would probably also help if you could show your command line, and it is always good not to obfuscate unless you really have to.)

/Pontus
--
Pontus Freyhult, see URL:http://soua.net/ for more information.
Re: ssh tunnel and firewall rules
Hi

The command line is

    ssh -i identititet -L 8080:webserver.com:4 [EMAIL PROTECTED]

I have no tcpdump to send right now, but I have checked the whole thing and the tunnel is established. If, for example, I am at a place that uses masquerading, where all local machines have IPs in the range 192.168.10.11-192.168.10.15, and I add those IPs to my hosts file and to my firewall script, then the tunnel works from the outside. From this I can conclude that the tunnel is established and works as it should, i.e. packets from localhost are tunnelled to the web server.

I am thinking, though, that one might be able to solve the question by specifying a MAC address instead of an IP address in the firewall script, but I don't really know how one specifies MAC addresses... but maybe you know? Then one would have a rule that allows e.g. all traffic from a certain given MAC address... but even better would be if I could arrange that when I establish a tunnel the source IP is given as the IP number I would have had if I were behind the firewall, but as far as I can understand that is a technical impossibility, since all responses would end up in the wrong place, i.e. not reach my machine. Messy, this, isn't it :)

As for obfuscating... it is not so much a question of that as of having an intranet that is reachable over the Internet, but only through an ssh public-key connection. If there are equally secure methods I am not against using them, as long as I know how.

On 2004-11-02 at 12.24, Pontus Freyhult wrote:
> Thomas Nyman [EMAIL PROTECTED] writes:
> > I came to that conclusion as follows: if I am behind the firewall it works fine to access the page via the ssh tunnel, but if I am outside the firewall it does not work. If, on the other hand, I explicitly allow e.g. 1.2.3.4 to access port x (i.e. dport x) in my iptables script, then it works fine outside the firewall.
>
> That really does not sound like you are using the tunnel in that case. If you run tcpdump, do you see packets on those ports going out from 1.2.3.4? Coming in on 5.6.7.8?
>
> (It would probably also help if you could show your command line, and it is always good not to obfuscate unless you really have to.)
>
> /Pontus
> --
> Pontus Freyhult, see URL:http://soua.net/ for more information.
Re: ssh tunnel and firewall rules
Thomas Nyman [EMAIL PROTECTED] writes:
> The command line is
> ssh -i identititet -L 8080:webserver.com:4 [EMAIL PROTECTED]

Looks okay.

> I have no tcpdump to send right now, but I have checked the whole thing and the tunnel is established. If, for example, I am at a place that uses masquerading, where all local machines have IPs in the range 192.168.10.11-192.168.10.15, and I add those IPs to my hosts file and to my firewall script, then the tunnel works from the outside. From this I can conclude that the tunnel is established and works as it should, i.e. packets from localhost are tunnelled to the web server.

What? Where is the web server in this case? By the way, how do you connect? Do you use telnet or a web browser or what? Can you show the command line/URL? Then you could also describe "does not work" a bit more clearly: does it hang and give up after a while, or does it do something else?

> I am thinking, though, that one might be able to solve the question by specifying a MAC address instead of an IP address in the firewall script, but I don't really know how one specifies MAC addresses... but maybe you know? Then one would have a rule that allows e.g. all traffic from a certain given MAC address...

That probably won't work; that is, filtering on MAC works, but not in your case (search for mac in man iptables). (The web server was running on the same box that the endpoint terminated in, wasn't it?)

> but even better would be if I could arrange that when I establish a tunnel the source IP is given as the IP number I would have had if I were behind the firewall, but as far as I can understand that is a technical impossibility, since all responses would end up in the wrong place, i.e. not reach my machine.

? The connection comes from some address of the computer in which the ssh connection is terminated.

> As for obfuscating... it is not so much a question of that as of having an intranet that is reachable over the Internet, but only through an ssh public-key connection. If there are equally secure methods I am not against using them, as long as I know how.

Obfuscation refers rather to the IP addresses and names you use, since I doubt that you really have the addresses 1.2.3.4 (or the domain webserver.com). It relies on your being able to judge what is important information and what is not, which is often the same ability that is needed to solve the problem without help in the first place.

/Pontus
--
Pontus Freyhult, see URL:http://soua.net/ for more information.
Re: Re: ssh tunnel and firewall rules
Hi

Let me see if I understand you correctly, but isn't the problem precisely webserver.com? Shouldn't it be

    ssh -L 8080:localhost:5000 [EMAIL PROTECTED]

or alternatively

    ssh -L 8080:192.168.10.15:5000 [EMAIL PROTECTED]

You probably also need to allow localhost, or alternatively webserver.com, to reach the internal address in iptables.

    ssh -L 8080:webserver.com:5000 [EMAIL PROTECTED]

gives you a tunnel between port 8080 on the external IP and port 5000 on the external IP.

/ Patrik

On Tue, 2 Nov 2004, Thomas Nyman wrote:
> Hi
>
> The command line is
>
>     ssh -i identititet -L 8080:webserver.com:4 [EMAIL PROTECTED]
>
> I have no tcpdump to send right now, but I have checked the whole thing and the tunnel is established. If, for example, I am at a place that uses masquerading, where all local machines have IPs in the range 192.168.10.11-192.168.10.15, and I add those IPs to my hosts file and to my firewall script, then the tunnel works from the outside. From this I can conclude that the tunnel is established and works as it should, i.e. packets from localhost are tunnelled to the web server.
>
> I am thinking, though, that one might be able to solve the question by specifying a MAC address instead of an IP address in the firewall script, but I don't really know how one specifies MAC addresses... but maybe you know? Then one would have a rule that allows e.g. all traffic from a certain given MAC address... but even better would be if I could arrange that when I establish a tunnel the source IP is given as the IP number I would have had if I were behind the firewall, but as far as I can understand that is a technical impossibility, since all responses would end up in the wrong place, i.e. not reach my machine. Messy, this, isn't it :)
>
> As for obfuscating... it is not so much a question of that as of having an intranet that is reachable over the Internet, but only through an ssh public-key connection. If there are equally secure methods I am not against using them, as long as I know how.
>
> On 2004-11-02 at 12.24, Pontus Freyhult wrote:
> > Thomas Nyman [EMAIL PROTECTED] writes:
> > > I came to that conclusion as follows: if I am behind the firewall it works fine to access the page via the ssh tunnel, but if I am outside the firewall it does not work. If, on the other hand, I explicitly allow e.g. 1.2.3.4 to access port x (i.e. dport x) in my iptables script, then it works fine outside the firewall.
> >
> > That really does not sound like you are using the tunnel in that case. If you run tcpdump, do you see packets on those ports going out from 1.2.3.4? Coming in on 5.6.7.8?
> >
> > (It would probably also help if you could show your command line, and it is always good not to obfuscate unless you really have to.)
> >
> > /Pontus
> > --
> > Pontus Freyhult, see URL:http://soua.net/ for more information.
Re: ssh tunnel and firewall rules
Thomas Nyman wrote:
> I'll check a bit more and also test your suggestions... but the -g switch surely has no effect on the problem.

That's right. The only thing -g adds is that others, too, can get into the tunnel, not just your own laptop.

> Just one question: why do you think 127.0.0.1 is better than 192.168.1.1... what is the advantage of 127.0.0.1 compared with another address?

1) It is obvious from your web server configuration that this virtual host is a special case.

2) You may not need any extra firewall rules. You probably already allow communication from localhost to localhost.

3) If you should ever change the server's IP address, it is one thing less to think about.

Have a nice evening!

/Martin Leben, logging off.
--
Remove dashes and numbers (if any) to get my real email address. I subscribe to the mailing lists I write to. Please don't CC me on replies.
Re: ssh tunnel and firewall rules
Thomas Nyman wrote:
> From any external machine, ssh to my web server/firewall (debian sarge) and from there reach a certain fixed port on the local interface, i.e. reach e.g. 192.168.1.1:5000, where the web server listens for a special virtual host section.

That sounds complicated. Why not localhost:5000 instead? Then you only need to allow connections to that port from localhost. I use Shorewall as firewall myself, so I can't give you any guidance on how to do it.

[...]

> My problem is (as far as I can figure out) that when you send an http request via an ssh tunnel, the source port is still given as the external IP number. At first I thought that when going through an ssh tunnel the forwarded request became a local request, i.e. that a translation took place on sshd, but I was mistaken there.

I don't quite understand what you mean, but it looks to me as if the request is not going through the tunnel at all. You can probably confirm that by sniffing a bit with tethereal or tcpdump on your firewall.

/Martin Leben
--
Remove dashes and numbers (if any) to get my real email address. I subscribe to the mailing lists I write to. Please don't CC me on replies.
ssh tunnel and firewall rules
Hi

I would like to achieve the following. From any external machine, ssh to my web server/firewall (debian sarge) and from there reach a certain fixed port on the local interface, i.e. reach e.g. 192.168.1.1:5000, where the web server listens for a special virtual host section. The firewall, however, does not allow external IP numbers to connect to either the port in question or to 192.168.1.1. That is also the whole point... my idea is that one should only be able to reach this page through an encrypted ssh tunnel.

My problem is (as far as I can figure out) that when you send an http request via an ssh tunnel, the source port is still given as the external IP number. At first I thought that when going through an ssh tunnel the forwarded request became a local request, i.e. that a translation took place on sshd, but I was mistaken there.

The question is therefore how I solve this in iptables? I can imagine that one might allow traffic from a certain MAC address, or that one could somehow convert traffic via ssh port 21 into otherwise allowed traffic. A bit messy, this, perhaps, but I hope someone has a good idea.

Thomas
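Pontus's and Martin's point in this thread is that a connection arriving through `ssh -L` is opened by sshd on the server itself, so the web server sees 127.0.0.1 (or one of the server's own addresses) as the source, never the client's address. The rules below are an added example, not from the thread, of building the "tunnel-only" virtual host on exactly that: the vhost is bound to 127.0.0.1:5000 only (Apache `Listen 127.0.0.1:5000`), and the firewall admits that port on the loopback interface alone, so the only route to it is to authenticate to sshd first. The interface name, the ports (ssh on 22 here rather than the post's 21), the `IPT` variable and the function names are assumptions; pointing `IPT` at `echo` or a shell function prints the rules instead of applying them, and `listen_is_loopback` checks an Apache config for the matching `Listen` directive.

```shell
#!/bin/sh
# Added example, not from the thread: a "tunnel-only" virtual host.  The vhost
# is bound to 127.0.0.1:5000, and the firewall accepts that port on loopback
# only, so the only path to it is an authenticated ssh -L session on the box.
# eth0, the ports and IPT are assumptions; IPT=echo (or a shell function)
# prints the rules instead of applying them.
IPT="${IPT:-iptables}"
PUB_IF="${PUB_IF:-eth0}"        # the Internet-facing interface
VHOST_PORT="${VHOST_PORT:-5000}"
SSH_PORT="${SSH_PORT:-22}"

# listen_is_loopback PORT: reads an Apache config on stdin; succeeds only if
# there is a Listen directive for PORT and every such directive names a
# loopback address (127.0.0.1 or [::1]).  A bare "Listen 5000" binds all
# interfaces and fails the check.
listen_is_loopback() {
    awk -v port="$1" '
        $1 == "Listen" {
            n = split($2, a, ":")
            if (a[n] == port) {
                seen = 1
                if (n == 1 || (a[1] != "127.0.0.1" && $2 !~ /^\[::1\]:/)) bad = 1
            }
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# tunnel_only_rules: INPUT chain for the web server / firewall box.
tunnel_only_rules() {
    # Forwarded connections are opened by sshd on this box, so they arrive on
    # lo with source 127.0.0.1; this one rule admits them to the vhost.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Replies to connections the box itself opened.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The only entry point from outside: sshd (public-key authentication).
    "$IPT" -A INPUT -i "$PUB_IF" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # The public web site from the original post.
    "$IPT" -A INPUT -i "$PUB_IF" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # Refuse the vhost port on anything but lo explicitly, so that a later,
    # broader ACCEPT cannot expose it by accident.
    "$IPT" -A INPUT ! -i lo -p tcp --dport "$VHOST_PORT" -j REJECT --reject-with tcp-reset
    "$IPT" -P INPUT DROP
}

# usage: sh tunnel-only.sh run      (or IPT=echo sh tunnel-only.sh run)
if [ "${1:-}" = run ]; then tunnel_only_rules; fi
```

The client side then needs nothing more than `ssh -L 8080:localhost:5000 user@server` and a browser pointed at http://localhost:8080/. No MAC or source-IP rule is involved, which is what the original post asked for: the thing that authorises the traffic is the ssh login, and the firewall only has to make sure port 5000 is unreachable any other way.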
Exim4 synchronization error over ssh tunnel
Hi all,

I'm using an ssh tunnel between my local smtp server and the one running on my mail server to receive my mail. This setup has worked really well for me in the past months and has the advantage that I do not have to periodically check for new mail, but get it delivered directly to me. I have been running exim4 on the server and the old exim 3 on my local machine, without any problems.

Today I upgraded the local machine to exim4. Now I get synchronization errors on every incoming smtp connection from my server. Although exim says the message has been rejected because of a synchronization error, it receives the message without an error just after the error, probably in another connection attempt. Exim's mainlog shows the following:

    2004-02-07 22:26:09 SMTP protocol violation: synchronization error (input sent without waiting for greeting): rejected connection from H=localhost [127.0.0.1]
    2004-02-07 22:26:10 1ApZxq-0001PY-GW <= [EMAIL PROTECTED] H=localhost (arthur.pweis.com) [127.0.0.1] P=esmtp X=TLS-1.0:RSA_ARCFOUR_SHA:16 S=1134 [EMAIL PROTECTED]
    2004-02-07 22:26:10 1ApZxq-0001PY-GW => pweis [EMAIL PROTECTED] R=procmail T=procmail_pipe
    2004-02-07 22:26:10 1ApZxq-0001PY-GW Completed

My server's transport configuration used for streaming over the ssh tunnel:

    stream_smtp:
      driver = smtp
      interface = 127.0.0.1
      allow_localhost = true
      port = my-smtp
      tls_certificate = /etc/exim4/certs/arthur-exim.crt
      tls_privatekey = /mnt/crypto/arthur-exim.key
      tls_verify_certificates = /etc/exim4/certs/CA.pem
      hosts_require_tls = *

The ssh tunnel basically connects arthur:my-smtp to my local machine's (zaphod) port 25. If I add 'smtp_enforce_sync = false' to my configuration, exim does not complain any longer. So I suspect that either the synchronization check is somewhat broken or something is going wrong over the tunnel.

Any ideas?

Regards,
Philipp

--
Philipp Weis [EMAIL PROTECTED]
Freiburg, Germany http://pweis.com/
Re: ssh tunnel
Dirk Lipinski [EMAIL PROTECTED] writes:
> ssh -L 6668:irc.irgendwo.de:6668 [EMAIL PROTECTED]
> The IRC server in the IRC client is then localhost:6668

Alternatively, you can also run an IRC client (irssi) directly on $server_mit_ssh-zugang. That way you probably don't even violate the network policy.

--
UNIX is like a wigwam, no windows, no gates and an apache inside.
Re: ssh tunnel
On Friday 21 November 2003 12:01, Serge Gebhardt wrote:
> On Fri, 21 Nov 2003 09:33:17 +0100 Frank Habermann [EMAIL PROTECTED] wrote:
>
> Moin Frank,

Moin all round,

[...]

> If you have ssh access to an external machine, you can simply tunnel through it. The following scenario:
>
> irc.server.tld:6667 -- the hostname of the IRC server, listening on port 6667.
> ssh.extkiste.tld -- the external box you have SSH access to.
> lport -- any port (1024 < lport < 65536).
> login -- your login name on the SSH box.
>
> Then you do the following: `ssh -L lport:irc.server.tld:6667 [EMAIL PROTECTED]` and log in. After that you simply connect with your IRC client to localhost:lport (i.e. your local machine, on the port you chose). The external box connects to the IRC server and just passes all data through.

This can be done very comfortably with the script 'tunnel' from ftp://hyaden.dyndns.org/pub/unix. Any number of ports and target hosts to be tunnelled are configured in a configuration file, then 'tunnel' is started. Besides local and remote port forwarding, 'tunnel' also handles the combination of both modes in case two firewalls have to be crossed.

CU
--
|Michael Renner           E-mail: [EMAIL PROTECTED] |
|D-72072 Tuebingen Germany   ICQ: #112280325        |
|Germany   Don't drink as root!   ESC:wq            |
ssh tunnel
hello list!

I'm sitting behind a firewall here with my machine. All ports except for a few like http or ssh are free. The rest is blocked. I would like to get onto irc, though. Can that be done with an ssh tunnel, so that I get onto the net via port 22? Or is there no chance?

many thanks
frank habermann
RE: ssh tunnel
> hello list!

Hi :)

> I'm sitting behind a firewall here with my machine. All ports except for a few like http or ssh are free. The rest is blocked. I would like to get onto irc, though. Can that be done with an ssh tunnel, so that I get onto the net via port 22? Or is there no chance?

My idea would be to set up a BNC (psybnc) or similar on a free port and connect to IRC through that. Another possibility would be an open SOCKS host. Normally port 1080 (Socks) should be closed on all proxies/routers, but some still have it open and you can connect to IRC through it as well. mIRC, for example, has a direct setting for that. Just a few ideas.

> many thanks
> frank habermann

np

regards
pm
Re: ssh tunnel
On 21.11.2003 at 9:33:17 +0100, Frank Habermann wrote the following:
> hello list!
>
> I'm sitting behind a firewall here with my machine. All ports except for a few like http or ssh are free. The rest is blocked. I would like to get onto irc, though. Can that be done with an ssh tunnel, so that I get onto the net via port 22? Or is there no chance?

http://www.jors.net/tunneln.html

Andreas
--
Andreas Kretschmer (contact: see header)
Tel. NL Heynitz: 035242/47212
GnuPG-ID 0x3FFF606C http://wwwkeys.de.pgp.net
===Schollglas Unternehmensgruppe===
Re: ssh tunnel
On Fri, 21 Nov 2003 09:33:17 +0100 Frank Habermann [EMAIL PROTECTED] wrote:

Moin Frank,

> I'm sitting behind a firewall here with my machine. All ports except for a few like http or ssh are free. The rest is blocked. I would like to get onto irc, though. Can that be done with an ssh tunnel, so that I get onto the net via port 22? Or is there no chance?

If you have ssh access to an external machine, you can simply tunnel through it. The following scenario:

irc.server.tld:6667 -- the hostname of the IRC server, listening on port 6667.
ssh.extkiste.tld -- the external box you have SSH access to.
lport -- any port (1024 < lport < 65536).
login -- your login name on the SSH box.

Then you do the following: `ssh -L lport:irc.server.tld:6667 [EMAIL PROTECTED]` and log in. After that you simply connect with your IRC client to localhost:lport (i.e. your local machine, on the port you chose). The external box connects to the IRC server and just passes all data through.

Regards,
Serge
Re: ssh tunnel
hello

the problem is that unfortunately I don't have an external server. can't I somehow just do it locally?

cui
RE: ssh tunnel
> hello

Hi.

> the problem is that unfortunately I don't have an external server. can't I somehow just do it locally?

You can NOT do that locally. The tunnel endpoint has to point/end somewhere, after all. An IRC server will rarely offer itself to you as a tunnel endpoint (which, incidentally, would then again amount to an external SSH login). The only possibility left to you then is a socks proxy (to be found via Google). The problem with that is that most (90-95%) of IRC servers scan for it and throw you off the server immediately if you use something like that.

regards
Patrik Mayer
---
Intedo GmbH
Heinrich-Neeb-Str. 17
35423 Lich
fon: 06404 6590 0
Re: ssh tunnel
On Friday, 21 November 2003 12:51, Frank Habermann wrote:
> hello
>
> the problem is that unfortunately I don't have an external server. can't I somehow just do it locally?

    ssh -L 6668:irc.irgendwo.de:6668 [EMAIL PROTECTED]

The IRC server in the IRC client is then localhost:6668

regards
Dirk
--
Re: ssh tunnel
Hallo Frank, Frank Habermann, 21.11.2003 (d.m.y): ich hänge hier hinter ner firewall mit meinem rechner. alle ports bis auf ein paar wie http oder ssh sind frei. der rest ist gesperrt. ich würde aber gerne ins irc kommen. lässt sich das mit einem sshtunnel hinbekommen so das ich über den port 22 ins netz komme? oder gibts da keine chance? Nun, ich wuerde mir an Deiner Stelle auch mal ein paar Gedanken darueber machen, warum in der Firewall nur ein paar bestimmte Ports freigeschaltet sind... Wenn Du durch irgendwelche Aktionen vorgegebene IT-Richtlinien umgehst, kannst Du Dir u.U. recht viel Aerger einhandeln... Gruss, Christian -- Christian Schmidt | Germany PGP Key ID: 0x28266F2C No HTML Mails, please! pgp0.pgp Description: PGP signature
Re: How to use ssh tunnel to reach a machine on a private network?
On Sun, 2003-11-16 at 01:30, Roberto Sanchez wrote:
> Oliver Elphick wrote:
> > ...
> > What I am trying to do is to use ssh tunnelling to go direct to one of the machines on the remote private network, because I need to be able to run X programs from that machine on my own display.
> > ...
>
> I do this all the time.
>
>     [EMAIL PROTECTED] ssh -L 10001:localhost:10001 ted.domain.com
>     [EMAIL PROTECTED] ssh -L 10001:localhost:5901 rufus.domain.com
>     [EMAIL PROTECTED]

Thank you; that is what I needed.

> Adjust port numbers and options as necessary.

Are the port numbers just arbitrary selections?

--
Oliver Elphick [EMAIL PROTECTED]
Isle of Wight, UK http://www.lfix.co.uk/oliver
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
Therefore being justified by faith, we have peace with God through our Lord Jesus Christ. Romans 5:1
Re: How to use ssh tunnel to reach a machine on a private network?
Oliver Elphick wrote:
> On Sun, 2003-11-16 at 01:30, Roberto Sanchez wrote:
> > Oliver Elphick wrote:
> > > ...
> > > What I am trying to do is to use ssh tunnelling to go direct to one of the machines on the remote private network, because I need to be able to run X programs from that machine on my own display.
> > > ...
> >
> > I do this all the time.
> >
> >     [EMAIL PROTECTED] ssh -L 10001:localhost:10001 ted.domain.com
> >     [EMAIL PROTECTED] ssh -L 10001:localhost:5901 rufus.domain.com
> >     [EMAIL PROTECTED]
>
> Thank you; that is what I needed.
>
> > Adjust port numbers and options as necessary.
>
> Are the port numbers just arbitrary selections?

Except for the last port on the destination machine--which needs to be the port your service is listening on (vnc or X), yes. In my case, to get a vnc desktop, I set up the tunnel and then run

    $ vncviewer localhost:10001

I choose 10001 because the machine I vnc into runs webmin (which is port 1).

-Roberto
How to use ssh tunnel to reach a machine on a private network?
I wonder if anyone can help me work out how to do this, please:

I have two private networks (192.168.1.0/24) each with a firewall machine connecting through ADSL to the Internet. Each private network can reach the Internet through the firewall (using NAT); therefore no machine except the firewall is visible from outside (at static IP addresses allocated by the ISP).

I can, from any machine on either private network, do

    ssh -X remote.firewall.address

and connect to the remote firewall.

What I am trying to do is to use ssh tunnelling to go direct to one of the machines on the remote private network, because I need to be able to run X programs from that machine on my own display. However, I can't work out how to do it.

So far, I tried

    ssh -X -L 8877:remote.private.machine:22 remote.firewall.address

(using 8877 as an arbitrary unassigned port) but all that gives me is a connection to the remote firewall itself.

--
Oliver Elphick [EMAIL PROTECTED]
Isle of Wight, UK http://www.lfix.co.uk/oliver
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
It is better to trust in the LORD than to put confidence in man. Psalms 118:8
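Both this thread and the earlier German one about X11 forwarding through a `LocalForward 8022 italy.tunnel.de:22` entry reach an inner host the same way: forward its port 22 to a local port on the first hop, then ssh to `localhost` on that port. Two things belong with that pattern which neither thread spells out. `-X` must be given on the second hop, the one that actually ends on the inner host, not on the hop to the firewall (which is what the `ssh -X -L 8877:... remote.firewall.address` attempt above did, and why it only ever produced a session on the firewall). And the second hop should carry `-o HostKeyAlias=<inner host>`, so that the inner host's key is stored in known_hosts under its own name rather than as `[localhost]:8877`, where every other host reached through some local port would overwrite it and a changed-key warning would stop meaning anything. OpenSSH 7.3 and later collapse the two hops into one with `-J` (ProxyJump), checking the inner host's key end to end. The script below is an added example, not from either thread; `gate`, `inner`, the port and the function names are placeholders, and `SSH` can be pointed at a shell function for a dry run.

```shell
#!/bin/sh
# Added example, not from either thread: ssh with X11 forwarding to an inner
# host that is only reachable through a gateway host.  "gate", "inner" and the
# local port are placeholders; SSH may be set to a function for a dry run.
SSH="${SSH:-ssh}"

# valid_port PORT -> 0 if PORT is an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# openssh_supports_jump "VERSION STRING": true for OpenSSH 7.3 and later,
# which understand -J / ProxyJump.  Feed it the output of "ssh -V".
openssh_supports_jump() {
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 1
    major=${v% *}; minor=${v#* }
    [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 3 ]; }
}

# connect GATE INNER LOCALPORT [VERSION]: open an X11-forwarded session on
# INNER through GATE.  VERSION defaults to what the local ssh reports.
connect() {
    gate=$1; inner=$2; lport=$3; ver=${4:-$(ssh -V 2>&1)}
    valid_port "$lport" || { echo "bad local port: $lport" >&2; return 1; }
    if openssh_supports_jump "$ver"; then
        # One hop as far as the user is concerned: ssh connects to gate, asks
        # it to open a TCP channel to inner:22, and runs the real session,
        # host-key check included, end to end inside that channel.
        "$SSH" -X -J "$gate" "$inner"
    else
        # The two-step form from the threads.  The first hop needs no -X; it
        # only publishes inner's port 22 on localhost:LOCALPORT.
        "$SSH" -f -N -o ExitOnForwardFailure=yes -L "$lport:$inner:22" "$gate" || return 1
        # The second hop ends on inner, so -X goes here.  HostKeyAlias files
        # inner's key under its own name instead of "[localhost]:LOCALPORT",
        # so different inner hosts reached this way do not overwrite each
        # other's entries and a changed key is still reported.
        "$SSH" -X -p "$lport" -o "HostKeyAlias=$inner" localhost
    fi
}

# usage: sh hop.sh run GATE INNER LOCALPORT
if [ "${1:-}" = run ]; then connect "$2" "$3" "$4"; fi
```

In the German thread's terms, the same thing as ssh_config entries would be `ForwardX11 yes` plus `HostKeyAlias italy.tunnel.de` under `Host italy`, or, on a newer client, a single `Host italy` block with `ProxyJump gate` and no LocalForward at all. The `xauth` lines in that post are run on the client before the session opens; whether the server then accepts the x11-req also depends on `xauth` being installed on the target host, which `X11Forwarding yes` alone does not guarantee.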