Package: sslh
Version: 1.16-2
Severity: normal
Dear Maintainer,
Issue: sslh fails to create an SSH tunnel if the option "ForceCommand
internal-sftp" is used in OpenSSH's config file.
The tunnel is successfully created with an OpenSSH client and Linux PuTTY v0.67
or in all cases when internal-sftp isn't in the config.
Expectation: sslh successfully creates a tunnel to use as a proxy.
Attached: Log files from OpenSSH client & PuTTY connecting to port 22 and 443
--
Host: OpenSSH_6.7p1 Debian-5+deb8u3
Client: OpenSSH_7.3p1
Client: PuTTY 0.67
-- System Information:
Debian Release: 8.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sslh depends on:
ii adduser 3.113+nmu3
ii debconf 1.5.56
ii init-system-helpers 1.22
ii libc6 2.19-18+deb8u6
ii libcap2 1:2.24-8
ii libconfig9 1.4.9-2
ii libwrap0 7.6.q-25
ii lsb-base 4.1+Debian13+nmu1
ii update-inetd 4.43
Versions of packages sslh recommends:
ii nginx-full [httpd] 1.6.2-5+deb8u2+b1
ii openssh-server [ssh-server] 1:6.7p1-5+deb8u3
Versions of packages sslh suggests:
pn openbsd-inetd | inet-superserver
-- Configuration Files:
/etc/default/sslh changed:
RUN=yes
DAEMON=/usr/sbin/sslh
DAEMON_OPTS="--user sslh \
--listen 192.168.1.111:443 \
--tls localhost:443 \
--ssh localhost:22 \
--http localhost:80 \
--anyprot localhost:22 \
--pidfile /var/run/sslh/sslh.pid"
/etc/ssh/sshd_config:
#PERMISSIONS#
ChallengeResponseAuthentication no
PasswordAuthentication no
#SFTP#
Subsystem sftp internal-sftp
ChrootDirectory %h
ForceCommand internal-sftp
-- debconf information:
* sslh/inetd_or_standalone: standalone
*** ssh-22.log
$ ssh -TND 8080 tunnel@69.131.7.195 -p 22 -i key -vvv
--SNIP--
debug1: Local connections to LOCALHOST:8080 forwarded to remote address socks:0
debug3: channel_setup_fwd_listener_tcpip: type 2 wildcard 0 addr NULL
debug1: Local forwarding listening on 127.0.0.1 port 8080.
debug2: fd 4 setting O_NONBLOCK
debug3: fd 4 is O_NONBLOCK
debug1: channel 0: new [port listener]
socket: Address family not supported by protocol
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x10
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug1: Connection to port 8080 forwarding to socks port 0 requested.
debug2: fd 5 setting TCP_NODELAY
debug2: fd 5 setting O_NONBLOCK
debug3: fd 5 is O_NONBLOCK
debug1: channel 1: new [dynamic-tcpip]
debug2: channel 1: pre_dynamic: have 0
debug2: channel 1: pre_dynamic: have 3
debug2: channel 1: decode socks5
debug2: channel 1: socks5 auth done
debug2: channel 1: pre_dynamic: need more
debug2: channel 1: pre_dynamic: have 0
debug2: channel 1: pre_dynamic: have 21
debug2: channel 1: decode socks5
debug2: channel 1: socks5 post auth
debug2: channel 1: dynamic request: socks5 host www.debian.org port 443 command 1
debug3: send packet: type 90
debug3: receive packet: type 91
debug2: channel 1: open confirm rwindow 2097152 rmax 32768
*** ssh-443.log
$ ssh -TND 8080 tunnel@69.131.7.195 -p 443 -i key -vvv
--SNIP--
debug1: Local connections to LOCALHOST:8080 forwarded to remote address socks:0
debug3: channel_setup_fwd_listener_tcpip: type 2 wildcard 0 addr NULL
debug1: Local forwarding listening on 127.0.0.1 port 8080.
debug2: fd 4 setting O_NONBLOCK
debug3: fd 4 is O_NONBLOCK
debug1: channel 0: new [port listener]
socket: Address family not supported by protocol
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x10
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug1: Connection to port 8080 forwarding to socks port 0 requested.
debug2: fd 5 setting TCP_NODELAY
debug2: fd 5 setting O_NONBLOCK
debug3: fd 5 is O_NONBLOCK
debug1: channel 1: new [dynamic-tcpip]
debug2: channel 1: pre_dynamic: have 0
debug2: channel 1: pre_dynamic: have 3
debug2: channel 1: decode socks5
debug2: channel 1: socks5 auth done
debug2: channel 1: pre_dynamic: need more
debug2: channel 1: pre_dynamic: have 0
debug2: channel 1: pre_dynamic: have 21
debug2: channel 1: decode socks5
debug2: channel 1: socks5 post auth
debug2: channel 1: dynamic request: socks5 host www.debian.org port 443 command 1
debug3: send packet: type 90
debug3: receive packet: type 92
channel 1: open failed: administratively prohibited: open failed
debug2: channel 1: zombie
debug2: channel 1: garbage collecting
debug1: channel 1: free: direct-tcpip: listening port 8080 for
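A small log-triage helper, added here as an example and not part of the bug report, of sslh or of OpenSSH: it reads `ssh -vvv -D` output like the two logs above, pairs each SOCKS request with the server's reply to the direct-tcpip channel open (type 91 SSH_MSG_CHANNEL_OPEN_CONFIRMATION vs type 92 SSH_MSG_CHANNEL_OPEN_FAILURE, RFC 4254), and reports where the direct (port 22) and sslh-proxied (port 443) runs diverge. The two embedded log excerpts are constructed from the lines above, not the full attachments; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Message numbers for the channel-open reply (RFC 4254, section 5.1) and the
# failure reason codes the client prints as text in its debug output.
MSG_CHANNEL_OPEN_CONFIRMATION = 91
MSG_CHANNEL_OPEN_FAILURE = 92
REASON_CODES = {
    "administratively prohibited": 1,
    "connect failed": 2,
    "unknown channel type": 3,
    "resource shortage": 4,
}

DYNAMIC_RE = re.compile(
    r"channel (?P<chan>\d+): dynamic request: socks5 host (?P<host>\S+) "
    r"port (?P<port>\d+) command (?P<cmd>\d+)")
RECV_RE = re.compile(r"receive packet: type (?P<type>\d+)")
FAIL_RE = re.compile(r"channel (?P<chan>\d+): open failed: (?P<reason>[^:]+)")


@dataclass
class TunnelAttempt:
    channel: int
    host: str
    port: int
    result: Optional[str] = None       # "confirmed", "failed", or None if the log ends first
    reason: Optional[str] = None       # text after "open failed:" when result == "failed"
    reason_code: Optional[int] = None  # RFC 4254 reason code for that text, if known


def parse_ssh_debug_log(text: str) -> List[TunnelAttempt]:
    """Walk an `ssh -vvv -D` log and record, per SOCKS request, whether the
    server confirmed (type 91) or refused (type 92) the direct-tcpip channel."""
    attempts: List[TunnelAttempt] = []
    pending: Optional[TunnelAttempt] = None
    for line in text.splitlines():
        m = DYNAMIC_RE.search(line)
        if m:
            pending = TunnelAttempt(int(m["chan"]), m["host"], int(m["port"]))
            attempts.append(pending)
            continue
        m = RECV_RE.search(line)
        if m and pending is not None and pending.result is None:
            t = int(m["type"])
            if t == MSG_CHANNEL_OPEN_CONFIRMATION:
                pending.result = "confirmed"
            elif t == MSG_CHANNEL_OPEN_FAILURE:
                pending.result = "failed"
            continue  # any other packet type is not the reply we are waiting for
        m = FAIL_RE.search(line)
        if m and pending is not None and pending.channel == int(m["chan"]):
            pending.reason = m["reason"].strip()
            pending.reason_code = REASON_CODES.get(pending.reason)
    return attempts


def compare_logs(direct_log: str, proxied_log: str) -> List[dict]:
    """Pair up the SOCKS requests of two client runs (same targets, same
    order) and return those whose channel-open outcome differs."""
    diffs = []
    for d, p in zip(parse_ssh_debug_log(direct_log), parse_ssh_debug_log(proxied_log)):
        if (d.host, d.port) != (p.host, p.port):
            continue  # the two runs requested different targets; nothing to compare
        if d.result != p.result or d.reason != p.reason:
            diffs.append({"target": f"{d.host}:{d.port}",
                          "direct": d.result, "proxied": p.result,
                          "proxied_reason": p.reason,
                          "proxied_reason_code": p.reason_code})
    return diffs


# Constructed excerpts modelled on the ssh-22.log / ssh-443.log lines in the report.
SSH_22_LOG = """\
debug1: Entering interactive session.
debug1: Connection to port 8080 forwarding to socks port 0 requested.
debug1: channel 1: new [dynamic-tcpip]
debug2: channel 1: dynamic request: socks5 host www.debian.org port 443 command 1
debug3: send packet: type 90
debug3: receive packet: type 91
debug2: channel 1: open confirm rwindow 2097152 rmax 32768
"""

SSH_443_LOG = """\
debug1: Entering interactive session.
debug1: Connection to port 8080 forwarding to socks port 0 requested.
debug1: channel 1: new [dynamic-tcpip]
debug2: channel 1: dynamic request: socks5 host www.debian.org port 443 command 1
debug3: send packet: type 90
debug3: receive packet: type 92
channel 1: open failed: administratively prohibited: open failed
debug2: channel 1: zombie
"""

if __name__ == "__main__":
    for diff in compare_logs(SSH_22_LOG, SSH_443_LOG):
        print(diff)
```

Running it on the two excerpts reports one divergence: the www.debian.org:443 open is confirmed on port 22 and refused on port 443 with reason code 1. That reason is what sshd sends when it declines a direct-tcpip open on policy grounds (AllowTcpForwarding, PermitOpen, a no-port-forwarding key option, or a Match block that changes those for the session), whereas a target the server could not reach comes back as "connect failed" (code 2); so the log says the forwarding request reached sshd and was refused there, which narrows where to look next.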