why is tunnel blocked for privileged ports?

From: Carlos Carvalho (carlos_at_fisica.ufpr.br)
Date: 01/08/04

  • Next message: Marius Huse Jacobsen: "Re: SFTP Issue"
    Date: Thu, 8 Jan 2004 02:43:46 -0200
    To: secureshell@securityfocus.com

    Hi folks,

    I'm trying to allow users to have access to pop and smtp services via an
    ssh tunnel in ssh.com 3.2.3. I have this in sshd2_config:

    # AllowX11Forwarding yes
    AllowTcpForwarding yes
    ForwardACL deny remote .* .*
    ForwardACL allow local .* localhost%110
    ForwardACL allow local .* localhost%25

    Users usually connect via ssh.com's Windows client with the tunnel
    created with the following:

    Menu Edit -> Settings -> Profile Settings -> Tunneling -> Outgoing.

    Click Add. In "Display Name" put smtp. In "ListenPort" put 25. In
    "Destination Host" use fisica.ufpr.br, and for "Destination Port" use
    25.

    There's an analogous setting for pop3.

    However, tunneling is being denied by sshd on the server because normal
    users are trying to tunnel to a privileged port. This restriction
    isn't mentioned in the manual, but looking at the source we have this
    in sshchtcpfwd.c around line 1288:

      /* If user is not logged in as a privileged user, don't allow
         forwarding of privileged ports. */
      if (port < 1024)
        {
          if (ssh_user_uid(common->user_data))
            {
              ssh_warning("User \"%s\" not root, tried to forward privileged "
                          "port %ld.", ssh_user_name(common->user_data),
                          (unsigned long) port);
              SEND_FAILURE;
            }

    I don't understand the reason for this restriction. I thought a
    tunnel is equivalent to being logged in locally; if users have access
    to these ports why cannot they do it coming through ssh? In fact the
    only reason for configuring this on the system server is exactly to be
    able to reach these ports, otherwise users could install their own
    forwarders in other ports without administrator intervention.

    I'm probably missing something obvious... How can I do it?
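The following is an added example, not code from the post or from ssh.com's sshd2: a small Python model of the two checks the post quotes, the ForwardACL rules from the sshd2_config above and the uid/port-number test from sshchtcpfwd.c. It shows why an "allow local .* localhost%25" rule does not help a non-root user: the privileged-port test rejects destination ports below 1024 before any ACL allow is consulted. The check order (uid test first), the first-match evaluation of ForwardACL lines, and the "no matching rule" result are assumptions of this model, not documented sshd2 behaviour; the usernames and uids are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed copy of the sshd2_config fragment from the post.
SSHD2_CONFIG = """
# AllowX11Forwarding yes
        AllowTcpForwarding yes
        ForwardACL deny remote .* .*
        ForwardACL allow local .* localhost%110
        ForwardACL allow local .* localhost%25
"""

# Same limit as the `if (port < 1024)` test quoted from sshchtcpfwd.c.
PRIVILEGED_PORT_LIMIT = 1024


@dataclass
class ForwardACL:
    action: str          # "allow" or "deny"
    direction: str       # "local" or "remote"
    user_pattern: str    # regex matched against the user name
    target_pattern: str  # regex matched against "host%port" (sshd2 syntax)


def parse_acl(config_text: str):
    """Pick the ForwardACL lines out of a sshd2_config fragment."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "ForwardACL" or len(parts) != 5:
            continue
        rules.append(ForwardACL(parts[1], parts[2], parts[3], parts[4]))
    return rules


def forward_decision(rules, uid: int, user: str, direction: str,
                     host: str, port: int) -> Tuple[Optional[bool], str]:
    """Return (allowed, reason) for one forwarding request.

    Model assumption: the uid/privileged-port test from sshchtcpfwd.c is
    applied first, exactly as quoted (any non-zero uid is "not root"), and
    only then are the ForwardACL rules tried in order, first match wins.
    A request that no rule matches returns (None, "no-matching-rule") so the
    caller sees that the ACL itself said nothing about it.
    """
    if port < PRIVILEGED_PORT_LIMIT and uid != 0:
        return False, "privileged-port"
    target = f"{host}%{port}"
    for rule in rules:
        if rule.direction != direction:
            continue
        if (re.fullmatch(rule.user_pattern, user)
                and re.fullmatch(rule.target_pattern, target)):
            return rule.action == "allow", f"acl-{rule.action}"
    return None, "no-matching-rule"


if __name__ == "__main__":
    rules = parse_acl(SSHD2_CONFIG)
    # Constructed users: an ordinary account and root.
    for uid, user, direction, host, port in [
        (1000, "carlos", "local", "localhost", 25),    # the post's case
        (1000, "carlos", "local", "localhost", 110),
        (0, "root", "local", "localhost", 25),
        (1000, "carlos", "remote", "mail.example", 2525),
        (1000, "carlos", "local", "localhost", 8025),
    ]:
        allowed, why = forward_decision(rules, uid, user, direction, host, port)
        print(f"{user:7} {direction:6} {host}:{port:<5} -> {allowed} ({why})")
```

Running it prints that both of the poster's destinations (localhost:25 and localhost:110) come back as "privileged-port" for the ordinary user even though an allow rule matches them, while the same request from uid 0 reaches the ACL and is allowed; a high-numbered destination such as 8025 is not rejected by the port test but is also not covered by any of the three rules, so an admin moving the services behind a high port would need to adjust the ACL as well.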

