Re: why is tunnel blocked for privileged ports?

From: Joe Smith (jms_at_instantis.com)
Date: 01/10/04

  • Next message: Marius Huse Jacobsen: "Re: understanding ssh"
    Date: Fri, 9 Jan 2004 19:21:38 -0800
    To: Carlos Carvalho <carlos@fisica.ufpr.br>
    
    

    On Thu, Jan 08, 2004 at 02:43:46AM -0200, Carlos Carvalho wrote:
    > I'm trying to allow users to have access to pop and smtp services via a
    > ssh tunnel in ssh.com 3.2.3.
    >
    > However tunneling is being denied by sshd on the server because normal
    > users are trying to tunnel to a privileged port.
    >
    > This restriction isn't mentioned in the manual but looking at the source
    > we have this in sshchtcpfwd.c around line 1288:

    That's in ssh_channel_remote_tcp_forward_request().
    It's doing the right thing. It's saying that the daemon is
    refusing to listen on port 25 and send incoming SMTP connections
    to your client. You're supposed to be requesting the reverse.
    You want a local port on your client to be forwarded to
    a specific port on a specific host at the remote end.
    Sending, not listening.

    We use OpenSSH here. For Linux users, I tell them to use
      ssh -L 2025:mailhost:25 -L 2110:mailhost:110 -L 2143:mailhost:143
    and set mail client to use localhost but at high numbered ports.

    > I don't understand the reason for this restriction. I thought a
    > tunnel is equivalent to being logged in locally; if users have access
    > to these ports why cannot they do it coming through ssh? In fact the
    > only reason for configuring this on the system server is exactly to be
    > able to reach these ports, otherwise users could install their own
    > forwarders in other ports without administrator intervention.

    Being logged in locally does not allow unprivileged users to set up
    their own servers at low numbered ports. They can send to those ports,
    but not listen on low numbered ports. Use -L not -R.
            -Joe

    -- 
    Joe Smith <jms@instantis.com>  408-732-8800 x231 (fax: 408-732-8100)
    Instantis, Inc.  913 Hermosa Court, Sunnyvale, CA 94085
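To make the -L versus -R distinction concrete, here is an added example (mine, not code from Joe's message or from the ssh.com or OpenSSH sources). It parses OpenSSH-style forwarding specs (`[bind_address:]port:host:hostport`) to report which side has to listen and whether that listening port is privileged, and then actually calls bind() on a few ports so you can see the EACCES an unprivileged sshd session hits when asked to listen on port 25. The hostname `mailhost` and the port numbers are taken from the message above; the result of binding port 25 depends on whether you run it as root.

```python
"""
Added example: why `ssh -R 25:mailhost:25` is refused for an ordinary user
while `ssh -L 2025:mailhost:25` works.  Not part of the original thread.
"""
import errno
import socket
from dataclasses import dataclass

# On Unix, ports below 1024 may only be bound by root (or, on Linux,
# a process holding CAP_NET_BIND_SERVICE).  This is the kernel rule that
# sshd's remote-forward check is mirroring.
IPPORT_RESERVED = 1024


@dataclass
class Forward:
    kind: str            # "L" (local forward) or "R" (remote forward)
    bind_address: str    # address the listener binds to ("" = default)
    listen_port: int     # the port somebody has to listen() on
    target_host: str     # where accepted connections are delivered
    target_port: int

    @property
    def listener(self) -> str:
        # -L: the ssh client listens.  -R: sshd on the server listens.
        return "client" if self.kind == "L" else "server"

    @property
    def needs_privilege(self) -> bool:
        return self.listen_port < IPPORT_RESERVED


def parse_forward(flag: str, spec: str) -> Forward:
    """Parse "-L" or "-R" plus "[bind_address:]port:host:hostport"."""
    if flag not in ("-L", "-R"):
        raise ValueError("expected -L or -R, got %r" % flag)
    parts = spec.split(":")
    if len(parts) == 3:
        bind_address, port, host, hostport = "", parts[0], parts[1], parts[2]
    elif len(parts) == 4:
        bind_address, port, host, hostport = parts
    else:
        raise ValueError("bad forward spec %r" % spec)
    return Forward(flag[1], bind_address, int(port), host, int(hostport))


def explain(flag: str, spec: str) -> str:
    """One-line summary: who listens, where traffic goes, is root needed."""
    f = parse_forward(flag, spec)
    if f.needs_privilege:
        verdict = "privileged port, the %s side needs root" % f.listener
    else:
        verdict = "unprivileged port, fine for an ordinary user"
    return "%s %s: the %s listens on port %d and sends connections to %s:%d (%s)" % (
        flag, spec, f.listener, f.listen_port, f.target_host, f.target_port, verdict)


def try_bind(port: int, host: str = "127.0.0.1"):
    """Return None if this process may bind() port, else the errno name
    (e.g. 'EACCES' for a privileged port as a non-root user)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        return None
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


if __name__ == "__main__":
    # The request sshd refused in the thread, and the working alternative.
    print(explain("-R", "25:mailhost:25"))
    print(explain("-L", "2025:mailhost:25"))
    # Ask the kernel directly: low ports fail with EACCES unless you are root.
    for port in (25, 110, 2025, 2110):
        print("bind 127.0.0.1:%d -> %s" % (port, try_bind(port) or "ok"))
```

Run it as an ordinary user and the loop shows EACCES for 25 and 110 but success for 2025 and 2110, which is exactly the situation sshd is in when a non-root login asks for `-R 25:...`: the daemon would have to listen on a port that user could not open themselves. With `-L 2025:mailhost:25` the only listener is the client's own high port, and the server side merely connects to mailhost:25, which any user may do.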
    
