Re: ssh -R -g

From: Ryan (Kiley@yahoo.com)
Date: 03/14/02


From: "Ryan" <Kiley@yahoo.com>
Date: Thu, 14 Mar 2002 06:56:51 GMT

Hmmm... curious.. Thank you very much for the reply, but it's still binding
solely to localhost.

I've added "GatewayPorts yes" to /etc/ssh/ssh_config (and incorrectly to
sshd_config (it complained)) on the server-side, the host I'm ssh'ing to,
hoping to establish a remote forwarding port accessible from other machines.
I've also placed all three hosts in the /etc/hosts.allow with the
sshfwd-{port} notation as specified in the tech note linked to below. My
command line from the remote host is still

ssh -g -R5555:localhost:22 user@sshd-server

I'm now running sshd with a loglevel of DEBUG and it clearly reports:

Mar 14 01:44:58 localhost sshd[300]: debug: Local forwarding listening on 127.0.0.1 port 5555.

..and alas, connections are denied from remote hosts to port 5555.

good grief.

Ryan

Find below my config files on the ssh-server:

ssh_config:

GatewayPorts yes
#######
### ForwardX11 & ForwardAgent
### For security reasons, Debian's ssh defaults to ``no'' for these settings

### You should only enable them for hosts where you specifically trust the
### administrators of the remote machine, otherwise you are leaving
### yourself open to X11 based attacks, or to allowing your keys to be used
### by others from the remote machine. See also: ssh -X -x -A & -a options
# we might as well switch them back on for localhost though
Host localhost
    ForwardAgent yes
    ForwardX11 yes
GatewayPorts yes

# Site-wide defaults for various options

Host *
   ForwardAgent yes
   ForwardX11 yes
GatewayPorts yes
# RhostsAuthentication yes
# RhostsRSAAuthentication yes
# RSAAuthentication yes
# PasswordAuthentication yes
# FallBackToRsh no
# UseRsh no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking no
# IdentityFile ~/.ssh/identity
# Port 22
# Cipher blowfish
# EscapeChar ~

sshd_config:

# This is ssh server systemwide configuration file.

Port 22
ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
KeepAlive yes
# Bad option sshd complained on restart
#GatewayPorts yes

# Logging
SyslogFacility AUTH
LogLevel DEBUG
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
#SkeyAuthentication no

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

UseLogin no

# since these are likely to be being handled by PAM, switch them off here
PrintMotd no
PrintLastLog no
CheckMail no

----- Original Message -----
From: "Richard E. Silverman" <slade@shore.net>
Newsgroups: comp.security.ssh
Sent: Wednesday, March 13, 2002 10:38 PM
Subject: Re: ssh -R -g

"Richard E. Silverman" <slade@shore.net> wrote in message
news:m1l4rjjg6oh.fsf@syrinx.oankali.net...
>
> >>>>> "Ryan" == Ryan <kiley@yahoo.com> writes:
>
> Ryan> Is it a problem with the 1.5 protocol version on the linux box?
>
> Yes. Read:
>
> http://www.snailbook.com/faq/gatewayports.auto.html
>
> In short: this option for remote forwarding is global to your SSH server;
> you have to set "GatewayPorts yes" on the server side.
>
> --
> Richard Silverman
> slade@shore.net
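
The server-side rule discussed in this thread, as an added example that is not part of the original posts or of OpenSSH itself: a small audit helper that reads an sshd_config and predicts which address a `ssh -R` forward will listen on. It assumes the GatewayPorts semantics documented for current OpenSSH sshd_config (no, yes, clientspecified), which goes beyond the yes/no case in the thread; the function names and sample strings are hypothetical, and the client-side `-g` flag and ssh_config are deliberately not consulted because they apply to local (-L) forwards.

```python
import re

LOOPBACK, WILDCARD = "loopback", "wildcard"

# Constructed samples: the relevant lines of the sshd_config posted above,
# and a variant with the server-side option enabled.
SSHD_AS_POSTED = """\
Port 22
ListenAddress 0.0.0.0
# Bad option sshd complained on restart
#GatewayPorts yes
"""
SSHD_ENABLED = "Port 22\nGatewayPorts yes\n"


def effective_option(config_text, keyword, default):
    """Return the first value set for keyword in the global section.

    sshd_config uses the first value obtained for a keyword, keywords are
    case-insensitive, and '#' starts a comment line. Parsing stops at the
    first Match block, so conditional overrides are not evaluated.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip().strip('"').lower()
    return default


def remote_forward_bind(sshd_config_text, client_bind=None):
    """Predict where a -R [bind_address:]port:host:hostport forward listens.

    client_bind is the optional bind_address the client sent; None means it
    gave none, '' or '*' means it asked for all interfaces.
    """
    mode = effective_option(sshd_config_text, "GatewayPorts", "no")
    if mode == "yes":
        return WILDCARD  # server forces wildcard, whatever the client asked
    if mode == "clientspecified" and client_bind is not None:
        return WILDCARD if client_bind in ("", "*") else client_bind
    return LOOPBACK  # matches the "listening on 127.0.0.1" debug line above
```

A `wildcard` result means every host that can reach the server can reach the forwarded port, so the same helper doubles as a check for unintended exposure.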


