Re: SSH tunneling/port forwarding and stateful packet inspection

From: Jeffrey J. Kosowsky (kosowsky_at_consult.pretender)
Date: 03/07/04


Date: Sun, 07 Mar 2004 05:04:31 GMT

dtucker@dodgy.net.au (Darren Tucker) writes:
> In article <m2vflk5g6c.fsf@consult.pretender>,
> Jeffrey J. Kosowsky <kosowsky@consult.pretender> wrote:
> [snip]
> > Also, is there any way to continue to use straight SSH most of the
> > time, but only use the additional 'stunnel' wrapper when it is
> > absolutely necessary?
>
> ProxyCommand can be a script which behaves differently in different
> environments, see:
> http://www.taiyo.co.jp/~gotoh/ssh/connect.html#sec13

Do you know how much extra "overhead" is introduced by running ssh
over ssl instead of just running ssh directly?

> Note that if you're running an SSL-wrapped sshd, it will have to be
> on a different port to the non-wrapped one.

Now this could be a challenge since the only "guaranteed" open port is
446.

Could I instead use something like dyndns so that port 446 gets
forwarded to a different open port on my router (but appears as 446 to
the outgoing firewall)?

So for example when using ssh directly:
     ssh -> Port 446 (out) -> myname.dyndns -> Port 22 (in) on my router
While when using ssh over ssl:
     ssh -> Port 446 (out) -> Port 446 on my router

> I set stunnel up here to see if it was possible. It is, but it's
> complicated. The following applies to OpenSSH (it might be possible
> with other SSH software, but I don't know.)

> In this example the client and server are on the same Redhat 9 box, but
> the theory appears sound, so it could also work across systems (and
> proxies!) too. The tools are OpenSSH's ssh/sshd (3.8p1), xinetd (2.3.11),
> stunnel (4.04) and connect (v1.64).
>
I am assuming that I can get this to work both on my Linux Fedora Core
server and my laptop running Cygwin (since both use OpenSSH and
OpenSSL).

However, how would I make this work for PuTTY, which I also run on my
laptop?

> The objective of the exercise looks something like this:
>
> ssh -(SSHv2)-> stunnel -(SSL)-> connect -(SSL)-> stunnel -(SSHv2)-> sshd.
>
> In my example, the 2nd stunnel is started by xinetd although it could
> listen itself, and the "connect" process can optionally use an HTTP
> CONNECT or SOCKS proxy too. The target sshd is run in inetd mode, and
> thus talks to stdin/stdout provided by stunnel.

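As an added illustration of the ProxyCommand-switching idea raised in the quoted reply (a script that "behaves differently in different environments"), here is a small POSIX shell ProxyCommand written for this page; it is not Darren Tucker's setup and not code from the original thread. It assumes: the script name `ssh-proxy.sh`, the address prefixes in `DIRECT_NETS` as the networks where plain SSH gets out, the host name `myname.dyndns.example`, a config file kept under `~/.ssh`, Goto's `connect` or `nc` for the direct case, and stunnel 4.x on the client. Only the decision and the generated stunnel configuration are shown; the server-side xinetd/stunnel/sshd chain from the quoted message is unchanged.

```shell
#!/bin/sh
# ssh-proxy.sh: an OpenSSH ProxyCommand that opens a plain TCP connection
# when the local network lets SSH out, and otherwise wraps the session in
# an stunnel (SSL) client so that only an SSL stream crosses the firewall.
#
# Example ~/.ssh/config entry (host name and port are assumed values):
#   Host home
#       HostName myname.dyndns.example
#       Port 446
#       ProxyCommand /path/to/ssh-proxy.sh %h %p

# Assumed: address prefixes of networks from which plain SSH on the target
# port works. Any other source address is treated as "restrictive".
DIRECT_NETS="192.168.1. 10.0.0."

# local_ipv4: print the source address used to reach the Internet.
# $LOCAL_IP overrides the lookup (also the only option on Cygwin, where
# the Linux 'ip' tool is absent).
local_ipv4() {
    if [ -n "$LOCAL_IP" ]; then
        printf '%s\n' "$LOCAL_IP"
    elif command -v ip >/dev/null 2>&1; then
        ip -4 route get 1.1.1.1 2>/dev/null \
            | sed -n 's/.* src \([0-9.]*\).*/\1/p' | head -n 1
    fi
}

# choose_transport ADDR: print "direct" if ADDR lies in DIRECT_NETS,
# otherwise "ssl".
choose_transport() {
    addr=$1
    for net in $DIRECT_NETS; do
        case $addr in
            "$net"*) echo direct; return 0 ;;
        esac
    done
    echo ssl
}

# stunnel_client_conf HOST PORT: emit an stunnel 4.x configuration with no
# service section, which makes stunnel run in inetd mode: it talks SSH to
# ssh on stdin/stdout and SSL to HOST:PORT. Without verify/CAfile the
# server certificate is not checked; the SSH host key still authenticates
# the far end, the SSL layer only has to look like HTTPS to the firewall.
stunnel_client_conf() {
    printf 'client = yes\n'
    printf 'foreground = yes\n'
    printf 'connect = %s:%s\n' "$1" "$2"
    # To also pin the wrapper's certificate, uncomment and point CAfile at it:
    # printf 'verify = 2\nCAfile = %s/.ssh/stunnel-ca.pem\n' "$HOME"
}

# run_proxy HOST PORT: hand the connection to the chosen transport.
run_proxy() {
    host=$1
    port=$2
    case $(choose_transport "$(local_ipv4)") in
        direct)
            # 'connect' (Goto's tool) takes -H/-S proxy options if needed;
            # nc is the fallback when connect is not installed.
            if command -v connect >/dev/null 2>&1; then
                exec connect "$host" "$port"
            fi
            exec nc "$host" "$port"
            ;;
        ssl)
            conf="$HOME/.ssh/stunnel-$host-$port.conf"
            umask 077
            stunnel_client_conf "$host" "$port" > "$conf" || exit 1
            exec stunnel "$conf"
            ;;
    esac
}

# Only act when invoked as a ProxyCommand with host and port; sourcing the
# file (e.g. for tests) just defines the functions.
if [ $# -eq 2 ]; then
    run_proxy "$@"
fi
```

The script passes `%h` and `%p` unchanged to both transports, so which sshd (wrapped or unwrapped) answers on the far side is decided purely by the `HostName`/`Port` values in `~/.ssh/config` and the router's port mapping; as the quoted reply notes, the SSL-wrapped sshd has to sit on a different port from the plain one. The `LOCAL_IP` override is also handy for forcing one path while testing (`LOCAL_IP=172.16.0.1 ssh home` exercises the stunnel branch).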