Re: port forwarding problem

From: Richard E. Silverman (res_at_qoxp.net)
Date: 09/24/04

  • Next message: Richard E. Silverman: "Re: Confusing! ssh, ssh1, ssh2, etc."
    Date: 23 Sep 2004 18:32:47 -0400
    
    

    >>>>> "MS" == Michael Surette <msurette@laframboise.net> writes:

        MS> OK, that works. Now I'm really confused. The way I understand
        MS> privilege separation is that as soon as a user gets authenticated,
        MS> you drop to that user's privilege level. I can do an address
        MS> lookup as that user on all these machines. What's happening to
        MS> stop that under port forwarding?

    I don't know exactly what's wrong; I just made a guess when you noted that
    it worked properly when you logged in as root on the remote. Without
    privilege separation all sshd's run as root; with it, they don't (but a
    login as root still would of course).

    So, something about sshd's privilege-dropping process is affecting name
    lookups. I can't think of a likely reason, so I would turn privsep back
    on and trace the non-root sshd to get a clue. This is easy since it won't
    do the lookup until you actually connect to the locally forwarded port.
    So:

    * create SSH connection with forwarding
    * find the corresponding non-root sshd process on the server
    * attach to it with a tracer (e.g. strace -p)
    * connect to the locally forwarded port and see what the trace reveals

        MS> Shouldn't privilege separation be turned on as one of those "good
        MS> old-fashioned paranoia" security things?

    Sure, as long as it isn't breaking other things... :)

    -- 
      Richard Silverman
      res@qoxp.net
    

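The four-step tracing procedure above, written out as a script. This is an added example, not code from the thread or from OpenSSH. It assumes a Linux host with procps `ps` and `strace` installed, and relies on the process titles OpenSSH gives its two post-authentication processes under privilege separation: the root monitor shows as `sshd: user [priv]` and the unprivileged child as `sshd: user@pts/N` (or `sshd: user@notty` for a session with no tty, e.g. `ssh -N -L ...`). The `ps` sample is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread or from OpenSSH).
# Find the unprivileged sshd child for a user and attach strace to it, so the
# name lookup done when a locally forwarded port is hit can be observed.
# Assumes Linux, procps ps and strace; the "sshd: user [priv]" / "sshd: user@..."
# titles are OpenSSH's own under UsePrivilegeSeparation.

# Constructed sample of `ps -eo pid,user:32,args` output (not real data).
SAMPLE_PS='  PID USER     COMMAND
  812 root     /usr/sbin/sshd -D
 4310 root     sshd: msurette [priv]
 4312 msurette sshd: msurette@notty
 4320 root     sshd: alice [priv]
 4322 alice    sshd: alice@pts/1'

# unpriv_sshd_pids USER: read `ps -eo pid,user:32,args` on stdin, print the PIDs
# of the sshd processes that already run as USER. The "[priv]" monitor runs as
# root, so it is excluded by the user match; the child's title is "sshd: USER@...".
unpriv_sshd_pids() {
    u="$1"
    awk -v u="$u" '$2 == u && $3 == "sshd:" && $4 ~ ("^" u "@") { print $1 }'
}

# trace_cmd OUTFILE PID...: build the strace command line. "network" catches the
# socket()/connect()/sendto() to the resolver, "file" catches opens of
# /etc/resolv.conf, /etc/hosts, /etc/nsswitch.conf and the NSS modules, "process"
# plus -f follows anything the child forks. -tt timestamps, -s 256 shows payloads.
trace_cmd() {
    out="$1"
    shift
    args=""
    for p in "$@"; do
        args="$args -p $p"
    done
    printf 'strace -f -tt -s 256 -e trace=network,file,process%s -o %s\n' "$args" "$out"
}

main() {
    user="${1:?usage: $0 username}"
    # user:32 widens the column so long usernames are not truncated by ps.
    pids=$(ps -eo pid,user:32,args | unpriv_sshd_pids "$user")
    if [ -z "$pids" ]; then
        echo "no unprivileged sshd for $user: is the session up and privsep on?" >&2
        exit 1
    fi
    # shellcheck disable=SC2086  (pids is intentionally word-split)
    cmd=$(trace_cmd "/tmp/sshd-$user.trace" $pids)
    echo "running: $cmd" >&2
    echo "now connect to the forwarded port on the client, then Ctrl-C here" >&2
    $cmd
}

# Only run when given a username, so the functions can be sourced on their own.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as root on the server while the forwarding session is up (`sh trace_sshd.sh msurette`), then connect to the forwarded port from the client; the trace file shows whether the child opens `/etc/nsswitch.conf` and `/etc/resolv.conf`, which NSS modules it loads, and whether its `connect()` to the resolver succeeds or fails, which is the clue Silverman is after.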