Trouble with port forwarding w/ OpenSSH 3.9
Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 28, '04, 3:01:50 PM
breiter
Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
Well, this was working on OpenSSH 3.8, but now is not. The server is Windows Server 2003. I have another Windows Server 2003 box running OpenSSH 9 where this is working.
I can't figure out the problem.
[breiter@johngalt]# ssh -L 3389:localhost:3389 myhost
breiter@myhost's password:
- run from START
cmd /c start mstsc -v:localhost
Win32 BONK: RDP could not establish connection
- back on my Interix console, I get this message
[breiter@myhost]# channel 2: open failed: administratively prohibited: open failed
[breiter@myhost]# cat /usr/local/etc/sshd_config
# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
# restrict access to members of the AuthSSH group
AllowGroups AuthSSH
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
X11UseLocalhost no
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation no
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/local/libexec/sftp-server
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 28, '04, 3:05:03 PM
breiter
Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
Also netstat on my local machine reports that the TCP port is there:
[breiter@johngalt]# netstat -a | grep 3389
TCP johngalt:3389 johngalt.wolfereiter.priv:0 LISTENING
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 28, '04, 5:08:09 PM
breiter
Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
ARGH!!!
I've tried deleting the OpenSSH, OpenSSL, libcrypt and zlib packages completely and then reinstalling OpenSSH again. No luck fixing the problem.
Oy. I've fixed it by copying sshd-0 (3.8) to replace sshd (3.9). And I've confirmed that the 3.9 version never works right with port forwarding for me but the 3.8 version does.
The real kicker is that both versions work on my testbed. The only difference between the testbed and production servers aside from the hardware is that the testbed is on the same subnet with me and the production one is in a datacenter several hops away from me. Both are Windows Server 2003 Standard, fully patched with SFU 3.5 installed in a fairly minimal configuration that doesn't include the Interix SDK.
The sshd_config files are identical. The package versions are the same on both platforms. I even diffed sshd and they are the same. The sshd 3.9 just doesn't do port forwarding for me on the server in the NOC.
The binaries are very different in size.
[root@ra]# ls -l /usr/local/sbin | grep ssh
-rwxrwxr-x 1 root +Administrators 899072 May 7 13:06 sshd
-rwxrwxr-x 1 root +Administrators 535040 Oct 14 15:11 sshd-39
It looks like a major difference is that 3.9 is dynamically linked and 3.8 was statically linked.
[breiter@johngalt]# objdump -p ~/Desktop/sshd38 | egrep "NEEDED|PATH"
NEEDED libcrypto.so
NEEDED libcrypt.so
NEEDED libz.so
NEEDED libc.so.3.5
RPATH /usr/local/lib:/usr/local/ssl/lib
[breiter@johngalt]# objdump -p ~/Desktop/sshd39 | egrep "NEEDED|PATH"
[breiter@johngalt]#
Adding to my misfortune, all of the packages in the warehouse point to 3.9, currently, even the ones that are labeled 3.8.xxx.
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 28, '04, 5:39:14 PM
cortez_
Posts: 330
Joined: Mar. 27, '04,
From: Poland
Status: offline
A workaround to prevent 3.8 from being overwritten is to make a fake package of 3.8 as, let's say, 9.9. That will not solve the issue, but it will give you some more time to track the bug.
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 28, '04, 10:49:28 PM
breiter
Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
I'm having trouble with scp to the afflicted server, too. Again it works fine to the server on my subnet.
I wish I had a copy of the ssh 3.8 binaries...
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 28, '04, 11:14:43 PM
breiter
Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
Wait! There is one other difference with my testbed...
Aha! The culprit with scp was the way I had !#$^@#$ fortune running in my @#!#$^ .cshrc.
Actually it wasn't fortune per se. But I also set up a bunch of variables with ANSI color codes and then formatted the fortune purple:
[code]
# Set up ANSI escape codes (^[ is a literal ESC character, 0x1b)
set esc="^["
set blackf="${esc}[30m"; set redf="${esc}[31m"; set greenf="${esc}[32m"
set yellowf="${esc}[33m"; set bluef="${esc}[34m"; set purplef="${esc}[35m"
set cyanf="${esc}[36m"; set whitef="${esc}[37m"
set blackb="${esc}[40m"; set redb="${esc}[41m"; set greenb="${esc}[42m"
set yellowb="${esc}[43m"; set blueb="${esc}[44m"; set purpleb="${esc}[45m"
set cyanb="${esc}[46m"; set whiteb="${esc}[47m"
set boldon="${esc}[1m"; set boldoff="${esc}[22m"
set italicson="${esc}[3m"; set italicsoff="${esc}[23m"
set ulon="${esc}[4m"; set uloff="${esc}[24m"
set invon="${esc}[7m"; set invoff="${esc}[27m"
set reset="${esc}[0m"
# time for a fortune (this writes to stdout on every shell start, login or not)
cat << EOF
${purplef}`/usr/games/fortune -a`
${reset}
EOF
[/code]
Too cute, by half.
So getting rid of all that garbage and just going with plain old fortune -a fixes scp. After these files get done copying, I'll try switching the sshd binary back and see if my purple prose was the problem there, too.
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 28, '04, 11:22:08 PM
breiter
Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
quote:
So getting rid of all that garbage and just going with plain old fortune -a fixes scp. After these files get done copying, I'll try switching the sshd binary back and see if my purple prose was the problem there, too.
Unfortunately, that wasn't the magical fix. SSHD 3.8 will forward ports; SSHD 3.9 still refuses to forward.
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 28, '04, 11:49:37 PM
Rodney
Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
> I wish I had a copy of the ssh 3.8 binaries...
... you do. Or at least everyone has access to them.
Old versions are not rm'd, they are mv'd to 3.5-prev on the ftp site.
Old versions sit there for several months. If you want to "rollback",
do pkg_delete then do a pkg_add of the old version.
ftp://ftp.interopsystems.com/pkgs/3.5-prev
Do understand that some packages in the 3.5-prev directory may be there
because their descendant fixed a (potential) security bug.
< Message edited by Rodney -- Oct. 29, '04, 12:07:24 AM >
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 29, '04, 1:33:28 AM
Rodney
Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
I'm assuming that on the client machine that you are running syslog.
In a number of locations within the code for port forwarding the client
side will report more information to syslog about the error.
I've narrowed down to four spots where the error might start.
Is there any info in your syslog for this?
It would help in determining which it is (if any).
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 29, '04, 7:19:25 AM
breiter
Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
> I'm assuming that on the client machine that you are running syslog.
I didn't have it running, but do now. You want me to replicate the problem, and then which log should I look in?
/var/adm/log/<which-one>?
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 29, '04, 9:18:15 AM
breiter
Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
Incidentally, anything in ~/.cshrc (on the remote host) that writes to stdout will break scp. But that same stuff in /etc/csh.lcl or /etc/profile.lcl does not get executed. I'm surprised that scp executes ~/.cshrc at all.
Executing ~/.cshrc seems to just be overhead and a potential problem. Why does it need to do that in order to copy files?
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 29, '04, 11:12:05 AM
Rodney
Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
> /var/adm/log/<which-one>?
/var/adm/messages
When you normally do ssh you get a login shell (regardless of which
shell you use). That's the "-l" option, so the system and user login scripts
get run.
When you do scp an ssh is run at the client end that then starts
a non-login shell at the remote side. Then the remote side is sent the command
to run scp in remote mode. Then the communication happens for scp.
This is a very general explanation of course.
Whatever your shell is will do all of its regular things that it does in
non-login mode.
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 29, '04, 2:56:17 PM
breiter
Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
> Is there any info in your syslog for this?
> It would help in determining which it is (if any).
Nope. Nothing in /var/adm/log/messages (well, there's something, but it's just daemon startup info and a message that I used the wrong pwd with SU).
> When you do scp an ssh is run at the client end that then starts
> a non-login shell at the remote side. Then the remote side is sent the command
> to run scp in remote mode.
OK. So I could move anything that is echoing to ~/.login and it would not run in a non-login shell, but everything in ~/.cshrc always, always runs.
/etc/csh.lcl doesn't seem to be mentioned in the man pages, but it is clear to me that it is a global login script that only runs when csh/tcsh is a login shell, just like ~/.login, only for all users, right?
< Message edited by breiter -- Oct. 29, '04, 3:14:49 PM >
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 29, '04, 3:33:03 PM
Rodney
Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
> OK. So I could move anything that is echoing to ~/.login and
>it would not run in a non-login shell, but everything in ~/.cshrc always, always runs.
That would clear things up for your scp use.
> /etc/csh.lcl doesn't seem to be mentioned in the man pages, ...
It's a file that gets sourced by the traditional system files. You see it gets sourced
from csh.login around line 266. The idea of this (and similar for sh/ksh)
is for organization and standardizing when certain things are run (order).
> Nope. Nothing in /var/adm/log/messages
Nuts. I'll see if I can work it out this way then.
BTW there were changes to the code for port forwarding, but nothing is posted as a bug
against it at OpenSSH.
So just to double check with you:
Port forwarding is working on a local network. Going several hops to a non-local network
it's not working for 3.9 but is working for 3.8.
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 29, '04, 5:06:00 PM
breiter
Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
> So just to double check with you:
> Port forwarding is working on a local network. Going several hops to a non-local network
> it's not working for 3.9 but is working for 3.8.
Yes. That is correct. I guess one possible wrinkle is that I have a Cisco 2621 router performing NAT at the first hop. I have IOS 12.3.
Cerberus>sho ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-J1S3-M), Version 12.3(1a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 06-Jun-03 22:08 by dchih
Image text-base: 0x80008098, data-base: 0x819BDAE0
ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
Cerberus uptime is 1 year, 7 weeks, 1 day, 23 hours, 45 minutes
System returned to ROM by reload
System image file is "flash:c2600-j1s3-mz.123-1a.bin"
cisco 2621 (MPC860) processor (revision 0x200) with 60416K/5120K bytes of memory.
Processor board ID JAD05100JS1 (2992394975)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
TN3270 Emulation software.
2 FastEthernet/IEEE 802.3 interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 29, '04, 5:13:55 PM
Rodney
Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
I'm trying some configuration things with OpenSSH and I'm adding
some additional syslog output. Once I get that done I'm going to
drop it into beta for you to try. This won't happen until later
tonight though.
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 29, '04, 5:16:41 PM
breiter
Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
> I'm trying some configuration things with OpenSSH and I'm adding
> some additional syslog output. Once I get that done I'm going to
> drop it into beta for you to try. This won't happen until later
> tonight though.
Don't kill yourself. I have a workaround that is OK for a few days.
When you get the beta in place, will I need to run it on both my
workstation and the remote server?
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 31, '04, 1:39:50 PM
Rodney
Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
I've placed the following up for you to try:
pkg_add ftp://ftp.interopsystems.com/pkgs/beta/openssh-3.9.0.1.1-bin.tgz
Try running your ssh with debug at level 1 (ssh -d -L ...).
That should have more info go to the syslog.
> When you get the beta in place, I will need to run it on both my workstation and the remote server?
Try it with it just on your workstation first (that should give you a 3.9/3.8 combo).
Then try adding it to the server. That should either have things working or clear up
which side (client or server) is really giving the error; both can give the same error message.
Though I'm leaning to the client-side at the moment.
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 31, '04, 5:55:37 PM
breiter
Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
At the moment, the working configuration is 3.9 on the client (ssh) and 3.8 on the server (sshd).
RE: Trouble with port forwarding w/ OpenSSH 3.9 - Oct. 31, '04, 9:40:51 PM
breiter
Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
OK. Here is sshd 3.8 on the server and sshd 3.9.0.1.1 (BETA) on the workstation. Works fine.
[breiter@johngalt]# ssh -v -L 3389:localhost:3389 remotehost.wolfereiter.com
OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to remotehost.wolfereiter.com [XXX.XXX.XXX.XXX] port 8912918.
debug1: Connection established.
debug1: identity file /dev/fs/C/Documents and Settings/breiter/.ssh/identity type -1
debug1: identity file /dev/fs/C/Documents and Settings/breiter/.ssh/id_rsa type 1
debug1: identity file /dev/fs/C/Documents and Settings/breiter/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8p1
debug1: match: OpenSSH_3.8p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'remotehost.wolfereiter.com' is known and matches the RSA host key.
debug1: Found key in /dev/fs/C/Documents and Settings/breiter/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /dev/fs/C/Documents and Settings/breiter/.ssh/identity
debug1: Offering public key: /dev/fs/C/Documents and Settings/breiter/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: /dev/fs/C/Documents and Settings/breiter/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: Connections to local port 3389 forwarded to remote address localhost:3389
debug1: Local forwarding listening on 127.0.0.1 port 8916285.
debug1: channel 0: new [port listener]
debug1: channel 1: new [client-session]
debug1: Entering interactive session.
ww ww ww rrrrrr
ww wwww ww rr rr
ww ww ww ww rr
ww ww rr
w w rr
Welcome to remotehost.wolfereiter.com, Brian.
If a team is in a positive frame of mind, it will have a good
attitude. If it has a good attitude, it will make a commitment to
playing the game right. If it plays the game right, it will win --
unless, of course, it doesn't have enough talent to win, and no manager
can make goose-liver pate out of goose feathers, so why worry?
-- Sparky Anderson
[breiter@remotehost]# debug1: Connection to port 3389 forwarding to localhost port 3389 requested.
debug1: channel 2: new [direct-tcpip]
debug1: channel 2: free: direct-tcpip: listening port 3389 for localhost port 3389, connect from 127.0.0.1 port 6303, nchannels 3
debug1: channel 0: free: port listener, nchannels 2
debug1: channel 1: free: client-session, nchannels 1
Connection to remotehost.wolfereiter.com closed.
< Message edited by breiter -- Oct. 31, '04, 9:54:38 PM >
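An added example, not from the thread or from the Interop Systems packages: a small Python triage script that reads the debug1 lines of an `ssh -v -L` session, as in the first and last posts above, and reports for each direct-tcpip channel whether the forward carried traffic or was refused, with a hint for the "administratively prohibited" reason. The sample transcript is constructed from the thread's lines (the second client port 6304 is made up); the hint text is my own reading of the SSH2 channel-open failure reasons, not anything the thread states.

```python
import re

# Constructed sample: the debug1 lines of a working -L 3389:localhost:3389
# forward (as in the thread's final post), followed by a second forward that
# the peer refuses with the error from the first post.  Port 6304 is made up.
SAMPLE_LOG = """\
debug1: Local forwarding listening on 127.0.0.1 port 3389.
debug1: channel 0: new [port listener]
debug1: channel 1: new [client-session]
debug1: Connection to port 3389 forwarding to localhost port 3389 requested.
debug1: channel 2: new [direct-tcpip]
debug1: channel 2: free: direct-tcpip: listening port 3389 for localhost port 3389, connect from 127.0.0.1 port 6303, nchannels 3
debug1: Connection to port 3389 forwarding to localhost port 3389 requested.
debug1: channel 3: new [direct-tcpip]
channel 3: open failed: administratively prohibited: open failed
debug1: channel 3: free: direct-tcpip: listening port 3389 for localhost port 3389, connect from 127.0.0.1 port 6304, nchannels 3
"""

LISTEN_RE = re.compile(r"Local forwarding listening on (\S+) port (\d+)\.")
NEW_RE = re.compile(r"channel (\d+): new \[([^\]]+)\]")
FAIL_RE = re.compile(r"channel (\d+): open failed: (.+?): open failed")
FREE_RE = re.compile(r"channel (\d+): free: direct-tcpip: listening port (\d+) "
                     r"for (\S+) port (\d+), connect from (\S+) port (\d+)")

# SSH2 channel-open failure reasons and what each means for a -L forward.
REASON_HINTS = {
    "administratively prohibited": "peer refused the channel before contacting the target; "
                                   "check AllowTcpForwarding and other restrictions on that side",
    "connect failed": "channel was allowed but sshd could not reach the target host:port",
}

def triage(log_text):
    """Return the -L listeners and the outcome of every direct-tcpip channel."""
    listeners, channels = [], {}
    for line in log_text.splitlines():
        if m := LISTEN_RE.search(line):
            listeners.append((m.group(1), int(m.group(2))))
        elif m := NEW_RE.search(line):
            channels[int(m.group(1))] = {"type": m.group(2), "status": "open"}
        elif m := FAIL_RE.search(line):
            # An open failure seen without a preceding "new" line is assumed to be a forward.
            ch = channels.setdefault(int(m.group(1)), {"type": "direct-tcpip", "status": "open"})
            ch.update(status="failed", reason=m.group(2),
                      hint=REASON_HINTS.get(m.group(2), "unrecognised reason; check the server's sshd log"))
        elif m := FREE_RE.search(line):
            ch = channels.setdefault(int(m.group(1)), {"type": "direct-tcpip", "status": "open"})
            ch.update(listen_port=int(m.group(2)), target=f"{m.group(3)}:{m.group(4)}",
                      client=f"{m.group(5)}:{m.group(6)}")
            if ch["status"] == "open":
                ch["status"] = "ok"  # freed with no open failure: the forward carried traffic
    forwards = {cid: ch for cid, ch in channels.items() if ch["type"] == "direct-tcpip"}
    return {"listeners": listeners, "forwards": forwards}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for addr, port in report["listeners"]:
        print(f"listener {addr}:{port}")
    for cid, ch in sorted(report["forwards"].items()):
        line = f"channel {cid}: {ch['status']} -> {ch.get('target', '?')} from {ch.get('client', '?')}"
        if ch["status"] == "failed":
            line += f" ({ch['reason']}: {ch['hint']})"
        print(line)
```

Run it against a saved `ssh -v` transcript from each side of a failing session to see which channel the refusal lands on before changing sshd_config.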