
Using ssh forwarding for ssh itself.


Adam Funk

Jun 20, 2007, 10:59:51 AM
I'm trying to ssh into my (Linux) computer at work. Normally I ssh
into the department's main (Unix) computer, then ssh into my own, but
I thought I'd try out port forwarding. So in one xterm I do this:


$ ssh -L 9999:my_computer:22 main_computer
[main_computer prints login message then the following]

channel 3: open failed: administratively prohibited: open failed
channel 3: open failed: administratively prohibited: open failed


In another xterm, I try this:


$ netstat -tl
[shows my computer is listening on 9999]

$ ssh -p 9999 -v localhost
debug1: Reading configuration data /home/adam/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 9999.
debug1: Connection established.
debug1: identity file /home/adam/.ssh/identity type -1
debug1: identity file /home/adam/.ssh/id_rsa type -1
debug1: identity file /home/adam/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host


Does the "administratively prohibited" message mean that main_computer
is configured not to allow this? Or am I doing something wrong?

If I can get this working, will I also be able to use scp directly
from my home computer to my desktop (instead of copying to my account
on main_computer first)?


Thanks,
Adam

Michael Heiming

Jun 20, 2007, 12:20:48 PM
In comp.security.ssh Adam Funk <a24...@ducksburg.com> wrote:
> I'm trying to ssh into my (Linux) computer at work. Normally I ssh
> into the department's main (Unix) computer, then ssh into my own, but
> I thought I'd try out port forwarding. So in one xterm I do this:
[..]

> If I can get this working, will I also be able to use scp directly
> from my home computer to my desktop (instead of copying to my account
> on main_computer first)?

Why not just stick some alias like this in .bashrc?

alias scpd='tar -czf - . |ssh remhost1 "cat -" |ssh remhost2 "cd ~/boz; tar -xzf -"'

Good luck

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvp...@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 10: hardware stress fractures

Mat

Jun 20, 2007, 5:47:28 PM
Adam Funk wrote:

> I'm trying to ssh into my (Linux) computer at work. Normally I ssh
> into the department's main (Unix) computer, then ssh into my own, but
> I thought I'd try out port forwarding. So in one xterm I do this:
>
>
> $ ssh -L 9999:my_computer:22 main_computer
> [main_computer prints login message then the following]
>
> channel 3: open failed: administratively prohibited: open failed
> channel 3: open failed: administratively prohibited: open failed

Hi,
This message is printed when you try to use TCP forwarding and sshd
doesn't authorize it. You need to ask your administrator to put
"AllowTcpForwarding yes" in sshd_config on the gateway.

According to "man sshd_config", if you can log into a host, disabling
TCP forwarding doesn't really improve security (quote: '...Note that
disabling TCP forwarding does not improve security unless users are also
denied shell access, as they can always install their own forwarders').

Mat
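
The man-page caveat Mat quotes, shown as gateway sshd_config policy (an added example, not from this thread): the setting Adam later found on the gateway beside a policy that is coherent about it. Group names (staff, relay-only) and the my_computer target are assumed; PermitTTY requires OpenSSH 6.2 or later, newer than this thread.

```sshconfig
# --- What the gateway in the thread has (assumed from Adam's report) ---
# Forwarding is refused with "administratively prohibited", but every user
# still gets a shell, so per man sshd_config this is not a security boundary:
# a user can run their own forwarder over the session channel.
AllowTcpForwarding no

# --- A coherent alternative (hypothetical groups; Match blocks go last) ---
# Keep forwarding off by default, but let staff reach exactly one internal
# sshd through the gateway and nothing else.
Match Group staff
    AllowTcpForwarding yes
    PermitOpen my_computer:22
    AllowAgentForwarding no
    X11Forwarding no

# Relay-only accounts: no shell, no PTY, forwarding scoped to one target.
# They connect with "ssh -N -L ..." (or a ProxyCommand using "ssh -W ..."),
# which opens no session channel, so ForceCommand never runs and the
# relay still works; an interactive login just gets nologin.
Match Group relay-only
    AllowTcpForwarding yes
    PermitOpen my_computer:22
    PermitTTY no
    ForceCommand /usr/sbin/nologin
    AllowAgentForwarding no
    X11Forwarding no
```

Run `sshd -t` after editing to syntax-check the file before restarting the daemon.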

Mat

Jun 20, 2007, 5:56:21 PM

Sorry, I forgot one part of the response. If your administrator authorizes
TCP forwarding as I mentioned earlier, then you could use scp directly
after tunnel establishment using:

scp -oport=9999 localhost:/tmp/myfile /tmp/
(pull)
or
scp -oport=9999 /tmp/my2file localhost:/tmp/
(push)

Mat


Martin Gagnon

Jun 20, 2007, 4:41:49 PM
In comp.security.ssh Adam Funk <a24...@ducksburg.com> wrote:
You may want to use an ssh trampoline. For this, you need to have netcat
(or "nc") installed on "main_computer" (the main_computer from your port
forwarding example).

You just have to edit your ~/.ssh/config file and add something like the
following:

======================================================================
# You can add an alias for this intranet IP in /etc/hosts at home.
Host my_computer
    # You need netcat on main_computer (replace "netcat" with "nc" on some OSes).
    ProxyCommand ssh main_computer "netcat %h %p"
======================================================================

With that, you can access "my_computer" just by typing: ssh my_computer.
You can do scp, sftp, tunnels, etc., as if you had direct access
to my_computer.

It's very convenient to use ssh-agent in such a configuration, too, so you
don't have to type your password many times.

Good luck

--
Martin

Adam Funk

Jun 21, 2007, 5:24:44 AM
On 2007-06-20, Mat wrote:

> This message is printed when you try to use TCP forwarding and sshd
> doesn't authorize it. You need to ask your administrator to put
> "AllowTcpForwarding yes" in sshd_config on the gateway.

Aha, the server's sshd_config file (which is world-readable) does
contain "AllowTcpForwarding no".


> According to "man sshd_config", if you can log into a host, disabling
> TCP forwarding doesn't really improve security (quote: '...Note that
> disabling TCP forwarding does not improve security unless users are also
> denied shell access, as they can always install their own forwarders')

I'll ask the admin if he's willing to change it. Thanks for the
supportive citation!

Adam Funk

Jun 23, 2007, 2:27:31 PM
On 2007-06-20, Martin Gagnon wrote:

> You may want to use an ssh trampoline. For this, you need to have netcat
> (or "nc") installed on "main_computer" (the main_computer from your port
> forwarding example).
>
> You just have to edit your ~/.ssh/config file and add something like the
> following:

I've found another server that allows tcp forwarding to others in the
department, so I'm just using the straight ssh tunnelling technique.
But I'll try the trampoline later on --- thanks!

Adam Funk

Jul 9, 2007, 6:33:01 AM
On 2007-06-20, Martin Gagnon wrote:

> You may want to use an ssh trampoline. For this, you need to have netcat
> (or "nc") installed on "main_computer" (the main_computer from your port
> forwarding example).
>
> You just have to edit your ~/.ssh/config file and add something like the
> following:
>
>======================================================================
> # You can add an alias for this intranet IP in /etc/hosts at home.
> Host my_computer
>     # You need netcat on main_computer (replace "netcat" with "nc" on some OSes).
>     ProxyCommand ssh main_computer "netcat %h %p"
>======================================================================
>
> With that, you can access "my_computer" just by typing: ssh my_computer.
> You can do scp, sftp, tunnels, etc., as if you had direct access
> to my_computer.

That works brilliantly, thanks!

(BTW, I already use ssh-agent.)

Adam Funk

Aug 19, 2007, 4:11:22 PM
On 2007-06-20, Martin Gagnon wrote:

> You may want to use an ssh trampoline. For this, you need to have netcat
> (or "nc") installed on "main_computer" (the main_computer from your port
> forwarding example).
>
> You just have to edit your ~/.ssh/config file and add something like the
> following:
>
>======================================================================
> # You can add an alias for this intranet IP in /etc/hosts at home.
> Host my_computer
>     # You need netcat on main_computer (replace "netcat" with "nc" on some OSes).
>     ProxyCommand ssh main_computer "netcat %h %p"
>======================================================================
>
> With that, you can access "my_computer" just by typing: ssh my_computer.
> You can do scp, sftp, tunnels, etc., as if you had direct access
> to my_computer.
>
> It's very convenient to use ssh-agent in such a configuration, too, so you
> don't have to type your password many times.

Thanks very much for this very useful tip!

I've noticed, however, that the related processes don't terminate, so
every now and then I notice that `ps ux` includes several old ones
with the descriptions "sshd: adam@pts/0" and "sshd: adam@notty". I
can kill them without any problem and AFAIK they don't cause trouble,
but is this a normal result of ssh trampoline?

Darren Tucker

Aug 27, 2007, 5:52:44 PM
On 2007-08-19, Adam Funk <a24...@ducksburg.com> wrote:
[...]

> Thanks very much for this very useful tip!
>
> I've noticed, however, that the related processes don't terminate, so
> every now and then I notice that `ps ux` includes several old ones
> with the descriptions "sshd: adam@pts/0" and "sshd: adam@notty". I
> can kill them without any problem and AFAIK they don't cause trouble,
> but is this a normal result of ssh trampoline?

Some versions of netcat don't check if their input has closed so they
don't shut down cleanly in that case. I used to use this, which worked
fine:

http://www.meadowy.org/~gotoh/projects/connect

but I believe that there are some versions of netcat that also work.

There's also a patch to sshd that will send a SIGHUP to processes when
trying to close them down.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
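
A later form of the same trampoline, added here as an example and not from Darren's or Martin's posts: OpenSSH 5.4 and later can relay the connection itself with `ssh -W`, and 7.3 and later with ProxyJump, so no netcat binary is needed on main_computer and the relay process exits when the inner connection closes, which avoids the lingering "sshd: adam@notty" processes Adam describes. Host names are the thread's; the "desktop" alias is assumed. Note that `-W` and ProxyJump are TCP forwards (direct-tcpip channels), so the gateway must have AllowTcpForwarding enabled, whereas the netcat version only needs command execution.

```sshconfig
# ~/.ssh/config on the home machine (added example; host names as in the thread)

# OpenSSH 5.4+: ssh itself relays stdin/stdout to my_computer:22 through
# main_computer. %h and %p expand to the target host and port; no netcat
# on the gateway, and nothing is left behind when the session ends.
Host my_computer
    ProxyCommand ssh -W %h:%p main_computer

# OpenSSH 7.3+: the same relay as a single directive. "desktop" is a
# separate alias so this block does not overlap with the one above.
Host desktop
    HostName my_computer
    ProxyJump main_computer
```

With either form, `ssh -v my_computer` shows the ProxyCommand being spawned and is the quickest way to confirm the gateway accepted the forward.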

Adam Funk

Sep 11, 2007, 7:29:07 AM
On 2007-08-27, Darren Tucker wrote:

> On 2007-08-19, Adam Funk <a24...@ducksburg.com> wrote:
> [...]
>> Thanks very much for this very useful tip!
>>
>> I've noticed, however, that the related processes don't terminate, so
>> every now and then I notice that `ps ux` includes several old ones
>> with the descriptions "sshd: adam@pts/0" and "sshd: adam@notty". I
>> can kill them without any problem and AFAIK they don't cause trouble,
>> but is this a normal result of ssh trampoline?
>
> Some versions of netcat don't check if their input has closed so they
> don't shut down cleanly in that case.

In my case, that's the version of netcat installed on the gateway
machine, right?


> I used to use this, which worked
> fine:
>
> http://www.meadowy.org/~gotoh/projects/connect
>
> but I believe that there are some versions of netcat that also work.
>
> There's also a patch to sshd that will send a SIGHUP to processes when
> trying to close them down.

I'll look into putting connect in ~/bin/ on my account on the gateway
machine. Thanks for the advice.
