Errors on the Mac OS
Chetan Kunte
I seem to get the following error(s) when I try running sshuttle on my
Mac. Could the following errors have something to do with my server?
Appreciate your advise.
--x--
ckunte:sshuttle ckunte$ ./sshuttle -r ckunte@serverip 0.0.0.0/0 -vv
Starting sshuttle proxy.
Binding: 12300
Listening on ('0.0.0.0', 12300).
firewall manager ready.
c : connecting to server...
c : executing: ['ssh', 'ckunte@serverip', '--', '\'python\' -c
\'import sys; skip_imports=1; verbosity=2; exec
compile(sys.stdin.read(764), "assembler.py", "exec")\'']
ssh_askpass: exec(/usr/libexec/ssh-askpass): No such file or directory
Permission denied, please try again.
ssh_askpass: exec(/usr/libexec/ssh-askpass): No such file or directory
Permission denied, please try again.
ssh_askpass: exec(/usr/libexec/ssh-askpass): No such file or directory
Permission denied (publickey,password,keyboard-interactive).
Traceback (most recent call last):
File "./sshuttle", line 107, in <module>
parse_subnets(excludes)))
File "/Users/ckunte/sshuttle/client.py", line 223, in main
python, seed_hosts, auto_nets)
File "/Users/ckunte/sshuttle/client.py", line 103, in _main
(serverproc, serversock) = ssh.connect(remotename, python)
File "/Users/ckunte/sshuttle/ssh.py", line 67, in connect
s2.sendall(content2)
socket.error: [Errno 32] Broken pipe
--x--
Avery Pennarun
> I seem to get the following error(s) when I try running sshuttle on my
> Mac. Could the following errors have something to do with my server?
> Appreciate your advise.
This sounds kind of like your ssh setup is mangled. On the client
side, I think:
> ssh_askpass: exec(/usr/libexec/ssh-askpass): No such file or directory
> Permission denied, please try again.
> ssh_askpass: exec(/usr/libexec/ssh-askpass): No such file or directory
> Permission denied, please try again.
> ssh_askpass: exec(/usr/libexec/ssh-askpass): No such file or directory
> Permission denied (publickey,password,keyboard-interactive).
I don't have a /usr/libexec/ssh-askpass either (on either MacOS or
Linux). I think you have to install one if you want ssh to use it, my
my copy of ssh has been more than happy without it. Have you somehow
configured your ssh to look for one?
if you do "ssh servername" or "ssh servername ls /etc", do they both work?
> File "/Users/ckunte/sshuttle/client.py", line 103, in _main
> (serverproc, serversock) = ssh.connect(remotename, python)
> File "/Users/ckunte/sshuttle/ssh.py", line 67, in connect
> s2.sendall(content2)
> socket.error: [Errno 32] Broken pipe
This isn't the most elegant way for sshuttle to respond to the
problem, though, so maybe I can patch that so you won't see an
exception :)
Have fun,
Avery
Avery Pennarun
>> if you do "ssh servername" or "ssh servername ls /etc", do they both work?
>
>
>> my copy of ssh has been more than happy without it. Have you somehow
>> configured your ssh to look for one?
>
> and id_rsa* files. Would be grateful if you could advise a novice user
> like me on what / how I could change it to suit.
>
> Greatly appreciate your help on this.
Aha; the "problem" is that you didn't have ssh configured for
passwordless login. That's supposed to work, but I've never tested it
because all my ssh servers are set up in that way :)
I've just pushed a fix for sshuttle that should make it work again.
Sorry about that. Please try git pulling my latest master and see
what happens.
Nevertheless, you might want to try out a script called "ssh-copy-id"
(google it!) that knows how to auto-configure a remote ssh server to
work with your id_rsa. Not typing passwords is pretty great :)
Have fun,
Avery
dkf
in my ~/.ssh/known_hosts. Once I save the host there, it works great.
Avery, sshuttle is working great for me on 10.6. Thanks for the quick
turnaround on this, deleting cisco vpn made me quite happy.
When I have some time, I think reading through:
http://www.opensource.apple.com/source/xnu/xnu-1228.15.4/bsd/net/route.c
will help explain the difference between scoped and non-scoped
routing.
This comment seems interesting:
/*
* Common routine to lookup/match a route. It invokes the lookup/
matchaddr
* callback which could be address family-specific. The main
difference
* between the two (at least for AF_INET/AF_INET6) is that a lookup
does
* not alter the expiring state of a route, whereas a match would
unexpire
* or revalidate the route.
*
* The optional scope or interface index property of a route allows
for a
* per-interface route instance. This permits multiple route entries
having
* the same destination (but not necessarily the same gateway) to
exist in
* the routing table; each of these entries is specific to the
corresponding
* interface. This is made possible by embedding the scope value into
the
* radix key, thus making each route entry unique. These scoped
entries
* exist along with the regular, non-scoped entries in the same radix
tree
* for a given address family (currently AF_INET only); the scope
logically
* partitions it into multiple per-interface sub-trees.
*
* When a scoped route lookup is performed, the routing table is
searched for
* the best match that would result in a route using the same
interface as the
* one associated with the scope (the exception to this are routes
that point
* to the loopback interface). The search rule follows the longest
matching
* prefix with the additional interface constraint.
*/
Avery Pennarun
> * The optional scope or interface index property of a route allows for a
> * per-interface route instance. This permits multiple route entries having
> * the same destination (but not necessarily the same gateway) to exist in
> * the routing table; each of these entries is specific to the corresponding
> * interface. This is made possible by embedding the scope value into the
> * radix key, thus making each route entry unique. These scoped entries
> * exist along with the regular, non-scoped entries in the same radix tree
> * for a given address family (currently AF_INET only); the scope logically
> * partitions it into multiple per-interface sub-trees.
Aha. So when we use ipfw to redirect a connection from, say, en0 to
what ends up being localhost, it changes interfaces and the scoped
routing stuff starts looking up the wrong thing.
So yes, I suppose this counts as a MacOS bug and a workaround, not
really a security feature :)
The really bad news is that if Apple ever fixes it, I guess for
sshuttle to be a good citizen we'll have to make it auto-detect the
version of MacOS and only apply the workaround in affected versions :)
Have fun,
Avery
Avery Pennarun
> The really bad news is that if Apple ever fixes it, I guess for
> sshuttle to be a good citizen we'll have to make it auto-detect the
> version of MacOS and only apply the workaround in affected versions :)
Actually maybe we have to do that anyway: has anybody tried sshuttle
on MacOS 10.4 or 10.5 yet? Maybe it doesn't have this sysctl at all,
which I guess could cause sshuttle to abort with an error.
Thanks,
Avery
Chetan Kunte
> This happens to me if the host I'm connecting to with sshuttle isn't
> in my ~/.ssh/known_hosts. Once I save the host there, it works great.
This is a very good tip indeed; grateful for this.
Kind regards,
--
Chetan
Chetan Kunte
> Sorry about that. Please try git pulling my latest master and see
> what happens.
Thanks again, Avery. Will give it a go whenever it's possible for me.
[I'm as you know still stuck with the older version of py. =( ]
--
Chetan
Chetan Kunte
have vanished; and it works just as good as it does on ubuntu linux.
Grateful for this.