
Forwarding rlogin/rsh/rexec


Greyson Fischer

Aug 7, 2003, 2:16:56 PM

I'm trying to forward rlogin, rsh, or rexec ports on second.work, using
client first.work to a machine outside the firewall third.home.

As far as I can tell, this should work:
first > ssh -R 20513:second.work:513 third.home

But I'm getting the following error on the home side:
third > sudo rlogin -p 20513 localhost
rlogind: Permission denied.

This is executed with root permissions since it complains about root
being the only one allowed to use the '-p' option.

Any suggestions?

Server and client versions (same):
OpenSSH_3.4p1 Debian 1:3.4p1-1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f

--
Greyson Fischer
--
PGP Fingerprint: 0A8F A986 F95C 82F4 1581 9995 2BB6 B4FE E01D 6F10
PGP Key Location: http://www.catseyestudio.com/~greyson/gfischer.asc

Richard E. Silverman

Aug 7, 2003, 11:23:19 PM
>>>>> "GF" == Greyson Fischer <gfische...@mrdoc.cc> writes:

GF> I'm trying to forward rlogin, rsh, or rexec ports on second.work,
GF> using client first.work to a machine outside the firewall
GF> third.home.

GF> As far as I can tell, this should work:
GF> first > ssh -R 20513:second.work:513 third.home

No, it won't. The r-commands use host-based authentication. They
determine the client host using the source address of the connection,
which will be wrong because of the forwarding. And they use a
"privileged" source port (port < 1024) as a sign that the client program
is privileged and therefore trustworthy, since they then just take that
program's word for the user's identity. This will also fail, since
the source port of the forwarded connection will be ephemeral, and OpenSSH
does not have an option to change that.

--
Richard Silverman
r...@qoxp.net
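
The two checks described in the reply above, as an added Python sketch that is not part of the original thread and not rlogind's own code: it models a host-based r-service judging a peer, then opens a loopback connection the way a forwarder does and shows that the peer fails the check. The function names, the trusted address 192.0.2.10 and the lower bound of 512 (taken from the classic BSD daemons; the thread only says "< 1024") are assumptions.

```python
import socket

IPPORT_RESERVED = 1024  # ports below this require root to bind on Unix


def rcmd_peer_check(peer_addr, peer_port, trusted_hosts):
    """Judge a peer the way a host-based r-service does: return (accepted, reason)."""
    # Check 1: a privileged source port is taken as proof that the client
    # program runs as root and can be trusted to state the user's identity.
    # Assumption: the 512 lower bound mirrors the classic BSD r-daemons.
    if not (IPPORT_RESERVED // 2 <= peer_port < IPPORT_RESERVED):
        return False, "unprivileged source port"
    # Check 2: the client host is identified purely by source address
    # (the hosts.equiv / .rhosts style of trust).
    if peer_addr not in trusted_hosts:
        return False, "untrusted source address"
    return True, "ok"


def peer_seen_through_forward():
    """Connect over loopback without binding a source port, as a port
    forwarder does, and return the (address, port) the listener sees."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))          # stand-in for the r-service
        srv.listen(1)
        with socket.create_connection(srv.getsockname()):
            conn, peer = srv.accept()
            conn.close()
    return peer


# Constructed sample: the only host the service trusts (documentation range).
TRUSTED = {"192.0.2.10"}

if __name__ == "__main__":
    # A real r-client on the trusted host, bound to a privileged port.
    print("direct   :", rcmd_peer_check("192.0.2.10", 1023, TRUSTED))
    # The same request arriving through a forwarder: the service sees the
    # forwarder's address and a kernel-chosen ephemeral port instead.
    addr, port = peer_seen_through_forward()
    print("forwarded:", (addr, port), rcmd_peer_check(addr, port, TRUSTED))
```
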

Darren Tucker

Aug 8, 2003, 12:44:32 AM
In article <m2fzkcy...@darwin.oankali.net>,
Richard E. Silverman <r...@qoxp.net> wrote:
>No, it won't. The r-commands use host-based authentication. They
>determine the client host using the source address of the connection,
[snip]

Also, r-commands can use a back-channel (a connection from server to
client) to return stderr. This won't work over a port forward.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
