
rdp ONLY through ssh


iguc...@gmail.com

Apr 1, 2007, 4:13:25 AM
Hi,

I have got enough information to configure Windows Desktop RDP over
ssh using the help of this group.

But I am wondering if it is possible to connect RDP ONLY through
SSH. Please note the word ONLY. I don't want any user to connect
without using SSH. Is it possible to configure or code it?

Regards,
Y Iguchi

Todd H.

Apr 1, 2007, 12:06:04 PM
iguc...@gmail.com writes:

Conceptually you want a port filter to deny all requests from external
hosts, but to allow connections to the RDP port (3389 by default) from
either 127.0.0.1 (localhost of the windows server if that's where the
ssh server is running, or the IP of the ssh server if it's on another
box on your LAN).

Now, how to do that on windows... I'm not certain if the built in
firewall is flexible enough to do what you want, and you would need to
specify which version of windows you are dealing with.


--
Todd H.
http://www.toddh.net/

ch...@bluestream.org

Apr 1, 2007, 6:20:02 PM
On Apr 1, 10:06 am, comph...@toddh.net (Todd H.) wrote:

> iguch...@gmail.com writes:
> > Hi,
>
> > I have got enough information to configure Windows Desktop RDP over
> > ssh using the help of this group.
>
> > But i am wondering if it is possible to connect RDP ONLY through the
> > SSH. Please note the word ONLY. I don't want any user to connect
> > without using the SSH. Is it possible to configure or code it.
>
> Conceptually you want a port filter to deny all requests from external
> hosts, but to allow connections to the RDP port (3389 by default) from
> either 127.0.0.1 (localhost of the windows server if that's where the
> ssh server is running, or the IP of the ssh server if it's on another
> box on your LAN).
>
> Now, how to do that on windows... I'm not certain if the built in
> firewall is flexible enough to do what you want, and you would need to
> specify which version of windows you are dealing with.
>
> --
> Todd H.
> http://www.toddh.net/

I don't think that the built-in Windows firewall will work with that
configuration. Too great a level of detail. But numerous 3rd-party
ones will work.

Btw, have you seen WiSSH? http://www.wissh.com
Should make your connections easier.

iguc...@gmail.com

Apr 2, 2007, 12:43:34 PM
Hi ,

According to my understanding the ssh server does not change the
packets. Since there is no change in the packets, to the firewall it
will still appear as if the packet is coming from the original address. If
it appears as if it is coming from the original address, the firewall solution
will not work.

I am a little new to networking, please let me know if I'm wrong.

Regards,
Y Iguchi

Darren Dunham

Apr 2, 2007, 12:52:12 PM
iguc...@gmail.com wrote:
> Hi ,

> According to my understanding the ssh server does not change the
> packets. Since there is no change in the packets ,To the firewall it
> will still appear as it packet is coming from the original address. If
> it appear as if it is coming from the original the firewall solution
> will not work.

Not true. SSH port forwarding is not implementing a VPN, so it's not
passing any sort of untranslated packet in and out. It's just moving
the data across and establishing another TCP connection locally.

In addition, even if it did do a more full VPN, most firewalls will work
on the network cards/traffic layer. At that point, only the normal
SSH:tcp/22 traffic will be seen. Any translation would take place
later. How much this is true would depend on the specifics of the
firewall in use, I suppose.

--
Darren Dunham ddu...@taos.com
Senior Technical Consultant TAOS http://www.taos.com/
Got some Dr Pepper? San Francisco, CA bay area
< This line left intentionally blank to confuse you. >

iguc...@gmail.com

Apr 2, 2007, 1:13:07 PM
On Apr 2, 9:52 pm, Darren Dunham <ddun...@redwood.taos.com> wrote:
> iguch...@gmail.com wrote:
> > Hi ,
> > According to my understanding the ssh server does not change the
> > packets. Since there is no change in the packets ,To the firewall it
> > will still appear as it packet is coming from the original address. If
> > it appear as if it is coming from the original the firewall solution
> > will not work.
>
> Not true. SSH port forwarding is not implementing a VPN, so it's not
> passing any sort of untranslated packet in and out. It's just moving
> the data across and establishing another TCP connection locally.
>
> In addition, even if it did do a more full VPN, most firewalls will work
> on the network cards/traffic layer. At that point, only the normal
> SSH:tcp/22 traffic will be seen. Any translation would take place
> later. How much this is true would depend on the specifics of the
> firewall in use, I suppose.
>
> --
> Darren Dunham ddun...@taos.com
> Senior Technical Consultant TAOS http://www.taos.com/
> Got some Dr Pepper? San Francisco, CA bay area
> < This line left intentionally blank to confuse you. >

Hi,
OK, that means the packets are translated beforehand and are carried
as data on the TCP/SSH port. Further, ssh will forward this data to the RDP
server.

If we are using the standard Windows firewall, it will see at the RDP port that
data is coming from localhost only.

Please correct me if my understanding is wrong.

Regards,
Y Iguchi

Todd H.

Apr 2, 2007, 3:09:53 PM
iguc...@gmail.com writes:

> Hi ,
>
> According to my understanding the ssh server does not change the
> packets. Since there is no change in the packets ,To the firewall it
> will still appear as it packet is coming from the original address.

Your understanding is inaccurate I'm afraid. The traffic will
appear to come from the ssh server's address (127.0.0.1 if RDP and
sshd live on the same box).


As another example, in X11 forwarding with SSH, when I fire up the X
server on the machine I'm sitting in front of, the address I need to
tell it to add to the xhost list is 127.0.0.1, not the address of the
remote server.

Best Regards,

Per Hedeland

Apr 5, 2007, 1:25:47 PM
In article <1175533987....@n59g2000hsh.googlegroups.com>

iguc...@gmail.com writes:
>On Apr 2, 9:52 pm, Darren Dunham <ddun...@redwood.taos.com> wrote:
>> iguch...@gmail.com wrote:
>> > Hi ,
>> > According to my understanding the ssh server does not change the
>> > packets. Since there is no change in the packets ,To the firewall it
>> > will still appear as it packet is coming from the original address. If
>> > it appear as if it is coming from the original the firewall solution
>> > will not work.
>>
>> Not true. SSH port forwarding is not implementing a VPN, so it's not
>> passing any sort of untranslated packet in and out. It's just moving
>> the data across and establishing another TCP connection locally.

[snip]

>Ok, that means the packets are translated before hand and are carried
>as data on TCP/SSH port.

No it doesn't - the packets are neither translated nor carried, but
effectively discarded before ssh even sees them. The *data payload* from
the packets is carried across the ssh connection, in standard
SOCK_STREAM byte-stream fashion. And as Darren wrote, at the other end a
*new* TCP connection is established, with no relation whatsoever to the
original one, and the transported data bytes are fed into it.

>If we are using standard windows firewall will see at RDP port > data
>is coming from the localhost only.

This is correct. Though the IP address seen as the source will at least
on Unix depend on how you did the forwarding: -L<port>:localhost:<port>
or -L<port>:127.0.0.1:<port> => the server will see 127.0.0.1 (or
possibly IPv6 ::1) as source address, while -L<port>:hostname:<port> or
-L<port>:host.ip.ad.dr:<port> => the server will see host.ip.ad.dr as
source. With some firewall setups, this is a significant difference.

--Per Hedeland
p...@hedeland.org
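The following is an added example, not code from anyone in this thread. It models in one process the mechanism Darren and Per describe (sshd opens a *new* TCP connection to the target, so the RDP side sees 127.0.0.1 as the source) together with the filter Todd proposed (allow the RDP port only from loopback or the SSH gateway's IP). A plain TCP echo listener stands in for the RDP service, a plain TCP relay stands in for sshd's end of a `-L` forward, and SSH's own encryption and authentication are left out; the client-side port 3390 named in the docstring and the gateway address 192.0.2.10 used below are illustrative choices, not values from the thread.

```python
"""Model of how `ssh -L` port forwarding reaches a loopback-only RDP port.
One process, plain TCP (SSH crypto/auth omitted). FilteredEchoServer plays
the RDP service plus a host-firewall rule "tcp/3389 only from 127.0.0.1 or the
SSH gateway"; LoopbackForwarder plays sshd's end of `ssh -L 3390:127.0.0.1:3389`."""
import ipaddress
import socket
import threading
from contextlib import suppress


def make_policy(ssh_host_ip=None):
    """Firewall predicate: loopback always allowed, plus one optional gateway IP."""
    allowed = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}
    if ssh_host_ip:
        allowed.add(ipaddress.ip_address(ssh_host_ip))
    def is_allowed(src):
        with suppress(ValueError):  # a non-IP string is simply not allowed
            return ipaddress.ip_address(src) in allowed
        return False
    return is_allowed


def _pump(src, dst):
    """Copy one direction of a byte stream; half-close dst at EOF."""
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


class _Listener:
    def __init__(self, host):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))  # ephemeral port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, (src, _) = self.sock.accept()
            except OSError:
                return  # listener closed
            self.handle(conn, src)

    def close(self):
        with suppress(OSError):
            self.sock.shutdown(socket.SHUT_RDWR)  # wake the blocked accept()
        self.sock.close()


class FilteredEchoServer(_Listener):
    """Mock RDP: listens on every interface, so only the policy keeps others out."""
    def __init__(self, is_allowed):
        self.is_allowed, self.seen = is_allowed, []  # seen: source IPs, in order
        super().__init__("0.0.0.0")

    def handle(self, conn, src):
        self.seen.append(src)
        if not self.is_allowed(src):
            conn.close()  # the firewall "deny"
            return
        threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()


class LoopbackForwarder(_Listener):
    """sshd's side of -L: no packet is relayed. Each accepted stream gets a brand-new
    TCP connection to the target, which therefore sees 127.0.0.1 as the source."""
    def __init__(self, target_host, target_port):
        self.target = (target_host, target_port)
        super().__init__("127.0.0.1")

    def handle(self, client, _src):
        upstream = socket.create_connection(self.target)
        for a, b in ((client, upstream), (upstream, client)):
            threading.Thread(target=_pump, args=(a, b), daemon=True).start()


def probe(policy=make_policy(), via_forwarder=True, payload=b"RDP-over-SSH\n"):
    """Connect to the mock RDP port, directly or through the forwarder.
    Returns (bytes echoed back, source IPs the RDP side saw)."""
    server = FilteredEchoServer(policy)
    fwd = LoopbackForwarder("127.0.0.1", server.port) if via_forwarder else None
    got = b""
    try:
        with socket.create_connection(("127.0.0.1", fwd.port if fwd else server.port)) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)
            while chunk := s.recv(4096):
                got += chunk
    except OSError:
        pass  # FIN/RST from a connection the "firewall" dropped: nothing back
    finally:
        for listener in filter(None, (fwd, server)):
            listener.close()
    return got, list(server.seen)
```

`probe()` sends a payload through the relay and reports what the RDP stand-in recorded as the peer address; `probe(policy=lambda src: False, via_forwarder=False)` shows the "deny" path, where the listener accepts and immediately drops the connection so nothing comes back. Because the relay calls `socket.create_connection(("127.0.0.1", port))`, the recorded source is always 127.0.0.1, which is exactly the address the host-firewall rule can match on; the policy check with a gateway IP covers the other case Todd mentioned, where sshd runs on a separate box on the LAN.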
