Determine forwarded ports?

Determine forwarded ports?

by joeull

Hi. Can you determine the ports that are forwarded during an SSH connection? I'd like to create a script using the randomly forwarded ports in our application, but don't know how to determine that. I can grep and diff netstat -lant | grep -i list, but I'd like to just get a clean list of the currently forwarded ports. I'm using OpenSSH_4.3p2.

Thoughts?
Thanks!

RE: Determine forwarded ports?

by Mariyappan, Balaji (GE Indust, ES RAIL, consultant)

Why is this error coming? Can anyone help me?

SSH Agent PID =  3496
Adding Pass phrease to the agent
Identity added: /opt/app/pmart8/.ssh/infp_mw_dsa (/opt/app/pmart8/.ssh/infp_mw_dsa)
Connecting to sftp.moore.com...
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /opt/app/pmart8/.ssh/ssh_config.bala
debug1: Applying options for sftp.moore.com
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec /usr/local/bin/connect -d -H http-proxy-ssh.amer.consind.ge.com:8080 sftp.moore.com 22
DEBUG: No direct address are specified.
DEBUG: relay_method = HTTP (3)
DEBUG: relay_host=http-proxy-ssh.amer.consind.ge.com
DEBUG: relay_port=8080
DEBUG: relay_user=pmart8
DEBUG: local_type=stdio
DEBUG: dest_host=sftp.moore.com
DEBUG: dest_port=22
DEBUG: Program is $Revision: 1.96 $
DEBUG: resolving host by name: debug3: Not a RSA1 key file /opt/app/pmart8/.ssh/infp_mw_dsa.
sftp.moore.com
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type '----'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Comment:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '----'
debug3: key_read: missing keytype
debug1: identity file /opt/app/pmart8/.ssh/infp_mw_dsa type -1
DEBUG: failed to resolve locally.
DEBUG: resolving host by name: http-proxy-ssh.amer.consind.ge.com
DEBUG: resolved: http-proxy-ssh.amer.consind.ge.com (3.130.230.100)
DEBUG: connecting to 3.130.230.100:8080
DEBUG: begin_http_relay()
DEBUG: >>> "CONNECT sftp.moore.com:22 HTTP/1.0\r\n"
DEBUG: >>> "\r\n"
DEBUG: <<< "HTTP/1.0 200 Connection established\r\n"
DEBUG: connected, start user session.
DEBUG: <<< "\r\n"
DEBUG: connected
DEBUG: start relaying.
DEBUG: recv 50 bytes
debug1: Remote protocol version 2.0, remote software version 3.2.9 SSH Secure Shell Windows NT Server
debug1: no match: 3.2.9 SSH Secure Shell Windows NT Server
debug1: Enabling compatibility mode for protocol 2.0
DEBUG: send 20 bytes
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 5 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
DEBUG: send 712 bytes
DEBUG: recv 488 bytes
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@...,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@...,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@...,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@...,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@...,zlib
debug2: kex_parse_kexinit: none,zlib@...,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 136/256
debug2: bits set: 532/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
DEBUG: send 144 bytes
DEBUG: recv 1024 bytes
DEBUG: recv 48 bytes
debug3: check_host_in_hostfile: filename /opt/app/pmart8/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 5
debug1: Host 'sftp.moore.com' is known and matches the DSA host key.
debug1: Found key in /opt/app/pmart8/.ssh/known_hosts:5
debug2: bits set: 516/1024
debug1: ssh_dss_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
DEBUG: send 16 bytes
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
DEBUG: send 48 bytes
DEBUG: recv 80 bytes
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /opt/app/pmart8/.ssh/infp_mw_dsa (8ddd8)
debug2: key: /opt/app/pmart8/.ssh/infp_mw_dsa (0)
DEBUG: send 64 bytes
DEBUG: recv 1024 bytes
DEBUG: recv 80 bytes
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /opt/app/pmart8/.ssh/infp_mw_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
DEBUG: send 528 bytes
DEBUG: recv 1024 bytes
DEBUG: recv 80 bytes
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /opt/app/pmart8/.ssh/infp_mw_dsa
debug1: read PEM private key done: type DSA
debug3: sign_and_send_pubkey
debug2: we sent a publickey packet, wait for reply
DEBUG: send 576 bytes
DEBUG: recv 1024 bytes
DEBUG: recv 80 bytes
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password).
DEBUG: local input is EOF
Connection closed
(pmart8@infprodcrasge:infp9) /export/home/tipmigr/interfaces/as400_to_MW/scripts $DEBUG: connection closed by peer
DEBUG: relaying done.
DEBUG: that's all, bye.

Thanks & Regards,
Balaji Mariyappan
GE Equipment services
Desk: 312.853.5056
Mobile: 312.213.7112





Re: Determine forwarded ports?

by Alexander Klimov

On Thu, 22 Mar 2007, joeull wrote:
> Can you determine the ports that are forwarded during an SSH
> connection? I'd like to create a script using the randomly forwarded
> ports in our application, but don't know how to determine that. I
> can grep and diff netstat -lant | grep -i list, but I'd like to just
> get a clean list of the currently forwarded ports. I'm using
> OpenSSH_4.3p2.

It is not clear what you mean: AFAIK, there is no way to instruct
[Open]SSH to forward random ports. That is, you always say what ports
you want to forward. If you have a script that generates those random
numbers you should extend the script to store the numbers somewhere
(maybe environment variables) and read the stored list once you need
it.

--
Regards,
ASK

pubkey authentication problem (was: Re: Determine forwarded ports?)

by Darren Tucker

Mariyappan, Balaji (GE Indust, ES RAIL, consultant) wrote:
[...]
> debug1: Authentications that can continue: publickey,password

The server allows password and public key authentication.

> debug3: start over, passed a different list publickey,password
> debug3: preferred publickey
> debug3: authmethod_lookup publickey
> debug3: remaining preferred:
> debug3: authmethod_is_enabled publickey

Your client is configured to try publickey only.

[...]
> debug1: Trying private key: /opt/app/pmart8/.ssh/infp_mw_dsa
> debug1: read PEM private key done: type DSA
> debug3: sign_and_send_pubkey
> debug2: we sent a publickey packet, wait for reply
[...]
> debug1: Authentications that can continue: publickey,password
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.

The server did not accept the public key that your client sent.  The
client was configured to not try any other methods so it gave up.

You should investigate the server to find out why it did not accept the
publickey authentication.

BTW it's polite to start a new thread for a new topic rather than
hijacking an existing one with a different topic.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
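
The reading of the debug output given in the reply above can be automated. This added example (not from the thread; the function names and the sample log are constructed) summarises an `ssh -v` client log: what the server allows, what the client was willing to try, and how often a public key was turned down.

```shell
#!/bin/sh
# Constructed excerpt in the format of an OpenSSH client debug log.
sample_log() {
cat <<'EOF'
debug1: Authentications that can continue: publickey,password
debug3: preferred publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/example/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/example/.ssh/id_dsa
debug1: read PEM private key done: type DSA
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
Permission denied (publickey,password).
EOF
}

# Read a client debug log on stdin and print key=value lines.
summarize_auth() {
    awk '
    /Authentications that can continue:/ {
        server = $NF
        # A method list arriving after a publickey packet means the
        # server did not accept that key.
        if (pending) { rejected++; pending = 0 }
    }
    /debug3: preferred / { preferred = $NF }
    /we sent a publickey packet/ { pending = 1 }
    /Authentication succeeded/ { result = "authenticated"; pending = 0 }
    /No more authentication methods to try/ { result = "denied" }
    END {
        # Methods the server offers that the client never attempts,
        # for example password auth when BatchMode is set.
        n = split(server, m, ",")
        untried = ""
        for (i = 1; i <= n; i++)
            if (index("," preferred ",", "," m[i] ",") == 0)
                untried = untried (untried == "" ? "" : ",") m[i]
        print "server_allows=" server
        print "client_tries=" preferred
        print "pubkey_rejected=" (rejected + 0)
        print "not_attempted=" untried
        print "result=" (result == "" ? "unknown" : result)
    }'
}

# Live use: ssh -v user@host 2>&1 | summarize_auth
sample_log | summarize_auth
```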

RE: pubkey authentication problem (was: Re: Determine forwarded ports?)

by Mariyappan, Balaji (GE Indust, ES RAIL, consultant)

My apologies for hijacking the topic...

What are the changes I have to make in the ssh_config file?

My ssh_config file:

#       $OpenBSD: ssh_config,v 1.16 2002/07/03 14:21:05 markus Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options
# Host *
Host sftp.moore.com
Compression no
#ProxyCommand /usr/local/bin/corkscrew http-proxy-ssh.amer.consind.ge.com 8080 %h %p
#ProxyCommand /usr/local/bin/corkscrew ctplvsquidext.edc.ge.com 3128 %h %p
ProxyCommand /usr/local/bin/connect -d -H http-proxy-ssh.amer.consind.ge.com:8080 %h %p
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
    BatchMode yes
#    BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/infp_mw_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~

Actually the same set of public and private are working when I use the pinhole (without proxy command)
I don't know why this public and private key is not working through a ssh proxy.

Your help will be really appreciated. Thanks in advance.

Thanks & Regards,
Balaji Mariyappan
GE Equipment services
Desk: 312.853.5056
Mobile: 312.213.7112





Re: Determine forwarded ports?

by joeull

Alexander Klimov wrote:
> On Thu, 22 Mar 2007, joeull wrote:
> > Can you determine the ports that are forwarded during an SSH
> > connection? I'd like to create a script using the randomly forwarded
> > ports in our application, but don't know how to determine that. I
> > can grep and diff netstat -lant | grep -i list, but I'd like to just
> > get a clean list of the currently forwarded ports. I'm using
> > OpenSSH_4.3p2.
>
> It is not clear what you mean: AFAIK, there is no way to instruct
> [Open]SSH to forward random ports. That is, you always say what ports
> you want to forward. If you have a script that generates those random
> numbers you should extend the script to store the numbers somewhere
> (maybe environment variables) and read the stored list once you need
> it.
>
> --
> Regards,
> ASK



Thanks for the reply. I'll consider that.
Though for me, since I'm using -g, I'll just grep using netstat; that will fix the problem, but I was curious to see if this could be done.
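
One way to get the clean list asked about in this thread, as an added example that is not part of any poster's message: filter `netstat -lntp` output for listeners owned by the ssh client. It assumes the Linux net-tools column layout; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -lntp` output (Linux net-tools layout).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1033/postgres
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      4410/ssh
tcp        0      0 127.0.0.1:3307          0.0.0.0:*               LISTEN      4410/ssh
tcp6       0      0 :::8080                 :::*                    LISTEN      4410/ssh
EOF
}

# Print "pid bind_address port scope" for every listener whose program is
# exactly "ssh" (the client, which owns -L and -D listeners), not "sshd".
forwarded_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        split($7, owner, "/")
        if (owner[2] != "ssh") next
        n = split($4, parts, ":")        # the port is the last colon field
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        # A wildcard bind is what -g (GatewayPorts) produces: the forward
        # is reachable from other hosts, not only from this machine.
        scope = (addr == "0.0.0.0" || addr == "::") ? "all-interfaces" : "local-only"
        print owner[1], addr, port, scope
    }'
}

# Only the distinct port numbers, sorted numerically.
forwarded_ports() {
    forwarded_listeners | awk '{ print $3 }' | sort -nu
}

# Live use (root is needed to see other users' processes):
#   netstat -lntp 2>/dev/null | forwarded_ports
sample_netstat | forwarded_listeners
```

Remote (-R) forwards listen on the server under sshd, so they do not appear in this client-side list.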


Re: pubkey authentication problem

by Darren Tucker

Mariyappan, Balaji (GE Indust, ES RAIL, consultant) wrote:
> My apologies for hijacking the topic...
>
> What are the changes I have to make in the ssh_config file?
[...]

I don't think there's anything you can do on the client side other than
unsetting BatchMode and logging on with a password.

> Actually the same set of public and private are working when I use
> the pinhole (without proxy command)
> I don't know why this public and private key is not working through a
> ssh proxy.

I don't know either.

When you use the proxy, the source address of the connection is
different, right?  The server could have some restrictions on where it
will accept particular keys from.  (On an OpenSSH server this would be a
"from=" key restriction, but your server is another implementation and I
don't know how it works.)

The only thing I can suggest is to check the server's log to see why the
key was not accepted.

> Your help will be really appreciated. Thanks in advance.

You're welcome.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
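
To illustrate the "from=" restriction mentioned in the reply above, this added example (not from the thread and not OpenSSH code) checks which keys in an OpenSSH-style authorized_keys file would be usable from a given source address. The file contents, addresses and function names are constructed; the server in this thread is a different implementation and may not behave this way.

```shell
#!/bin/sh
# Constructed authorized_keys content; the key blobs are placeholders.
sample_authorized_keys() {
cat <<'EOF'
# keys for the transfer account
from="10.1.2.*,!10.1.2.99" ssh-dss AAAAB3PLACEHOLDER1 batch@direct-path
from="*.example.com",no-pty ssh-rsa AAAAB3PLACEHOLDER2 ops@example
ssh-rsa AAAAB3PLACEHOLDER3 unrestricted@example
EOF
}

# Succeed if source $1 (address or host name) passes pattern list $2.
# Pattern-list rules: '*' and '?' wildcards, comma separated, and a matching
# '!pattern' rejects outright. CIDR entries are not handled here.
from_allows() {
    src=$1 list=$2 ok=1
    old_ifs=$IFS; IFS=,
    set -f                      # keep '*' in patterns away from file globbing
    for pat in $list; do
        case $pat in
            '!'*) case $src in ${pat#?}) ok=2; break ;; esac ;;
            *)    case $src in $pat) ok=0 ;; esac ;;
        esac
    done
    set +f; IFS=$old_ifs
    [ "$ok" -eq 0 ]
}

# Read authorized_keys on stdin; print "<key comment> allowed|denied"
# for a connection arriving from source $1.
keys_for_source() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        label=${line##* }
        case $line in
            from=\"*|*,from=\"*)
                list=${line#*from=\"}; list=${list%%\"*}
                if from_allows "$1" "$list"; then echo "$label allowed"
                else echo "$label denied"; fi ;;
            *)  echo "$label allowed" ;;   # no from= option: any source
        esac
    done
}

# The same key file seen from a direct address and from a proxy address.
for addr in 10.1.2.7 10.9.9.9; do
    echo "source $addr:"; sample_authorized_keys | keys_for_source "$addr"
done
```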

RE: pubkey authentication problem

by Mariyappan, Balaji (GE Indust, ES RAIL, consultant)

If password auth is set on, it is prompting for a password.
I'm doing it through public and private key authentication.

Thanks & Regards,
Balaji Mariyappan
GE Equipment services
Desk: 312.853.5056
Mobile: 312.213.7112





Re: pubkey authentication problem

by Darren Tucker

Mariyappan, Balaji (GE Indust, ES RAIL, consultant) wrote:
> If password auth is set on, it is prompting for a password.
> I'm doing it through public and private key authentication.

You're trying public key authentication but the server is not accepting
your key.

The server accepts only publickey and password auth methods, so your
options are:

a) find out why your key was not accepted, or
b) use password authentication.

It sounds like you don't want to do b) so that leaves a).  As I suggested
in my previous mail:

> The only thing I can suggest is to check the server's log to see why the
> key was not accepted.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.