Reverse port forwarding (-R) seems not working
by Vincenzo Romano
Hi all.

I need to create a number of different reverse port forwarding (RPF) with the -R option.
On the remote system I have set up a number of different dummy local interfaces (dummy0=127.0.1.1 to dummy9=127.0.1.10).
A single RPF should look like this:

ssh -N -n -R 127.0.1.1:139:somelocalhost:139 user@...

(it's actually for SAMBA printers reachability).
What happens instead is that, upon ssh connection on the remotehost I see a listening socket on the interface 127.0.0.1!
That's the lo (loopback) and not the dummy0.
In an attempt to troubleshoot this problem I've changed the sshd configuration in order to have it listening on every single interface (as opposed to the default "one catches them all" setup). No luck.

Now I see two options: either I'm missing something important or this is a bug.
I hope for the first option so I can hope in a simple solution.

Any hint on this?

--
Vincenzo Romano
NON QVIETIS MARIBVS NAVTA PERITVS

Re: Reverse port forwarding (-R) seems not working
by Joseph Spenner
--- On Tue, 11/10/09, Vincenzo Romano <Vincenzo.Romano@...> wrote:

> On the remote system I have set up a number of different dummy local
> interfaces (dummy0=127.0.1.1 to dummy9=127.0.1.10).
> A single RPF should look like this:
>
> ssh -N -n -R 127.0.1.1:139:somelocalhost:139 user@...
>
> (it's actually for SAMBA printers reachability).
> What happens instead is that, upon ssh connection on the remotehost I
> see a listening socket on the interface 127.0.0.1!

I'm not very clear on what your goal is, but anything beginning with 127 (127.x.y.z) is going to be treated the same-- localhost. You can address all 16 million possibilities any way you want, but they all will appear the same localhost to the system.

What is your specific goal?

Also, your -R needs 1 argument:

RemotePort:Ip-relative-to-Target:Port-on-relative-Target IP-of-Target

Re: Reverse port forwarding (-R) seems not working
by Darren Tucker
Vincenzo Romano wrote:
> Hi all.
> I need to create a number of different reverse port forwarding (RPF)
> with the -R option.
> On the remote system I have set up a number of different dummy local
> interfaces (dummy0=127.0.1.1 to dummy9=127.0.1.10).
> A single RPF should look like this:
>
> ssh -N -n -R 127.0.1.1:139:somelocalhost:139 user@...
>
> (it's actually for SAMBA printers reachability).
> What happens instead is that, upon ssh connection on the remotehost I
> see a listening socket on the interface 127.0.0.1!
> That's the lo (loopback) and not the dummy0.
> In an attempt to troubleshoot this problem I've changed the sshd
> configuration in order to have it listening on every single interface
> (as opposed to the default "one catches them all" setup). No luck.

If you're using OpenSSH then you need to set "GatewayPorts clientspecified" in sshd_config and restart sshd. If your sshd doesn't understand "clientspecified" then it also doesn't have the code to handle this case and you'll need a newer version.

quoth ssh_config(5):

     GatewayPorts
             Specifies whether remote hosts are allowed to connect to ports
             forwarded for the client. By default, sshd(8) binds remote port
             forwardings to the loopback address. This prevents other remote
             hosts from connecting to forwarded ports. GatewayPorts can be
             used to specify that sshd should allow remote port forwardings
             to bind to non-loopback addresses, thus allowing other hosts to
             connect. The argument may be "no" to force remote port
             forwardings to be available to the local host only, "yes" to
             force remote port forwardings to bind to the wildcard address,
             or "clientspecified" to allow the client to select the address
             to which the forwarding is bound. The default is "no".

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

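Added example (not part of the thread and not OpenSSH project code): an audit of the setting described in the message above. It reads "sshd -T" output for the effective GatewayPorts value and "ss -Htlnp" output to classify sshd-owned forward listeners as loopback-only or reachable from other hosts. The function names, the --demo flag and the sample lines are constructed for illustration; it assumes an sshd that supports -T and the iproute2 ss tool.

```shell
#!/bin/sh
# Added example: where are sshd's remote (-R) forward listeners bound?
# Assumes `sshd -T` output and `ss -Htlnp` lines (local address in field 4).

# Constructed sample input, not captured from a real host.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))
LISTEN 0 128 127.0.0.1:139 0.0.0.0:* users:(("sshd",pid=1234,fd=9))
LISTEN 0 128 127.0.1.1:139 0.0.0.0:* users:(("sshd",pid=1234,fd=10))
LISTEN 0 128 0.0.0.0:8139 0.0.0.0:* users:(("sshd",pid=1300,fd=9))
LISTEN 0 128 [::]:8139 [::]:* users:(("sshd",pid=1300,fd=10))
LISTEN 0 128 192.0.2.10:445 0.0.0.0:* users:(("smbd",pid=900,fd=30))'

# gateway_ports_mode: read `sshd -T` style output on stdin and print the
# effective GatewayPorts value ("no" when the keyword is absent, the default).
gateway_ports_mode() {
    awk 'tolower($1) == "gatewayports" { v = tolower($2) }
         END { print (v == "" ? "no" : v) }'
}

# classify_listeners SSHD_PORT: read ss lines on stdin and print
# "<scope> <address> <port>" for each sshd-owned listener other than the
# daemon's own port. scope is "loopback" (127.0.0.0/8 or ::1) or "exposed".
classify_listeners() {
    awk -v sshd_port="$1" '
        $0 !~ /\("sshd"/ { next }                 # keep sshd-owned sockets
        {
            port = $4; sub(/^.*:/, "", port)      # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)   # text before the last colon
            gsub(/[][]/, "", addr)                # drop IPv6 brackets
            if (port == sshd_port) next           # the daemon listener itself
            if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
            else scope = "exposed"
            print scope, addr, port
        }'
}

# On a live host (root needed for both commands):
#   sshd -T | gateway_ports_mode
#   ss -Htlnp | classify_listeners 22
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | classify_listeners 22
fi
```

With GatewayPorts set to "yes" every -R listener is reported as exposed, because sshd binds the wildcard address; with "clientspecified" a request for 127.0.1.1 stays inside 127.0.0.0/8 and is reported as loopback.
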
Re: Reverse port forwarding (-R) seems not working
by Vincenzo Romano
Great!
Isn't mine a FAQ?
Thanks.

2009/11/11 Darren Tucker <dtucker@...>:
> Vincenzo Romano wrote:
>>
>> Hi all.
>> I need to create a number of different reverse port forwarding (RPF)
>> with the -R option.
>> On the remote system I have set up a number of different dummy local
>> interfaces (dummy0=127.0.1.1 to dummy9=127.0.1.10).
>> A single RPF should look like this:
>>
>> ssh -N -n -R 127.0.1.1:139:somelocalhost:139 user@...
>>
>> (it's actually for SAMBA printers reachability).
>> What happens instead is that, upon ssh connection on the remotehost I
>> see a listening socket on the interface 127.0.0.1!
>> That's the lo (loopback) and not the dummy0.
>> In an attempt to troubleshoot this problem I've changed the sshd
>> configuration in order to have it listening on every single interface
>> (as opposed to the default "one catches them all" setup). No luck.
>
> If you're using OpenSSH then you need to set "GatewayPorts clientspecified"
> in sshd_config and restart sshd. If your sshd doesn't understand
> "clientspecified" then it also doesn't have the code to handle this case and
> you'll need a newer version.
>
> quoth ssh_config(5):
>
>      GatewayPorts
>              Specifies whether remote hosts are allowed to connect to ports
>              forwarded for the client. By default, sshd(8) binds remote port
>              forwardings to the loopback address. This prevents other remote
>              hosts from connecting to forwarded ports. GatewayPorts can be
>              used to specify that sshd should allow remote port forwardings
>              to bind to non-loopback addresses, thus allowing other hosts to
>              connect. The argument may be "no" to force remote port
>              forwardings to be available to the local host only, "yes" to
>              force remote port forwardings to bind to the wildcard address,
>              or "clientspecified" to allow the client to select the address
>              to which the forwarding is bound. The default is "no".
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>    Good judgement comes with experience. Unfortunately, the experience
>    usually comes from bad judgement.
>

--
Vincenzo Romano
NotOrAnd Information Technologies
cel. +39 339 8083886 | gtalk. vr@...
fix. +39 0823 454163 | skype. notorand.it
fax. +39 02 700506964 | msn. notorand.it
--
NON QVIETIS MARIBVS NAVTA PERITVS

Re: Reverse port forwarding (-R) seems not working
by Vincenzo Romano
It's not yet working though.

If I enable the GatewayPorts on the sshd_config (not ssh_config), then no RPF works anymore on the dummy interfaces or the loopback.
They all fail with:
Warning: remote port forwarding failed for listen port 139, despite there's no process listening on that interface and that port.

The client is:
OpenSSH_4.4p1, OpenSSL 0.9.8d 28 Sep 2006
The server is:
OpenSSH_4.1p1, OpenSSL 0.9.7g 11 Apr 2005
and I won't be able to update them.

What could be the next hint?
Thanks.

2009/11/11 Darren Tucker <dtucker@...>:
> Vincenzo Romano wrote:
>>
>> Hi all.
>> I need to create a number of different reverse port forwarding (RPF)
>> with the -R option.
>> On the remote system I have set up a number of different dummy local
>> interfaces (dummy0=127.0.1.1 to dummy9=127.0.1.10).
>> A single RPF should look like this:
>>
>> ssh -N -n -R 127.0.1.1:139:somelocalhost:139 user@...
>>
>> (it's actually for SAMBA printers reachability).
>> What happens instead is that, upon ssh connection on the remotehost I
>> see a listening socket on the interface 127.0.0.1!
>> That's the lo (loopback) and not the dummy0.
>> In an attempt to troubleshoot this problem I've changed the sshd
>> configuration in order to have it listening on every single interface
>> (as opposed to the default "one catches them all" setup). No luck.
>
> If you're using OpenSSH then you need to set "GatewayPorts clientspecified"
> in sshd_config and restart sshd. If your sshd doesn't understand
> "clientspecified" then it also doesn't have the code to handle this case and
> you'll need a newer version.
>
> quoth ssh_config(5):
>
>      GatewayPorts
>              Specifies whether remote hosts are allowed to connect to ports
>              forwarded for the client. By default, sshd(8) binds remote port
>              forwardings to the loopback address. This prevents other remote
>              hosts from connecting to forwarded ports. GatewayPorts can be
>              used to specify that sshd should allow remote port forwardings
>              to bind to non-loopback addresses, thus allowing other hosts to
>              connect. The argument may be "no" to force remote port
>              forwardings to be available to the local host only, "yes" to
>              force remote port forwardings to bind to the wildcard address,
>              or "clientspecified" to allow the client to select the address
>              to which the forwarding is bound. The default is "no".
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>    Good judgement comes with experience. Unfortunately, the experience
>    usually comes from bad judgement.
>

--
Vincenzo Romano
NotOrAnd Information Technologies
cel. +39 339 8083886 | gtalk. vr@...
fix. +39 0823 454163 | skype. notorand.it
fax. +39 02 700506964 | msn. notorand.it
--
NON QVIETIS MARIBVS NAVTA PERITVS

Re: Reverse port forwarding (-R) seems not working
by Greg Wooledge
On Tue, Nov 10, 2009 at 11:17:58PM +0100, Vincenzo Romano wrote:
> ssh -N -n -R 127.0.1.1:139:somelocalhost:139 user@...
> What happens instead is that, upon ssh connection on the remotehost I
> see a listening socket on the interface 127.0.0.1!

     -R [bind_address:]port:host:hostport
             ...
             By default, the listening socket on the server will be bound to
             the loopback interface only. This may be overridden by
             specifying a bind_address. An empty bind_address, or the address
             `*', indicates that the remote socket should listen on all
             interfaces. Specifying a remote bind_address will only succeed
             if the server's GatewayPorts option is enabled (see
             sshd_config(5)).

Re: Reverse port forwarding (-R) seems not working
by Darren Tucker
On Wed, Nov 11, 2009 at 11:01:28AM +0100, Vincenzo Romano wrote:
> It's not yet working though.
>
> If I enable the GatewayPorts on the sshd_config (not ssh_config), then
> no RPF works anymore on the dummy interfaces or the loopback.
> They all fail with:
> Warning: remote port forwarding failed for listen port 139, despite
> there's no process listening on that interface and that port.

In your original example you had "user@...". If "user" is not root then you probably don't have permissions to bind to low-numbered ports (with or without sshd).

If that's not it, I suggest running the server in debug mode (eg /path/to/sshd -ddde -p222 to run it on port 222), point your client at it and see what the reason given for the bind failure is.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.