l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
September 2: Social gathering
Next Installfest:
TBD
Latest News:
Aug. 18: Discounts to "Velocity" in NY; come to tonight's "Photography" talk
Page last updated:
2008 Mar 14 14:17

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
[vox-tech] Fwd: Reverse SSH Tunneling
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[vox-tech] Fwd: Reverse SSH Tunneling



Chris posted this from a non-subscibred address, so it was rejected
by mailman.  I'm fwd'ing on his behalf.

----- Forwarded message from vox-tech-bounces@lists.lugod.org -----

The attached message has been automatically discarded.
Date: Fri, 14 Mar 2008 12:30:12 -0700 (PDT)
From: Chris Jenks <cwjenks@yahoo.com>
Subject: Reverse SSH Tunneling
To: lugod's technical discussion forum <vox-tech@lists.lugod.org>


  I am trying to manage a video recording server that is a hassle to gain 
physical access to, and is behind a firewall. Until a few weeks ago I was 
able to have it download and execute a script containing this command:

ssh -p 443 -N -o StrictHostKeyChecking=no -R2222:localhost:22 
root@75.206.132.66 -2

which would connect it to my Dad's Linksys router running OpenWRT. The 
reason I used port 443 is that outgoing port 22 is blocked by the 
firewall. Then I would shell into the router and connect to the video 
server with:

ssh -p 2222 chris@localhost

which gave me access. After some problems with kernel versions on the 
debian-based video server, I replaced the OS with ubuntu 7.10, to match my 
workstations, but I haven't been able to get the reverse SSH working. It 
seems that the video server is able to SSH out, but the reverse tunneling 
is broken. To make testing easier I set up my server at home to receive 
the SSH connection from the video server, with my router translating port 
443 to port 22 on the home server. Before the video server connects, I get 
Connection Refused when I try to reverse SSH from the home server, and 
after the video server connects I get:

ssh_exchange_identification: Connection closed by remote host

showing that there is an active connection from the video server that 
lasts for an hour or two. What is especially odd about this situation is 
that I can connect from my ubuntu workstation at work, which is also 
behind a firewall, and reverse SSH back to it successfully. The most 
frequent reason for the above error is a problem with the hosts.allow or 
hosts.deny files, but these files are unaltered (and fully commented out) 
on both the video server and the workstation. The other reason I've read 
is that there are too many SSH connections, and that the error goes away 
if the connections are allowed to time out. I've tried kpill ssh on the 
video server and waiting overnight to no avail.

Here is the debug output for the reverse SSH command, when trying to 
connect to the video server from my home server:
ssh -vvv -p 2226 chris@localhost:

OpenSSH_4.7p1 Debian-2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 2226.
debug1: Connection established.
debug1: identity file /home/chris/.ssh/identity type -1
debug3: Not a RSA1 key file /home/chris/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace (25 times)
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/chris/.ssh/id_rsa type 1
debug1: identity file /home/chris/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host

When I try to connect to my workstation from my home server with an 
equivalent command, only the last line above changes:

[...]
debug1: identity file /home/chris/.ssh/id_dsa type -1 (as before)
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.6p1 
Debian-5ubuntu0.1
debug1: match: OpenSSH_4.6p1 Debian-5ubuntu0.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7p1 Debian-2
[...]

I searched auth.log on the video server for sshd entries, but there 
weren't any. However, I was able to obtain the debug output from the 
command:

ssh -vvv -p 443 -N -o StrictHostKeyChecking=no -R2226:localhost:22 
chris@mydomain.tld

[...]
debug1: Entering interactive session.
debug1: remote forward success for: listen 2226, connect localhost:22
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 2 win 
2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 2226, 
originator 127.0.0.1 port 39823
debug2: fd 4 setting O_NONBLOCK
debug2: fd 4 setting TCP_NODELAY
debug3: fd 4 is O_NONBLOCK
debug3: fd 4 is O_NONBLOCK
debug1: channel 0: new [127.0.0.1]
debug1: confirm forwarded-tcpip
debug3: channel 0: waiting for connection
debug1: channel 0: not connected: Connection refused
debug2: channel 0: zombie
debug2: channel 0: garbage collecting
debug1: channel 0: free: 127.0.0.1, nchannels 1
debug3: channel 0: status: The following connections are open:

debug3: channel 0: close_fds r 4 w 4 e -1 c -1
debug3: fd 0 is not O_NONBLOCK
debug3: fd 1 is not O_NONBLOCK
debug3: fd 2 is not O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 228.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0

The same command from the workstation gives:

[...]
debug1: confirm forwarded-tcpip (as before)
debug3: channel 0: waiting for connection (as before)
debug1: channel 0: connected
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: read<=0 rfd 4 len 0
debug2: channel 0: read failed
debug2: channel 0: close_read
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug2: channel 0: input drain -> closed
debug2: channel 0: send close
debug3: channel 0: will not send data after close
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: 127.0.0.1, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 127.0.0.1 (t4 r2 i3/0 o3/0 fd 4/4 cfd -1)

debug3: channel 0: close_fds r 4 w 4 e -1 c -1
debug1: Killed by signal 2.

I realized that scp should work if ssh does, and indeed I can copy files 
both to and from the video server with scp run on the video server. Any 
guesses why the reverse SSH is getting stuck?

  Thanks,

    Chris


----- End forwarded message -----

-- 
-bill!
bill@newbreedsoftware.com
http://www.newbreedsoftware.com/
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.