[vox-tech] Fwd: Reverse SSH Tunneling
Bill Kendrick
nbs at sonic.net
Fri Mar 14 14:09:03 PDT 2008
Chris posted this from a non-subscibred address, so it was rejected
by mailman. I'm fwd'ing on his behalf.
----- Forwarded message from vox-tech-bounces at lists.lugod.org -----
The attached message has been automatically discarded.
Date: Fri, 14 Mar 2008 12:30:12 -0700 (PDT)
From: Chris Jenks <cwjenks at yahoo.com>
Subject: Reverse SSH Tunneling
To: lugod's technical discussion forum <vox-tech at lists.lugod.org>
I am trying to manage a video recording server that is a hassle to gain
physical access to, and is behind a firewall. Until a few weeks ago I was
able to have it download and execute a script containing this command:
ssh -p 443 -N -o StrictHostKeyChecking=no -R2222:localhost:22
root at 75.206.132.66 -2
which would connect it to my Dad's Linksys router running OpenWRT. The
reason I used port 443 is that outgoing port 22 is blocked by the
firewall. Then I would shell into the router and connect to the video
server with:
ssh -p 2222 chris at localhost
which gave me access. After some problems with kernel versions on the
debian-based video server, I replaced the OS with ubuntu 7.10, to match my
workstations, but I haven't been able to get the reverse SSH working. It
seems that the video server is able to SSH out, but the reverse tunneling
is broken. To make testing easier I set up my server at home to receive
the SSH connection from the video server, with my router translating port
443 to port 22 on the home server. Before the video server connects, I get
Connection Refused when I try to reverse SSH from the home server, and
after the video server connects I get:
ssh_exchange_identification: Connection closed by remote host
showing that there is an active connection from the video server that
lasts for an hour or two. What is especially odd about this situation is
that I can connect from my ubuntu workstation at work, which is also
behind a firewall, and reverse SSH back to it successfully. The most
frequent reason for the above error is a problem with the hosts.allow or
hosts.deny files, but these files are unaltered (and fully commented out)
on both the video server and the workstation. The other reason I've read
is that there are too many SSH connections, and that the error goes away
if the connections are allowed to time out. I've tried kpill ssh on the
video server and waiting overnight to no avail.
Here is the debug output for the reverse SSH command, when trying to
connect to the video server from my home server:
ssh -vvv -p 2226 chris at localhost:
OpenSSH_4.7p1 Debian-2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 2226.
debug1: Connection established.
debug1: identity file /home/chris/.ssh/identity type -1
debug3: Not a RSA1 key file /home/chris/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace (25 times)
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/chris/.ssh/id_rsa type 1
debug1: identity file /home/chris/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
When I try to connect to my workstation from my home server with an
equivalent command, only the last line above changes:
[...]
debug1: identity file /home/chris/.ssh/id_dsa type -1 (as before)
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.6p1
Debian-5ubuntu0.1
debug1: match: OpenSSH_4.6p1 Debian-5ubuntu0.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7p1 Debian-2
[...]
I searched auth.log on the video server for sshd entries, but there
weren't any. However, I was able to obtain the debug output from the
command:
ssh -vvv -p 443 -N -o StrictHostKeyChecking=no -R2226:localhost:22
chris at mydomain.tld
[...]
debug1: Entering interactive session.
debug1: remote forward success for: listen 2226, connect localhost:22
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 2 win
2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 2226,
originator 127.0.0.1 port 39823
debug2: fd 4 setting O_NONBLOCK
debug2: fd 4 setting TCP_NODELAY
debug3: fd 4 is O_NONBLOCK
debug3: fd 4 is O_NONBLOCK
debug1: channel 0: new [127.0.0.1]
debug1: confirm forwarded-tcpip
debug3: channel 0: waiting for connection
debug1: channel 0: not connected: Connection refused
debug2: channel 0: zombie
debug2: channel 0: garbage collecting
debug1: channel 0: free: 127.0.0.1, nchannels 1
debug3: channel 0: status: The following connections are open:
debug3: channel 0: close_fds r 4 w 4 e -1 c -1
debug3: fd 0 is not O_NONBLOCK
debug3: fd 1 is not O_NONBLOCK
debug3: fd 2 is not O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 228.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0
The same command from the workstation gives:
[...]
debug1: confirm forwarded-tcpip (as before)
debug3: channel 0: waiting for connection (as before)
debug1: channel 0: connected
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: read<=0 rfd 4 len 0
debug2: channel 0: read failed
debug2: channel 0: close_read
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug2: channel 0: input drain -> closed
debug2: channel 0: send close
debug3: channel 0: will not send data after close
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: 127.0.0.1, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 127.0.0.1 (t4 r2 i3/0 o3/0 fd 4/4 cfd -1)
debug3: channel 0: close_fds r 4 w 4 e -1 c -1
debug1: Killed by signal 2.
I realized that scp should work if ssh does, and indeed I can copy files
both to and from the video server with scp run on the video server. Any
guesses why the reverse SSH is getting stuck?
Thanks,
Chris
----- End forwarded message -----
--
-bill!
bill at newbreedsoftware.com
http://www.newbreedsoftware.com/
More information about the vox-tech
mailing list