Problem using PuTTY and Dropbear for port forwarding (ssh tunneling)
Hi all,
I'm trying to do the following:
I have a couple of 'client' PCs that are behind routers. I want to be
able to connect to them (using VNC) from anywhere when needed without
having to open up ports on the routers.
My plan is to let those clients set up and keep open an SSH connection
to a server on the Internet that I have access to (running Dropbear as
an SSH server).
The clients I want to take over are running a startup script creating
the connection and keeping it open. Over the connection, a tunnel is
then created from client port X, to server port Y. From my PC I then
create an SSH connection to the server and create a tunnel from PC
port Z to server port Y.
I'm currently testing this setup using two Windows pc's and a Linux
server (running Dropbear) in my own network, and using PuTTY. One PC
(A) is running UltraVNC. The other PC (B) is running the VNC viewer.
I use PuTTY to create an SSH connection from PC A to the server and
create a *remote* forward from server port X to PC A, port 5900 (this
is where UltraVNC is listening).
Then, I use PuTTY to create an SSH connection from PC B to the server
and create a *local* forward from PC B, port 5900 to server port X.
Then, I fire up Ultra VNC viewer on PC B and connect it to '<ip
address PC B>::5900'.
Now, I'm getting a connection error, saying something about a protocol
error.
I can connect directly from PC B to PC A fine ('<ip address PC A>::
5900').
Does anyone have a clue about what I'm doing wrong or forgot to do?
Kind regards!
Re: Problem using PuTTY and Dropbear for port forwarding (ssh tunneling)
Hi all,
See below for an update. Hopefully someone can point me in the right
direction?
-----
Hi Eric and the rest,
Thanks for your thoughts!
I understand your way of thinking, and it even makes me doubt my
solution a bit.
Indeed, you could wonder how VNC server on PC A can listen on port
5900 while PuTTY is also using that port for communicating with the
Dropbear server.
I hope and think that the way a tunnel is implemented in general, is
in some way transparent to the operating system. So I think that for a
'remote port forward', PuTTY isn't really listening on the local port
that you have configured, but only makes sure in some way that the
unencrypted traffic is delivered to that port number.
Anyone else?
Is my set-up technically possible? So should I be able to set up those
tunnels as a kind of 'pass-through' mechanism?
Does anyone have a clue about what I'm doing wrong or forgot to do?
Kind regards, Rik.
Subject: RE: Again with additional info: Problem trying to create
'pass through' with PuTTY and Dropbear
Date: Thu, 18 Sep 2008 16:43:00 -0400
From: Erxxxxxxu.com
To: rikrikxxxxxmail.com
I am by no means an expert at any of this, and I have no knowledge of
Dropbear so please forgive me as I ask a few questions and possibly
get you thinking in a different way.
If PC A :5900 <-- Server 10001 using Dropbear (?), what is answering
on PC A; what application, VNC?
If the VNC port 5900 is already in a conversation with Dropbear or
PuTTY or something else between PC A and the Server, how can VNC
answer when PC B calls?
In the same respect, how can PC B transmit on 5900, if it is also
talking to the server from its 5900 to the server 10001?
How does Dropbear know to forward packets from PC B to PC A through
the PuTTY SSH link?
If I am completely missing the picture, please let me know and I will
be happy to step aside and let someone more knowledgeable help.
Good Luck!
-Eric.
-----Original Message-----
From: listncesecurityfocus.com [mailto:listbousecurityfocus.com] On
Behalf Of
Sent: Thursday, September 18, 2008 3:43 PM
To: secuell@securityfocus.com
Subject: Again with additional info: Problem trying to create 'pass
through' with PuTTY and Dropbear
Hello,
I already posted this problem before, but haven't had any response so
far.
I added some details and additional information and tried to make it
more clear to you.
Maybe, this time someone can help me out or at least give some hints
or feedback?
The problem:
I'm trying to do the following: I have a couple of 'client' PCs that
are behind routers.
I want to be able to connect to them (using VNC) from anywhere when
needed without having to open up ports on the routers.
Therefore, the connection needs to be initiated from the client side
(thus from behind the routers).
My plan is to let those clients set up and keep open an SSH connection
to a server on the Internet that I have access to (running Dropbear as
an SSH server). The clients I want to take over are running a startup
script creating the connection and keeping it open. Over the
connection, a tunnel is then created from client port X, to server
port Y. From my PC I then create an SSH connection to the server and
create a tunnel from PC port Z to server port Y. I'm currently testing
this setup on my LAN using PuTTY on two Windows PCs (one acting as
the server and one acting as the client) and a Linux server (S)
running Dropbear. One PC (A) is running VNC Server. The other PC (B)
is running the VNC viewer.
I use PuTTY to create an SSH connection from PC A to the server (S)
and create a *remote* forward from server port 10001 to PC A, port
5900 (this is where UltraVNC is listening). Then, I use PuTTY to
create an SSH connection from PC B to the server (S) and create a
*local* forward from PC B, port 5900 to server port 10001. After this,
I start Ultra VNC viewer on PC B and connect it to '::5900'.
Now, I'm getting the following connection error: "Connection failed -
Error reading Protocol Version". I have tried PuTTY 0.58 and 0.60.
Using both versions gives the same error message in Ultra VNC. I have
no problems connecting directly from PC B to PC A (':: 5900').
To make sure it isn't an Ultra VNC problem, I set up the same tunnels
(but using port 23 instead of 5900) and then used telnet to connect
from one host to the running telnet server on the other host. The
screen goes black (DOS prompt under Windows XP) until I press a key,
then I get back my prompt. Nothing happens. I also used Wireshark
(network sniffer) on the server side and no packets were captured (not
even in promiscuous mode).
Is my set-up technically possible? So should I be able to set up those
tunnels as a kind of 'pass-through' mechanism?
Does anyone have a clue about what I'm doing wrong or forgot to do?
Kind regards, Rik.
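The "Error reading Protocol Version" message above is the viewer failing to read the 12-byte RFB ProtocolVersion banner ("RFB 003.008\n") after its TCP connection was accepted, which is a different failure from "nothing is listening". The following probe is an added example, not code from the thread, from PuTTY, or from Dropbear; it connects to a host:port, waits for the banner and classifies the result as refused, accepted-but-silent, not RFB, or a live RFB server. Run it on PC B against 127.0.0.1:5900, on the server against 127.0.0.1:10001, and on PC A against 127.0.0.1:5900 to see at which hop the chain stops relaying. One detail worth checking with it: PuTTY's and OpenSSH's local forwards listen on the loopback interface only unless told to accept connections from other hosts, so probing the PC's LAN address can fail while 127.0.0.1 succeeds. The fake-endpoint helper is a constructed stand-in used only for offline testing.

```python
"""RFB (VNC) banner probe: tells an accepted-but-silent tunnel end apart from a live VNC server.

Added example for the PuTTY/Dropbear tunnel thread; not part of any of the tools discussed.
"""
import socket
import sys
import threading
import time

RFB_BANNER_LEN = 12  # ProtocolVersion is exactly "RFB xxx.yyy\n"


def probe_rfb(host, port, timeout=3.0):
    """Connect to host:port and classify what answers.

    Returns (status, detail) with status one of:
      'refused'     nothing is listening there
      'unreachable' connect failed for another reason (timeout, no route)
      'no_banner'   TCP accepted, but no ProtocolVersion arrived (closed or silent)
      'not_rfb'     something answered, but not with an RFB banner
      'rfb'         a VNC server answered; detail is its version, e.g. '003.008'
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "nothing is listening on %s:%d" % (host, port))
    except OSError as exc:
        return ("unreachable", str(exc))
    with sock:
        sock.settimeout(timeout)
        data = b""
        try:
            while len(data) < RFB_BANNER_LEN:
                chunk = sock.recv(RFB_BANNER_LEN - len(data))
                if not chunk:  # peer closed before a full banner
                    break
                data += chunk
        except socket.timeout:
            return ("no_banner", "accepted, but no ProtocolVersion within %.1fs" % timeout)
    if not data:
        return ("no_banner", "accepted, then closed without sending ProtocolVersion")
    if len(data) == RFB_BANNER_LEN and data.startswith(b"RFB ") and data.endswith(b"\n"):
        return ("rfb", data[4:11].decode("ascii"))
    return ("not_rfb", repr(data))


def start_fake_endpoint(banner, linger=0.5):
    """Constructed test aid: a loopback listener that accepts one connection, sends
    `banner` (b'RFB 003.008\\n' imitates UltraVNC; b'' imitates a forward whose far end
    never answers), waits `linger` seconds and closes. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
            time.sleep(linger)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_local_port():
    """Constructed test aid: a loopback port that was just released, so nothing listens on it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Usage: python rfb_probe.py [host] [port]; defaults to the viewer-side forward in the thread.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5900
    status, detail = probe_rfb(host, port)
    print("%s:%d -> %s (%s)" % (host, port, status, detail))
```

A 'no_banner' result on PC B with a 'rfb' result on PC A means the forwards are accepting connections but not relaying to the VNC server (for example a remote forward that Dropbear accepted but that points at the wrong address), while 'refused' on PC B means the local forward is not listening on the address the viewer was given.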
Re: Problem using PuTTY and Dropbear for port forwarding (ssh tunneling)
What's the problem with opening a port on the router?
If you're going to connect to the Dropbear server, you're going to need
a port open on the firewall protecting the Dropbear server, so what's
the difference?
I've been accessing my home PC from work for years using VNC (rfb)
protocol and nothing but open source software and it's quite stable and
secure. You could do the same thing on each of the PCs you want to
access.
On my home PC/network I have:
dyndns (since I don't have a static IP)
CopSSH (Installs minimal cygwin - just enough to run openssh server)
Run sshd on a nonstandard port to hide it from the script kiddies.
Use a keypair to authenticate and disable password authentication.
UltraVNC server
On the remote PC I set up port forwarding and connect to the forwarded
port with either krdc or UltraVNC client depending on whether I'm running
Windows or Linux.
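The hardening the post lists (sshd on a non-standard port, key-pair authentication, password authentication disabled) lives in sshd_config. The following check is an added example, not code from the thread or from CopSSH; it reads a config fragment the way sshd does (keywords case-insensitive, first occurrence of a keyword wins, `Port` may repeat, settings inside a `Match` block are conditional and are skipped here) and reports which of those settings are missing. It also flags ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer OpenSSH), because with PAM that path can still prompt for a password when PasswordAuthentication alone is off. Both config samples are constructed for the example.

```python
"""Audit an sshd_config fragment for the settings the CopSSH post relies on.

Added example; not part of the thread, CopSSH or OpenSSH.
"""
import re

# Constructed sample: what a fresh install tends to look like (defaults left in place).
WEAK_CONFIG = """\
# sshd_config
PasswordAuthentication yes
PubkeyAuthentication yes
Subsystem sftp /usr/sbin/sftp-server
"""

# Constructed sample: the post's setup, plus challenge-response switched off.
HARDENED_CONFIG = """\
Port 2222                     # non-standard port
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 192.168.1.0/24  # conditional section, not evaluated by this check
    AllowTcpForwarding yes
"""

# sshd's own defaults for the keywords we care about, used when a line is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}

_LINE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")


def parse_global(text):
    """Return the global section as {keyword: value} (first occurrence wins) plus a 'port' list."""
    settings = {}
    ports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":  # everything after the first Match is conditional
            break
        if key == "port":
            ports.append(value)  # Port accumulates rather than overriding
            continue
        settings.setdefault(key, value)
    settings["port"] = ports or ["22"]
    return settings


def audit(text):
    """Return a list of findings; an empty list means every checked setting is in place."""
    s = parse_global(text)
    findings = []
    if "22" in s["port"]:
        findings.append("Port 22: sshd still listens on the default port")
    if s.get("passwordauthentication", DEFAULTS["passwordauthentication"]).lower() != "no":
        findings.append("PasswordAuthentication is not 'no': password logins still accepted")
    if s.get("pubkeyauthentication", DEFAULTS["pubkeyauthentication"]).lower() != "yes":
        findings.append("PubkeyAuthentication is not 'yes': key-pair login disabled")
    cr = s.get("challengeresponseauthentication",
               s.get("kbdinteractiveauthentication", DEFAULTS["challengeresponseauthentication"]))
    if cr.lower() != "no":
        findings.append("ChallengeResponseAuthentication/KbdInteractiveAuthentication is not 'no': "
                        "keyboard-interactive can still prompt for a password")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("%s: %s" % (name, audit(cfg) or ["ok"]))
```

Moving sshd off port 22 reduces log noise from scanners, as the post says, but the setting that actually keeps guessed passwords out is the combination of PasswordAuthentication no and ChallengeResponseAuthentication no with key-pair login; the check treats those as the important findings.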