port forwarding and secured connection - SSH


Thread: port forwarding and secured connection

  1. port forwarding and secured connection

    Hi all,

    openssh 3.7.1.0 with zlib and openssl 0.9.6.7 are installed on AIX4.3.
    The config files are listed at the end of this mail.
    I have one machineA on which I have configured local port forwarding:
    machineA:#sshd -p 2222
    machineA:#ssh -f -g -N -L 2223:machineA:23 machineA

    A client telnet connection to port 2223 of machine A works.

    If I understand local port forwarding,
    the connection between the client and port 2223 on machine A should be
    not secured,
    the connection between port 2223 on machine A and port 23 should be
    secured.

    But when I use ip listener on what goes out from port 2223 and what
    arrives to port 23, I see that the connection is not secured.

    What should be secured:
    1/Should the connection between port 2223 on machine A and port 23 be
    secured in both way, I mean from 2223 to 23 and from 23 to 2223?
    2/Or should connection between 2223 and 2222 not secured, and between
    2222 and 23 secured? In both way?
    3/Do I need to install another package?


    Thanks in advance.


    Here are extracts of sshd_config and ssh_config files:
    ssh_config:
    # Host *
    ForwardAgent yes
    # ForwardX11 no
    # RhostsRSAAuthentication no
    # RSAAuthentication yes
    # PasswordAuthentication yes
    # HostbasedAuthentication no
    # BatchMode no
    # CheckHostIP yes
    # AddressFamily any
    # ConnectTimeout 0
    # StrictHostKeyChecking ask
    Port 2222
    # Protocol 2,1

    sshd_config:
    Port 2222
    #Protocol 2,1
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 768

    # Logging
    #obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    PermitRootLogin yes
    #StrictModes yes

    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile .ssh/authorized_keys

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    #IgnoreRhosts yes

    #PasswordAuthentication yes
    #PermitEmptyPasswords no

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes

    #UsePAM yes

    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #KeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression yes
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10


  2. Re: port forwarding and secured connection


    > machineA:#sshd -p 2222
    > machineA:#ssh -f -g -N -L 2223:machineA:23 machineA
    >
    > A client telnet connection to port 2223 of machine A works.
    >
    > If I understand local port forwarding,
    > the connection between the client and port 2223 on machine A should be
    > not secured,
    > the connection between port 2223 on machine A and port 23 should be
    > secured.


    No; they are both unsecured by SSH. In this model:

    A -- TCP --> B == (ssh -L p:q C) ==> C -- TCP --> D:q

    ... the connections A->B and C->D are plain TCP and unsecured by SSH.
    However, if either A=B or C=D (as it is in your case), that leg is
    generally considered secure since it does not go over a network. However,
    the plaintext does go from one process to another on host C=D, and so
    anyone privileged to inspect that IPC mechanism (loopback IP in this
    case), can read the plaintext.

    --
    Richard Silverman
    res@qoxp.net


  3. Re: port forwarding and secured connection

    Thanks for your answer.

    I reformulate my questions:
    1/ is the connection between B and C secured (I mean encapsulated by ssh)?
    2/ is it secured in the two ways (B => C and C => B)?

    If answer to question 1/ is yes (should be), then why do I see TCP
    between B and C when I listen to ports? Is it a problem in config file,
    ssh version, ...?







  4. Re: port forwarding and secured connection

    >>>>> "titeuf" == titeuf tuti@caramail com writes:

    titeuf> Thanks for your answer. I reformulate my questions: 1/ is the
    titeuf> connection between B and C secured (I mean encapsulated by ssh)?
    titeuf> 2/ is it secured in the two ways (B => C and C => B)?

    titeuf> If answer to question 1/ is yes (should be), then why do I see
    titeuf> TCP between B and C when I listen to ports? Is it a problem in
    titeuf> config file, ssh version, ...?

    Like most connection-oriented Internet protocols, SSH is carried in a TCP
    connection.

    --
    Richard Silverman
    res@qoxp.net


  5. Re: port forwarding and secured connection

    Yes, I agree with you, but that does not answer my question.

    I can connect with ssh, when listening to port, it is unreadable.
    That's correct.
    The problem is I can see login and password between C and D when
    listening to port.

    But when using forwarding, from a telnet for example, it is never
    unreadable.
    What's the problem?






  6. Re: port forwarding and secured connection


    > Yes, I agree with you, but that does not answer my question.


    It answers the question you asked: "then why do I see TCP between B and
    C". Perhaps it does not answer the question you meant to ask.

    > I can connect with ssh, when listening to port, it is unreadable.
    > That's correct.


    I assume by "listening to port" you mean snooping the TCP traffic carrying
    the SSH connection.

    > The problem is I can see login and password between C and D when
    > listening to port.


    We already established that the C->D connection is not secured by SSH, so
    this is expected.

    > But when using forwarding, from a telnet for example, it is never
    > unreadable.


    I don't understand this sentence at all. First, an SSH port forwarding
    situation is implicit in the previous statement, so I don't understand the
    meaning of "But when using forwarding..." Second, "it is never
    unreadable" means "it is always readable," just like the last connection
    referred to (C->D), so I don't understand what juxtaposition you're trying
    to set up.

    --
    Richard Silverman
    res@qoxp.net


  7. Re: port forwarding and secured connection

    OK, sorry, my last mail was not clear.
    My question was not C->D but B->C.

    By listening, I mean using iptrace and ipreport.
    In the schema, you say B=>C is encapsulated by ssh:
    A -- TCP --> B:2223 == (ssh -L 2223:23 C) ==> C -- TCP --> D:23

    My problem is: iptrace (in and out) on
    port B=C:2223: I can see login/password
    port C=D:23: I can see login/password
    (In my tests, I have B=C=D, but it is the same if B<>C with C=D.)

    In the debug traces of ssh, I have this:
    debug1: channel 1: free: direct-tcpip: listening port 2223 for B port
    23, connect from xx.xx.xxx.xxx port 3702, nchannels 2
    debug3: channel 1: status: The following connections are open:
    #1 direct-tcpip: listening port 2223 for B port 23, connect from
    xx.xx.xxx.xxx port 3702 (t4 r0 i3/0 o3/0 fd 5/5)
    debug3: channel 1: close_fds r 5 w 5 e -1






  8. Re: port forwarding and secured connection

    For information for all:
    I solved the problem:
    This schema is not exactly true:
    A -- TCP --> B:2223 == (ssh -L 2223:C:23 C) ==> C -- TCP --> C:23
    The good one is:
    A -- TCP --> B:2223 --> BortABC == (ssh -L 2223:C:23 C) ==> C:22 ---
    TCP --> C:23
    I listened on the bad port, ssh uses an auxiliary port to send the
    data.

    Thanks for answer.
    Bye.




  9. Re: port forwarding and secured connection


    > By listening, I mean using iptrace and ipreport.
    > In the schema, you say B=>C is encapsulated by ssh:
    > A -- TCP --> B:2223 == (ssh -L 2223:23 C) ==> C -- TCP --> D:23
    >
    > My problem is: iptrace (in and out) on
    > port B=C:2223: I can see login/password


    Yes; you are looking at the plain TCP connection A->B:2223.

    > port C=D:23: I can see login/password


    Yes; you are looking at the plain TCP connection C->D:23.

    It's only the data in the SSH connection, from an ephemeral port on B to
    C:22, that is protected by SSH.

    --
    Richard Silverman
    res@qoxp.net
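
The three legs discussed in this thread, worked out for the original poster's command. This is an added example, not part of the original posts: it splits an `ssh -L` command line into listener, tunnel and target legs and reports which of them carry the forwarded bytes unencrypted where a network capture could see them. The function names and the `on_network` field are assumptions made for illustration; `on_network` means the leg can cross a network, not that it always does.

```python
import shlex

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def forward_legs(cmdline, client_host, ssh_port=22):
    """Break one `ssh -L port:host:hostport server` command into its TCP legs.

    Handles only the option forms used in the thread (-f -g -N, -L spec, -p port).
    ssh_port is the port ssh dials when -p is absent (2222 in the poster's ssh_config).
    """
    args = shlex.split(cmdline)[1:]
    spec = server = None
    gateway = False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-L", "-p"):
            i += 1
            if arg == "-L":
                spec = args[i]
            else:
                ssh_port = int(args[i])
        elif arg.startswith("-"):
            gateway = gateway or "g" in arg[1:]   # -g alone or bundled (-fgN)
        else:
            server = arg.split("@")[-1]
        i += 1
    lport, dest, dport = spec.split(":")   # no bind address or IPv6 literal
    return [
        # A -> B:lport, plain TCP; -g lets remote hosts connect to the listener
        {"leg": "listener", "to": f"{client_host}:{lport}",
         "ssh_protected": False, "on_network": gateway},
        # ephemeral port on B -> C:ssh_port, the only leg SSH encrypts
        {"leg": "tunnel", "to": f"{server}:{ssh_port}",
         "ssh_protected": True, "on_network": server != client_host},
        # C -> D:dport, plain TCP opened by sshd on the server side
        {"leg": "target", "to": f"{dest}:{dport}",
         "ssh_protected": False,
         "on_network": dest != server and dest not in LOOPBACK},
    ]

def cleartext_on_wire(legs):
    """Legs that carry the forwarded bytes unencrypted across a network."""
    return [l["to"] for l in legs if l["on_network"] and not l["ssh_protected"]]

# The poster's command; Port 2222 comes from the ssh_config shown in the thread.
THREAD_CMD = "ssh -f -g -N -L 2223:machineA:23 machineA"
if __name__ == "__main__":
    for leg in forward_legs(THREAD_CMD, "machineA", ssh_port=2222):
        print(leg)
```

For the poster's setup the only SSH-protected flow is the one to `machineA:2222`, so a capture on port 2223 or port 23 shows the telnet login in the clear, as the replies explain.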

