Port Forwarding -- Checking to be sure I understand it - SSH




  1. Port Forwarding -- Checking to be sure I understand it

    I am providing support for some friends and family (I'm sure everyone knows
    what I mean -- unpaid tech support you can't easily get out of), and a few
    people are behind restrictive firewalls. With most of my family, I use
    RealVNC. I have a dynamic IP address, so I use DynDNS for address and have
    written scripts so they can just click and it'll start a RealVNC server and
    connect to my system.

    The problem is the few behind restrictive firewalls. I'm not a security or
    networking person, so I've been reading up on this and I'd like it if I
    could get some help verifying that what I've pieced together is correct.

    For an easy example, I have one friend who cannot accept inbound connections
    for RealVNC, so he has to use the RealVNC server and add me as a client.
    From what I understand, if he uses ssh on port 443, the firewall will not
    be able to tell that apart from HTTPS, so (since the firewall lets HTTPS
    connections through), it should let the ssh connection through.

    He's on Windows, and I've just found OpenSSH for Windows
    (http://sshwindows.sourceforge.net/), but not installed it yet. (I
    understand it uses the same command line and config options as SSH would on
    *nix.) If I understand correctly, he can log into my computer with ssh (or
    ssh for Windows, technically) and specify this:

    ssh -L 5500:myaddress.dyndns.org:443 myaddress.dyndns.org

    And it will connect to my computer (through my firewall) and he can log in
    (or, as is likely, I can use a passwordless login). At that point, if I
    understand, his port 5500 will be forwarded to my port 443.

    I'm pretty sure I've got this right so far.

    As I understand it, I don't have to add any strange config at this point to
    get this to work. The part is user names. I can create a dummy account
    for all my friends to login with that gives them minimal permissions (since
    they won't be doing anything anyway!). Does that effect the forwarding?
    If I'm running "vncviewer -listen -p443" on my account (and let's skip the
    root-only access to ports < 1024 for now), will I still receive his
    forwarded signal, on my account, while he's logged in via ssh on his
    account? And do I have to change any config options for sshd on my system
    (other than to make sure AllowTCPForwarding=yes)?

    Now here's one last question: is there a way to set up this forwarding
    without my friend actually logging in? I might use this from a Java class,
    and would like for it to make the connection for forwarding, but I don't
    want to open any additional windows on his system.

    Thanks for any help on this!

    Hal

  2. Re: Port Forwarding -- Checking to be sure I understand it

    I'm not sure I follow exactly what you're trying to do. You say you're
    providing support for friends/relatives but you want them logging in to
    your system. It usually goes the other way around. They run an ssh
    server and VNC service. You set up a tunnel from your client to their
    server. If you want to run the tunnel over some port other than 22 (the
    ssh default) you need to specify the alternate port either in the
    ssh_config file, or with the -p option on the command line. The server
    must be listening on the same port so that would require a similar
    modification to the sshd_config file on the server. This should all be
    documented in the sshd man page, or you can just read the comments in
    the ssh config files.

    For example, say you connect to a VNC server (port 5800 IIRC) on
    relative.dyndns.org using port 443 (to get through someone's firewall).
    You would first run the VNC and sshd services on the machine you're
    connecting to and on the client run

    ssh -p 443 -L 5800:localhost:5800 userID@relative.dyndns.org

    IIRC there's an option you need to set on RealVNC to allow connections
    from localhost too. I use UltraVNC and had to do that.

    HTH

    BTW I would recommend CopSSH instead of sshWindows. The latter hasn't
    been updated for close to a year. CopSSH is updated regularly. They're
    both free.

  3. Re: Port Forwarding -- Checking to be sure I understand it

    Chuck wrote:

    > I'm not sure I follow exactly what you're trying to do. You say you're
    > providing support for friends/relatives but you want them logging in to
    > your system. It usually goes the other way around. They run an ssh
    > server and VNC service. You set up a tunnel from your client to their
    > server. If you want to run the tunnel over some port other than 22 (the
    > ssh default) you need to specify the alternate port either in the
    > ssh_config file, or with the -p option on the command line. The server
    > must be listening on the same port so that would require a similar
    > modification to the sshd_config file on the server. This should all be
    > documented in the sshd man page, or you can just read the comments in
    > the ssh config files.


    The problem is I have three behind a firewall that is rather restrictive and
    we can't connect with an incoming (to them) connection. My parents are on
    a dynamic IP and don't want me doing anything to their system, router, or
    anything else, so, again, it is easier to use an outbound connection. With
    them, I have a script that starts RealVNC as a server then adds my
    Dyndns.org domain as a client and it connects to me. In the long run, I
    may try to use this with clients, so I have that in the back of my mind,
    but it isn't an issue now. However, I have two friends and a sister behind
    restrictive firewalls that deny all incoming connections and block most
    ports. We tried using RealVNC on port 80, but it was blocked, so my best
    guess is that firewall (and the others) don't just block ports, but check
    the data on them. I know those firewalls allow HTTPS connections, so I
    figure they should allow ssh over port 443, since, from what little I know,
    their firewalls won't be able to tell the difference between that and their
    browser going to a secure site.

    >
    > For example, say you connect to a VNC server (port 5800 IIRC) on
    > relative.dyndns.org using port 443 (to get through someone's firewall).
    > You would first run the VNC and sshd services on the machine you're
    > connecting to and on the client run
    >
    > ssh -p 443 -L 5800:localhost:5800 userID@relative.dyndns.org
    >
    > IIRC there's an option you need to set on RealVNC to allow connections
    > from localhost too. I use UltraVNC and had to do that.


    That's what I'm working with now -- or trying to set up. If I do that, and
    my friend/relative logs in on their own account, I should still get the
    forwarded data stream if I'm running a program on my account, right?

    > HTH
    >
    > BTW I would recommend CopSSH instead of sshWindows. The latter hasn't
    > been updated for close to a year. CopSSH is updated regularly. They're
    > both free.


    I've also discovered PuTTY and PLINK, and may go with the latter. What I'd
    like is one they can run to tunnel/forward the data without them actually
    having to log in. I've looked at stunnel, but this is where the long term
    comes in: I'd really like to use the same program on Windows and Linux and
    stunnel isn't always an easy compile on Linux and isn't always easy to
    install by a package manager (saw a case of RPM hell with it). PuTTY and
    PLINK are close enough to SSH that if I can't use the exact same program, I
    still am using the same backend.

    I'll look at CopSSH. I've never heard of it before, but it's worth a look.

    Thanks for the help and info!

    Hal

  4. Re: Port Forwarding -- Checking to be sure I understand it


    There's a lot of convoluted stuff in your post, including
    misunderstandings that I'm not going to unravel just now. I'll just
    suggest:

    - Your friend runs the VNC server on his computer.

    - If his firewall does not allow outbound connections on the normal SSH
    port, but you think he can use port 443, then you configure your SSH
    server to listen on 443.

    - He does: "ssh -R 590:localhost:5900 -p 443 "

    - You point your VNC client (on the SSH server machine) to display
    localhost:.

    --
    Richard Silverman
    res@qoxp.net


  5. Re: Port Forwarding -- Checking to be sure I understand it

    Richard E. Silverman wrote:

    >
    > There's a lot of convoluted stuff in your post, including
    > misunderstandings


    Which is why I'm asking about it!

    > that I'm not going to unravel just now. I'll just
    > suggest:
    >
    > - Your friend runs the VNC server on his computer.
    >
    > - If his firewall does not allow outbound connections on the normal SSH
    > port, but you think he can use port 443, then you configure your SSH
    > server to listen on 443.
    >
    > - He does: "ssh -R 590:localhost:5900 -p 443 "
    >
    > - You point your VNC client (on the SSH server machine) to display
    > localhost:.


    But does it matter what username they log into my system under? For
    instance, can I create an account with almost no permissions and will that
    effect my ability, when logged in under my account, to receive their data
    forwarded through ssh?

    Or is there some way to set up the forwarding without them having to
    actually log in to my system?

    Hal

  6. Re: Port Forwarding -- Checking to be sure I understand it

    >>>>> "HV" == Hal Vaughan writes:

    HV> Richard E. Silverman wrote:
    >> There's a lot of convoluted stuff in your post, including
    >> misunderstandings


    HV> Which is why I'm asking about it!

    >> that I'm not going to unravel just now. I'll just suggest:
    >>
    >> - Your friend runs the VNC server on his computer.
    >>
    >> - If his firewall does not allow outbound connections on the normal
    >> SSH port, but you think he can use port 443, then you configure
    >> your SSH server to listen on 443.
    >>
    >> - He does: "ssh -R 590:localhost:5900 -p 443 "
    >>
    >> - You point your VNC client (on the SSH server machine) to display
    >> localhost:.


    HV> But does it matter what username they log into my system under?
    HV> For instance, can I create an account with almost no permissions
    HV> and will that effect my ability, when logged in under my account,
    HV> to receive their data forwarded through ssh?

    The word is "affect."

    As long as their process has the right to listen on a TCP port and accept
    connections, it doesn't matter at all.

    HV> Or is there some way to set up the forwarding without them having
    HV> to actually log in to my system?

    If they're using SSH, they have to log into something. It could be a
    different machine on which they have an account, but then anyone could
    connect to the forwarded port, and the VNC traffic between you and that
    host would be plaintext. Not good unless VNC has its own security (which
    I guess some versions do).

    --
    Richard Silverman
    res@qoxp.net
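
What Richard's suggestion (post 4) and his answer about accounts (post 6) come to in practice, as an added example that is not part of the thread and not Richard's, Chuck's or Hal's own code: Hal's sshd listens on 443 as well as 22, a shared low-privilege account is allowed exactly one reverse forward and nothing else, and the friend runs ssh with -N and -R. Note the direction: the -L in the first post would forward the friend's local port 5500 towards Hal's sshd on 443, which is not what is wanted; -R publishes the friend's own VNC server (port 5900) on Hal's loopback. The host name myaddress.dyndns.org, the account name vncrelay, the key paths and the public key string are assumptions chosen for illustration. The script writes its files to a scratch directory so it runs anywhere; the fragments are then copied into /etc/ssh/sshd_config and ~vncrelay/.ssh/authorized_keys by hand.

```sh
#!/bin/sh
# Added example, not code from the thread. Tunnel-only SSH account on the
# helper's (Hal's) machine plus the command the friend runs from behind the
# restrictive firewall. myaddress.dyndns.org, "vncrelay", the key paths and
# the public key below are assumed names/placeholders, not real values.
set -eu

# --- Server side: fragment for Hal's /etc/ssh/sshd_config -------------------
# sshd keeps listening on 22 and additionally on 443, so the friend's firewall
# sees an outbound connection to an HTTPS port. The Match block applies only
# to the relay account; Hal's own logins are unaffected. Every line inside it
# is a permitted Match keyword.
write_sshd_config() {
  cat > "$1" <<'EOF'
Port 22
Port 443

# Restrictions for the shared relay account only.
# AllowTcpForwarding remote: -R is allowed, -L (pivoting out of Hal's box) is refused.
# PermitListen: the only listener the friend may bind on Hal's side (OpenSSH 7.8+).
# GatewayPorts no: the listener is on loopback, reachable from Hal's machine only.
# ForceCommand /bin/false: a shell request ends at once; only "ssh -N" sessions stay up.
Match User vncrelay
    PasswordAuthentication no
    AllowTcpForwarding remote
    PermitListen 127.0.0.1:5900
    GatewayPorts no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
EOF
}

# --- Server side: per-key line for ~vncrelay/.ssh/authorized_keys -----------
# Same limits enforced per key, so they survive a later relaxation of
# sshd_config. "restrict" switches everything off; "port-forwarding" and
# "permitlisten" re-enable just the one reverse forward. $1 is the friend's
# public key text (the value used below is a placeholder).
authorized_keys_line() {
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:5900",command="/bin/false" %s\n' "$1"
}

# --- Client side: what the friend runs ---------------------------------------
# -N: authenticate and set up the forward, but open no shell and no window.
# -R 127.0.0.1:5900:127.0.0.1:5900: the friend's local VNC server appears as
#    127.0.0.1:5900 on Hal's machine (the reverse of -L in the first post).
# $1 = private key file, $2 = Hal's DynDNS name.
client_command() {
  printf 'ssh -N -p 443 -i %s -R 127.0.0.1:5900:127.0.0.1:5900 vncrelay@%s\n' "$1" "$2"
}

# PuTTY's plink equivalent for the Windows friends: -P (capital) is the port,
# -i takes a .ppk key; -N and -R behave as in OpenSSH.
plink_command() {
  printf 'plink -N -P 443 -i %s -R 5900:127.0.0.1:5900 vncrelay@%s\n' "$1" "$2"
}

# Stand-alone run: write both fragments to a scratch directory and show the
# commands. Nothing here touches /etc/ssh.
WORK=$(mktemp -d)
write_sshd_config "$WORK/sshd_config"
authorized_keys_line 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER friend@home' > "$WORK/authorized_keys"
echo "wrote $WORK/sshd_config and $WORK/authorized_keys"
echo "friend runs:   $(client_command /home/friend/.ssh/id_ed25519 myaddress.dyndns.org)"
echo "  (or plink):  $(plink_command friend.ppk myaddress.dyndns.org)"
echo "Hal then runs: vncviewer localhost:0   (RealVNC display 0 is port 5900)"
```

-N is as close to "without logging in" as SSH gets: the friend still authenticates (by key, since password logins are off for the account), but no shell starts and nothing opens on his screen; with ForceCommand /bin/false a plain login would also be useless. Because the forward binds on loopback, only a VNC viewer on Hal's own machine can reach it, and the VNC stream itself never leaves the SSH tunnel, which removes the plaintext concern Richard raises for a third-party host. As he says, the account owning the ssh session does not matter: the forwarded port is an ordinary loopback TCP listener, so Hal's vncviewer, running as his own user, connects to it like any other local service. Check the merged config with `sshd -t -f /etc/ssh/sshd_config` before restarting sshd, and remember that sshd cannot share 443 with a web server already bound to it. PermitListen and the permitlisten key option need OpenSSH 7.8 or newer; on an older server leave them out and rely on AllowTcpForwarding remote.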

