Using ssh forwarding for ssh itself. - SSH

Thread: Using ssh forwarding for ssh itself.

  1. Using ssh forwarding for ssh itself.

    I'm trying to ssh into my (Linux) computer at work. Normally I ssh
    into the department's main (Unix) computer, then ssh into my own, but
    I thought I'd try out port forwarding. So in one xterm I do this:


    $ ssh -L 9999:my_computer:22 main_computer
    [main_computer prints login message then the following]

    channel 3: open failed: administratively prohibited: open failed
    channel 3: open failed: administratively prohibited: open failed


    In another xterm, I try this:


    $ netstat -tl
    [shows my computer is listening on 9999]

    $ ssh -p 9999 -v localhost
    debug1: Reading configuration data /home/adam/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to localhost [127.0.0.1] port 9999.
    debug1: Connection established.
    debug1: identity file /home/adam/.ssh/identity type -1
    debug1: identity file /home/adam/.ssh/id_rsa type -1
    debug1: identity file /home/adam/.ssh/id_dsa type -1
    ssh_exchange_identification: Connection closed by remote host


    Does the "administratively prohibited" message mean that main_computer
    is configured not to allow this? Or am I doing something wrong?

    If I can get this working, will I also be able to use scp directly
    from my home computer to my desktop (instead of copying to my account
    on main_computer first)?


    Thanks,
    Adam


  2. Re: Using ssh forwarding for ssh itself.

    In comp.security.ssh Adam Funk wrote:
    > I'm trying to ssh into my (Linux) computer at work. Normally I ssh
    > into the department's main (Unix) computer, then ssh into my own, but
    > I thought I'd try out port forwarding. So in one xterm I do this:

    [..]

    > If I can get this working, will I also be able to use scp directly
    > from my home computer to my desktop (instead of copying to my account
    > on main_computer first)?


    Why not just stick some alias like this in .bashrc?

    alias scpd='tar -czf - . |ssh remhost1 "cat -" |ssh remhost2 "cd ~/boz; tar -xzf -"'

    Good luck

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 10: hardware stress fractures

  3. Re: Using ssh forwarding for ssh itself.

    Adam Funk a écrit :
    > I'm trying to ssh into my (Linux) computer at work. Normally I ssh
    > into the department's main (Unix) computer, then ssh into my own, but
    > I thought I'd try out port forwarding. So in one xterm I do this:
    >
    >
    > $ ssh -L 9999:my_computer:22 main_computer
    > [main_computer prints login message then the following]
    >
    > channel 3: open failed: administratively prohibited: open failed
    > channel 3: open failed: administratively prohibited: open failed


    Hi,
    This message is printed when you try to use TCP forwarding and sshd
    doesn't authorize it. You need to ask your administrator to put
    "AllowTcpForwarding yes" in sshd_config on the gateway.

    According to "man sshd_config", if you can log into a host, disabling
    TCP forwarding doesn't really improve security (quote: '...Note that
    disabling TCP forwarding does not improve security unless users are also
    denied shell access, as they can always install their own forwarders').

    Mat

    >
    >
    > In another xterm, I try this:
    >
    >
    > $ netstat -tl
    > [shows my computer is listening on 9999]
    >
    > $ ssh -p 9999 -v localhost
    > debug1: Reading configuration data /home/adam/.ssh/config
    > debug1: Reading configuration data /etc/ssh/ssh_config
    > debug1: Applying options for *
    > debug1: Connecting to localhost [127.0.0.1] port 9999.
    > debug1: Connection established.
    > debug1: identity file /home/adam/.ssh/identity type -1
    > debug1: identity file /home/adam/.ssh/id_rsa type -1
    > debug1: identity file /home/adam/.ssh/id_dsa type -1
    > ssh_exchange_identification: Connection closed by remote host
    >
    >
    > Does the "administratively prohibited" message mean that main_computer
    > is configured not to allow this? Or am I doing something wrong?
    >
    > If I can get this working, will I also be able to use scp directly
    > from my home computer to my desktop (instead of copying to my account
    > on main_computer first)?
    >
    >
    > Thanks,
    > Adam
    >

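    The man-page caveat Mat quotes is worth seeing as configuration. The
    following sshd_config excerpt is an added illustration for this thread,
    not the department's real file; the group names are assumed. It puts the
    setting Adam ran into next to the two combinations in which the
    forwarding knob actually expresses a policy: forwarding denied together
    with shell access (a transfer-only account), and forwarding permitted
    without shell access (a pure hop host).

```text
# Added illustration, not the gateway's actual sshd_config.
# Group names "xferonly" and "hopusers" are assumed.

# (a) What the gateway currently has. By itself this only turns -L/-R/-D
#     requests into "administratively prohibited"; anyone with a shell can
#     still run netcat or a relay script over the session channel.
AllowTcpForwarding no

# (b) Where the intent really is "no forwarding through this host", the
#     caveat in sshd_config(5) means shell access has to go as well:
Match Group xferonly
    AllowTcpForwarding no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTTY no
    ForceCommand internal-sftp

# (c) The opposite trade-off for a hop host: let the group forward (so
#     "ssh -N -L ..." and ssh -W / ProxyJump work), but give it no command
#     execution, and limit the forwarding targets it may reach.
Match Group hopusers
    AllowTcpForwarding yes
    PermitOpen my_computer:22
    PermitTTY no
    ForceCommand /bin/false
```

    To see what actually applies to a given login after Match evaluation, run
    as root on the gateway: sshd -T -C user=adam,host=main_computer,addr=192.0.2.10
    (the address is a placeholder) and look at the allowtcpforwarding and
    forcecommand lines it prints.
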

  4. Re: Using ssh forwarding for ssh itself.

    > Adam Funk a écrit :
    >> I'm trying to ssh into my (Linux) computer at work. Normally I ssh
    >> into the department's main (Unix) computer, then ssh into my own, but
    >> I thought I'd try out port forwarding. So in one xterm I do this:
    >>
    >>
    >> $ ssh -L 9999:my_computer:22 main_computer
    >> [main_computer prints login message then the following]
    >>
    >> channel 3: open failed: administratively prohibited: open failed
    >> channel 3: open failed: administratively prohibited: open failed

    >
    > Hi,
    > This message is printed when you try to use TCP forwarding and sshd
    > doesn't authorize it. You need to ask your administrator to put
    > "AllowTcpForwarding yes" in sshd_config on the gateway.
    >
    > According to "man sshd_config", if you can log into a host, disabling
    > TCP forwarding doesn't really improve security (quote: '...Note that
    > disabling TCP forwarding does not improve security unless users are also
    > denied shell access, as they can always install their own forwarders').
    >
    > Mat
    >
    >>
    >>
    >> In another xterm, I try this:
    >>
    >>
    >> $ netstat -tl
    >> [shows my computer is listening on 9999]
    >>
    >> $ ssh -p 9999 -v localhost
    >> debug1: Reading configuration data /home/adam/.ssh/config
    >> debug1: Reading configuration data /etc/ssh/ssh_config
    >> debug1: Applying options for *
    >> debug1: Connecting to localhost [127.0.0.1] port 9999.
    >> debug1: Connection established.
    >> debug1: identity file /home/adam/.ssh/identity type -1
    >> debug1: identity file /home/adam/.ssh/id_rsa type -1
    >> debug1: identity file /home/adam/.ssh/id_dsa type -1
    >> ssh_exchange_identification: Connection closed by remote host
    >>
    >>
    >> Does the "administratively prohibited" message mean that main_computer
    >> is configured not to allow this? Or am I doing something wrong?
    >>
    >> If I can get this working, will I also be able to use scp directly
    >> from my home computer to my desktop (instead of copying to my account
    >> on main_computer first)?


    Sorry, I forgot one part of the response. If your administrator authorizes
    TCP forwarding as I mentioned earlier, then you could use scp directly
    after tunnel establishment using:

    scp -oport=9999 localhost:/tmp/myfile /tmp/
    (pull)
    or
    scp -oport=9999 /tmp/my2file localhost:/tmp/
    (push)

    Mat

    >>
    >>
    >> Thanks,
    >> Adam
    >>


  5. Re: Using ssh forwarding for ssh itself.

    In comp.security.ssh Adam Funk wrote:
    > I'm trying to ssh into my (Linux) computer at work. Normally I ssh
    > into the department's main (Unix) computer, then ssh into my own, but
    > I thought I'd try out port forwarding. So in one xterm I do this:
    >
    >
    > $ ssh -L 9999:my_computer:22 main_computer
    > [main_computer prints login message then the following]
    >
    > channel 3: open failed: administratively prohibited: open failed
    > channel 3: open failed: administratively prohibited: open failed
    >
    >
    > In another xterm, I try this:
    >
    >
    > $ netstat -tl
    > [shows my computer is listening on 9999]
    >
    > $ ssh -p 9999 -v localhost
    > debug1: Reading configuration data /home/adam/.ssh/config
    > debug1: Reading configuration data /etc/ssh/ssh_config
    > debug1: Applying options for *
    > debug1: Connecting to localhost [127.0.0.1] port 9999.
    > debug1: Connection established.
    > debug1: identity file /home/adam/.ssh/identity type -1
    > debug1: identity file /home/adam/.ssh/id_rsa type -1
    > debug1: identity file /home/adam/.ssh/id_dsa type -1
    > ssh_exchange_identification: Connection closed by remote host
    >
    >
    > Does the "administratively prohibited" message mean that main_computer
    > is configured not to allow this? Or am I doing something wrong?
    >
    > If I can get this working, will I also be able to use scp directly
    > from my home computer to my desktop (instead of copying to my account
    > on main_computer first)?
    >
    >

    You may want to use ssh trampoline. For this, you need to have netcat
    (or "nc") installed in "main_computer". (the main_computer from your port
    forwarding example)

    You just have to edit your ~/.ssh/config file and add something like the
    following:

    ======================================================================
    # You can add an alias in /etc/hosts if this intranet IP exists in
    # your intranet at home.
    Host my_computer
        # You need netcat on main_computer (replace "netcat" by "nc" on
        # some OSes).
        ProxyCommand ssh main_computer "netcat %h %p"
    ======================================================================

    With that, you can access "my_computer" just by typing: ssh my_computer.
    You can do scp, sftp, tunnels etc. as if you had direct access to
    my_computer.

    It's very convenient to use ssh-agent in such a configuration too, so you
    don't have to type your password many times.

    Good luck

    --
    Martin


  6. Re: Using ssh forwarding for ssh itself.

    On 2007-06-20, Mat wrote:

    > This message is printed when you try to use TCP forwarding and sshd
    > doesn't authorize it. You need to ask your administrator to put
    > "AllowTcpForwarding yes" in sshd_config on the gateway.


    Aha, the server's sshd_config file (which is world-readable) does
    contain "AllowTcpForwarding no".


    > According to "man sshd_config", if you can log into a host, disabling
    > TCP forwarding doesn't really improve security (quote: '...Note that
    > disabling TCP forwarding does not improve security unless users are also
    > denied shell access, as they can always install their own forwarders').


    I'll ask the admin if he's willing to change it. Thanks for the
    supportive citation!

  7. Re: Using ssh forwarding for ssh itself.

    On 2007-06-20, Martin Gagnon wrote:

    > You may want to use ssh trampoline. For this, you need to have netcat
    > (or "nc") installed in "main_computer". (the main_computer from your port
    > forwarding example)
    >
    > You just have to edit your ~/.ssh/config file and add something like the
    > following:


    I've found another server that allows tcp forwarding to others in the
    department, so I'm just using the straight ssh tunnelling technique.
    But I'll try the trampoline later on --- thanks!

  8. Re: Using ssh forwarding for ssh itself.

    On 2007-06-20, Martin Gagnon wrote:

    > You may want to use ssh trampoline. For this, you need to have netcat
    > (or "nc") installed in "main_computer". (the main_computer from your port
    > forwarding example)
    >
    > You just have to edit your ~/.ssh/config file and add something like the
    > following:
    >
    > ======================================================================
    > # You can add an alias in /etc/hosts if this intranet IP exists in
    > # your intranet at home.
    > Host my_computer
    >     # You need netcat on main_computer (replace "netcat" by "nc" on
    >     # some OSes).
    >     ProxyCommand ssh main_computer "netcat %h %p"
    > ======================================================================
    >
    > With that, you can access "my_computer" just by typing: ssh my_computer.
    > You can do scp, sftp, tunnels etc. as if you had direct access to
    > my_computer.


    That works brilliantly, thanks!

    (BTW, I already use ssh-agent.)

  9. SSH trampoline leaves processes running. (was: Using ssh forwarding for ssh itself)

    On 2007-06-20, Martin Gagnon wrote:

    > You may want to use ssh trampoline. For this, you need to have netcat
    > (or "nc") installed in "main_computer". (the main_computer from your port
    > forwarding example)
    >
    > You just have to edit your ~/.ssh/config file and add something like the
    > following:
    >
    > ======================================================================
    > # You can add an alias in /etc/hosts if this intranet IP exists in
    > # your intranet at home.
    > Host my_computer
    >     # You need netcat on main_computer (replace "netcat" by "nc" on
    >     # some OSes).
    >     ProxyCommand ssh main_computer "netcat %h %p"
    > ======================================================================
    >
    > With that, you can access "my_computer" just by typing: ssh my_computer.
    > You can do scp, sftp, tunnels etc. as if you had direct access to
    > my_computer.
    >
    > It's very convenient to use ssh-agent in such a configuration too, so you
    > don't have to type your password many times.


    Thanks very much for this very useful tip!

    I've noticed, however, that the related processes don't terminate, so
    every now and then I notice that `ps ux` includes several old ones
    with the descriptions "sshd: adam@pts/0" and "sshd: adam@notty". I
    can kill them without any problem and AFAIK they don't cause trouble,
    but is this a normal result of ssh trampoline?

  10. Re: SSH trampoline leaves processes running. (was: Using ssh forwarding for ssh itself)

    On 2007-08-19, Adam Funk wrote:
    [...]
    > Thanks very much for this very useful tip!
    >
    > I've noticed, however, that the related processes don't terminate, so
    > every now and then I notice that `ps ux` includes several old ones
    > with the descriptions "sshd: adam@pts/0" and "sshd: adam@notty". I
    > can kill them without any problem and AFAIK they don't cause trouble,
    > but is this a normal result of ssh trampoline?


    Some versions of netcat don't check if their input has closed so they
    don't shut down cleanly in that case. I used to use this, which worked
    fine:

    http://www.meadowy.org/~gotoh/projects/connect

    but I believe that there are some versions of netcat that also work.

    There's also a patch to sshd that will send a SIGHUP to processes when
    trying to close them down.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  11. Re: SSH trampoline leaves processes running.

    On 2007-08-27, Darren Tucker wrote:

    > On 2007-08-19, Adam Funk wrote:
    > [...]
    >> Thanks very much for this very useful tip!
    >>
    >> I've noticed, however, that the related processes don't terminate, so
    >> every now and then I notice that `ps ux` includes several old ones
    >> with the descriptions "sshd: adam@pts/0" and "sshd: adam@notty". I
    >> can kill them without any problem and AFAIK they don't cause trouble,
    >> but is this a normal result of ssh trampoline?

    >
    > Some versions of netcat don't check if their input has closed so they
    > don't shut down cleanly in that case.


    In my case, that's the version of netcat installed on the gateway
    machine, right?


    > I used to use this, which worked
    > fine:
    >
    > http://www.meadowy.org/~gotoh/projects/connect
    >
    > but I believe that there are some versions of netcat that also work.
    >
    > There's also a patch to sshd that will send a SIGHUP to processes when
    > trying to close them down.


    I'll look into putting connect in ~/bin/ on my account on the gateway
    machine. Thanks for the advice.
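
    The relay program that Martin's ProxyCommand (post 5) runs on the gateway
    is what decides whether the leftover "sshd: adam@notty" sessions from
    post 9 appear: as Darren says, a netcat that keeps reading the socket
    after its stdin has closed keeps the session alive. The script below is
    an added example for this thread, not code from any poster or from
    OpenSSH; it plays the "netcat %h %p" role and exits when either side
    goes away. It assumes Python 3 on the gateway and a path of ~/bin/relay.py
    (both assumptions), giving
    ProxyCommand ssh main_computer "python3 ~/bin/relay.py %h %p".
    Where the gateway runs OpenSSH 5.4 or later, "ProxyCommand ssh -W %h:%p
    main_computer" (and from 7.3, "ProxyJump main_computer") does the same
    job with no helper program at all and is the first thing to try.

```python
#!/usr/bin/env python3
"""relay.py HOST PORT: a ProxyCommand helper in the role of 'netcat %h %p'.

Added example, not from the thread. Unlike a netcat that ignores EOF on
stdin, it notices when the ssh client on the other end of the pipe has gone
away, half-closes the TCP side, and exits once the remote has closed (or a
short linger has expired), so no 'sshd: user@notty' session lingers on the
gateway.
"""
import os
import select
import socket
import sys


def _write_all(fd, data):
    """os.write() may be partial on pipes; loop until every byte is out."""
    view = memoryview(data)
    while view:
        n = os.write(fd, view)
        view = view[n:]


def relay(in_fd, out_fd, sock, linger=2.0, bufsize=65536):
    """Shuttle bytes in_fd -> sock and sock -> out_fd.

    Returns (bytes_sent_to_remote, bytes_received_from_remote). Stops when
    the remote closes, or when in_fd hits EOF and the remote has then been
    quiet for `linger` seconds.
    """
    sent = received = 0
    stdin_open = True
    timeout = None                      # block indefinitely while stdin is open
    while True:
        readers = [sock] + ([in_fd] if stdin_open else [])
        ready, _, _ = select.select(readers, [], [], timeout)
        if not ready:                   # linger expired after local EOF
            break
        if in_fd in ready:
            data = os.read(in_fd, bufsize)
            if data:
                sock.sendall(data)
                sent += len(data)
            else:                       # ssh closed our stdin
                stdin_open = False
                try:
                    sock.shutdown(socket.SHUT_WR)   # pass the EOF on as a FIN
                except OSError:
                    pass                # remote already gone
                timeout = linger        # but never wait on the remote forever
        if sock in ready:
            data = sock.recv(bufsize)
            if not data:                # remote closed: nothing more can arrive
                break
            _write_all(out_fd, data)
            received += len(data)
    return sent, received


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: relay.py HOST PORT\n")
        return 2
    host, port = argv[1], int(argv[2])
    with socket.create_connection((host, port)) as sock:
        relay(sys.stdin.fileno(), sys.stdout.fileno(), sock)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    The half-close is the part that matters: sending the remote a FIN when
    the client has hung up lets a well-behaved peer finish and close, while
    the linger timeout guarantees the gateway-side process still exits even
    if the peer never does, which is exactly the case that leaves the
    "notty" sshd children around.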
