[Courses] [Security] Port forwarding with SSH and ipchains/iptables
jennyw
jennyw at dangerousideas.com
Wed Mar 27 21:14:44 EST 2002
On Tue, 2002-03-26 at 12:51, Raven, corporate courtesan wrote:
> Sorry it took me so long to get to this; today seems to be "Unix
Not long at all!
> Also, are you using ssh1, ssh2, or OpenSSH for this?
It's OpenSSH. How different are the implementations from each other? I
thought OpenSSH was compatible with the now commercial ssh?
> Quoth jennyw (Thu, Mar 21, 2002 at 11:54:12AM -0800):
> > su -c "ssh -L 80:192.168.1.108:80 192.168.1.3 -l jen"
...
> Why are you using the -l jen in there? Is ssh on the remote
> machine set up to run under that userid rather than as root? I've never
> seen port forwarding for ports under 1024 work when run as a user -- you
> need to be root most of the time to open any port under 1024. So you
> might have problems opening port 80 if you don't run the ssh command as
> root. I can see that you're root on the local side, and the user jen on
> the remote side -- let me know if you do make this work. I'm interested
> to see what happens.
It was a Windows box ... any user can open any port on Windows. ;-) That
wasn't the real problem with my example, though -- I also wrote the
command wrong ... I should have had 192.168.1.108 in where I have
192.168.1.3 (.3 was localhost).
I tried the new command:
su -c "ssh -g -L 80:server:80 server -l jen"
and it worked fine!
> As for a way to forward ports without getting a shell -- I know
> if you just want to run a single command with ssh, ssh -c will do that
> for you, but you still need a password. I've never tried running that
> with port forwarding, but I would think it would work. The other sneaky
> thing -- port forwarding will stop when your ssh session stops, so make
> sure there are no timeouts on this ssh session if you want it to be a
> perpetual thing.
Not sure what you mean by that ... with the ssh I use (OpenSSH) -c
specifies a cipher type. Not even sure what that means.
> If you don't want to type in passwords all the time, look into
> using ssh-agent. I'm rather a fan of it. More detail available if
> desired.
Sounds great. I need to learn more about using keys with SSH. I just
bought the snail book. I'm flying to Boston on Friday for a wedding, so
now I'll have something to read on the flight! Oh, wait, they consider
crypto stuff munitions, don't they? I wonder if that'll confuse airport
security ;-)
This discussion has helped a lot. I now know more about SSH. I also now
know that chances are I probably won't be using it. The main issue is
the reliability of the connection -- I think it'll be tricky to come up
with a way to check the connection and to reestablish if it's down.
It also seems easier and more flexible to set up a single firewall that
also has the VPN software on there and apply filtering rules to the
decoded packets on the outgoing interface. In theory. We'll see how I do
...
Thanks!
Jen
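The two practical points raised in this exchange are that a forward opened with `ssh -L` lives only as long as the session that carries it, and that `-g` (or an explicit `0.0.0.0` bind) lets other hosts connect to the forwarded port. The script below is an added example, not code from the thread or from OpenSSH; it uses OpenSSH's `-N` option to hold the tunnel open without a remote shell, binds the local end to loopback only, refuses a privileged local port unless run as root, and relaunches ssh whenever the session dies. The host name `server.example`, the file name `tunnel.sh`, and the default ports are placeholders; the target `192.168.1.108` is the one used in the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread. Keeps an OpenSSH local
# port forward (ssh -L) alive by running ssh in the foreground with -N and
# relaunching it whenever the session ends. Host names are placeholders.

TUNNEL_USER="${TUNNEL_USER:-jen}"             # remote login, as in the thread's -l jen
TUNNEL_HOST="${TUNNEL_HOST:-server.example}"  # assumed SSH host name (placeholder)
LOCAL_PORT="${LOCAL_PORT:-8080}"              # unprivileged local port; 80 needs root on Unix
REMOTE_HOST="${REMOTE_HOST:-192.168.1.108}"   # target behind the SSH host, from the thread
REMOTE_PORT="${REMOTE_PORT:-80}"
BIND_ADDR="${BIND_ADDR:-127.0.0.1}"           # loopback only; -g or 0.0.0.0 would expose the tunnel to other hosts

# Print the ssh command line for one local forward.
#   -N                        open the tunnel without running a remote command or shell
#   BatchMode=yes             never prompt for a password; rely on keys / ssh-agent
#   ExitOnForwardFailure=yes  exit non-zero if the local port cannot be bound
#   ServerAlive*              notice a dead connection within ~90s so the loop can reconnect
build_tunnel_cmd() {
  bind="$1"; lport="$2"; rhost="$3"; rport="$4"; user="$5"; host="$6"
  printf 'ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -L %s:%s:%s:%s -l %s %s' \
    "$bind" "$lport" "$rhost" "$rport" "$user" "$host"
}

# Exit 0 (true) when binding the given local port requires root on Unix.
needs_root() {
  [ "$1" -lt 1024 ]
}

# Run the tunnel indefinitely, with exponential backoff between reconnects.
keep_tunnel() {
  if needs_root "$LOCAL_PORT" && [ "$(id -u)" -ne 0 ]; then
    echo "local port $LOCAL_PORT is privileged; run as root or choose a port >= 1024" >&2
    return 1
  fi
  delay=2
  while :; do
    cmd=$(build_tunnel_cmd "$BIND_ADDR" "$LOCAL_PORT" "$REMOTE_HOST" "$REMOTE_PORT" "$TUNNEL_USER" "$TUNNEL_HOST")
    # word-splitting $cmd is intended: every argument above is free of spaces
    if $cmd; then
      delay=2        # clean exit: reset the backoff
    else
      echo "tunnel exited with status $?; retrying in ${delay}s" >&2
    fi
    sleep "$delay"
    [ "$delay" -lt 60 ] && delay=$((delay * 2))
  done
}

# Only start the loop when invoked as: sh tunnel.sh run
if [ "${1:-}" = "run" ]; then
  keep_tunnel
fi
```

Run it as `sh tunnel.sh run` under whatever supervisor the box already has (an init script, cron `@reboot`, or a systemd unit), and load the key into `ssh-agent` beforehand, since `BatchMode=yes` makes ssh fail instead of asking for a password. Keeping the bind address on loopback means only processes on the local machine can use the forwarded port; if the forward really must be reachable from other hosts, bind it explicitly and put a firewall rule in front of it rather than relying on `-g`.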