Question concerning remote port-forwarding with SSH
I have difficulties to find out when I should use SSH remote port-forwarding e.g. ssh sshserver -R 7777:localhost:110 Notice the -R and instead of -L This would cause a data traffic (with the syntax: in-port:machine:out-port): MailClient(on remote):* -> 7777:SSHServer:* -> 22:SSHClient(on localhost):* -> 110:MailServer(on localhost) Are the following statement correct: - Use remote port-forwarding (-R) when the connection between SSH-Server and ApplicationServer (e.g.MailServer) should be encrypted - Use "normal" port-forwarding (-L) when the connection between App...

Prevent blocking remote port when setting up a SSH tunnel/SSH port forwarding?
Assume I create an SSH tunnel to a remote computer with ssh foobar@remcomp -L 20110:remcomp:110 then it seems to me that on the remote computer port 110 is blocked for other clients. Is this true? How can I prevent this exclusive locking? Peter pins1000@yahoo.com (Peter Insold) writes: > Assume I create an SSH tunnel to a remote computer with > > ssh foobar@remcomp -L 20110:remcomp:110 > > then it seems to me that on the remote computer port 110 is blocked for other > clients. Is this true? No. DES -- Dag-Erling Smørgrav - des@des.no...

To Port Forward or Not To Port Forward
System: DP MDD G4, OS 10.4.9 Inet connection: DSL with static i.p.,Broadcom Gateway to Linksys WRT54G Wireless Router using DHCP, 1 computer connected via enet, 3 connected wirelessly, basic home use only Wireless security is very basic: Unique router name and pw, SSID disabled, and connections allowed by MAC addresses only, Linksys firewall is enabled with all the other features set to their defaults, Mac OS firewall is disabled I recently purchased a Logitec QuickCam Pro 5000 webcam that works just fine with iChat right out of the box. Learning how to use it I found some Apple docs and ot...

remote/reverse port forward, ssh client setting source IPs to what ssh server reports
Note: most of this post is based on OpenSSH When I do a remote forward (port on server listens for incoming traffic, traffic gets forwarded to port that is listening on client), the source IPs of all the incoming connections in the server app on the client machine are 127.0.0.1/localhost. Using "-v", I can see that sshd passes the IP addresses of what computers connected to the sshd's port that forwards to the client. The client does not use/set the originating information when connect. RFC 4254 requires the server send the originating IP across the wire to the client. ------------------------------------------------------------------------------------------------------------------------- 7.2. TCP/IP Forwarding Channels When a connection comes to a port for which remote forwarding has been requested, a channel is opened to forward the port to the other side. byte SSH_MSG_CHANNEL_OPEN string "forwarded-tcpip" uint32 sender channel uint32 initial window size uint32 maximum packet size string address that was connected uint32 port that was connected ###string originator IP address########################################### uint32 originator port -------------------------------------------------------------------------------------------------------------------------- The 'originator IP address' is the numeric IP address of the machine from where the conn...

SSH Port Forwarding Question
I am having a problem using OpenSSH_3.8.1p1 Debian 1:3.8.1p1-4, OpenSSL 0.9.7d on the client and OpenSSH_3.7p1 for Solaris 7 on the server. I have port forwarded the default Oracle port from my local machine through a bastion host to my Oracle machine like so: ssh -L 1521:oracle_box:1521 username@bastion And all works fine at first. I am doing some load testing on an application and am trying to see how many instances I can run at one time. Each instance of the application initiates its own connection to the Oracle database through the SSH tunnel. This works great until I get to 25 hosts and then I start seeing this error on the console of the bastion host where I have ssh'd to: channel 53: open failed: administratively prohibited: open failed It appears there is some sort of hard limit that I have reached and I am wondering if this is something I can change on the client side, the server side, or whether it is hardcoded into either the server or client and I'm out of luck. I do not have the luxury of simply selecting another local port to forward because of the way the application is configured so I'd really like to be able to get at least 100 connections through per tunnel. I have tried this on 3 different Linux boxes, all with the same result. The per-process limit on concurrent open file descriptors for sshd on the server is probably set to 64; try increasing it. -- Richard Silverman res@qoxp.net ...

ssh remote port forwarding
Hello experts, I have a little problem using ssh and remote port forwarding. Here is the problem: I have one machine (A) behind a nat firewall that I'd like to be able to access from the outside via ssh. Unfortunately I have no control over the router, so no DMZing it. So I was thinking of sshing from machine A behind the firewall to a machine outside the nat (machine B) and using reverse port forwarding on that machine. Then I could ssh to machine B and that would then forward the connection to A. so far I run this on A: sudo ssh -g -N -R 2222:127.0.0.1:22 machineBusername@machineB.something then running the following in the outside world: ssh -p 2222 machineAusername@machineB.something yields a time out. I'm a bit confused on how to get this to work. Is what I want to do pricipally possible and if so, what can I do to make it work? Regards, Sven. -- s v e n (dot) d (dot) m e i e r (at) g m x (dot) n e t In article <e0s4cl$dua$1@dennis.cc.strath.ac.uk> Sven <no@spam.com> writes: > >I have a little problem using ssh and remote port forwarding. Here is >the problem: I have one machine (A) behind a nat firewall that I'd like >to be able to access from the outside via ssh. Unfortunately I have no >control over the router, so no DMZing it. > >So I was thinking of sshing from machine A behind the firewall to a >machine outside the nat (machine B) and using reverse ...

port forwarding with ssh on linux
Hey all. I'm sort of a linux and ssh newbie. I've been using anonymizer.com's secure tunneling service on windows. On windows I use the teraterm pro ssh client. But I'm having trouble getting port forwaring to work on linux. Here's what I'm doing: $ ssh -l username -p 22 -L 80:cyberpass.net:80 cyberpass.net $ [ prompt for password ] [ enter password ] I'm logged in with the greeting message. Ok, now with mozilla I have manually configured the http proxy field to listen to localhost on port 80. Now when I go surfing I'm able to download from the web perfectly. Except that the traffic doesn't seem to be going through the remote server. It seems that the requests to web pages are being made directly with my ip address. Now if I kill the ssh process I'll get an error in my browser and am not able to download anything(until I change the mozilla configuration to work without a proxy). This is strange, it seems it's using the ssh client in one way, but not fully in the way that it's supposed to. Apache and an sshd process start by default on my Suse system so I kill them before I login to the remote ssh server. I've also deactived my Suse personal firewall. It still doesn't work right. I've also tried doing it as root and regular user. I'm using Suse 7.3 if that matters. Any help appreciated. -ed Try using the -D portnumber option to do dynamic port forwarding emulating Socks proxy. The...

ssh port forwarding questions
Folks, I am trying to setup X11 base working environment on my macbook (at home). What I am trying to do is to login to my work unix machine, run commands, bring up GUI's (on my macbook). I was told that SSH port forwarding is best for this. (I am unix VNC, and it works great, but problem is I end up using mouse lot; cant' easily switch between windows on KDE..and on mac I can use all shortcuts to navigate faster). So here is what I have: work machine: name.company.com (I use hostname to find out; not sure how to get ip or full name, I am just assuming that domain is comp...

SSH port forwarding/tunneling question
Before I waste a lot of time trying, I'm wondering if what I want is even possible. I want to connect via TightVNC from my home Linux system to my Win2k system at work. Unfortunately my work system is behind a firewall which filters out incoming ssh, so running an ssh server on the Win2k system at work won't fly. So my question is, is it possible to set up an ssh connection from a client machine (Win2k) to a server machine (my Linux box), then run VNC over it with the ssh client being the VNC server, and the ssh server being the VNC client? I'm hoping I can just set up a putty ...

SSH Port Forwarding Question #2
I would like to create a large amount of local port forward ports to another host. When setting them up on 1 putty session I get an error at about the 42nd tunnel port that I have too many. This is before I even try to connect to the server. Due to new policies I need to set up tunnel sessions through 1 gateway to up to 312 different ip/ports on the other side. NOT at one time though. I want my users to be able to ssh 1 time to the gateway and use a Procomm Directory to telnet to a max of 25 sessions at one time. But these 25 sessions could be any combination of the 312 available sessions. Is there any way to increase the available local port fwd sessions on one Putty session? Can you point me to any documentation to allow me to increase this limit? Is there another alternative? Example use SSH from windows to UNIX gateway On windows computer telnet to localhost 13000 - 13499 individually up to 25 consecutive. Putty sets tunnel L13000=192.x.x.001:23 - L13499=10.x.x.250:23 each local port being a separate server that can only be accessed from the unix gateway. "csharpe3@gmail.com" <csharpe3@gmail.com> writes: > I would like to create a large amount of local port forward ports to > another host. When setting them up on 1 putty session I get an error > at about the 42nd tunnel port that I have too many. > > This is before I even try to connect to the server. > > Due to new policies I need to set up tunnel sessions through...

SSH port forwarding in OS X
Whenever I have to take the WinXP laptop away from the office I use TerraTerm SSH to set up an SSH tunnel back to our mail machine and also tell it to forward port 25 on localhost to 25 on the mail machine. This allows me to send mail via our mail server without being limited to only sending within the company (otherwise it won't send mail offsite when I am remote). Then all I do in addition is tell Eudora to use localhost as the mail server. Is there a way I can do the same under OS X? Thanks, In article <tim.streater-BEBB5C.11230424052004@individual.net>, Tim Streater <...

What is the difference between local port forwarding (-L) and remote port forwarding (-R)
Hi! I need to do an SSH tunnel to encrypt the data sent between an agent and a the server. I'm able to establish a tunnel but there's something that I can't understand... What is the difference between the bit -L and the bit -R. I've read the man of SSH on Fedora. It's seems to be simple but in practice, I don't understand. Can somebody help me on this subject? Thanks a lot! Yann > What is the difference between the bit -L and the bit -R. -L forwards a port from the client to the server. -R forwards a port from the server to the client. -- To reply by email, replace "deadspam.com" by "alumni.utexas.net" In article <d73d6e32.0404262310.5dd662ed@posting.google.com>, Yann Laviolette <yann_laviolette@gnome.org> wrote: >What is the difference between the bit -L and the bit -R. I've read >the man of SSH on Fedora. It's seems to be simple but in practice, I >don't understand. Example: "ssh -L 2000:1.2.3.4:2000 server" is a "local" forward and will listen on the client (ie the machine you ssh'ed from) on port 2000. If something connects to the client on port 2000, a "channel" will be opened inside the SSH connection and the server will connect to 1.2.3.4 on port 2000. Any data sent or received will be forwarded over this channel. In contrast, "ssh -R 2000:1.2.3.4:2000 server" is a "remote" forward, which will cause the *server* to listen o...

SSH from Windows to Linux w/port forwarding.
I have a Linux Server (Debian Sarge) behind a firewall that I need to tunnel into and forward ports from. I can orward all the ports I need from my laptop (Windows XP SP2) if I use either putty or Tunnelier from bitvise. I've been attempting to tunnel from OpenSSH on Cygwin but without much success. I can forward the RemoteDesktop port but not the others. Here is the command I use to start ssh and create the tunnel from xterm on Cygwin: $ ssh -F ~/.ssh/home_ssh_config myserver.dyndns.org -N -f -v Below are the contents of the above mentioned ssh config file: LogLevel DEBUG3 Host myserver.dyndns.org HostName myserver.dyndns.org GatewayPorts no TCPKeepAlive yes Compression no # This one works LocalForward 3390 myserver.dyndns.org:3389 #MS Windows Remote Desktop # These don't. Why? LocalForward 19150 myserver.dyndns.org:19150 #Gkrellm LocalForward 9000 myserver.dyndns.org:9000 #Slimserver Web Interface LocalForward 3483 myserver.dyndns.org:3483 #Slimserver SB Interface LocalForward 80 myserver.dyndns.org:80 #Local Apache Server (Please note that my server is not actually named myserver.dyndns.org) The debug output shows that ssh is listening and forwarding ports but the clients for the respective services just time-out. As I can succesfully forward ports with Putty and Tunnelier I'm assuming that there is a problem with Cygwin. Thanks in advance, R. Owen. > # This one works > LocalForward 3390 myser...

Port forwarding to a remote host AND local processing on redhat linux
I use kernel 2.4.x. My requirement is to do port forwarding to a remote host AND to process these packets locally. I tried using iptables for port forwarding. It works. But I can't process these packets locally as well i.e. I need to pass these packets to a local application for further processing in addition to remote host forwarding. Any other tips other than using iptables? Thanks for the help. ceek63@yahoo.com wrote: > I use kernel 2.4.x. > My requirement is to do port forwarding to a remote host AND to process > these packets locally. http://www.iptables.org/documentat...

ssh port forward
Hi, Im trying to set up ssh local port forward. But I dont know the ports to connect to on the remote machine beforehand. Is it possible to setup forward for a range of ports? thanks rc You can specify multiple ports to forward on the command line, or establish a VPN if you have the need for UDP. See: http://www.securitybulletins.com/mediawiki/index.php/SSH_Tunnelling for info on both types. Doug On 21 Nov 2006 15:57:54 -0800 chandranramesh@gmail.com wrote: > Hi, > > Im trying to set up ssh local port forward. > But I dont know the ports to connect to on the remote machine > beforehand. > > Is it possible to setup forward for a range of ports? -- For UNIX, Linux and security articles visit http://SecurityBulletins.com/ In article <1164153474.108673.130230@b28g2000cwb.googlegroups.com> chandranramesh@gmail.com writes: > >Im trying to set up ssh local port forward. >But I dont know the ports to connect to on the remote machine >beforehand. You could perhaps use OpenSSH's "dynamic" port forwarding, i.e. SOCKS - see the -D option. >Is it possible to setup forward for a range of ports? Not as such (with OpenSSH), though (with OpenSSH) you can AFAIK give any number of -L options - i.e. a range is just a matter of giving one -L option for every port in the range. A bit verbose, but the end result would be the same - ssh (any flavour) would need to open a separate socket for every port in the range, the...

[OT] Linux, IPTables, port forwarding, PPTP, and Terminal Services question
I'm trying to run Terminal Services via the Internet but am not having any luck. Here's my setup: My T1 connects to a Netgear FVS318 ProSafe VPN Firewall. TCP Port 1723 (PPTP) is forwarded to the red zone of my Shorewall/IPTables/Linux server. From there, port 1723 is DNATed to the W2K server in the green zone running remote access. I'm doing the same thing with TCP Port 3389 for Terminal Services. No luck with either. Is there a limitation on the number of hops from the Internet to the Terminal Services/Remote Access server? Outbound is fine. I maintain a ...

Port Forwarding and Multiple SSH Servers
Behind my firewall I have several SSH servers that I connect to with something like: ssh -p xx user@firewall_IP_address and then the firewall forwards it to the correct server, generally running some version of Linux. The problem is this error message: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx. Please contact your system administrator. Add correct host key in /home/user/.ssh/known_hosts to get rid of this message. Offending key in /home/user/.ssh/known_hosts:19 Password authentication is disabled to avoid man-in-the-middle attacks. Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks. X11 forwarding is disabled to avoid man-in-the-middle attacks. Permission denied (publickey,password,keyboard-interactive). On the client system $HOME/.ssh/config I've put : Host firewall_IP_address StrictHostkeyChecking no but I still get the error message. My workaound is to remove the key in known_hosts and then connect but I need to find a better solution. Is there one? The client is cygwin running on WinXP. Thanks...

remote host access on a remote forwarded port
Hi, I tried to connect my home lan to my office. So I want to use VNC in order to forward only one port. Because of the firewall of my office(I don't manage), I want to create a tunnel by this way : LAN(OFFICE)->OFFICE_FIREWALL->(INTERNET)->HOME_FIREWALL->LAN(HOME) to be able to use VNC by this way : VNCClient(HOME)->(tunnel)->VNCServer(OFFICE) I use port 443 to bypass the firewall of my office. So I use the commands : OFFICE: ssh -g -R 5900:VNCServer:5900 -p 443 HOME_FIREWALL HOME: vncclient HOME_FIREWALL But it looks like if the -g option doesn't work with -R option ? Is that true ? Thanks in advance ! Regards PS : sorry for my english ! :) ...

Ports for DB2 behind firewall / ssh port forward
hi newsgroup, I'd like to connect to a remote DB2 Database V 8.2 using the "DB2 Steuerzentrale" (I guess it's called something like "DB2 management console" in the English version). Since the database host is behind a firewall I tried to communicate through ssh port forwarding. Therefore, I run: ssh -L 6789:remotename:6789 -L 50000:remotename:50000 -L 50001:remotename:50001 -L 523:remotename:523 remotename Though the ssh connection is established, my "DB2 Steuerzentrale" won't connect to localhost successfully and shows an error num...

port tunneling over ssh (not port-forwarding in the traditional sense)
Does anybody know of a way to do port forwarding over ssh not using the standard ssh functionality, but rather by running a utility on the server and using a special client that forwards data through the terminal session. I think PPP and slirp would do the job, but I would prefer to have a standalone client that exists solely to forward one (or several) ports, rather than acting as my main network connection. > Does anybody know of a way to do port forwarding over ssh not using the > standard ssh functionality, but rather by running a utility on the server > and using a spe...

Warning: remote port forwarding failed for listen port 4043
I have a script that does a port forwarding for me: ssh -n -R localhost:4043:localhost:22 remoteserver.example.com The problem with this is that if port forwarding fails, ssh prints Warning: remote port forwarding failed for listen port 4043 But it STAYS CONNECTED instead of properly failing with exit code. So it is a MAJOR pain to detect this condition and kill ssh. How can I change is so that, when report port forwarding cannot be accomplished, ssh exits right away? I think that it is a bug, period. thanks i >>>>> "Ignoramus3694" == Ignoramus3694 <ignoramus3694@NOSPAM.3694.invalid> writes: Ignoramus3694> I have a script that does a port forwarding for me: ssh Ignoramus3694> -n -R localhost:4043:localhost:22 Ignoramus3694> remoteserver.example.com Ignoramus3694> The problem with this is that if port forwarding fails, Ignoramus3694> ssh prints Ignoramus3694> Warning: remote port forwarding failed for listen port Ignoramus3694> 4043 Ignoramus3694> But it STAYS CONNECTED instead of properly failing with Ignoramus3694> exit code. Ignoramus3694> So it is a MAJOR pain to detect this condition and kill Ignoramus3694> ssh. Ignoramus3694> How can I change is so that, when report port Ignoramus3694> forwarding cannot be accomplished, ssh exits right Ignoramus3694> away? Reading the documentation [ssh_config(5)]: ExitOnForwardFai...

launching a kernel on a remote linux machine through ssh from a linux machine
Greetings: I am trying to launch a kernel on a faster linux machine (call it "fast.here.com", IP address "5.5.5.5") and connect it to my local front end (on "lamo.here.com", IP address "7.7.7.7"). Both run Mathematica 5.0.1.0 on Fedora Linux (3 and 2, respectively). The connection goes through ssh. On the front end on lamo.here.com I now try to add a kernel with "Kernel Configuration Options...". If I select as the remote machine the same as my local machine "lamo.here.com", everything works fine. I know I could do this without going through TCP/IP, but just for checking it out: Arguments passed to MLOpen: -LinkMode Listen -LinkProtocol TCPIP String passed to shell to launch kernel: ssh lamo.here.com "math -mathlink -LinkMode Connect -LinkProtocol TCPIP -LinkName `linkname`" Choosing this to be the notebook's kernel, once I execute the first calculation it pops up a box saying "Link created on 35945@7.7.7.7,35946@7.7.7.7", then asks for the password for lamo.here.com, and everything works fine; I can run calculations as usual. The problem appears when I change the above string to ssh fast.here.com "math -mathlink -LinkMode Connect -LinkProtocol TCPIP -LinkName `linkname`" (note that only the computer name has changed). When I do the first calculation, I still get a box saying "Link created on 35950@7.7.7.7,35951@7.7.7...

some question about port forwarding(?)
Hi i got a problem with somewhat port forwarding(?). here's my situation i'm in newtwork controled by some firewall. and it blocked all connection to server A(xxx.xxx.xxx.xxx) but i wanna connect server A, so i use ssh tunneling with my server B(yyy.yyy.yyy.yyy) in outside of that network assume the port is 80, then it shows localhost:80 <-> B:80 <-> A:80 so i can connect A:80, using localhost:80 but this is only possible, when i can change servername A(xxx.xxx.xxx.xxx) -> localhost i mean, if servername A is just builtin thing in some application and ...

Port forwarding question
Are there any tools out there that will do the following? In a nutshell, I would like one process that would listen on two ports on one machine, and one that would initiate a connection on two ports on another machine, allowing a server application to be on machine that initiates a connection to the client machine. I know this is not very clear, so hear is an example: On a webserver, I would run this tool to initiate a connection to port 80 on localhost, and initate another connection to port 777 on a client machine. On the client machine, I would run the tool to listen to port 777, as well as port 80. Then, when I navigate to http://locahost on the client machine, I get a page from the webserver, but the WEBSERVER MACHINE is the one who initiated the TCP/IP connection. I don't think this tool would be that difficult to make, but I figure something like this is already out there? Thanks Dave Spam Tester wrote: > Are there any tools out there that will do the following? In a nutshell, I > would like one process that would listen on two ports on one machine, and > one that would initiate a connection on two ports on another machine, > allowing a server application to be on machine that initiates a connection > to the client machine. I know this is not very clear, so hear is an example: Hi, this is known as "port forwarding" (look at http://en.wikipedia.org/wiki/Port_forwarding). Depending on which platfor...