remote/reverse port forward, ssh client setting source IPs to what ssh server reports

Note: most of this post is based on OpenSSH

When I do a remote forward (a port on the server listens for incoming
traffic, and that traffic gets forwarded to a port that is listening on the client),
the source IPs of all the incoming connections seen by the server app on
the client machine are 127.0.0.1/localhost. Using "-v", I can see that
sshd passes the IP addresses of the computers that connected to sshd's
forwarding port to the client. The client does not use/set the
originating information when connecting. RFC 4254 requires that the server
send the originating IP across the wire to the client:
-------------------------------------------------------------------------------------------------------------------------
7.2. TCP/IP Forwarding Channels

   When a connection comes to a port for which remote forwarding has
   been requested, a channel is opened to forward the port to the other
   side.

      byte      SSH_MSG_CHANNEL_OPEN
      string    "forwarded-tcpip"
      uint32    sender channel
      uint32    initial window size
      uint32    maximum packet size
      string    address that was connected
      uint32    port that was connected
      string    originator IP address        <-- emphasis in original post
      uint32    originator port
--------------------------------------------------------------------------------------------------------------------------
   The 'originator IP address' is the numeric IP address of the machine
   from where the connection request originates, and the 'originator
   port' is the port on the host from where the connection originated.
--------------------------------------------------------------------------------------------------------------------------

From the -v output of ssh, the ssh client does know the originator IP and port, but
the server app on the computer with the ssh client will never see it:

--------------------------------------------------------------------------------------------------------------------------
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 6 win 131072 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 80, originator 81.910.872.450 port 50454
debug1: channel 7: new [81.910.872.450]
debug1: confirm forwarded-tcpip
debug1: channel 7: connected
debug1: channel 7: free: 81.910.872.450, nchannels 11
--------------------------------------------------------------------------------------------------------------------------


The fact that all incoming connections to the server app running on the
client appear to come from 127.0.0.1/localhost causes severe problems. Any security
scheme relying on looking at the IPs of the incoming connections to
the server app is now useless. For example, if the server app is a
webserver, it can't record the IPs of customers who buy something in
an online store.

My question is, are there any ssh clients, FOSS or commercial, that
will set the source IP addresses to what the ssh server reports?
Either through being a VPN, emulating a NIC/network interface,
playing with raw sockets/socket options, or something else? For the
FOSS community, this is kind of a feature request.

I also dug around in the source of OpenSSH. The "connect_to" function in
channels.c is what I think creates the connection on the ssh client to
the destination in a remote forward. It uses Berkeley Sockets. Perhaps
there should be an option to use raw sockets and spoof the source IP to
what the ssh server passed to the ssh client, or set
"ip_nonlocal_bind" with sysctl on Linux, or do whatever it takes to
have an arbitrary IP address bind on a particular OS (not portable, I
know), and then do a bind with the source IP from the ssh server on
the socket before doing the connect. Then the OpenSSH client would be
reporting the correct source IP to the server app. Note, adding the
feature to "connect_to" would also require editing the
"channel_connect_by_listen_address" function in channels.c to forward
the originating IP, I think. I am not an expert in programming or POSIX
OSes, so my implementation theories might be faulty.

I'm sure it will be asked, "why not use real layer 2 or 3 VPN
software?". I'm dealing with a grandfathered network router/firewall
that is a PC that runs FreeBSD. It can't be formatted or removed, and
root cannot be obtained since it belongs to the ISP/Service
Integrator/IT support company and doing any of that violates the
contract, but I am legitimately allowed to access the shell for
dealing with logs and to use their configuration scripts. The server came
with OpenSSH installed on it; I didn't install it, and no limits were
put on me running any existing tool that my account has permissions to
run. OpenSSH would be the only way to run a server and meet demands
from users to run non-HTTP traffic over that internet connection (the box
allows web browsing through an HTTP proxy on it (no HTTPS) and
direct TCP/IP connections only to some intranet software ports at hard
coded static IPs). The Service Integrator/IT support company argues
that they won't allow anything else because our support contract
doesn't cover supporting anything else, and getting the support contract
changed is impossible. OpenSSH is a contract-friendly way around the
problem and the only way I can think of.
bulk88 (13)
2/26/2008 6:18:56 PM
comp.security.ssh
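The channel-open message quoted in the post, as an added example that is not part of the original post or of OpenSSH: Python that encodes the "forwarded-tcpip" SSH_MSG_CHANNEL_OPEN payload the way sshd would build it (RFC 4254 section 7.2 layout, message number 90 from section 5.1) and decodes it the way the ssh client does before it connects to the local server app. The addresses and ports in the sample are constructed. The decoder enforces the two things a careful client should: the payload must be exactly as long as the fields say, and the originator address must be numeric, which is what the RFC requires of that field (the post's redacted "81.910.872.450" is rejected on that ground).

```python
"""Encode/decode the RFC 4254 7.2 "forwarded-tcpip" SSH_MSG_CHANNEL_OPEN payload.

Added example, not OpenSSH code. Wire types follow RFC 4251: uint32 is
big-endian, string is a uint32 length followed by that many bytes.
"""
import ipaddress
import struct
from dataclasses import dataclass

SSH_MSG_CHANNEL_OPEN = 90  # RFC 4254 section 5.1


def _put_uint32(n: int) -> bytes:
    return struct.pack(">I", n)


def _put_string(s: bytes) -> bytes:
    return _put_uint32(len(s)) + s


def _get_uint32(buf: bytes, off: int) -> tuple[int, int]:
    if off + 4 > len(buf):
        raise ValueError("truncated uint32 at offset %d" % off)
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _get_string(buf: bytes, off: int) -> tuple[bytes, int]:
    n, off = _get_uint32(buf, off)
    if off + n > len(buf):
        raise ValueError("string length %d runs past end of payload" % n)
    return buf[off:off + n], off + n


@dataclass(frozen=True)
class ForwardedTcpipOpen:
    sender_channel: int
    initial_window: int
    max_packet: int
    connected_address: str   # the listen address on the sshd side, e.g. "localhost"
    connected_port: int      # the remotely forwarded port, e.g. 80
    originator_address: str  # numeric IP of the host that connected to sshd
    originator_port: int


def build_forwarded_tcpip_open(msg: ForwardedTcpipOpen) -> bytes:
    """What sshd emits when a connection arrives at a remotely forwarded port."""
    return (bytes([SSH_MSG_CHANNEL_OPEN])
            + _put_string(b"forwarded-tcpip")
            + _put_uint32(msg.sender_channel)
            + _put_uint32(msg.initial_window)
            + _put_uint32(msg.max_packet)
            + _put_string(msg.connected_address.encode("ascii"))
            + _put_uint32(msg.connected_port)
            + _put_string(msg.originator_address.encode("ascii"))
            + _put_uint32(msg.originator_port))


def parse_forwarded_tcpip_open(payload: bytes) -> ForwardedTcpipOpen:
    """What the ssh client decodes (and logs at -v) before connecting locally.

    The originator fields come back here intact; the post's complaint is that
    the client then connects to the local server app without using them.
    """
    if not payload or payload[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not an SSH_MSG_CHANNEL_OPEN payload")
    off = 1
    ctype, off = _get_string(payload, off)
    if ctype != b"forwarded-tcpip":
        raise ValueError("unexpected channel type %r" % ctype)
    sender, off = _get_uint32(payload, off)
    window, off = _get_uint32(payload, off)
    maxpkt, off = _get_uint32(payload, off)
    caddr, off = _get_string(payload, off)
    cport, off = _get_uint32(payload, off)
    oaddr, off = _get_string(payload, off)
    oport, off = _get_uint32(payload, off)
    if off != len(payload):
        raise ValueError("%d trailing bytes after originator port" % (len(payload) - off))
    for p in (cport, oport):
        if not 0 <= p <= 65535:
            raise ValueError("port out of range: %d" % p)
    # RFC 4254: "the numeric IP address of the machine" -- reject hostnames
    # or garbage like 81.910.872.450 before anyone logs it as a client IP.
    originator = ipaddress.ip_address(oaddr.decode("ascii"))
    return ForwardedTcpipOpen(sender, window, maxpkt, caddr.decode("ascii"), cport,
                              str(originator), oport)


if __name__ == "__main__":
    # Constructed sample: connection from 198.51.100.7:50454 to a remote
    # forward listening on localhost:80, sshd-side channel number 6.
    sample = ForwardedTcpipOpen(6, 131072, 32768, "localhost", 80, "198.51.100.7", 50454)
    raw = build_forwarded_tcpip_open(sample)
    print(raw.hex())
    print(parse_forwarded_tcpip_open(raw))
```

The round trip shows that the originator address and port survive the wire exactly as the RFC lays them out; nothing in the protocol loses them. The loss happens one step later, when the client opens a plain TCP connection to the local server app and the kernel stamps it with the loopback source address.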


On 26 Feb, 18:18, bul...@hotmail.com wrote:
> Note: most of this post is based on OpenSSH
>
> When I do a remote forward (port on server listens for incoming
> traffic, traffic gets forwarded to port that is listening on client),
> the source IPs of all the incoming connections in the server app on
> the client machine are 127.0.0.1/localhost. Using "-v", I can see that
> sshd passes the IP addresses of what computers connected to the sshd's
> port that forwards to the client. The client does not use/set the
> originating information when connecting. RFC 4254 requires that the server
> send the originating IP across the wire to the client.

??? I'm looking through the RFC at http://www.ietf.org/rfc/rfc4254.txt,
and I've got to tell you, I do not see what you seem to see. If the
SSH connection does *NOT* use the SSH server's own IP address, or
one of the addresses requested by the SSH client, I don't see how any
other network services could reach back through the port. The
"originating IP address" is useless to any other services which may
connect to that local port.

Or do I misunderstand your point?
nkadel (705)
2/28/2008 6:42:16 PM
