Member
How is SSH tunneling set up on OS X?
quote |
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
I take it you started this thread because of my post in your other thread? Was the link I posted to my tutorial not enough?
SSH tunneling is a facility of your SSH client, not of the operating system. Neither Mac OS X nor any other system has any default rules or such set up to tunnel things through SSH. This is because you have to first establish an SSH connection to another computer before you can pipe to it. Maybe I can make it a little clearer in case the walkthrough wasn't enough.

----------

Computer A is the server. It has lots of cool services.

Computer B is the client. It wants to connect securely to Computer A to do stuff like VNC so all of the data being transmitted and received will be encrypted.

Computer A must be running an SSH server. Computer B needs an SSH client.

Computer B connects to Computer A over SSH with arguments similar to this:

Code:
ssh -L 1234:127.0.0.1:5678 -C username@host

When a service on Computer B tries to communicate with localhost's port 1234, it'll actually get passed through SSH to host's port 5678.

Computer B closes its SSH connection to Computer A. Now, any services trying to communicate on the ports that were being forwarded will be going to localhost and will probably get confused and disconnect.

----------

Does that help?

The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting.
quote |
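What the -L listener in Brad's walkthrough actually does, as an added example that is not part of the original post: a small Python stand-in for the client half of "ssh -L 1234:127.0.0.1:5678". It listens on localhost and relays each accepted connection to the destination, which is the path a VNC client's bytes take. Real ssh additionally carries the relayed bytes inside the encrypted session and has the remote sshd make the final connection to host:hostport; this toy skips the encryption so it runs offline. The echo service standing in for the remote service, the port numbers (0 means any free port) and the payload are constructed for the demonstration.

```python
"""Client half of `ssh -L`, without the SSH part.

Added example, not code from the original post. For a spec such as
1234:127.0.0.1:5678 the ssh client opens a listener on localhost:1234 and
relays every accepted connection to 127.0.0.1:5678. This toy does the same
relay in the clear; the real client sends the bytes down the encrypted session
and the remote sshd makes the connection to host:hostport.
"""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # pass EOF along so the far end finishes too
        except OSError:
            pass


def start_local_forward(local_port: int, host: str, hostport: int,
                        bind_address: str = "127.0.0.1") -> socket.socket:
    """Listen on bind_address:local_port and relay each client to host:hostport.

    Returns the listening socket; local_port=0 lets the kernel pick a free port
    (getsockname() tells you which). bind() raises the same
    "Address already in use" that ssh reports when the port is taken.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((bind_address, local_port))
    listener.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                client, _ = listener.accept()
            except OSError:                      # listener closed: tunnel torn down
                return
            try:
                upstream = socket.create_connection((host, hostport), timeout=5)
            except OSError:                      # ssh logs "connect failed" and drops only this channel
                client.close()
                continue
            upstream.settimeout(None)            # connect timeout only; relay stays open while idle
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


def stop_listener(listener: socket.socket) -> None:
    """Tear a listener down; shutdown() wakes a thread blocked in accept()."""
    try:
        listener.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    listener.close()


def start_echo_server() -> socket.socket:
    """Constructed stand-in for the remote service (think VNC on 5900): echoes input."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def round_trip(payload: bytes) -> bytes:
    """Send payload to the local forward port and return what the 'remote' service answers."""
    remote = start_echo_server()
    hostport = remote.getsockname()[1]
    fwd = start_local_forward(0, "127.0.0.1", hostport)
    local_port = fwd.getsockname()[1]
    try:
        # The application only ever talks to localhost:local_port, just like a
        # VNC client pointed at localhost:1234 in the post above.
        with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            reply = b""
            while chunk := c.recv(4096):
                reply += chunk
        return reply
    finally:
        stop_listener(fwd)
        stop_listener(remote)


if __name__ == "__main__":
    print(round_trip(b"hello through the tunnel"))
```

Once the listener is closed the relay is gone, which is the "closes its SSH connection ... services will probably get confused and disconnect" step in the post: the application is still pointed at localhost, but nothing answers there any more.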
Lord of the Rant.
Formerly turtle2472 Join Date: Mar 2005
Location: Upstate South Carolina
Super bump! This seemed to be the best place to get some tutorial help.
I was trying to learn about SSH tunneling and I'm having a challenge getting it working on my local server. Brad, since Project-Think is gone I can't read your original articles but would like to.

What I'm trying to do is connect to my home server, which is a Linux box running SME Server. I'm trying to be able to do command line stuff so I can eventually remove the monitor and keyboard from the box and just let it run. So my only real goal is to log in as root in secure shell to allow me to run those modifications. I don't think I'll need remote access, since I can VPN via PPTP to the server and then do the SSH as though I'm on the local network. For the most part, all modifications would be done using one of my Macs, though it is possible I'd need PC access at some point.

So I saw an article that said I should open Terminal and type:

Code:
sudo ssh -L local port number:hostname

In this case it would be:

Code:
sudo ssh -L 22:192.168.4.1

Right?

Louis L'Amour, "To make democracy work, we must be a nation of participants, not simply observers. One who does not vote has no right to complain." Visit our archived Minecraft world! | Maybe someday I'll proof read, until then deal with it.
quote |
@kk@pennytucker.social
Join Date: Jan 2005
I just learned how to do ssh last week. I needed it to set up VNC securely.
There are directions on how to do that in this thread. Majost and Brad helped me out a lot. I don't know about the command-line stuff, but setting up ssh is pretty simple now that I know how to do it.
quote |
Lord of the Rant.
Formerly turtle2472 Join Date: Mar 2005
Location: Upstate South Carolina
That thread does help, but then it brings up the question of which is better? SSH or PPTP VPN? When I'm on my local network there really isn't an issue. Unless I want to be paranoid about my WiFi connection and it being sniffed.
At least I have been able to bring up Lenny in Terminal. (Lenny is the name of my Linux server, I'm so original I know.) So for now I know how to connect to my server via VPN and then once connected it is as though I'm local to the machine. For my Terminal command I used "ssh root@192.168.4.1" and then entered my password and it brought up my "root@lenny" prompt.

So then if I VPN into my server I would be encrypted and can connect to the server without issue. But if I'm going to be modifying command line stuff and have to SSH into the server anyway, would it be better to straight SSH into the server? Seems like this would leave more open doors than I want. Seems to me the best option is to keep as many ports shut as possible. So the server is set to only allow connections from local network systems. Is a VPN connection my best option?
quote |
is the next Chiquita
Join Date: Feb 2005
I found myself needing an SSH/VPN configuration, so I went ahead and set it up using Brad's instructions, some exotic installation from Cygwin (is there supposed to be an unwritten rule stipulating that any *nix implementation must be a pain in the ass to set up?), and RealVNC. It worked great.

Except for two small things. 1) My Windows box has a small monitor. 2) I imagine that the Internet is straining under the heavy stress of my iMac blitting the 1680x1050 screen every second. Is there a way to help lighten the load, perhaps by limiting the size of what can be viewed, or something? I suppose I could lower the resolution, but would prefer to pursue other options if possible. AFAIK, RealVNC doesn't use any encryption (it won't let me, but that's okay, as I presume SSH does all the work anyway), and I remembered there was an option to allow for faster blitting, but can't find it.
quote |
is the next Chiquita
Join Date: Feb 2005
Another question-
This article, which I stumbled upon while searching for something else, claims that SSH, with a host key, can protect against man-in-the-middle attacks. This came as a surprise to me, as I've assumed that there was absolutely no way to prevent such attacks, because the Internet is fundamentally designed in a way that intermediaries are needed to complete the connection. I can't imagine any way to prevent people from sniffing packets in between short of rolling out your own Ethernet line from the client to the server and securing the line so it doesn't get tapped into. Can anyone explain to me how such security can actually even be possible? (Of course, we already know that there is no such thing as a "totally secure system", but let's keep this in the practical realm.)
quote |
is the next Chiquita
Join Date: Feb 2005
Well, if anyone's interested, there's some stuff that could use tweaking if you want extra security:
Quote:
To clarify the bit about "Protocol 2": the default is "Protocol 2, 1", but SSH-1 is not as secure; by removing the 1, you are mandating connection by the SSH-2 protocol and refusing to connect using protocol 1. Also, I don't think there is an "AllowUsers" line by default, so I added it after the "PermitEmptyPasswords" line.
quote |
Lord of the Rant.
Formerly turtle2472 Join Date: Mar 2005
Location: Upstate South Carolina
|
Wow, that went over my head. I guess I don't understand enough about SSH yet.
quote |
is the next Chiquita
Join Date: Feb 2005
Sorry.
This is somewhat out of context, because this was a comment responding to an article about setting up an SSH server for Windows. Lemme see if I can try and explain it better....

sshd_config is a file located in /private/etc/. If you open that file with TextEdit, you can read it, and look for the parameters to modify... So the first thing you may find when you scan through that file is

Code:
#Protocol 2, 1

The above comment tells you that you should change it to

Code:
# remove the leading '#': a commented line leaves sshd on its default of "2,1"
Protocol 2

to force an SSH-2 connection and refuse any attempts to downgrade to the older and weaker SSH-1 connection. Scanning downward, you should find:

Code:
#ServerKeyBits 756

Replace the 756 with 2056 to increase the length of the key, making it stronger. Ditto with

Code:
#PermitRootLogin Yes

This is quite a surprise to me; I would have thought they knew better than to permit root login, so you definitely want to replace this with a "No" to prevent this. Finally, if you go to the line where it says

Code:
#PermitEmptyPasswords No

you would (and I'm not 100% positive here) add the following line:

Code:
# both uncommented so they take effect; the stock file spells yes/no in lowercase
PermitEmptyPasswords no
AllowUsers MyUserName

Did that clarify?
quote |
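An added check that is not from the thread: a Python audit of the settings just discussed, run over two constructed sshd_config fragments. It reproduces two sshd parsing rules worth knowing when editing the file: a line that starts with '#' is a comment (the stock file lists defaults that way, so leaving the '#' in front of "PermitRootLogin no" changes nothing), and when a keyword appears more than once the first value sshd reads is the one that counts. The defaults it assumes (Protocol 2,1, PermitRootLogin yes, PermitEmptyPasswords no) are the OpenSSH defaults of the period. ServerKeyBits is not checked: it sizes the SSH-1 server key only, which stops mattering once Protocol 2 is enforced.

```python
"""Audit the sshd_config settings discussed above.

Added example, not code from the post. Mirrors two sshd parsing rules: a line
whose first non-blank character is '#' is a comment, and for any keyword the
first value read is the one that applies (later duplicates are ignored).
Defaults assumed below (Protocol 2,1 / PermitRootLogin yes /
PermitEmptyPasswords no) are the OpenSSH defaults of the era; only the
keywords raised in the thread are checked.
"""
from __future__ import annotations


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return keyword -> effective value. Keywords are case-insensitive."""
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                         # comment or blank line: no effect at all
        parts = line.split(None, 1)          # "Keyword value..."
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        effective.setdefault(key, value)     # first occurrence wins, as in sshd
    return effective


def audit(text: str) -> list[str]:
    """Return findings for the settings discussed in the thread; [] means all good."""
    cfg = parse_sshd_config(text)
    findings: list[str] = []

    protocol = cfg.get("protocol", "2,1").replace(" ", "")
    if "1" in protocol.split(","):
        findings.append("Protocol still permits SSH-1; set 'Protocol 2'")

    if cfg.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no'; log in as a normal user and use sudo or su")

    if cfg.get("permitemptypasswords", "no").lower() != "no":
        findings.append("PermitEmptyPasswords is 'yes'")

    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("No AllowUsers/AllowGroups line: any local account may log in")

    return findings


# Constructed sample 1: the edits from the post, but with the '#' left in place.
# Every line is a comment, so sshd keeps its defaults and the edits do nothing.
STILL_COMMENTED = """\
#Protocol 2
#ServerKeyBits 2056
#PermitRootLogin no
#PermitEmptyPasswords no
#AllowUsers MyUserName
"""

# Constructed sample 2: the same intent with the '#' removed. The duplicate
# PermitRootLogin at the end is ignored by sshd: the first value wins.
HARDENED = """\
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
AllowUsers MyUserName
PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, sample in (("still commented", STILL_COMMENTED), ("hardened", HARDENED)):
        print(f"{name}: {audit(sample) or 'OK'}")
```

After editing the real file, "sshd -t" checks it for syntax errors before you restart the daemon, and with AllowUsers in place it is worth keeping one working session open while you test a fresh login, so a typo in the user name cannot lock you out.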
Lord of the Rant.
Formerly turtle2472 Join Date: Mar 2005
Location: Upstate South Carolina
It certainly does help me out. My only question about this, though, is if I'm logging into my Linux server to make command line changes wouldn't I need root access to do that? So disabling root there wouldn't work. This is great for me logging into my Mac Mini while on the road though, especially with Vine Server and client software. I'm guessing these mods were specifically for remote VNC connections, right?
quote |
hustlin
Join Date: May 2004
Quote:
Quote:
Anyway, remember, google is your friend, and the same goes for man pages. This stuff is largely the same on your macs, too. |
quote |
is the next Chiquita
Join Date: Feb 2005
All right. While my SSH'ing to the Mac works well, I am having difficulty doing the reverse.

I've set up the OpenSSH server for Windows as instructed. I know that the Cygwin sshd service is running, I've already assigned my computer a static private IP, and I've opened a hole in the firewall toward the computer. In my test, I was able to ssh from my Windows box to itself using the public IP. But when I'm on the Mac, I keep getting "ssh: connection to hostname timed out". I've tried adjusting my commands, as the instructions I've linked above and what Brad has instructed differ a bit, from using the host name to explicitly using an IP address, but nothing seems to work. I know that I can ping either the IP or the domain, but just... can't ssh in. What should be my next step in troubleshooting this?
quote |
is the next Chiquita
Join Date: Feb 2005
I wanted to use VNC, but seem to be unable to bind the port forwarding. I'm not sure how to diagnose the problem:
Code:
debug1: Local connections to LOCALHOST:5900 forwarded to remote address 127.0.0.1:5900
debug1: Local forwarding listening on ::1 port 5900.
bind: Address already in use
debug1: Local forwarding listening on 127.0.0.1 port 5900.
bind: Address already in use
channel_setup_fwd_listener: cannot listen to port: 5900
Could not request local forwarding.

My gut says it's something wrong with my iMac, not the remote Windoze computer, but I've verified that the software firewall is off. I tried to open port 5900 on both sides, just to make sure it wasn't in use, but it didn't take. Since I am initiating the connection, there should be no need to configure my local router, right? Any other place I should look?
quote |
is the next Chiquita
Join Date: Feb 2005
^
Still stumped. I've verified that there are no processes running on either machine that would use the port 5900. Anyone? |
quote |
is the next Chiquita
Join Date: Feb 2005
Aha! Now I have a clue. Looking at top and netstat -a, I figured out that there was an OSXvnc-server process running. I made sure that Vine Server wasn't running, and it wasn't Chicken of the VNC's, so I killed the process, but it just resurrects after a delay of 10 seconds. In that period, I was able to verify it was indeed using port 5900.
So, how do I kill this process for good? |
quote |
Travels via TARDIS
Join Date: Aug 2005
Location: Earthsea
If you're on Leopard, Screen Sharing provides a VNC service and is managed by launchd, so if you have Screen Sharing enabled, that could be the culprit as well. SSH is telling you that something on your computer is already using port 5900. However…
The local port (on your computer) and the remote port (on the server) need not be the same. I've used commands like this to access VNC servers that are behind a firewall that allows only SSH through: Code:
ssh -L 1202:thraddash.local:5900 -C pemarks@my.hostname.net

Then when I open "Screen Sharing.app," I connect to localhost:1202, which is forwarded to thraddash.local:5900 on the remote side. Note that the remote side destination can be a hostname, and need not be the same server to which you've connected via SSH. So if 5900 is in use on your local system, just pick another port and manually override the default port in whatever application you're using.

Does that help?

EDIT: also note there's nothing inherently wrong with your iMac because of this. It's perfectly normal for a VNC server to occupy port 5900, which simply necessitates you finding another (free) local port for forwarding purposes.

Apparently I call the cops when I see people litter.

Last edited by ShadowOfGed : 2008-05-27 at 20:19. Reason: Minor addition about something being "wrong with [his] iMac."
quote |
is the next Chiquita
Join Date: Feb 2005
Using Tiger here.
Actually, that was what I tried earlier, but 1) the remote is already set to 5900, so I can't change that, and it's not configurable from a console; 2) I tried it but got an error. Can't remember what it was, but at least I got it to work (by fudging: I used that delay to kill the VNC server and log in before it resurrects; probably not the wisest, but I was tired and just wanted it out of the way).

To be clear, I didn't want any VNC server running. Or are you saying it's built in?
quote |
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
Quote:
Example: Quote:
In ShadowOfGed's example, he's mapping local port 1202 to the remote 5900 port, but not all VNC clients (like CotVNC) allow you to specify an arbitrary port.

Sounds like it. System Preferences -> Sharing -> Screen Sharing. Is it on or off?
quote |
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
Oh, and to see what's running on your 5900 port if it's not the Screen Sharing app:
Code:
lsof -i@localhost:5900 |
quote |
is the next Chiquita
Join Date: Feb 2005
Wait, so it's actually

Code:
localport:IP4:remoteport

, not the other way around? That may be why I didn't get it right the first time.

Thanks for the explanation about display, I was kind of scratching my head over this.

As for Screen Sharing, I've looked at Sharing, but there's nothing named "Screen Sharing"; the only thing checked in the Services tab is Remote Login, and in Firewall, only two are checked: Remote Login and iChat Bonjour.

Thanks for the lsof command; I will remember that next time I have the problem. It has gone away for the time being...
quote |
Travels via TARDIS
Join Date: Aug 2005
Location: Earthsea
Just an aside: Apple Remote Desktop will also run a VNC server, in case you've got that enabled.
quote |
‽
Quote:
Code:
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be
forwarded to the given host and port on the remote side.

Where "host" is the machine running the SSH server, i.e. the one you're connecting to.
quote |
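Putting the man page syntax together with the "Address already in use" failure earlier in the thread, as an added example that is not from the thread: a Python helper that parses a -L spec as [bind_address:]port:host:hostport, probes whether the local listener port is already taken (the same bind ssh performs), and if so moves only the local side to a free port, leaving host:hostport untouched. Note that host is resolved by the remote sshd, so it can be the server itself (127.0.0.1) or another machine reachable from it, as in the thraddash.local example above. The host names and user in the sample come from the thread's own example; the listener used to occupy a port stands in for the OSXvnc-server and is constructed for the demonstration; bracketed IPv6 literals are not handled.

```python
"""Parse an `ssh -L` spec and make sure the local port is really free.

Added example, not from the thread. Implements the man page syntax quoted
above, [bind_address:]port:host:hostport, and reproduces the
"bind: Address already in use" check by attempting the bind itself. If the
local port is taken it moves only the local side; host:hostport is what the
remote sshd connects to and is left alone. Bracketed IPv6 literals are not handled.
"""
from __future__ import annotations

import errno
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalForward:
    bind_address: str   # where the LOCAL listener lives; ssh uses loopback when omitted
    port: int           # local listening port
    host: str           # destination, resolved on the REMOTE side by sshd
    hostport: int       # destination port on that host

    def as_arg(self) -> str:
        return f"{self.bind_address}:{self.port}:{self.host}:{self.hostport}"


def parse_local_forward(spec: str) -> LocalForward:
    """Accept port:host:hostport or bind_address:port:host:hostport."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts = ["localhost"] + parts
    if len(parts) != 4:
        raise ValueError(f"bad -L spec {spec!r}: expected [bind_address:]port:host:hostport")
    bind_address, port, host, hostport = parts
    return LocalForward(bind_address, int(port), host, int(hostport))


def port_in_use(bind_address: str, port: int) -> bool:
    """True if a bind on bind_address:port would fail the way ssh's listener did."""
    infos = socket.getaddrinfo(bind_address, port, type=socket.SOCK_STREAM,
                               flags=socket.AI_PASSIVE)
    for family, kind, proto, _, sockaddr in infos:
        try:
            probe = socket.socket(family, kind, proto)
        except OSError:
            continue                                   # family not available on this box
        with probe:
            if family == socket.AF_INET6:
                probe.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
            try:
                probe.bind(sockaddr)                   # no SO_REUSEADDR: a listener must conflict
            except OSError as exc:
                if exc.errno == errno.EADDRINUSE:
                    return True                        # something (e.g. a VNC server) owns it
    return False


def free_local_port() -> int:
    """Ask the kernel for an unused loopback port, as in picking 1202 instead of 5900."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def plan_forward(spec: str, user_at_host: str) -> list[str]:
    """Build the ssh argv, relocating the local port if the requested one is taken."""
    fwd = parse_local_forward(spec)
    if port_in_use(fwd.bind_address, fwd.port):
        fwd = LocalForward(fwd.bind_address, free_local_port(), fwd.host, fwd.hostport)
    return ["ssh", "-L", fwd.as_arg(), "-C", user_at_host]


def occupy_port() -> socket.socket:
    """Constructed stand-in for the OSXvnc-server that held 5900 in the thread."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    holder = occupy_port()
    taken = holder.getsockname()[1]
    print("requested:", f"127.0.0.1:{taken}:thraddash.local:5900")
    print("will run:  ", " ".join(plan_forward(f"127.0.0.1:{taken}:thraddash.local:5900",
                                               "pemarks@my.hostname.net")))
    holder.close()
```

The VNC client then has to be pointed at whatever local port was chosen, which is the catch Brad raised: a client that cannot take an arbitrary port forces you to free 5900 locally instead (the lsof command above shows who holds it).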