
SSH tunneling


ShiggyMiyamoto
Member
 
Join Date: Jun 2004
Location: Way south of Maine
2004-10-27, 20:06

How is SSH tunneling set up on OS X?
  quote
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2004-10-27, 21:53

I take it you started this thread because of my post in your other thread? Was the link I posted to my tutorial not enough?

SSH tunneling is a facility of your SSH client, not of the operating system. Neither Mac OS X nor any other system has default rules or such set up to tunnel things through SSH. This is because you have to first establish an SSH connection to another computer before you can pipe to it.

Maybe I can make it a little clearer in case the walkthrough wasn't enough.

----------

Computer A is the server. It has lots of cool services.

Computer B is the client. It wants to connect securely to Computer A to do stuff like VNC so all of the data being transmitted and received will be encrypted.

Computer A must be running an SSH server.

Computer B needs an SSH client.

Computer B connects to Computer A over SSH with arguments similar to this: ssh -L 1234:127.0.0.1:5678 -C username@host.

When a service on Computer B tries to communicate to localhost's port 1234, it'll actually get passed through SSH to host's port 5678.

Computer B closes its SSH connection to Computer A.

Now, any services trying to communicate on the ports that were being forwarded will now be going to localhost and will probably get confused and disconnect.

----------

Does that help?

The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting.
  quote
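Brad's Computer A / Computer B walkthrough, as an added example that is not part of the original thread: a small in-process relay in Python that behaves like the client half of `ssh -L 1234:127.0.0.1:5678 -C username@host`. The listener on the local port, the connection opened towards the service, and the "closes its SSH connection" step are all there; what is missing is the encryption, which is exactly what the real SSH session adds. Ports are picked by the OS (port 0) and the "cool service" on Computer A is a constructed echo server, so the whole thing runs offline.

```python
import socket
import threading

# Added example, not code from the AppleNova thread. Local forwarding as ssh does it:
# listen on a local port, and for each connection open remote_host:remote_port (ssh
# would do that from the SERVER's side of the session) and copy bytes both ways.
# Here the "SSH session" is just two threads copying bytes: no encryption.

def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then close dst's write side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Listener:
    """Accept loop on 127.0.0.1 handing every connection to `handler` on its own thread."""

    def __init__(self, handler, port=0):
        self._handler = handler
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind(("127.0.0.1", port))          # port 0: OS picks a free one
        self._sock.listen(5)
        self._sock.settimeout(0.1)                    # so the loop notices close() promptly
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._loop, daemon=True)
        self._thread.start()

    def _loop(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._sock.accept()
            except socket.timeout:
                continue
            conn.settimeout(None)
            threading.Thread(target=self._handler, args=(conn,), daemon=True).start()
        self._sock.close()                            # the port is released only here

    def close(self):
        self._stop.set()
        self._thread.join()


def echo_handler(conn):
    """Stand-in for the 'cool service' on Computer A: sends back whatever it receives."""
    _pump(conn, conn)


def local_forward(local_port, remote_host, remote_port):
    """The -L side: Computer B's listener, relaying each client to remote_host:remote_port."""
    def handler(client):
        upstream = socket.create_connection((remote_host, remote_port))
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
        _pump(client, upstream)
    return Listener(handler, local_port)


def round_trip(payload=b"hello through the tunnel"):
    """Run the scenario end to end; returns (bytes the client got back, local port used)."""
    service = Listener(echo_handler)                      # Computer A's service
    tunnel = local_forward(0, "127.0.0.1", service.port)  # "ssh -L <n>:127.0.0.1:<svc>"
    try:
        with socket.create_connection(("127.0.0.1", tunnel.port)) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)                    # done sending
            received = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                received += chunk
    finally:
        tunnel.close()                                    # Computer B closes the SSH connection
        service.close()
    return received, tunnel.port


def port_refuses_connections(port):
    """Brad's last step: once the tunnel is gone, the forwarded port no longer answers."""
    try:
        socket.create_connection(("127.0.0.1", port), timeout=1).close()
        return False
    except OSError:
        return True


if __name__ == "__main__":
    data, port = round_trip()
    print(f"via local port {port}: {data!r}; refused after close: {port_refuses_connections(port)}")
```

The relay only ever binds 127.0.0.1, which is also ssh's default for `-L`: the tunnel entrance is reachable from Computer B alone, not from the rest of its network.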
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2007-08-08, 14:17

Super bump! This seemed to be the best place to get some tutorial help.

I was trying to learn about SSH tunneling and I'm having a challenge getting it working on my local server. Brad, since Project-Think is gone I can't read your original articles but would like to.

What I'm trying to do is connect to my home server which is a Linux box running SME Server. I'm trying to be able to do command line stuff so I can eventually remove the monitor and keyboard from the box and just let it run. So my only real goal is to log in as root in secure shell to allow me to run those modifications.

I don't think I'll need remote access, since I can VPN via PPTP to the server and then do the SSH as though I'm on the local network. For the most part, all modifications would be using one of my Macs, though it is possible I'd need a PC access at some point.

So I saw an article that said I should open Terminal and type:
sudo ssh -L local port number:hostname

In this case it would: sudo ssh -L 22:192.168.4.1 Right?

Louis L'Amour, “To make democracy work, we must be a nation of participants, not simply observers. One who does not vote has no right to complain.”
Visit our archived Minecraft world! | Maybe someday I'll proof read, until then deal with it.
  quote
kieran
@kk@pennytucker.social
 
Join Date: Jan 2005
 
2007-08-08, 14:31

I just learned how to do ssh last week. I needed it to set up VNC securely.

There are directions on how to do that in this thread

Majost and Brad helped me out a lot.

I don't know about the command-line stuff, but setting up a ssh is pretty simple now that I know how to do it.
  quote
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2007-08-08, 15:40

That thread does help, but then it brings up the question of which is better? SSH or PPTP VPN? When I'm on my local network there really isn't an issue. Unless I want to be paranoid about my WiFi connection and it being sniffed.

At least I have been able to bring up Lenny in Terminal. (Lenny is the name of my Linux server; I'm so original, I know.) So for now I know how to connect to my server via VPN and then once connected it is as though I'm local to the machine. For my Terminal command I used "ssh root@192.168.4.1" and then entered my password and it brought up my "root@lenny" prompt.

So then if I VPN into my server I would be encrypted and can connect to the server without issue. But if I'm going to be modifying command line stuff and have to SSH into the server anyway, would it be better to straight SSH into the server? Seems like this would leave more open doors than I want. Seems to me the best option is to keep as many ports shut as possible.

So the Server is set to only allow connection from local network systems. Is VPN connection my best option?

  quote
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2007-08-09, 17:09

I found myself needing an SSH/VPN configuration, so I went ahead and set it up using Brad's instructions, some exotic installation from Cygwin (is there supposed to be an unwritten rule stipulating that any *nix implementation must be a pain in the ass to set up?), and RealVNC. It worked great.

Except for two small things.

1) My windows box has a small monitor
2) I imagine that the internet is straining under the heavy stress of my iMac blotting the 1680x1050 screen per second.

Is there a way to help lighten the load; perhaps by limiting the size of what can be viewed, or something? I suppose I could lower the resolution, but would prefer to pursue other options if possible.

AFAIK, RealVNC doesn't use any encryption. (it won't let me, but that's okay, as I presume SSH does all the work anyway) and I remembered there was an option to allow for faster blotting, but can't find it.
  quote
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2007-08-09, 20:46

Another question-

This article, which I stumbled while searching for something else, claims that SSH, with host key, can protect against Man-in-the-Middle attack.

This came to me as a surprise, as I've assumed that there was absolutely no way to prevent such attacks, because the Internet is fundamentally designed in a way that intermediaries are needed to complete the connection. I can't imagine any way to prevent people from sniffing packets in between, short of rolling out your own Ethernet line from the client to the server and securing the line so it doesn't get tapped into.

Maybe anyone can explain to me how such security can actually even be possible? (Of course, we already know that there is no such thing as "totally secure system", but let's keep this in practical realm)
  quote
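Banana's question is never answered in the thread, so here is an added example (not from the thread) of the mechanism the linked article is talking about. A sniffer in the middle cannot read an SSH session, because the session key is negotiated with public-key cryptography; what a man-in-the-middle can try is to stand in for the server at connect time. The client's defence is the host key: the server's public key is recorded in `known_hosts` the first time, and on every later connection the presented key must match, otherwise the client warns and refuses. The Python below does that comparison for plain (unhashed) `known_hosts` lines and prints the same `SHA256:` fingerprint that `ssh-keygen -lf` shows. The key bytes and the `known_hosts` line are constructed for the demo and are not a real host's key; hashed entries and `@` markers are not handled.

```python
import base64
import hashlib
import struct

# Added example, not from the thread. The wire format of an ssh-ed25519 public key
# is two length-prefixed strings (RFC 8709): "ssh-ed25519" followed by the 32 raw bytes.

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def ed25519_blob(raw_key32):
    """Public-key blob as it appears (base64) in known_hosts and authorized_keys."""
    if len(raw_key32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key32)

def fingerprint_sha256(blob):
    """Presentation used by `ssh-keygen -lf`: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Map (hostname, keytype) -> key blob for plain known_hosts lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue                          # comments and @markers are skipped here
        hosts, keytype, b64 = line.split()[:3]
        for host in hosts.split(","):         # one line may cover name and address
            entries[(host, keytype)] = base64.b64decode(b64)
    return entries

def check_host_key(known, hostname, keytype, presented_blob):
    """The client's decision on connect: 'new' (never seen), 'ok', or 'MISMATCH'."""
    stored = known.get((hostname, keytype))
    if stored is None:
        return "new"                          # ssh asks you to confirm the fingerprint
    return "ok" if stored == presented_blob else "MISMATCH"   # ssh refuses to continue

# Constructed sample material, NOT a real host key: 32 arbitrary bytes.
SAMPLE_KEY = ed25519_blob(bytes(range(32)))
SAMPLE_KNOWN_HOSTS = (
    "# constructed known_hosts for the example\n"
    "homeserver.example.net,192.0.2.10 ssh-ed25519 "
    + base64.b64encode(SAMPLE_KEY).decode() + "\n"
)

if __name__ == "__main__":
    known = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    print("stored fingerprint:", fingerprint_sha256(SAMPLE_KEY))
    print("same key again:   ", check_host_key(known, "homeserver.example.net", "ssh-ed25519", SAMPLE_KEY))
    imposter = ed25519_blob(bytes(32))        # whoever is in the middle has a different key
    print("different key:    ", check_host_key(known, "homeserver.example.net", "ssh-ed25519", imposter))
```

The weak spot is the very first connection, when there is nothing to compare against; the usual answer is to read the fingerprint off the server's console (`ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub`) before typing "yes".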
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2007-08-10, 20:06

Well, if anyone's interested, there's some stuff that could use tweaking if you want extra security:

Quote:
Originally Posted by A helpful comment at end of article linked below
on mac os x, sshd_config is at
/private/etc/sshd_config
In addition to changing
Protocol 2
I would also change
ServerKeyBits 2056
PermitRootLogin no
AllowUsers username
Source

To clarify the bit about "Protocol 2", the default is "Protocol 2, 1", but SSH-1 is not as secure; by removing the 1, you are mandating connection by the SSH-2 protocol and refusing to connect using protocol 1.

Also, I don't think there is a line "AllowUsers" by default, so I added it after "PermitEmptyPasswords" line.
  quote
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2007-08-10, 20:36

Wow, that went over my head. I guess I don't understand enough about SSH yet.
  quote
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2007-08-10, 21:27

Sorry.

This is somehow out of context, because this was a comment responding to an article about setting up an SSH server for Windows.

Lemme see if I can try and explain it better....

sshd_config is a file located in /private/etc/

If you open that file with TextEdit, you can read it, and look for the parameters to modify...

So first thing you may find when you scan through that file is
Code:
#Protocol 2, 1
The above comment tells that you should change it to
Code:
#Protocol 2
to force SSH-2 connection and refuse any attempts to downgrade to older and weaker SSH-1 connection.

Scanning downward, you should find:
Code:
#ServerKeyBits 756
Replace the 756 with 2056 to increase the length of the key, making it stronger.

Ditto with

Code:
#PermitRootLogin Yes
This is quite a surprise to me; I would have thought they knew better than to permit root login, so you definitely want to replace it with a "No" to prevent this.

Finally, if you go to the line where it says
Code:
#PermitEmptyPasswords No
You would (and I'm not 100% positive here) add the following line:
Code:
#PermitEmptyPasswords No
#AllowUsers MyUserName
Did that clarify?
  quote
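One check worth running after editing the file, as an added example that is not part of the thread: sshd treats any line starting with `#` as a comment (the stock file uses commented lines to show the compiled-in defaults), so a directive only takes effect once the `#` is gone, and when a keyword appears more than once sshd keeps the first active value. The Python below parses a constructed sample in the style of the lines Banana quotes, reports which of the intended directives are actually active, and appends the missing ones. The sample text, the `DESIRED` table and the `yourusername` placeholder are assumptions for the demo.

```python
import re

# Added example, not from the thread. sshd_config keywords are case-insensitive; a line
# whose first non-blank character is '#' changes nothing; the FIRST active value wins.

SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config, not a real host's file
#Protocol 2, 1
#ServerKeyBits 768
#PermitRootLogin yes
#PermitEmptyPasswords no
PasswordAuthentication yes
"""

# What each directive should say once hardening is done (None: present, any value).
DESIRED = {
    "Protocol": "2",
    "PermitRootLogin": "no",
    "PermitEmptyPasswords": "no",
    "AllowUsers": None,
}

_DIRECTIVE = re.compile(r"^\s*(?P<comment>#)?\s*(?P<key>[A-Za-z]+)\s+(?P<value>\S.*?)\s*$")

def parse_sshd_config(text):
    """Return (active, commented): lowercase keyword -> first value seen, kept apart
    for real directives and for commented-out lines."""
    active, commented = {}, {}
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        target = commented if m["comment"] else active
        target.setdefault(m["key"].lower(), m["value"])
    return active, commented

def audit_sshd_config(text, desired=DESIRED):
    """Findings a reviewer would raise: directive not active, or active with the wrong value."""
    active, commented = parse_sshd_config(text)
    findings = []
    for keyword, wanted in desired.items():
        key = keyword.lower()
        if key not in active:
            note = " (only as a commented-out line)" if key in commented else ""
            findings.append(f"{keyword}: not set{note}; sshd will use its built-in default")
        elif wanted is not None and active[key].lower() != wanted.lower():
            findings.append(f"{keyword}: is '{active[key]}', wanted '{wanted}'")
    return findings

def harden(text, desired=DESIRED, allow_users=("yourusername",)):
    """Append an active line for every desired directive that is not active yet.
    A directive that IS active but wrong is only reported by the audit: a later duplicate
    would be ignored by sshd, so that line has to be edited in place."""
    active, _ = parse_sshd_config(text)
    extra = []
    for keyword, wanted in desired.items():
        if keyword.lower() in active:
            continue
        value = wanted if wanted is not None else " ".join(allow_users)   # placeholder user
        extra.append(f"{keyword} {value}")
    if not extra:
        return text
    return text.rstrip("\n") + "\n" + "\n".join(extra) + "\n"

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("before:", finding)
    print("after: ", audit_sshd_config(harden(SAMPLE_SSHD_CONFIG)) or "no findings")
```

Before restarting sshd with the edited file, keep the existing session open and test a fresh login from a second window: with `AllowUsers` in place, a typo in the user name locks everyone out.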
turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2007-08-10, 23:31

It certainly does help me out. My only question about this though is if I'm logging into my Linux server to make command line changes wouldn't I need root access to do that? So to disable root there wouldn't work. This is great for me logging into my Mac Mini while on the road though, especially with Vine Server and client software. I'm guessing these mods were specifically for Remote VNC connections, right?

  quote
autodata
hustlin
 
Join Date: May 2004
 
2007-08-11, 01:22

Quote:
Originally Posted by turtle2472 View Post
What I'm trying to do is connect to my home server which is a Linux box running SME Server. I'm trying to be able to do command line stuff so I can eventually remove the monitor and keyboard from the box and just let it run. So my only real goal is to log in as root in secure shell to allow me to run those modifications.
That's not "tunneling." Tunneling is sending other stuff through the ssh connection.
Quote:
Originally Posted by turtle2472 View Post
My only question about this though is if I'm logging into my Linux server to make command line changes wouldn't I need root access to do that?
No. You can create a new user ("adduser imausername") and then set them in the sudoers file (simple version: log in as root, run "visudo" then add your user below root with the same options). Then you can disable root and run commands using sudo.

Anyway, remember, google is your friend, and the same goes for man pages. This stuff is largely the same on your macs, too.
  quote
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2007-08-11, 10:49

All right. While my SSH'ing to the Mac works well, I am having difficulty doing the reverse.

I've set up the OpenSSH server for Windows as instructed. I know that the Cygwin sshd service is running, and I've already assigned my computer a static private IP, and opened a hole in the firewall toward the computer.

In my test, I was able to ssh from my Windows box to itself using the public IP.

But when I'm at Mac, I keep getting "ssh: connection to hostname timed out"

I've tried adjusting my commands, as the instructions I've linked above and what Brad has instructed differ a bit, from using the host name to explicitly using an IP address, but nothing seems to work. I know that I can ping either IP and domain, but just... can't ssh in.

What should be my next step troubleshooting this?
  quote
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2008-05-26, 21:52

I wanted to use VNC, but seem to be unable to bind the port forwarding. I'm not sure how to diagnose the problem:

Code:
debug1: Local connections to LOCALHOST:5900 forwarded to remote address 127.0.0.1:5900
debug1: Local forwarding listening on ::1 port 5900.
bind: Address already in use
debug1: Local forwarding listening on 127.0.0.1 port 5900.
bind: Address already in use
channel_setup_fwd_listener: cannot listen to port: 5900
Could not request local forwarding.
My gut says it's something wrong with my iMac, not the remote Windoze computer, but I've verified that the software firewall is off. I tried to open port 5900 on both sides, just to make sure it wasn't in use, but it didn't take. Since I am initiating the connection, there should be no need to configure my local router, right? Any other place I should look?
  quote
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2008-05-27, 18:35

^

Still stumped. I've verified that there are no processes running on either machine that would use the port 5900.

Anyone?
  quote
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2008-05-27, 19:55

Aha! Now I have a clue. Looking at top and netstat -a, I figured out that there was an OSXvnc-server process running. I made sure that Vine Server wasn't running, and it wasn't Chicken of the VNC's, so I killed the process, but it just resurrects after a delay of 10 seconds. In that period, I was able to verify it was indeed using port 5900.

So, how do I kill this process for good?
  quote
ShadowOfGed
Travels via TARDIS
 
Join Date: Aug 2005
Location: Earthsea
 
2008-05-27, 20:17

If you're on Leopard, Screen Sharing provides a VNC service and is managed by launchd, so if you have Screen Sharing enabled, that could be the culprit as well. SSH is telling you that something on your computer is already using port 5900. However…

The local port (on your computer) and the remote port (on the server) need not be the same. I've used commands like this to access VNC servers that are behind a firewall that allows only SSH through:

Code:
ssh -L 1202:thraddash.local:5900 -C pemarks@my.hostname.net
Then when I open "Screen Sharing.app," I connect to localhost:1202, which is forwarded to thraddash.local:5900 on the remote side. Note that the remote side destination can be a hostname, and need not be the same server to which you've connected via SSH. So if 5900 is in use on your local system, just pick another port and manually override the default port in whatever application you're using.

Does that help?

EDIT: also note there's nothing inherently wrong with your iMac because of this. It's perfectly normal for a VNC server to occupy port 5900, which simply necessitates you finding another (free) local port for forwarding purposes.

Apparently I call the cops when I see people litter.

Last edited by ShadowOfGed : 2008-05-27 at 20:19. Reason: Minor addition about something being "wrong with [his] iMac."
  quote
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2008-05-27, 20:48

Using Tiger here.

Actually, that was what I tried earlier, but 1) the remote is already set to 5900, so I can't change that and it's not configurable from a console, 2) I tried it but got an error. Can't remember what it was, but at least I got it to work (by fudging: I used that delay to kill the VNC server and log in before it resurrects; probably not the wisest, but I was tired and just wanted it out of the way).

To be clear, I didn't want any VNC server running. Or are you saying it's built-in?
  quote
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2008-05-28, 06:19

Quote:
Originally Posted by Banana View Post
Using Tiger here.

Actually, that was what I tried earlier, but 1) the remote is already set to 5900, so I can't change that and it's not configurable from a console, 2) I tried it but got an error. Can't remember what it was, but at least I got it to work (by fudging: I used that delay to kill the VNC server and log in before it resurrects; probably not the wisest, but I was tired and just wanted it out of the way).
You can change what the remote 5900 maps to locally. Mapping to local 5900 is only a convenience. You can just as easily map it to, say, 5901 instead. This way you don't have to change anything on the VNC server's remote config.

Example:

Quote:
ssh -L 5901:127.0.0.1:5900 -C remoteuser@remoteaddress
When you access port 5901 on your local machine, it will be mapped to remoteaddress's port 5900. In terms of VNC, that means instead of "display 0" you want to use "display 1" because the display numbers start from 5900. So, if you use Chicken of the VNC on your Mac, you'll use address localhost and display 1.

In ShadowOfGed's example, he's mapping local port 1202 to the remote 5900 port, but not all VNC clients (like CotVNC) allow you to specify an arbitrary port.

Quote:
Originally Posted by Banana View Post
To be clear, I didn't want any VNC server running. Or are you saying it's built-in?
Sounds like it. System Preferences -> Sharing -> Screen Sharing. Is it on or off?

  quote
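ShadowOfGed's and Brad's advice in one piece of Python, as an added example that is not from the thread: test whether the preferred local port can still be bound (the same `bind` that failed in Banana's debug output), fall back to the next free one, work out the VNC display number Brad describes (port minus 5900), and assemble the `ssh -L` command line. Nothing is executed; the command is returned as an argument list. The user and host names in the demo are placeholders.

```python
import socket

# Added example, not code from the thread. Assumes only the stock "ssh -L" syntax and
# VNC's convention that "display N" listens on port 5900 + N.

VNC_BASE_PORT = 5900

def local_port_is_free(port, host="127.0.0.1"):
    """True if host:port can be bound right now; ssh -L does this bind before listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:          # "bind: Address already in use" (or not permitted)
            return False

def occupy_ephemeral_port():
    """Open a listening socket on an OS-chosen port, to reproduce the conflict locally."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]

def pick_local_port(preferred, limit=20):
    """Return `preferred` if it is free, else the first free port above it."""
    for port in range(preferred, preferred + limit):
        if local_port_is_free(port):
            return port
    raise RuntimeError(f"no free local port in {preferred}-{preferred + limit - 1}")

def vnc_display(local_port):
    """Display number a VNC client wants for a local port: 5900 -> 0, 5901 -> 1."""
    if local_port < VNC_BASE_PORT:
        raise ValueError("port is below the VNC display range")
    return local_port - VNC_BASE_PORT

def build_ssh_command(local_port, remote_host, remote_port, user, server, compress=True):
    """Argument list for subprocess.run; the tunnel itself is not started here."""
    cmd = ["ssh", "-L", f"{local_port}:{remote_host}:{remote_port}"]
    if compress:
        cmd.append("-C")
    cmd.append(f"{user}@{server}")
    return cmd

def plan_vnc_tunnel(user, server, preferred_local=VNC_BASE_PORT,
                    remote_host="127.0.0.1", remote_port=VNC_BASE_PORT):
    """Choose a free local port and say which display to type into the VNC client.
    remote_host is resolved by the SSH server, so 127.0.0.1 means the server itself."""
    local = pick_local_port(preferred_local)
    return {
        "local_port": local,
        "display": vnc_display(local),
        "command": build_ssh_command(local, remote_host, remote_port, user, server),
    }

if __name__ == "__main__":
    plan = plan_vnc_tunnel("remoteuser", "remoteaddress")   # placeholder names
    print(" ".join(plan["command"]), "-> VNC client: localhost, display", plan["display"])
```

On a Mac with Screen Sharing or a VNC server running, `plan_vnc_tunnel` skips 5900 and lands on 5901, i.e. "display 1" in Chicken of the VNC, without touching the server's configuration.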
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2008-05-28, 06:31

Oh, and to see what's running on your 5900 port if it's not the Screen Sharing app:

Code:
lsof -i@localhost:5900
  quote
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2008-05-28, 08:06

Wait, so it's actually

Code:
localport:IP4:remoteport
, not the other way around? That may be why I didn't get it right the first time.

Thanks for the explanation about display, I was kind of scratching my head over this.

As for Screen Sharing, I've looked at Sharing, but there's nothing named "Screen Sharing"; the only thing checked in the Services tab is Remote Login, and in Firewall, only two are checked: Remote Login and iChat Bonjour.

Thanks for the lsof command; I will remember that the next time I have the problem. It has gone away for the time being...
  quote
ShadowOfGed
Travels via TARDIS
 
Join Date: Aug 2005
Location: Earthsea
 
2008-05-28, 11:07

Just an aside: Apple Remote Desktop will also run a VNC server, in case you've got that enabled.
  quote
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
2008-05-28, 11:09

Quote:
Originally Posted by Banana View Post
Wait, so it's actually

Code:
localport:IP4:remoteport
, not the other way around?
Yes. From the manpage:

Code:
-L [bind_address:]port:host:hostport
        Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.
Where "host" is the machine running the SSH server, i.e. the one you're connecting to.
  quote
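The manpage form chucker quotes, as an added example that is not part of the thread: a small Python parser for the `-L` value that accepts both `port:host:hostport` and the optional `bind_address:` prefix, and spells out the direction of the forward. It goes slightly beyond the quoted text in also accepting IPv6 literals in square brackets, which is ssh's own notation. Note that `host` is resolved by the SSH server, so it can be the server itself (`127.0.0.1`, Brad's example) or another machine the server can reach (`thraddash.local`, ShadowOfGed's example).

```python
# Added example, not from the thread: parse "[bind_address:]port:host:hostport".

def _split_forward_spec(spec):
    """Split on ':' while keeping a bracketed IPv6 literal such as "[::1]" as one token."""
    tokens, rest = [], spec
    while rest:
        if rest.startswith("["):
            end = rest.find("]")
            if end < 0:
                raise ValueError(f"unbalanced '[' in {spec!r}")
            tokens.append(rest[1:end])
            rest = rest[end + 1:]
            if rest.startswith(":"):
                rest = rest[1:]
            elif rest:
                raise ValueError(f"expected ':' after ']' in {spec!r}")
        else:
            head, _, rest = rest.partition(":")
            tokens.append(head)
    return tokens

def parse_local_forward(spec):
    """Return (bind_address or None, local_port, host, hostport) for an ssh -L value."""
    tokens = _split_forward_spec(spec)
    if len(tokens) == 3:
        bind_address, (port, host, hostport) = None, tokens
    elif len(tokens) == 4:
        bind_address, port, host, hostport = tokens
    else:
        raise ValueError(f"bad -L spec {spec!r}: expected [bind_address:]port:host:hostport")
    if not host:
        raise ValueError(f"bad -L spec {spec!r}: empty host")
    return bind_address, int(port), host, int(hostport)

def explain_local_forward(spec):
    """One-sentence reading of the spec, in the direction the manpage describes."""
    bind_address, port, host, hostport = parse_local_forward(spec)
    listen_on = bind_address or "localhost"          # ssh binds loopback unless told otherwise
    return (f"connections to {listen_on}:{port} on this machine travel over SSH "
            f"and are delivered by the SSH server to {host}:{hostport}")

if __name__ == "__main__":
    for spec in ("5901:127.0.0.1:5900", "1202:thraddash.local:5900", "localhost:5901:[::1]:5900"):
        print(spec, "->", explain_local_forward(spec))
```

A two-part value like the `22:192.168.4.1` from earlier in the thread is rejected: without the third field there is nothing to say where the server should deliver the connection.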