LinuxQuestions.org
Old 01-23-2011, 03:14 PM   #1
tommytom
LQ Newbie
 
Registered: Jan 2011
Location: France
Distribution: Slackware
Posts: 15

Rep: Reputation: 0
Impossible ssh tunnel


Hello,
I need your help; I have been trying to create an ssh tunnel for two days on my Debian server (using openssh-server).
The connection works, but the tunnel doesn't.
Code:
$ ssh -L 2080:localhost:80 root@debian-server
In Firefox (network settings), I get an error: Connection refused by the server.

Why?

My sshd_config:
Code:
#	$OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $
#	$FreeBSD: src/crypto/openssh/sshd_config,v 1.49.2.2.2.1 2010/06/14 02:09:06 kensmith Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20100308

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication yes 
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication no 

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no 

PermitRootLogin yes
AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
PermitTunnel yes 
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server

Last edited by tommytom; 01-23-2011 at 04:19 PM.
 
Old 01-23-2011, 03:21 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1977
Well, you've not said how you're trying to USE the tunnel. Are you trying to go to localhost:2000 in Firefox? Run "netstat -plnt" and check that sshd is listening on port 2000 for your connection; if it is, then the tunnel is working. If not, show us the output of the ssh connection with a -v added for debugging.
 
Old 01-23-2011, 03:36 PM   #3
tommytom (Original Poster)
This is the response of netstat -plnt:
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1866/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1866/sshd
And for Firefox, I set localhost:2080 as a SOCKS v5 proxy in the network configuration.

Last edited by tommytom; 01-23-2011 at 03:46 PM.
 
Old 01-23-2011, 03:46 PM   #4
acid_kewpie (Moderator)
OK, so what does the ssh -v output say? Oh, and that netstat should be on the *client*, right? Not the server.
 
Old 01-23-2011, 03:53 PM   #5
tommytom (Original Poster)
Oh sorry :s,
on the client:
Code:
$ netstat -plnt
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      -                   
tcp        0      0 127.0.0.1:2080              0.0.0.0:*                   LISTEN      2952/ssh            
tcp        0      0 ::1:631                     :::*                        LISTEN      -                   
tcp        0      0 ::1:2080                    :::*                        LISTEN      2952/ssh
And:
Code:
$ ssh -v -L 2080:localhost:80 root@192.168.100.108
OpenSSH_5.5p1, OpenSSL 1.0.0c-fips 2 Dec 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.100.108 [192.168.100.108] port 22.
debug1: Connection established.
debug1: identity file /home/tommytom/.ssh/id_rsa type -1
debug1: identity file /home/tommytom/.ssh/id_rsa-cert type -1
debug1: identity file /home/tommytom/.ssh/id_dsa type -1
debug1: identity file /home/tommytom/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.100.108' is known and matches the RSA host key.
debug1: Found key in /home/tommytom/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/tommytom/.ssh/id_rsa
debug1: Trying private key: /home/tommytom/.ssh/id_dsa
debug1: Next authentication method: password
root@192.168.100.108's password: 
debug1: Authentication succeeded (password).
debug1: Local connections to LOCALHOST:2080 forwarded to remote address localhost:80
debug1: Local forwarding listening on ::1 port 2080.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 2080.
debug1: channel 1: new [port listener]
debug1: channel 2: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env XMODIFIERS = @im=ibus
debug1: Sending env LANG = en_US.utf8

Last edited by tommytom; 01-23-2011 at 03:54 PM.
 
Old 01-23-2011, 04:00 PM   #6
acid_kewpie (Moderator)
Right, so it's working.

Oh I see... you're doing a static tunnel but trying to use it as SOCKS; that's not right. For a SOCKS proxy you would just do "-D 2080" with no remote part, as it's a proxy. So it's either a -D with that port set as a SOCKS proxy in Firefox, OR no proxy settings and then go to localhost:2080 to *JUST* get to the remote webserver instance via ssh with the -L tunnel you have there.
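As an added example (not code from the thread or from OpenSSH), here is a small Python probe for the mix-up described above: it sends the SOCKS5 greeting a SOCKS-configured browser sends first and classifies the answer, so you can tell a "ssh -D" listener from a "ssh -L" forward on a local port. The function names and the serve_once stand-in listener are assumptions made for this example so that it runs offline.

```python
# Added example, not code from the thread: send the SOCKS5 greeting a browser
# sends first and classify the answer, to tell 'ssh -D' from 'ssh -L'.
import socket
import threading

SOCKS5_GREETING = b"\x05\x01\x00"  # version 5, one method offered: no auth


def classify_reply(data: bytes) -> str:
    """Classify what answered a SOCKS5 greeting from its first reply bytes."""
    if data[:2] == b"\x05\x00":
        return "socks5-proxy"          # what an 'ssh -D' listener speaks
    if data.startswith(b"HTTP/"):
        return "plain-http-service"    # an 'ssh -L' forward to a web server
    if not data:
        return "closed-without-reply"  # peer hung up on the non-HTTP bytes
    return "unknown-service"


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect, send the greeting and classify the answer (or its absence)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(SOCKS5_GREETING)
            try:
                reply = s.recv(64)
            except socket.timeout:
                # A web server behind -L usually waits for a full request
                # line, so silence is the common symptom of the -L/-D mix-up.
                return "no-reply"
    except ConnectionRefusedError:
        return "nothing-listening"
    return classify_reply(reply)


def serve_once(reply: bytes) -> int:
    """Constructed stand-in listener (assumption, for offline use): answer one
    client with `reply` and return the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)          # consume the client's greeting
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real tunnel, `probe("127.0.0.1", 2080)` returns "socks5-proxy" only for a "-D 2080" listener; for the "-L 2080:localhost:80" forward from the thread it returns "plain-http-service" or "no-reply", which is exactly why Firefox's SOCKS setting failed.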
 
Old 01-23-2011, 04:04 PM   #7
tommytom (Original Poster)
But how do I configure Firefox to use a static ssh tunnel?
 
Old 01-23-2011, 04:05 PM   #8
acid_kewpie (Moderator)
You don't configure that, you just *use* it... click this.... http://localhost:2080 I think you've got the two different types of tunnel mixed up as a single thing. If you're not clear, explain what you're actually trying to achieve.
 
Old 01-23-2011, 04:12 PM   #9
tommytom (Original Poster)
My purpose is just to change my IP on my LAN, just for testing, for training.
But nothing works; maybe I don't understand exactly what I am trying to do.
 
Old 01-23-2011, 04:20 PM   #10
acid_kewpie (Moderator)
Change your IP???

If you mean "for my web traffic to be seen to be coming from a different source address", then that's a SOCKS proxy in Firefox and the "-D 2080" ssh tunnel.
 
Old 01-23-2011, 04:26 PM   #11
tommytom (Original Poster)
Not exactly change IP, sorry;
at my school, we can't use FTP, and I wish to upload my project when I am there, and I need to create an ssh tunnel for it.

I have understood the difference between static and dynamic tunnels, but I can't do it.
 
Old 01-23-2011, 04:32 PM   #12
acid_kewpie (Moderator)
Well, the tunnel appears to be working just fine from what you've shown; use it as I described. You need to create an ssh tunnel for FTP? In what way? What actual experience do you want to have? With a static tunnel you could map local port 2121 to remote port 21 and then ftp with a bog-standard ftp client to localhost port 2121 and connect to the remote ftp server. Alternatively you set up a dynamic tunnel, and make an ftp client locally use a specific SOCKS proxy on that port and then connect to any destination that you know to be available from the destination ssh server.
 
Old 01-23-2011, 04:39 PM   #13
tommytom (Original Poster)
Yes, but at the moment I want to use a tunnel to port 80, and I had made a PHP script on my router using the variable $_SERVER['REMOTE_ADDR'], just to test that my tunnel works properly. And you know my problem.

I have followed lots of howtos found on Google and it is impossible to use my static tunnel with Firefox.
 
Old 01-30-2011, 01:08 PM   #14
tommytom (Original Poster)
I solved my problem with a dynamic tunnel, but the syntax wasn't
Code:
$ ssh -D 2080 root@debian-server
But
Code:
$ ssh root@debian-server -D 2080
Now it works.

Last edited by tommytom; 01-30-2011 at 01:09 PM.
 
  

