gabriel rosenkoetter on Wed, 3 Apr 2002 19:00:16 +0200



Re: [PLUG] network/ssh question


On Wed, Apr 03, 2002 at 11:41:37AM -0500, eric@lucii.org wrote:
> So, I tell e-smith to forward port NNNN to port 22 (for ssh)
> on the server.  So far so good.

That's all well and good, but that only gets you the listener, not
the forked off sshd that actually communicates with the client on a
higher port number. Stop blocking ports >1024.

>      ssh -l username -p NNNN IP.IP.IP.IP
[...]
> I get no response.  The client just "hangs" until interrupted by
> ctrl-C.  If I try to telnet to it this happens:

Yep, because the client's connected with the listening sshd at port
22, which has spawned off another sshd on a higher (>1024) port
number and redirected the client to that port, but your firewall's not
letting that communication happen.

(No, you can't write a rule in your firewall to map these ports, the
decision is made on the fly by the listening sshd. You'd have to
teach sshd how to talk to the firewall and update its port
forwarding table if you wanted only the ports necessary open on the
fly. That's non-trivial.)

>    telnet IP.IP.IP.IP NNNN
>    Trying IP.IP.IP.IP...
>    Connected to thedomain.dnsalias.com.
>    Escape character is '^]'.
>    SSH-1.99-OpenSSH_2.9p2
> 
> Then it "hangs" and must be interrupted.

... which is all a listening sshd ever does when you telnet to it.
You're expected to reply with a version string of your own, then you
receive the server public key and compare it with your cached
version (if you have one). But doing that by hand is less than fun,
obviously.

> I can post the /etc/rc.d/init.d/masq file if that helps anyone.

Wouldn't help me, since I'm not familiar with the details of the
firewall, but maybe the general what-to-do advice above will help
you.

-- 
gabriel rosenkoetter
gr@eclipsed.net
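The identification-string exchange the reply describes (the server announces itself, the client is expected to answer with its own version line before anything else happens) can be seen end to end with a small loopback script. This is an added example, not code from the original post; it uses the banner quoted in the telnet session above as a constructed sample, stands in a trivial thread for the listening sshd, and the client identification string `SSH-2.0-banner_example_0.1` is a hypothetical value chosen for the demonstration. It also parses the banner the way RFC 4253 section 4.2 lays it out and reports what `1.99` means under section 5.1 (the server speaks both protocol 1 and protocol 2), which is the practitioner's usual first read of such a banner.

```python
import socket
import threading
from typing import Optional, Tuple

# Constructed sample: the server line quoted from the telnet session in the post.
SAMPLE_SERVER_BANNER = b"SSH-1.99-OpenSSH_2.9p2\r\n"

# Hypothetical client identification string in RFC 4253 s4.2 format:
# "SSH-protoversion-softwareversion [comments]" terminated by CR LF.
CLIENT_ID = "SSH-2.0-banner_example_0.1"


def parse_identification(line: bytes) -> Optional[Tuple[str, str, str]]:
    """Split an identification string into (protoversion, softwareversion, comments).

    Returns None when the line does not have the RFC 4253 shape.
    """
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    if not text.startswith("SSH-"):
        return None
    parts = text.split("-", 2)          # at most three fields: SSH, proto, rest
    if len(parts) != 3 or not parts[1]:
        return None
    software, _, comments = parts[2].partition(" ")
    if not software:
        return None
    return parts[1], software, comments


def supported_protocol_versions(protoversion: str) -> Tuple[bool, bool]:
    """Return (speaks_v1, speaks_v2); RFC 4253 s5.1 reserves '1.99' for both."""
    if protoversion == "1.99":
        return True, True
    if protoversion.startswith("1."):
        return True, False
    if protoversion == "2.0":
        return False, True
    return False, False


def read_line(sock: socket.socket, limit: int = 255) -> bytes:
    """Read one CR/LF-terminated line, byte by byte, with a length cap (s4.2 limit)."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def fake_server(sock: socket.socket) -> bytes:
    """Stand-in for the listening sshd: send the banner, then wait for the client's line."""
    sock.sendall(SAMPLE_SERVER_BANNER)
    client_line = read_line(sock)       # this is the wait a bare telnet never satisfies
    sock.close()
    return client_line


def client_exchange(sock: socket.socket) -> bytes:
    """Act as the client: skip any pre-banner lines, then answer with our own line."""
    server_line = read_line(sock)
    while server_line and not server_line.startswith(b"SSH-"):
        server_line = read_line(sock)   # s4.2 allows other lines before the banner
    sock.sendall((CLIENT_ID + "\r\n").encode("ascii"))
    sock.close()
    return server_line


def run_exchange() -> Tuple[bytes, bytes]:
    """Run both sides over a loopback socket pair; returns (server_line, client_line)."""
    srv, cli = socket.socketpair()
    seen = {}
    worker = threading.Thread(target=lambda: seen.__setitem__("client", fake_server(srv)))
    worker.start()
    server_line = client_exchange(cli)
    worker.join()
    return server_line, seen["client"]


if __name__ == "__main__":
    server_line, client_line = run_exchange()
    proto, software, comments = parse_identification(server_line)
    v1, v2 = supported_protocol_versions(proto)
    print(f"server: {server_line!r} -> proto={proto} software={software} v1={v1} v2={v2}")
    print(f"client answered: {client_line!r}")
```

The script stops where the post stops: once both identification lines are on the wire the real protocol moves on to key exchange, which is where the client would receive and check the server's host key. Reading the banner line alone is what tools such as `ssh-keyscan` do before anything sensitive happens, and capping the line length before accepting it is the cheap defensive habit worth keeping in any code that talks to an unknown peer.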
