Date: Mon, 27 Oct 2008 10:45:38 -0700 From: Jeremy Chadwick <koitsu@FreeBSD.org> To: Kevin Kinsey <kdk@daleco.biz> Cc: daleco@daleco.biz, freebsd-questions@freebsd.org Subject: Re: SSH Port forwarding when "PermitRootLogin"==no ? Message-ID: <20081027174538.GA27082@icarus.home.lan> In-Reply-To: <20081027170446.GA946@ezekiel.daleco.biz> References: <20081027170446.GA946@ezekiel.daleco.biz>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Oct 27, 2008 at 12:04:46PM -0500, Kevin Kinsey wrote: > Hello, > > I'm (still) trying to work around a limitation I've encountered > with a new service provider (cf. "MTA on non-standard port"). > > As root: > # ssh -L 24:server:52525 server > > fails because root logins aren't permitted in > /etc/sshd_config on the server. I recently discussed how to deal with this in a manner that does not involve compromising root's security: 1) Make a public key on the machine you're doing "ssh -L 24:server:52525 server" from. Run ssh-keygen as root 2) Place contents of /root/.ssh/id_rsa.pub in /root/.ssh/authorized_keys on "server". Make sure the /root/.ssh directory is perm 0700, and authorized_keys is perm 0600. 3) On "server", edit /etc/ssh/sshd_config and change this line: #PermitRootLogin no ...to: PermitRootLogin without-password 4) Send a SIGHUP signal to the master sshd process. This might disconnect any existing SSH sessions to the machine: kill -HUP `cat /var/run/sshd.pid` If you're concerned about what "without-password" does, read the man page. It WILL NOT let people SSH into the root account, UNLESS they have the private key (on "server"). > Also as root: > # ssh -L 24:server:52525 user@server > > fails - an terminal session is established, but > when I telnet localhost:24 I receive this in the > terminal: > > channel 3: open failed: administratively prohibited: open failed No idea what the "channel 3: open failed" part means, but the latter likely implies firewalling rules of some kind on the local machine. -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB |
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081027174538.GA27082>