Date:      Mon, 27 Oct 2008 10:45:38 -0700
From:      Jeremy Chadwick <koitsu@FreeBSD.org>
To:        Kevin Kinsey <kdk@daleco.biz>
Cc:        daleco@daleco.biz, freebsd-questions@freebsd.org
Subject:   Re: SSH Port forwarding when "PermitRootLogin"==no  ?
Message-ID:  <20081027174538.GA27082@icarus.home.lan>
In-Reply-To: <20081027170446.GA946@ezekiel.daleco.biz>
References:  <20081027170446.GA946@ezekiel.daleco.biz>

On Mon, Oct 27, 2008 at 12:04:46PM -0500, Kevin Kinsey wrote:
> Hello,
> 
> I'm (still) trying to work around a limitation I've encountered
> with a new service provider (cf. "MTA on non-standard port").
> 
> As root:
>  # ssh -L 24:server:52525 server
> 
>    fails because root logins aren't permitted in
> /etc/sshd_config on the server.

I recently discussed how to deal with this in a manner that does not
involve compromising root's security:

1) Make a public key on the machine you're doing "ssh -L 24:server:52525 server"
   from.  Run ssh-keygen as root
2) Place contents of /root/.ssh/id_rsa.pub in /root/.ssh/authorized_keys
   on "server".  Make sure the /root/.ssh directory is perm 0700,
   and authorized_keys is perm 0600.
3) On "server", edit /etc/ssh/sshd_config and change this line:

#PermitRootLogin no

...to:

PermitRootLogin without-password

4) Send a SIGHUP signal to the master sshd process.  This might
disconnect any existing SSH sessions to the machine:

kill -HUP `cat /var/run/sshd.pid`

If you're concerned about what "without-password" does, read the man
page.  It WILL NOT let people SSH into the root account, UNLESS they
have the private key (on "server").

> Also as root:
>  # ssh -L 24:server:52525 user@server
> 
> fails - a terminal session is established, but
> when I telnet localhost:24 I receive this in the
> terminal:
>    
> channel 3: open failed: administratively prohibited: open failed

No idea what the "channel 3: open failed" part means, but the latter
likely implies firewalling rules of some kind on the local machine.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
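A pre-flight check for the four steps in the reply above, added here as example code of my own (not from the thread or from OpenSSH): it reads the effective PermitRootLogin value the way sshd does (first uncommented match wins, directives after a Match block are conditional) and confirms the 0700/0600 permissions before you send the SIGHUP. The function names, the use of ls -ld to read file modes, and the config/directory paths taken as arguments are assumptions of this example.

```shell
#!/bin/sh
# Added pre-flight check for the steps in the reply above (not code from the
# thread or from OpenSSH). Paths are arguments so it can run against a
# constructed test tree; function names are this example's own.

# Print the effective PermitRootLogin value from a sshd_config, lowercased.
# sshd uses the FIRST uncommented occurrence of a keyword; directives after a
# "Match" block are conditional, so scanning stops there. Prints "unset" when
# the directive is absent (the compiled-in default then applies).
permit_root_login() {
    awk 'tolower($1) == "match"           { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Succeed only when root may log in with a key but never with a password.
# "prohibit-password" is the spelling newer OpenSSH releases use for the same
# setting; "yes", "no" and "unset" all fail the check (unset = not verified).
check_root_login() {
    case "$(permit_root_login "$1")" in
        without-password|prohibit-password) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only when the .ssh directory is 0700 and authorized_keys is 0600.
# The mode string from "ls -ld" is used because stat(1) flags differ between
# BSD and GNU; cut -c1-10 drops any trailing ACL/xattr marker.
check_key_perms() {
    dir=$1
    [ "$(ls -ld "$dir" 2>/dev/null | cut -c1-10)" = "drwx------" ] || return 1
    [ -f "$dir/authorized_keys" ] || return 1
    [ "$(ls -ld "$dir/authorized_keys" | cut -c1-10)" = "-rw-------" ] || return 1
    return 0
}

# Run the checks when invoked with a config path and a .ssh directory, e.g.
#   sh check_sshd.sh /etc/ssh/sshd_config /root/.ssh
if [ $# -ge 2 ]; then
    if check_root_login "$1"; then
        echo "PermitRootLogin = $(permit_root_login "$1"): key-only, OK"
    else
        echo "PermitRootLogin = $(permit_root_login "$1"): NOT key-only"
    fi
    if check_key_perms "$2"; then
        echo "$2: permissions OK"
    else
        echo "$2: directory must be 0700 and authorized_keys 0600"
    fi
fi
```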



