From owner-freebsd-security Thu Feb 24 2:30:40 2000
From: David Pick
To: Damien Tougas
Cc: freebsd-security@freebsd.org
Subject: Re: SSH port forwarding
In-reply-to: Your message of "Wed, 23 Feb 2000 17:04:57 MST." <20000223170457.A2185@tougas.net>
Date: Thu, 24 Feb 2000 10:29:47 +0000

> I am looking at setting up a VPN using the SSH port forwarding
> features, but I have a question:
>
> I have inetd listening on port X for ppp connections. I set
> up SSH on the client machine to pass all packets going from port X
> on the client to port X on the server through the secure channel.
>
> After starting ppp, I do netstat -a and realize that the actual ppp
> connection is taking place on random port Y. My question is, is SSH
> smart enough to realize this has taken place and encrypt the session
> on port Y as well? If not, how do I set it up so that the random
> port picked during the negotiation process is also sent through
> the secure channel?

Ah, which ports are you talking about? A typical port-forwarding setup
looks like this when in progress:

    Client Machine                         Server Machine
  +-----------------------+             +------------------------+
  !  User process         !             !  Server process        !
  !  +----------------+   !             !   +-----------------+  !
  !  !      A --+     !   !             !   !     +-- D       !  !
  !  +----------!-----+   !             !   +-----!-----------+  !
  !             !  local  !             !  local  !              !
  !  +----------!-----+   !             !   +-----!-----------+  !
  !  !      B --+     !   !             !   !     +-- C       !  !
  !  !  SSH client    !   !  SSH tunnel !   !  SSH server     !  !
  !  !       (==+=====+===+=============+===+=====+==)        !  !
  !  +----------------+   !             !   +-----------------+  !
  +-----------------------+             +------------------------+

Your server process will be listening on its normal port number (D).

The ssh client will often be listening on the same port number (B). It
has to be told which port to listen on and what address and port the
SSH server should be told to use at the other end.

The user process will use an arbitrary port (A). It has to be told to
contact the SSH client (on port (B)) instead of contacting the server
process directly.

The SSH server will use an arbitrary port when forwarding the connection
from itself to the server process (C).

So which ports do you think are wrong? And on which machine?

--
David Pick
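The four-port picture above, as an added example that is not part of the original message and is not SSH code: a loopback model in which a plain TCP relay stands in for the SSH client and SSH server pair. The names A, B, C and D are the ones used in the post; the function names, the echo "server process" and the `ping` payload are constructed for the demonstration. Everything binds to 127.0.0.1 with kernel-chosen ports, so it runs offline and shows which port number each party actually sees.

```python
"""Loopback model of SSH local port forwarding (added example, not from the
original post).  A TCP relay plays the part of the SSH client (listening on
B) plus the SSH server (connecting out to D from an ephemeral port C)."""
import socket
import threading

HOST = "127.0.0.1"


def serve_once(sock, seen):
    """'Server process' listening on D: accept one connection, remember the
    peer address it sees, echo one message back and close."""
    conn, peer = sock.accept()
    with conn:
        seen["peer"] = peer            # (addr, port) of whoever reached D
        data = conn.recv(4096)
        conn.sendall(b"echo:" + data)


def relay_once(listen_sock, target, seen):
    """Stand-in for the SSH tunnel: accept the user process on B, open a
    fresh connection to D (the kernel picks source port C) and copy bytes
    both ways until each direction has been shut down."""
    a_side, a_peer = listen_sock.accept()
    seen["user_peer"] = a_peer         # (addr, port A) as seen at B
    d_side = socket.create_connection(target)
    seen["C"] = d_side.getsockname()[1]

    def pump(src, dst):
        while True:
            chunk = src.recv(4096)
            if not chunk:              # peer finished writing: pass the FIN on
                try:
                    dst.shutdown(socket.SHUT_WR)
                except OSError:
                    pass
                return
            dst.sendall(chunk)

    t1 = threading.Thread(target=pump, args=(a_side, d_side))
    t2 = threading.Thread(target=pump, args=(d_side, a_side))
    t1.start(); t2.start()
    t1.join(); t2.join()
    a_side.close(); d_side.close()


def run_forwarding_demo(payload=b"ping"):
    """Wire up D (server process), B (tunnel entry) and a user process that
    talks only to B.  Returns the four port numbers, the port the server
    process saw on its accepted connection, and the echoed reply."""
    seen = {}
    d_sock = socket.socket(); d_sock.bind((HOST, 0)); d_sock.listen(1)
    D = d_sock.getsockname()[1]
    b_sock = socket.socket(); b_sock.bind((HOST, 0)); b_sock.listen(1)
    B = b_sock.getsockname()[1]

    ts = threading.Thread(target=serve_once, args=(d_sock, seen))
    tr = threading.Thread(target=relay_once, args=(b_sock, (HOST, D), seen))
    ts.start(); tr.start()

    # The user process is pointed at localhost:B, never at D directly.
    with socket.create_connection((HOST, B)) as user:
        A = user.getsockname()[1]
        user.sendall(payload)
        user.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = user.recv(4096)
            if not chunk:
                break
            reply += chunk

    ts.join(); tr.join()
    d_sock.close(); b_sock.close()
    return {"A": A, "B": B, "C": seen["C"], "D": D,
            "server_saw_port": seen["peer"][1], "reply": reply}


if __name__ == "__main__":
    result = run_forwarding_demo()
    print("A (user process)     :", result["A"])
    print("B (tunnel listener)  :", result["B"])
    print("C (tunnel's outgoing):", result["C"])
    print("D (server process)   :", result["D"])
    print("server saw peer port :", result["server_saw_port"])
```

With real SSH the relay is the `ssh -L B:localhost:D user@server` session and the user process is configured to connect to localhost:B. The model makes the point of the diagram concrete: the server process on D only ever sees a connection from the SSH server's own port C on the server machine, never from the user process's port A, so any per-connection check the server process does on the peer address is a check on the SSH server, not on the original client.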