Date:      Thu, 24 Feb 2000 10:29:47 +0000
From:      David Pick <D.M.Pick@qmw.ac.uk>
To:        Damien Tougas <damien@tougas.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: SSH port forwarding 
Message-ID:  <E12NvWl-0005Dz-00@xi.css.qmw.ac.uk>
In-Reply-To: Your message of "Wed, 23 Feb 2000 17:04:57 MST." <20000223170457.A2185@tougas.net> 


> I am looking at setting up a VPN using the SSH port forwarding
> features, but I have a question:
> 
> I have inetd listening on port X for ppp connections. I set
> up SSH on the client machine to pass all packets going from port X
> on the client to port X on the server through the secure channel.
> 
> After starting ppp, I do netstat -a and realize that the actual ppp
> connection is taking place on random port Y. My question is, is SSH
> smart enough to realize this has taken place and encrypt the session
> on port Y as well? If not, how do I set it up so that the random
> port picked during the negotiation process is also sent through
> the secure channel?

Ah, which ports are you talking about? A typical port-forwarding
setup looks like this when in progress:

    Client Machine                                     Server Machine
  +----------------------+                           +-----------------------+
  !    User process      !                           !      Server process   !
  !  +--------------+    !                           !    +----------------+ !
  !  !              !    !                           !    !                ! !
  !  !            --+--+ !  <- A               D ->  ! +--+--              ! !
  !  !              !  ! !                           ! !  !                ! !
  !  +--------------+  ! !                           ! !  +----------------+ !
  !                    ! !                           ! !                     !
  !    SSH client      ! !                           ! !    SSH server       !
  !  +--------------+  ! !                           ! !  +----------------+ !
  !  !              !  ! !                           ! !  !                ! !
  !  !           (--+--+ ! <- B                 C -> ! +--+--)             ! !
  !  !           (  !    !          SSH tunnel       !    !  )             ! !
  !  !           (==+================================+====+==)             ! !
  !  !              !    !                           !    !                ! !
  !  +--------------+    !                           !    +----------------+ !
  !                      !                           !                       !
  +----------------------+                           +-----------------------+

Your server process will be listening on its normal port number (D).

The ssh client will often be listening on the same port number (B). It has
to be told which port to listen on and what address and port the SSH server
should be told to use at the other end.

The user process will use an arbitrary port (A). It has to be told to contact
the SSH client (on port (B)) instead of contacting the server process directly.

The SSH server will use an arbitrary port when forwarding the connection
from itself to the server process (C).

So which ports do you think are wrong? And on which machine?

-- 
	David Pick
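The four-port picture above, reproduced with a plain TCP relay as an added example (not code from the thread or from any SSH implementation): a listener standing in for the SSH client at (B) relays to a stand-in server process at (D), and the sockets themselves report the arbitrary ports (A) and (C). All addresses are loopback and port numbers are assigned by the kernel; the payload is a constructed placeholder.

```python
"""Observe ports A, B, C and D of a local forwarding setup on real sockets."""
import socket
import threading

def serve_echo(listener):
    # Stand-in for the server process listening on its fixed port (D).
    conn, peer = listener.accept()          # peer[1] is the arbitrary port (C)
    data = conn.recv(1024)
    conn.sendall(data.upper())
    conn.close()
    return peer[1]

def relay(listener, target):
    # Stand-in for the SSH client's listener (B) plus the tunnel's far end:
    # accept from the user process, open a fresh outgoing socket to (D).
    conn, peer = listener.accept()          # peer[1] is the arbitrary port (A)
    out = socket.create_connection(target)  # kernel picks local port (C)
    out.sendall(conn.recv(1024))
    conn.sendall(out.recv(1024))
    c_port = out.getsockname()[1]
    out.close(); conn.close()
    return peer[1], c_port

def run_demo():
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)  # (D)
    fwd = socket.socket(); fwd.bind(("127.0.0.1", 0)); fwd.listen(1)  # (B)
    d_port = srv.getsockname()[1]
    b_port = fwd.getsockname()[1]
    results = {}
    t1 = threading.Thread(target=lambda: results.update(c_seen=serve_echo(srv)))
    t2 = threading.Thread(
        target=lambda: results.update(ab=relay(fwd, ("127.0.0.1", d_port))))
    t1.start(); t2.start()
    # The user process is told to contact (B), not (D); its own port is (A).
    cli = socket.create_connection(("127.0.0.1", b_port))
    a_port = cli.getsockname()[1]
    cli.sendall(b"ppp negotiation")        # constructed placeholder payload
    reply = cli.recv(1024)
    cli.close()
    t1.join(); t2.join()
    srv.close(); fwd.close()
    a_seen, c_port = results["ab"]
    return {"A": a_port, "B": b_port, "C": c_port, "D": d_port, "reply": reply,
            "A_matches": a_seen == a_port,            # relay saw the client's (A)
            "C_matches": results["c_seen"] == c_port}  # server saw the relay's (C)

if __name__ == "__main__":
    print(run_demo())
```

Only the hop from (A) to (B) and from (C) to (D) is visible as a local socket; everything between (B) and (C) would be inside the encrypted channel, which is why a `netstat -a` on either end shows ports other than the one you configured.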


