From: Chris Shenton
Date: 07 Jan 2002 19:09:22 -0500
To: freebsd-questions@FreeBSD.ORG
Cc: freebsd-security@freebsd.org
Subject: SSH TCP forwarding: works with v1, not with v2 ssh
Message-ID: <87lmf9snyl.fsf@thanatos.shenton.org>

I need to set up an SSH tunnel from my work to my home so I can get in
over the weekend. Worked on my previous work box, but not on my
current one. So I looked at the differences in the way they
established tunnels and saw that the old working one used SSHv1 from
work to my house, the broken one used SSHv2. Both of them indicate
that they're setting up the tunnels with no problem, but the v2 tunnel
just hangs when I try and use it from home.

Below, I first establish a tunnel over SSHv1, then telnet back to show
I can get to the work ssh daemon:

    cshenton@Palimpsest(257> ssh -1 -R 65001:palimpsest:22 chris@shenton.org
    chris@shenton.org's password:
    FreeBSD 4.5-PRERELEASE (Thanatos) #4: Fri Jan 4 10:18:35 EST 2002

    chris@thanatos[257> netstat -an|grep 65001
    tcp4 0 0 127.0.0.1.65001 *.* LISTEN
    tcp6 0 0 ::1.65001 *.* LISTEN
    chris@thanatos[258> telnet 127.0.0.1 65001
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202
    quit
    Protocol mismatch.
    [no problem, I typed garbage; the tunnel does work]

Then I do the same, from work to home, but with SSHv2. I'm including
some of the verbose output here so you can see it claims to be setting
up the tunnel:

    cshenton@Palimpsest(257> ssh -v -R 65002:palimpsest:22 chris@shenton.org
    OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
    debug1: Reading configuration data /etc/ssh/ssh_config
    [debug elided]
    debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9 FreeBSD localisations 20011202
    debug1: match: OpenSSH_2.9 FreeBSD localisations 20011202 pat ^OpenSSH
    Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_2.9 FreeBSD localisations 20011202
    [key and auth negotiation elided]
    debug1: Connections to remote port 65002 forwarded to local address palimpsest:22
    debug1: channel 0: new [client-session]
    debug1: channel_new: 0
    debug1: send channel open 0
    debug1: Entering interactive session.
    debug1: client_init id 0 arg 0
    debug1: Requesting X11 forwarding with authentication spoofing.
    debug1: Requesting authentication agent forwarding.
    debug1: channel request 0: shell
    debug1: channel 0: open confirm rwindow 0 rmax 16384
    FreeBSD 4.5-PRERELEASE (Thanatos) #4: Fri Jan 4 10:18:35 EST 2002

Now I check the netstat and see a listener, then try telnet to see if
something answers (if I get "connection refused" there's no listener);
the telnet connection hangs -- I don't get the SSH prompt when I do the
telnet hack.

    chris@thanatos[257> netstat -an|grep 65002
    tcp4 0 0 127.0.0.1.65002 *.* LISTEN
    tcp6 0 0 ::1.65002 *.* LISTEN
    chris@thanatos[258> telnet 127.0.0.1 65002
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    foo
    Connection closed by foreign host.
I'm using telnet here instead of ssh back because "ssh -v" doesn't
show you that nothing answers; for yucks, I then try ssh and it does
hang:

    chris@thanatos[259> ssh -v -p 65002 cshenton@127.0.0.1
    OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
    debug1: Reading configuration data /home/chris/.ssh/config
    debug1: Applying options for *
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Rhosts Authentication disabled, originating port will not be trusted.
    debug1: restore_uid
    debug1: ssh_connect: getuid 1000 geteuid 1000 anon 1
    debug1: Connecting to 127.0.0.1 [127.0.0.1] port 65002.
    debug1: temporarily_use_uid: 1000/1000 (e=1000)
    debug1: restore_uid
    debug1: temporarily_use_uid: 1000/1000 (e=1000)
    debug1: restore_uid
    debug1: Connection established.
    debug1: identity file /home/chris/.ssh/identity type 0
    debug1: identity file /home/chris/.ssh/id_rsa type -1
    debug1: identity file /home/chris/.ssh/id_dsa type -1
    [hangs indefinitely here]

The man page for sshd says the daemon forwards TCP connections by
default, and the verbose output above would indicate it *thinks* the
connection's being forwarded, but nothing happens. There is no change
if I use -1 or -2 versions when I try to come back through the tunnel,
as if my home client isn't able to connect to the work server and
negotiate SSH versions.

Any clues where I can look to see why the incoming connection is just
hanging?

Thanks.
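
Added example, not part of the original post: the telnet check above, scripted so that a port which accepts connections but never relays the far sshd's version line is told apart from a working forward and from a missing listener. `probe_forward` and `fake_listener` are hypothetical names; the listener is a constructed local stand-in for the forwarded port, and the banner string is the one shown in the post.

```python
import socket
import threading

def probe_forward(host, port, timeout=3.0):
    """Return (state, first_line) for a TCP port that should lead to sshd.
    refused: no listener; banner: sshd's SSH- version line arrived;
    silent: connected but nothing arrived before the timeout (the hang
    in the post); closed: peer closed first; other: non-SSH data.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", ""
    data, timed_out = b"", False
    with sock:
        try:
            # sshd speaks first: read up to one line, at most 255 bytes
            while b"\n" not in data and len(data) < 255:
                chunk = sock.recv(255 - len(data))
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            timed_out = True
        except OSError:
            pass  # reset by peer: handled like a close
    if not data:
        return ("silent" if timed_out else "closed"), ""
    line = data.split(b"\n", 1)[0].decode("ascii", "replace").strip()
    return ("banner" if line.startswith("SSH-") else "other"), line

def fake_listener(greeting=None, hold=1.5):
    """Constructed local stand-in for the forwarded port; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        if greeting:
            conn.sendall(greeting)
        threading.Event().wait(hold)  # hold the connection open, silent
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    banner = b"SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202\r\n"
    print(probe_forward("127.0.0.1", fake_listener(banner)))
    print(probe_forward("127.0.0.1", fake_listener(), timeout=0.5))
```

Run against the real forward as `probe_forward("127.0.0.1", 65002)`; a "silent" result matches the v2 behaviour described in the post, where the listener exists but the version line never comes back.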