From: Brian Nelson
Date: Tue, 08 Jan 2002 11:13:41 -0800
To: Chris Shenton
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: SSH TCP forwarding: works with v1, not with v2 ssh
Message-ID: <3C3B44E5.6030605@pa1.paypal.com>
References: <87lmf9snyl.fsf@thanatos.shenton.org>

Chris Shenton wrote:
> I need to set up an SSH tunnel from my work to my home so I can get in
> over the weekend. Worked on my previous work box, but not on my
> current one. So I looked at the differences in the way they
> established tunnels and saw that the old working one used SSHv1 from
> work to my house, the broken one used SSHv2. Both of them indicate
> that they're setting up the tunnels with no problem, but the v2 tunnel
> just hangs when I try and use it from home.
>
> Below, I first establish a tunnel over SSHv1, then telnet back to show
> I can get to the work ssh daemon:
>
>   cshenton@Palimpsest(257> ssh -1 -R 65001:palimpsest:22 chris@shenton.org
>   chris@shenton.org's password:
>   FreeBSD 4.5-PRERELEASE (Thanatos) #4: Fri Jan 4 10:18:35 EST 2002
>
>   chris@thanatos[257> netstat -an|grep 65001
>   tcp4 0 0 127.0.0.1.65001 *.* LISTEN
>   tcp6 0 0 ::1.65001 *.* LISTEN
>
>   chris@thanatos[258> telnet 127.0.0.1 65001
>   Trying 127.0.0.1...
>   Connected to localhost.
>   Escape character is '^]'.
>   SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202
>   quit
>   Protocol mismatch.   [no problem, I typed garbage; the tunnel does work]
>
> Then I do the same, from work to home, but with SSHv2. I'm including
> some of the verbose output here so you can see it claims to be setting
> up the tunnel:
>
>   cshenton@Palimpsest(257> ssh -v -R 65002:palimpsest:22 chris@shenton.org
>   OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
>   debug1: Reading configuration data /etc/ssh/ssh_config
>   [debug elided]
>   debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9 FreeBSD localisations 20011202
>   debug1: match: OpenSSH_2.9 FreeBSD localisations 20011202 pat ^OpenSSH
>   Enabling compatibility mode for protocol 2.0
>   debug1: Local version string SSH-2.0-OpenSSH_2.9 FreeBSD localisations 20011202
>   [key and auth negotiation elided]
>   debug1: Connections to remote port 65002 forwarded to local address palimpsest:22
>   debug1: channel 0: new [client-session]
>   debug1: channel_new: 0
>   debug1: send channel open 0
>   debug1: Entering interactive session.
>   debug1: client_init id 0 arg 0
>   debug1: Requesting X11 forwarding with authentication spoofing.
>   debug1: Requesting authentication agent forwarding.
>   debug1: channel request 0: shell
>   debug1: channel 0: open confirm rwindow 0 rmax 16384
>
>   FreeBSD 4.5-PRERELEASE (Thanatos) #4: Fri Jan 4 10:18:35 EST 2002
>
> Now I check the netstat and see a listener, then try telnet to see if
> something answers (if I get "connection refused" there's no listener);
> the telnet connection hangs -- I don't get the SSH prompt when I do
> the telnet hack.
>
>   chris@thanatos[257> netstat -an|grep 65002
>   tcp4 0 0 127.0.0.1.65002 *.* LISTEN
>   tcp6 0 0 ::1.65002 *.* LISTEN
>
>   chris@thanatos[258> telnet 127.0.0.1 65002
>   Trying 127.0.0.1...
>   Connected to localhost.
>   Escape character is '^]'.
>   foo
>   Connection closed by foreign host.
>
> I'm using telnet here instead of ssh back because "ssh -v" doesn't
> show you that nothing answers; for yucks, I then try ssh and it does
> hang:
>
>   chris@thanatos[259> ssh -v -p 65002 cshenton@127.0.0.1
>   OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
>   debug1: Reading configuration data /home/chris/.ssh/config
>   debug1: Applying options for *
>   debug1: Reading configuration data /etc/ssh/ssh_config
>   debug1: Rhosts Authentication disabled, originating port will not be trusted.
>   debug1: restore_uid
>   debug1: ssh_connect: getuid 1000 geteuid 1000 anon 1
>   debug1: Connecting to 127.0.0.1 [127.0.0.1] port 65002.
>   debug1: temporarily_use_uid: 1000/1000 (e=1000)
>   debug1: restore_uid
>   debug1: temporarily_use_uid: 1000/1000 (e=1000)
>   debug1: restore_uid
>   debug1: Connection established.
>   debug1: identity file /home/chris/.ssh/identity type 0
>   debug1: identity file /home/chris/.ssh/id_rsa type -1
>   debug1: identity file /home/chris/.ssh/id_dsa type -1
>   [hangs indefinitely here]
>
> The man page for sshd says the daemon forwards TCP connections by
> default, and the verbose output above would indicate it *thinks* the
> connection's being forwarded, but nothing happens.
>
> There is no change if I use -1 or -2 versions when I try to come back
> through the tunnel, as if my home client isn't able to connect to the
> work server and negotiate SSH versions.
>
> Any clues where I can look to see why the incoming connection is just
> hanging? Thanks.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

I am having the *exact* same problem... though it's only with -R; ssh -L
works like a charm. It's also important to note that I am not having this
problem when connecting to Linux machines, just to my own FreeBSD
machine... the difference is that the Linux machine is running some 3.x
version of OpenSSH... so this may already be fixed in 3.x

-Brian
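The "telnet hack" in the thread relies on one property of SSH: the server sends its "SSH-x.y-..." identification line first, so a healthy -R port answers before the client types anything. The probe below, added here as an example and not code from either poster, automates that check and separates the three outcomes the thread walks through: nothing listening, a listener that accepts but never sends a banner (the hang described above), and an sshd that answers. The fake listener is a constructed stand-in for testing, not a real sshd.

```python
import socket
import threading
import time

# Probe results. SILENT is the thread's symptom: netstat shows LISTEN and the
# TCP connect succeeds, but no SSH banner ever arrives.
REFUSED, SILENT, SSH_BANNER, OTHER = "refused", "silent", "ssh-banner", "other"

def probe_ssh_listener(host, port, timeout=3.0):
    """Connect to host:port and classify what a forwarded port does.
    sshd sends its "SSH-x.y-..." identification line first, so a healthy
    -R port answers right away without the client sending a byte."""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return REFUSED
    with conn:
        conn.settimeout(timeout)
        try:
            data = conn.recv(256)
        except socket.timeout:
            return SILENT
    if not data:
        return SILENT  # peer closed without ever answering
    return SSH_BANNER if data.startswith(b"SSH-") else OTHER

def start_fake_listener(banner, hold=2.0):
    """Constructed stand-in for the far end of a tunnel (not a real sshd).
    banner=b"" models a port that accepts and then stays quiet for `hold`
    seconds; a non-empty banner models a forward that reaches an sshd."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
            time.sleep(hold)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def unused_port():
    """A loopback port with nothing listening, for the REFUSED case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run against the real forwarded port (for the thread, 127.0.0.1:65002 on the home box) a SILENT result reproduces the hang without having to stare at an idle telnet session.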