06-21-2008, 03:20 AM
Rick Bilonick

ssh tunnel problems

I'm using Fedora 8 on a server behind a firewall (with incoming ssh
blocked) and my computer at home.

I did the following on the server:

> ssh -R 5000:localhost:22 me@home

which connected to my home computer after I entered the password. (I
could list files, etc.) I also set up /etc/ssh/sshd_config on the server
to keep the connection open.

At home I entered (using the password for user=server on the server):

> ssh server@localhost -p 5000
ssh: connect to host localhost port 5000: Connection refused

I've tried adding:

sshd : ALL : allow
portmap : ALL : allow

to /etc/hosts.allow but still get the same message. I have no idea why
I'm not able to connect to the server through the ssh connection. I can
ssh out from the home computer to other servers with port 22 not
blocked.

Rick B.

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
06-21-2008, 04:01 AM
Kevin Martin

ssh tunnel problems

Rick Bilonick wrote:
> I'm using Fedora 8 on a server behind a firewall (with incoming ssh
> blocked) and my computer at home.
>
> I did the following on the server:
>
> > ssh -R 5000:localhost:22 me@home
>
> which connected to my home computer after I entered the password. (I
> could list files, etc.) I also set up /etc/ssh/sshd_config on the server
> to keep the connection open.
>
> At home I entered (using the password for user=server on the server):
>
> > ssh server@localhost -p 5000
> ssh: connect to host localhost port 5000: Connection refused
>
> I've tried adding:
>
> sshd : ALL : allow
> portmap : ALL : allow
>
> to /etc/hosts.allow but still get the same message. I have no idea why
> I'm not able to connect to the server through the ssh connection. I can
> ssh out from the home computer to other servers with port 22 not
> blocked.
>
> Rick B.



Rick,



On your home machine, does a netstat -an | grep 5000 show you a
listening port? What do you get if you add the -v flag to your
connection attempt from your home computer?



FWIW, your use of localhost on both the server side and the home side
makes this a very confusing read.



Kevin



06-21-2008, 02:22 PM
Rick Bilonick

ssh tunnel problems

On Fri, 2008-06-20 at 23:01 -0500, Kevin Martin wrote:
>
>
> Rick Bilonick wrote:
> > I'm using Fedora 8 on a server behind a firewall (with incoming ssh
> > blocked) and my computer at home.
> >
> > I did the following on the server:
> >
> >
> > > ssh -R 5000:localhost:22 me@home
> > >
> >
> > which connected to my home computer after I entered the password. (I
> > could list files, etc.) I also set up /etc/ssh/sshd_config on the server
> > to keep the connection open.
> >
> > At home I entered (using the password for user=server on the server):
> >
> >
> > > ssh server@localhost -p 5000
> > >
> > ssh: connect to host localhost port 5000: Connection refused
> >
> > I've tried adding:
> >
> > sshd : ALL : allow
> > portmap : ALL : allow
> >
> > to /etc/hosts.allow but still get the same message. I have no idea why
> > I'm not able to connect to the server through the ssh connection. I can
> > ssh out from the home computer to other servers with port 22 not
> > blocked.
> >
> > Rick B.
> >
> >
> Rick,
>
> On your home machine, does a netstat -an | grep 5000 show you a
> listening port? What do you get if you add the -v flag to your
> connection attempt from your home computer?
>
> FWIW, your use of localhost on both the server side and the home side
> makes this a very confusing read.
>
> Kevin
> --
> fedora-list mailing list
> fedora-list@redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Here's what I get:

[chippy@localhost ~]$ netstat -an | grep 5000
tcp 0 0 127.0.0.1:50001 0.0.0.0:* LISTEN


[chippy@localhost ~]$ ssh server@localhost -p 5000 -v
OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 5000.
debug1: connect to address 127.0.0.1 port 5000: Connection refused
ssh: connect to host localhost port 5000: Connection refused

I'm using "localhost" because I was following an example. I guess I
could substitute an IP for localhost. Isn't "localhost" just another
name for the local computer? So on the first use of ssh, localhost
refers to the server and on the second use of ssh, it refers to the home
computer. At least, that's what I believe.

Rick B.

06-21-2008, 02:29 PM
Rick Bilonick

ssh tunnel problems

On Sat, 2008-06-21 at 10:22 -0400, Rick Bilonick wrote:
> On Fri, 2008-06-20 at 23:01 -0500, Kevin Martin wrote:
> >
> >
> > Rick Bilonick wrote:
> > > I'm using Fedora 8 on a server behind a firewall (with incoming ssh
> > > blocked) and my computer at home.
> > >
> > > I did the following on the server:
> > >
> > >
> > > > ssh -R 5000:localhost:22 me@home
> > > >
> > >
> > > which connected to my home computer after I entered the password. (I
> > > could list files, etc.) I also set up /etc/ssh/sshd_config on the server
> > > to keep the connection open.
> > >
> > > At home I entered (using the password for user=server on the server):
> > >
> > >
> > > > ssh server@localhost -p 5000
> > > >
> > > ssh: connect to host localhost port 5000: Connection refused
> > >
> > > I've tried adding:
> > >
> > > sshd : ALL : allow
> > > portmap : ALL : allow
> > >
> > > to /etc/hosts.allow but still get the same message. I have no idea why
> > > I'm not able to connect to the server through the ssh connection. I can
> > > ssh out from the home computer to other servers with port 22 not
> > > blocked.
> > >
> > > Rick B.
> > >
> > >
> > Rick,
> >
> > On your home machine, does a netstat -an | grep 5000 show you a
> > listening port? What do you get if you add the -v flag to your
> > connection attempt from your home computer?
> >
> > FWIW, your use of localhost on both the server side and the home side
> > makes this a very confusing read.
> >
> > Kevin
> > --
> > fedora-list mailing list
> > fedora-list@redhat.com
> > To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>
> Here's what I get:
>
> [chippy@localhost ~]$ netstat -an | grep 5000
> tcp 0 0 127.0.0.1:50001 0.0.0.0:* LISTEN
>
>
> [chippy@localhost ~]$ ssh server@localhost -p 5000 -v
> OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to localhost [127.0.0.1] port 5000.
> debug1: connect to address 127.0.0.1 port 5000: Connection refused
> ssh: connect to host localhost port 5000: Connection refused
>
> I'm using "localhost" because I was following an example. I guess I
> could substitute an IP for localhost. Isn't "localhost" just another
> name for the local computer? So on the first use of ssh, localhost
> refers to the server and on the second use of ssh, it refers to the home
> computer. At least, that's what I believe.
>
> Rick B.
>

I forgot to add that I'm not sure why it is listening on port 50001. I'm
sure I set it up to use port 5000. If I try to use 50001:

ssh goldy@localhost -p 50001 -v
OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 50001.
debug1: Connection established.
debug1: identity file /home/chippy/.ssh/identity type -1
debug1: identity file /home/chippy/.ssh/id_rsa type -1
debug1: identity file /home/chippy/.ssh/id_dsa type -1

Then I have to ctrl c to get out of this.

Rick B.

06-21-2008, 05:25 PM
Tim

ssh tunnel problems

On Sat, 2008-06-21 at 10:22 -0400, Rick Bilonick wrote:
> [chippy@localhost ~]$ ssh server@localhost -p 5000 -v
> OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to localhost [127.0.0.1] port 5000.
> debug1: connect to address 127.0.0.1 port 5000: Connection refused
> ssh: connect to host localhost port 5000: Connection refused
>
> I'm using "localhost" because I was following an example. I guess I
> could substitute an IP for localhost. Isn't "localhost" just another
> name for the local computer? So on the first use of ssh, localhost
> refers to the server and on the second use of ssh, it refers to the
> home computer. At least, that's what I believe.

"localhost" is how a computer refers to itself. Just the same as a
group of people in a room will all think of themselves as "myself" or
"I". While correct, they could only ever converse about themselves, not
anyone else in the room. Trying to network between different computers
all going by the same hostname is going to twist your brain around in
circles.

If you do try "ssh server@localhost" you're going to try and connect to
the SSH daemon on the same machine that you're typing on, which may or
may not actually connect. But you're certainly not going to connect to
another machine, using that address.

If you don't have unique hostnames that are resolvable on your LAN
(i.e. everyone knows the name and IP of *all* hosts on the LAN), then
use numerical IP addresses.

Again, don't fall down the "looking in the mirror" trap by trying to
connect to 127.0.0.1. That's the numerical address for a machine to
refer to itself.

You're playing with the local loopback device. 127.0.0.1 is the
traditional IP address for it, and localhost is the traditional hostname
for it.

--
[tim@localhost ~]$ uname -r
2.6.25.6-55.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



06-21-2008, 05:46 PM
"Patrick O'Callaghan"

ssh tunnel problems

On Sun, 2008-06-22 at 02:55 +0930, Tim wrote:
> Again, don't fall down the "looking in the mirror" trap by trying to
> connect to 127.0.0.1. That's the numerical address for a machine to
> refer to itself.
>
> You're playing with the local loopback device. 127.0.0.1 is the
> traditional IP address for it, and localhost is the traditional
> hostname for it.

Not just traditional, it's a required standard (the IP at least). Also,
it's explicitly not routable, i.e. packets with 127.0.0.1 in either
source or destination fields can never appear on a network.

poc

06-21-2008, 06:41 PM
Kevin Martin

ssh tunnel problems

Rick Bilonick wrote:
> On Fri, 2008-06-20 at 23:01 -0500, Kevin Martin wrote:
> > Rick Bilonick wrote:
> > > I'm using Fedora 8 on a server behind a firewall (with incoming ssh
> > > blocked) and my computer at home.
> > >
> > > I did the following on the server:
> > >
> > > > ssh -R 5000:localhost:22 me@home
> > >
> > > which connected to my home computer after I entered the password. (I
> > > could list files, etc.) I also set up /etc/ssh/sshd_config on the server
> > > to keep the connection open.
> > >
> > > At home I entered (using the password for user=server on the server):
> > >
> > > > ssh server@localhost -p 5000
> > > ssh: connect to host localhost port 5000: Connection refused
> > >
> > > I've tried adding:
> > >
> > > sshd : ALL : allow
> > > portmap : ALL : allow
> > >
> > > to /etc/hosts.allow but still get the same message. I have no idea why
> > > I'm not able to connect to the server through the ssh connection. I can
> > > ssh out from the home computer to other servers with port 22 not
> > > blocked.
> > >
> > > Rick B.
> >
> > Rick,
> >
> > On your home machine, does a netstat -an | grep 5000 show you a
> > listening port? What do you get if you add the -v flag to your
> > connection attempt from your home computer?
> >
> > FWIW, your use of localhost on both the server side and the home side
> > makes this a very confusing read.
> >
> > Kevin
> > --
> > fedora-list mailing list
> > fedora-list@redhat.com
> > To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>
> Here's what I get:
>
> [chippy@localhost ~]$ netstat -an | grep 5000
> tcp 0 0 127.0.0.1:50001 0.0.0.0:* LISTEN
>
> [chippy@localhost ~]$ ssh server@localhost -p 5000 -v
> OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to localhost [127.0.0.1] port 5000.
> debug1: connect to address 127.0.0.1 port 5000: Connection refused
> ssh: connect to host localhost port 5000: Connection refused
>
> I'm using "localhost" because I was following an example. I guess I
> could substitute an IP for localhost. Isn't "localhost" just another
> name for the local computer? So on the first use of ssh, localhost
> refers to the server and on the second use of ssh, it refers to the home
> computer. At least, that's what I believe.
>
> Rick B.





Rick,



The tunnel that you tried to establish from work to home is not running,
otherwise you would see a listening socket on port 5000 on your home
machine. Oh, and to find out what has port 50001 open do a "netstat
-anp | grep 5000" and you'll see what process has it open.



Kevin





06-21-2008, 11:34 PM
Rick Bilonick

ssh tunnel problems

On Sun, 2008-06-22 at 02:55 +0930, Tim wrote:
> On Sat, 2008-06-21 at 10:22 -0400, Rick Bilonick wrote:
> > [chippy@localhost ~]$ ssh server@localhost -p 5000 -v
> > OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: Applying options for *
> > debug1: Connecting to localhost [127.0.0.1] port 5000.
> > debug1: connect to address 127.0.0.1 port 5000: Connection refused
> > ssh: connect to host localhost port 5000: Connection refused
> >
> > I'm using "localhost" because I was following an example. I guess I
> > could substitute an IP for localhost. Isn't "localhost" just another
> > name for the local computer? So on the first use of ssh, localhost
> > refers to the server and on the second use of ssh, it refers to the
> > home computer. At least, that's what I believe.
>
> "localhost" is how a computer refers to itself. Just the same as a
> group of people in a room will all think of themselves as "myself" or
> "I". While correct, they could only ever converse about themselves, not
> anyone else in the room. Trying to network between different computers
> all going by the same hostname is going to twist your brain around in
> circles.
>
> If you do try "ssh server@localhost" you're going to try and connect to
> the SSH daemon on the same machine that you're typing on, which may or
> may not actually connect. But you're certainly not going to connect to
> another machine, using that address.
>
> If you don't have unique hostnames that are resolvable on your LAN
> (i.e. everyone knows the name and IP of *all* hosts on the LAN), then
> use numerical IP addresses.
>
> Again, don't fall down the "looking in the mirror" trap by trying to
> connect to 127.0.0.1. That's the numerical address for a machine to
> refer to itself.
>
> You're playing with the local loopback device. 127.0.0.1 is the
> traditional IP address for it, and localhost is the traditional hostname
> for it.
>
> --
> [tim@localhost ~]$ uname -r
> 2.6.25.6-55.fc9.i686
>
> Don't send private replies to my address, the mailbox is ignored. I
> read messages from the public lists.
>

OK, apparently the example I followed from a website was not completely
correct.

So after trying a bunch of things, I did get this to work from my home
computer to my ISP's server. Here is what I did:

> ssh -R 4022:home:22 myaccnt@my.isp.net

where "home" is actually the IP of my home network (instead of using
"localhost" which definitely does NOT work). This asked me for my
password and it connected.

To see if the port was set up, I then did (on my.isp.net):

> netstat -an | grep 4022

and it shows that it is listening on port 4022.

So then from my.isp.net I did:

> ssh -p 4022 me@localhost

where "me" is the user on my home computer. Note that "localhost" must
be used here so I can use the port that I set up. This asks me for my
password and I connect and see files on my home computer (from being
logged in on the isp's server).

So I know that in principle this can work.

So I went back to my office and set up a connection from work to my home
computer:

> ssh -R 3022:work:22 me@home

where "work" is my work server's IP and "home" is my home computer's IP.
This asks me for my password and I connect and can see files, etc. I did
the "netstat -an | grep 3022" and it shows that it's listening on port
3022.

So then from my home computer I do:

> ssh -v -p 3022 abc@localhost

where "abc" is my user account on the work server and get:

OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 3022.
debug1: Connection established.
debug1: identity file /home/me/.ssh/identity type -1
debug1: identity file /home/me/.ssh/id_rsa type -1
debug1: identity file /home/me/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host

It never asks for my password.

So it works from home to isp, but for some reason does NOT work from
work to home.

What on the work server could be preventing the reverse tunnel from
working? On the server I do use hosts.allow to only allow ssh from my
home computer. Could this possibly prevent the reverse tunnel from
working? Or is the problem on my home computer?

Thanks to everyone who replied with suggestions and questions. At least
I'm making some progress.

Rick B.
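
Both the `netstat -an | grep 5000` check earlier in the thread and the `-R` steps in this post come down to finding the listener for the forwarded port. The script below is an added example, not part of any poster's message: it takes a `-R` spec, extracts the listening port, and matches it exactly against `netstat -an` text, so that port 50001 is not mistaken for 5000. The function names and the sample lines are constructed for illustration, and bracketed IPv6 bind addresses are assumed not to be used.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that an `ssh -R` forward has a
# listener, matching the port exactly instead of by substring.

# Constructed `netstat -an` lines, shaped like the output quoted in the thread.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:50001         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3022          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:45000        198.51.100.7:22         ESTABLISHED'

# forward_listen_port SPEC
# SPEC is the argument of -R: [bind_address:]port:host:hostport.
# Prints the port the far-side sshd listens on; returns 2 on a malformed spec.
forward_listen_port() {
    old_ifs=$IFS; IFS=:
    set -- $1                 # split the spec on ':' into positional fields
    IFS=$old_ifs
    case $# in
        3) port=$1 ;;         # port:host:hostport
        4) port=$2 ;;         # bind_address:port:host:hostport
        *) return 2 ;;
    esac
    case $port in
        ''|*[!0-9]*) return 2 ;;
    esac
    printf '%s\n' "$port"
}

# listeners_on_port PORT   (reads `netstat -an` text on stdin)
# Prints "ADDRESS SCOPE" for each TCP socket in LISTEN state on exactly PORT.
# sshd binds remote forwards to loopback unless GatewayPorts permits otherwise,
# so a forward that shows up as network-reachable deserves a second look.
listeners_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] != port) next
            host = substr($4, 1, length($4) - length(parts[n]) - 1)
            scope = (host ~ /^127\./ || host == "::1") ? "loopback-only" : "network-reachable"
            print $4, scope
        }'
}

# check_forward SPEC   (reads `netstat -an` text on stdin)
# Prints the listener and returns 0 if the forward's port is listening,
# returns 1 if it is not, 2 if SPEC cannot be parsed.
check_forward() {
    want=$(forward_listen_port "$1") || return 2
    found=$(listeners_on_port "$want")
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Demo on the constructed sample. The substring search counts two lines for
# "5000" (50001 and 45000); the exact check finds no listener on 5000.
printf '%s\n' "$SAMPLE_NETSTAT" | grep -c 5000
printf '%s\n' "$SAMPLE_NETSTAT" | check_forward 5000:localhost:22 \
    || echo "no listener on the port named in the -R spec"
printf '%s\n' "$SAMPLE_NETSTAT" | check_forward 3022:192.0.2.10:22
```

On a live system, pipe the real output in instead of the sample: `netstat -an | check_forward 3022:work:22`.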



06-21-2008, 11:51 PM
Rick Bilonick

ssh tunnel problems

On Sat, 2008-06-21 at 19:34 -0400, Rick Bilonick wrote:
> On Sun, 2008-06-22 at 02:55 +0930, Tim wrote:
> > On Sat, 2008-06-21 at 10:22 -0400, Rick Bilonick wrote:
> > > [chippy@localhost ~]$ ssh server@localhost -p 5000 -v
> > > OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006
> > > debug1: Reading configuration data /etc/ssh/ssh_config
> > > debug1: Applying options for *
> > > debug1: Connecting to localhost [127.0.0.1] port 5000.
> > > debug1: connect to address 127.0.0.1 port 5000: Connection refused
> > > ssh: connect to host localhost port 5000: Connection refused
> > >
> > > I'm using "localhost" because I was following an example. I guess I
> > > could substitute an IP for localhost. Isn't "localhost" just another
> > > name for the local computer? So on the first use of ssh, localhost
> > > refers to the server and on the second use of ssh, it refers to the
> > > home computer. At least, that's what I believe.
> >
> > "localhost" is how a computer refers to itself. Just the same as a
> > group of people in a room will all think of themselves as "myself" or
> > "I". While correct, they could only ever converse about themselves, not
> > anyone else in the room. Trying to network between different computers
> > all going by the same hostname is going to twist your brain around in
> > circles.
> >
> > If you do try "ssh server@localhost" you're going to try and connect to
> > the SSH daemon on the same machine that you're typing on, which may or
> > may not actually connect. But you're certainly not going to connect to
> > another machine, using that address.
> >
> > If you don't have unique hostnames that are resolvable on your LAN
> > (i.e. everyone knows the name and IP of *all* hosts on the LAN), then
> > use numerical IP addresses.
> >
> > Again, don't fall down the "looking in the mirror" trap by trying to
> > connect to 127.0.0.1. That's the numerical address for a machine to
> > refer to itself.
> >
> > You're playing with the local loopback device. 127.0.0.1 is the
> > traditional IP address for it, and localhost is the traditional hostname
> > for it.
> >
> > --
> > [tim@localhost ~]$ uname -r
> > 2.6.25.6-55.fc9.i686
> >
> > Don't send private replies to my address, the mailbox is ignored. I
> > read messages from the public lists.
> >
>
> OK, apparently the example I followed from a website was not completely
> correct.
>
> So after trying a bunch of things, I did get this to work from my home
> computer to my ISP's server. Here is what I did:
>
> > ssh -R 4022:home:22 myaccnt@my.isp.net
>
> where "home" is actually the IP of my home network (instead of using
> "localhost" which definitely does NOT work). This asked me for my
> password and it connected.
>
> To see if the port was set up, I then did (on my.isp.net):
>
> > netstat -an | grep 4022
>
> and it shows that it is listening on port 4022.
>
> So then from my.isp.net I did:
>
> > ssh -p 4022 me@localhost
>
> where "me" is the user on my home computer. Note that "localhost" must
> be used here so I can use the port that I set up. This asks me for my
> password and I connect and see files on my home computer (from being
> logged in on the isp's server).
>
> So I know that in principle this can work.
>
> So I went back to my office and set up a connection from work to my home
> computer:
>
> > ssh -R 3022:work:22 me@home
>
> where "work" is my work server's IP and "home" is my home computer's IP.
> This asks me for my password and I connect and can see files, etc. I did
> the "netstat -an | grep 3022" and it shows that it's listening on port
> 3022.
>
> So then from my home computer I do:
>
> > ssh -v -p 3022 abc@localhost
>
> where "abc" is my user account on the work server and get:
>
> OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to localhost [127.0.0.1] port 3022.
> debug1: Connection established.
> debug1: identity file /home/me/.ssh/identity type -1
> debug1: identity file /home/me/.ssh/id_rsa type -1
> debug1: identity file /home/me/.ssh/id_dsa type -1
> ssh_exchange_identification: Connection closed by remote host
>
> It never asks for my password.
>
> So it works from home to isp, but for some reason does NOT work from
> work to home.
>
> What on the work server could be preventing the reverse tunnel from
> working? On the server I do use hosts.allow to only allow ssh from my
> home computer. Could this possibly prevent the reverse tunnel from
> working? Or is the problem on my home computer?
>
> Thanks to everyone who replied with suggestions and questions. At least
> I'm making some progress.
>
> Rick B.
>
>
>

My guess at the moment is that I either need to get rid of the entries
in hosts.allow on the server or add an entry for localhost and the
forwarded port.

Rick B.

06-22-2008, 07:58 AM
Tim

ssh tunnel problems

Tim:
>> You're playing with the local loopback device. 127.0.0.1 is the
>> traditional IP address for it, and localhost is the traditional
>> hostname for it.

Patrick O'Callaghan:
> Not just traditional, it's a required standard (the IP at least).

On a variety of systems, 127.0.0.x (where x can be almost anything) also
works the same way. On this box, x can be 1 to 255, for pinging, at
least. Actually, on this box, for "127.x.y.z", x, y, & z can all be
played with, and are still on the local loopback device.

--
[tim@localhost ~]$ uname -r
2.6.25.6-55.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.


