[clug] Why is my SSH port forwarding failing all of a sudden?
Chris Smart
clug at christophersmart.com
Tue Feb 2 13:37:41 UTC 2016
On 02/02/16 22:31, Tony Lewis wrote:
> On 02/02/16 22:18, Chris Smart wrote:
>>
>> This looks like you're sshing to localhost on port 55554, is that what
>> is supposed to happen when you ssh to "remotehost?" Did you point the
>> remotehost to localhost in /etc/hosts or something?
>
> Sorry for the obfuscation.
>
> There are three machines concerned: client, tunnel and server.
>
> The client ssh (Cygwin) has a config like this:
>
> Host tunnel
> HostName tunnel.fqdn
> Port 12345
> User tunnel
> LocalForward 55554 server.local:22
>
> Host serverlocal
> HostName localhost
> Port 55554
>
> so I can "ssh -N tunnel" which translates to "ssh -p 12345 -L 55554:server.local:22 tunnel@tunnel.fqdn"
>
> And once the tunnel is established I can "ssh user@serverlocal" which
> translates to "ssh -p 55554 localhost", which should tunnel through the
> established connection to tunnel.fqdn and establish a connection to what
> the tunnel server knows as server.local
>
> The config file is just to enable me to give shorthand names to mappings.
>
>
Yep, OK so all that looks good to me. Sorry for the confusion.
On 01/02/16 21:46, Tony Lewis wrote:
>
> The problem is at the tunnel server. In /var/log/auth.log I see:
> Received request to connect to host blah.domain port 22, but the
> request was denied.
>
OK, going back to your original log line, that seems to come from this
part of the source:
[00:26 chris ~/code/openssh-portable (V_7_1_P2)]$ git grep "request to connect to"
channels.c:		logit("Received request to connect to host %.100s port %d, "
channels.c:		logit("Received request to connect to path %.100s, "
Which, looking at the channel_connect_to_path function, appears to be
about checking whether the remote server and port you're trying to
connect to are permitted.
> Googlage indicates proposed solutions that involve enabling port
> forwarding. But I have no AllowTcpForwarding directive, and the
> default is "yes".
If it was a TCPForwarding deny, you should probably see this in the logs
instead:
refused local port forward: <details>
> There are no PermitOpen directives (though I tried them) and
> the result is the same with or without the PermitTunnel directive.
I know that you said you tried it, but I'm actually leaning towards the
PermitOpen option in your remote server's sshd_config file. That would
seem to make sense with the log error you're getting.
On the remote server, can you add this option, then restart sshd:
PermitOpen any
Then try your ssh tunnel again and tail the audit.log.
Then ssh serverlocal
You could also try:
PermitOpen "server.local:22"
Fingers crossed!
-c
--
_
°v°
/(_)\
^ ^
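As an added illustration of the decision Chris is pointing at (this is not code from the thread or from OpenSSH), the script below models the order in which sshd evaluates a -L / LocalForward target: AllowTcpForwarding is consulted first and produces the "refused local port forward" line, and only if that passes does the PermitOpen list produce the "Received request to connect to host ... but the request was denied." line seen in the original auth.log. It then runs the same regex a detection rule would use over two constructed syslog lines. Assumed simplifications, which are mine and not a statement about sshd internals: exact host:port matching only (no wildcards), PermitOpen lines accumulate, and Match blocks and the equivalent permitopen= option in authorized_keys are ignored even though the latter yields the same denial message.

```python
"""Simplified model of sshd's -L target check (example code, not OpenSSH's)."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ForwardPolicy:
    # AllowTcpForwarding defaults to "yes", which permits -L (direct-tcpip)
    allow_local_forward: bool = True
    # None models "PermitOpen any" (the default); an empty set models "none"
    permit_open: Optional[FrozenSet[Tuple[str, int]]] = None


def parse_sshd_config(text: str) -> ForwardPolicy:
    """Pull the two directives that govern -L targets out of sshd_config text.

    Assumption: only "Keyword value" lines, exact host:port entries, no Match.
    """
    allow = True
    permit: Optional[Set[Tuple[str, int]]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "allowtcpforwarding":
            # "yes", "all" and "local" allow -L; "no" and "remote" refuse it
            allow = value.lower() in ("yes", "all", "local")
        elif key == "permitopen":
            if value.lower() == "any":
                permit = None
            elif value.lower() == "none":
                permit = set()
            else:
                permit = set(permit or ())
                for target in value.split():
                    host, _, port = target.rpartition(":")  # handles "[::1]:22"
                    permit.add((host.strip("[]"), int(port)))
    return ForwardPolicy(allow, None if permit is None else frozenset(permit))


def forward_decision(policy: ForwardPolicy, host: str, port: int) -> Tuple[bool, str]:
    """Return (permitted, log message) for a request to forward to host:port."""
    if not policy.allow_local_forward:
        return False, "refused local port forward"
    if policy.permit_open is not None and (host, port) not in policy.permit_open:
        return False, (f"Received request to connect to host {host} port {port}, "
                       "but the request was denied.")
    return True, ""


# The same pattern a log-monitoring rule would use to spot PermitOpen denials
DENIED_RE = re.compile(
    r"Received request to connect to host (?P<host>\S+) port (?P<port>\d+), "
    r"but the request was denied")


def denied_forwards(log_text: str) -> List[Tuple[str, int]]:
    """Extract (host, port) from every PermitOpen-style denial in an auth.log."""
    return [(m["host"], int(m["port"])) for m in DENIED_RE.finditer(log_text)]


# Constructed sample lines in the syslog format of the page's /var/log/auth.log
SAMPLE_LOG = """\
Feb  2 22:10:01 tunnel sshd[1234]: Accepted publickey for tunnel from 192.0.2.10 port 51000 ssh2
Feb  2 22:10:05 tunnel sshd[1234]: Received request to connect to host server.local port 22, but the request was denied.
"""

if __name__ == "__main__":
    too_narrow = parse_sshd_config("PermitOpen otherhost:22\n")
    fixed = parse_sshd_config("PermitOpen server.local:22 otherhost:22\n")
    print(forward_decision(too_narrow, "server.local", 22))
    print(forward_decision(fixed, "server.local", 22))
    print(denied_forwards(SAMPLE_LOG))
```

The practical check this encodes: if the log says "refused local port forward", look at AllowTcpForwarding; if it says "Received request to connect to host ... but the request was denied", the forwarding feature is on and the target is what is being rejected, so look at PermitOpen (and at permitopen= in the key's authorized_keys entry) for the exact host string the client sent, since sshd compares the literal name, not a resolved address.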