Re: [leaf-user] Misconfigured routing (?) and ssh tunnels
On Sun, 2002-05-19 at 12:28, David Douthitt wrote:
> On Saturday 18 May 2002 11:14 am, Stephen Lee wrote:
> > I tunnel imap and smtp all the time except I use stunnel. Presumably
> > you are pointing your host1 mail client to localhost:110 or
> > localhost:143 and then ssh tunnelling those corresponding ports to
> > host2:some_other_port_for pop or imap? How are your ssh tunnels
> > created? Does telnet localhost 110 result in a response by the
> > remote pop server?
>
> ssh -L 143:host2:143 user@host2
>
> -- or --
>
> ssh -L 110:host2:110 -L 143:host2:143 user@host2
>
> (I am trying to use IMAP only - but it's hard)
>
> No, telnet (or nc) to localhost 110 doesn't work (nor to port 143).
>
> host1 # netstat -rn -f inet
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Refs     Use  Netif Expire
> default            192.168.4.1        UGSc         2     125    de0
> 127.0.0.1          127.0.0.1          UH           1   10566    lo0
> 192.168.4          link#1             UC           4       0    de0
> 192.168.4.1        0:0:c0:26:b4:8b    UHLW        54     371    de0   1193
> 192.168.4.2        0:0:c0:6:b9:5b     UHLW         1  513380    de0    970
> 192.168.4.5        0:e0:29:6:ce:58    UHLW         3     316    lo0
> 192.168.4.10       link#1             UHLW         2      31    de0
>
> host2 # netstat -rn -f inet
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Refs     Use  Netif Expire
> default            198.77.254.129     UGSc        12     116    xl0
> 127.0.0.1          127.0.0.1          UH           0    5059    lo0
> 192.168.5.128/27   link#1             UC           2       0    xl0
> 192.168.5.129      0:20:6f:10:e5:31   UHLW         6       0    xl0    757
> 192.168.5.140      0:50:da:cc:4d:c2   UHLW         0    8375    lo0
>
> Note that ssh itself works - but the tunnel doesn't. It wouldn't have to
> do with the fact that the tunnel is from port 143 to port 143 would it?

Possibly. This is what I have to do in stunnel:

Client end:
stunnel -c -d 3306 -r mysqlserver.dom:3307

Server end:
stunnel -p stunnel.pem -d 3307 -r localhost:3306

So I let port 3307 and not 3306 through the remote firewall. Similar
config for pop3 and imap.

I did notice in the ssh man page the following:

    Privileged ports can be forwarded only when logging in as root on
    the remote machine.

Does this apply to your situation?

Stephen

___
Hundreds of nodes, one monster rendering program. Now that's a super model!
Visit http://clustering.foundries.sf.net/ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
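As an added example (not from the thread), a small Python checker that parses OpenSSH -L specs such as the ones quoted above and reports, for each, where ssh will listen on the client host, that the target host:port is connected to by sshd on the remote host, whether the listen port is privileged (below 1024, so ssh must run as root on the local host to bind it), and whether -g / GatewayPorts exposes the listener beyond loopback. The -L syntax is OpenSSH's; the spec strings are the thread's.

```python
import re

PRIVILEGED_PORT_MAX = 1023  # on Unix, binding a port below 1024 needs root

# OpenSSH -L syntax: [bind_address:]port:host:hostport
SPEC_RE = re.compile(
    r"^(?:(?P<bind>[^:]*):)?(?P<port>\d+):(?P<host>[^:]+):(?P<hostport>\d+)$"
)


def parse_forward(spec, gateway_ports=False):
    """Describe one -L forward: where ssh listens on the client host and
    where sshd on the remote host connects on the client's behalf."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError("bad -L spec: %r" % spec)
    bind = m.group("bind")
    if not bind:
        # Default listener is loopback only, unless -g / GatewayPorts is set.
        listen_addr = "0.0.0.0" if gateway_ports else "127.0.0.1"
    elif bind == "*":
        listen_addr = "0.0.0.0"
    else:
        listen_addr = bind
    port = int(m.group("port"))
    return {
        "listen_addr": listen_addr,
        "listen_port": port,
        # host:hostport is resolved and connected to by sshd on the remote side
        "target": (m.group("host"), int(m.group("hostport"))),
        "needs_local_root": port <= PRIVILEGED_PORT_MAX,
        "reachable_beyond_loopback": listen_addr not in ("127.0.0.1", "localhost", "::1"),
    }


def review_forwards(specs, gateway_ports=False):
    """One finding string per -L spec, flagging the two common surprises."""
    findings = []
    for spec in specs:
        f = parse_forward(spec, gateway_ports)
        host, hostport = f["target"]
        msg = "ssh listens on %s:%d -> sshd connects to %s:%d from the remote host" % (
            f["listen_addr"], f["listen_port"], host, hostport)
        if f["needs_local_root"]:
            msg += "; port %d is privileged: ssh must run as root locally to bind it" % f["listen_port"]
        if f["reachable_beyond_loopback"]:
            msg += "; listener is not loopback-only: any host reaching it can use the tunnel"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for line in review_forwards(["110:host2:110", "143:host2:143"]):
        print(line)
    print(review_forwards(["5901:windows2:5900"], gateway_ports=True)[0])
```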
Re: [leaf-user] Misconfigured routing (?) and ssh tunnels
On Monday 20 May 2002 02:53 am, Stephen Lee wrote:
> On Sun, 2002-05-19 at 12:28, David Douthitt wrote:
> > On Saturday 18 May 2002 11:14 am, Stephen Lee wrote:
> > > I tunnel imap and smtp all the time except I use stunnel. Presumably
> > > you are pointing your host1 mail client to localhost:110 or
> > > localhost:143 and then ssh tunnelling those corresponding ports to
> > > host2:some_other_port_for pop or imap? How are your ssh tunnels
> > > created? Does telnet localhost 110 result in a response by the
> > > remote pop server?
> >
> > ssh -L 143:host2:143 user@host2
> >
> > -- or --
> >
> > ssh -L 110:host2:110 -L 143:host2:143 user@host2
> >
> > (I am trying to use IMAP only - but it's hard)
>
> Possibly. This is what I have to do in stunnel:

Maybe I should try stunnel - I just fumbled my way through using
cyrus-sasl to generate some sort of *.pem file. Now if I only knew for
sure if cyrus-imap was using it...

> I did notice in the ssh man page the following:
>
>     Privileged ports can be forwarded only when logging in as root on
>     the remote machine.
>
> Does this apply to your situation?

Perhaps. I've just done an IMAP connection over a different SSH tunnel,
and it works - and it's one FreeBSD host (let's say, host3) to the same
IMAP server host. No PPP link, but that shouldn't matter I think...
Re: [leaf-user] Misconfigured routing (?) and ssh tunnels
On Mon, 2002-05-20 at 10:13, David Douthitt wrote:
> Maybe I should try stunnel - I just fumbled my way through using
> cyrus-sasl to generate some sort of *.pem file. Now if I only knew for
> sure if cyrus-imap was using it...

You could always rename the pem file and see if it complains.

Could you not use imaps instead of tunneling? The Courier imap and pop
package does all of this encryption stuff effortlessly.

> > I did notice in the ssh man page the following:
> >
> >     Privileged ports can be forwarded only when logging in as root on
> >     the remote machine.
> >
> > Does this apply to your situation?
>
> Perhaps. I've just done an IMAP connection over a different SSH tunnel,
> and it works - and it's one FreeBSD host (let's say, host3) to the same
> IMAP server host. No PPP link, but that shouldn't matter I think...

Maybe defaultroute or proxyarp settings in ppp need adjustments?

Stephen

___
Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Misconfigured routing (?) and ssh tunnels
On Monday 20 May 2002 03:28 pm, Stephen Lee wrote:
> On Mon, 2002-05-20 at 10:13, David Douthitt wrote:
> > Maybe I should try stunnel - I just fumbled my way through using
> > cyrus-sasl to generate some sort of *.pem file. Now if I only knew for
> > sure if cyrus-imap was using it...
>
> You could always rename the pem file and see if it complains.
>
> Could you not use imaps instead of tunneling? The Courier imap and pop
> package does all of this encryption stuff effortlessly.

Actually, the *.pem file was used, but an error generated:

May 20 13:54:47 lena imapd[80986]: TLS engine: cannot load CA data
May 20 13:54:47 lena imapd[80986]: error initializing TLS: [CA_file: ] [CA_path: ] [cert_file: /var/imap/server.pem] [key_file: /var/imap/server.pem]

The file:

-rw-r--r--  1 root  wheel  1655 May 20 01:02 server.pem

I realize it's owned by root:wheel, but it is still world-readable
(bad?) - I don't know what permissions to give it.

> > Perhaps. I've just done an IMAP connection over a different SSH tunnel,
> > and it works - and it's one FreeBSD host (let's say, host3) to the same
> > IMAP server host. No PPP link, but that shouldn't matter I think...
>
> Maybe defaultroute or proxyarp settings in ppp need adjustments?

PPP works fine - I can go to any host I like - but the SSH tunnel fails.
Remember too, that the endpoints of the PPP link and the endpoints of the
SSH tunnel are four different hosts entirely. The PPP link is just one of
the hops along the way that the SSH tunnel takes.
Re: [leaf-user] Misconfigured routing (?) and ssh tunnels
On Mon, 2002-05-20 at 13:43, David Douthitt wrote:
> Actually, the *.pem file was used, but an error generated:
>
> May 20 13:54:47 lena imapd[80986]: TLS engine: cannot load CA data
> May 20 13:54:47 lena imapd[80986]: error initializing TLS: [CA_file: ] [CA_path: ] [cert_file: /var/imap/server.pem] [key_file: /var/imap/server.pem]
>
> The file:
>
> -rw-r--r--  1 root  wheel  1655 May 20 01:02 server.pem
>
> I realize it's owned by root:wheel, but it is still world-readable
> (bad?) - I don't know what permissions to give it.

I think the pem file needs to be readable by the Cyrus user.

It looks to me that the pem file is not in a correct format for the TLS
engine. Take a closer look at how you generated the certificate. I had a
similar problem when generating a certificate for stunnel and tried for
many hours to solve it. In the end, I simply took a pem file (generated
with the same SSL library) from another package and used that to good
effect.

I'm curious as to why you need to tunnel imap if you're already using
SSL? What about imaps or simap?

Stephen
Re: [leaf-user] Misconfigured routing (?) and ssh tunnels
On Monday 20 May 2002 04:37 pm, Stephen Lee wrote:
> On Mon, 2002-05-20 at 13:43, David Douthitt wrote:
> > Actually, the *.pem file was used, but an error generated:
> >
> > May 20 13:54:47 lena imapd[80986]: TLS engine: cannot load CA data
> > May 20 13:54:47 lena imapd[80986]: error initializing TLS: [CA_file: ] [CA_path: ] [cert_file: /var/imap/server.pem] [key_file: /var/imap/server.pem]
> >
> > The file:
> >
> > -rw-r--r--  1 root  wheel  1655 May 20 01:02 server.pem
> >
> > I realize it's owned by root:wheel, but it is still world-readable
> > (bad?) - I don't know what permissions to give it.
>
> I think the pem file needs to be readable by the Cyrus user.

With the 644 permissions listed above, it is.

> It looks to me that the pem file is not in a correct format for the TLS
> engine. Take a closer look at how you generated the certificate.

I followed the directions given at another site pointed out to me by
Mike Leone, and went step by step. When I was done, I had three files:
newreq.pem, newcert.pem, and cacert.pem. After this, things appeared to
work.

I was surprised to find that TLS operates over the standard unencrypted
port 143, whereas SSL has a special port of 993.

> I had a similar problem when generating a certificate for stunnel and
> tried for many hours to solve it. In the end, I simply took a pem file
> (generated with the same SSL library) from another package and used
> that to good effect.

I'm not using stunnel now.

> I'm curious as to why you need to tunnel imap if you're already using
> SSL? What about imaps or simap?

I wasn't using SSL when I started. I would use imaps but I'm now using
TLS instead - I'll use SSL if TLS isn't available. It appears that TLS
uses the standard port 143.

According to my services file, there is no simap: only imap (port 143),
imap3 (port 220), imap4-ssl (port 585), and imaps (port 993). Presumably
both imap3 and imap4-ssl are deprecated.
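As an added example (not from the thread or from Cyrus), a Python checker for the two things questioned above about server.pem: whether the file actually holds a signed certificate plus a private key (a certificate request such as newreq.pem is not a signed certificate), and whether its mode leaves the private key world-readable, as the -rw-r--r-- listing does. The sample PEM blocks are constructed placeholders, not real key material; it assumes a Unix host where os.chmod works on the temp file.

```python
import os
import re
import stat
import tempfile

# One PEM block; the label on the BEGIN line must match the END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_labels(text):
    """Labels of the PEM blocks in a file, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_pem_contents(text):
    """Problems that stop a server from using the file as both cert_file and key_file."""
    labels = pem_labels(text)
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no PRIVATE KEY block")
    if "CERTIFICATE REQUEST" in labels:
        problems.append("contains a certificate request, which is not a signed certificate")
    return problems


def check_pem_mode(path):
    """Permission problems: a file holding a private key must not be readable by everyone."""
    st = os.stat(path)
    problems = []
    if st.st_mode & stat.S_IROTH:
        problems.append("world-readable")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable")
    return problems


# Constructed samples with placeholder bodies (not real certificates or keys).
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIICplaceholder\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CSR = "-----BEGIN CERTIFICATE REQUEST-----\nMIIBplaceholder\n-----END CERTIFICATE REQUEST-----\n"


def write_sample(text, mode):
    """Write text to a temp file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    path = write_sample(SAMPLE_CERT + SAMPLE_KEY, 0o644)  # the thread's -rw-r--r--
    with open(path) as fh:
        print(check_pem_contents(fh.read()), check_pem_mode(path))
    os.chmod(path, 0o600)  # owner-only, owned by the user the daemon runs as
    print(check_pem_mode(path))
    os.unlink(path)
```

Run as a script it prints `[] ['world-readable']` for the 0644 copy and `[]` after tightening to 0600.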
Re: [leaf-user] Misconfigured routing (?) and ssh tunnels
On Saturday 18 May 2002 11:14 am, Stephen Lee wrote:
> I tunnel imap and smtp all the time except I use stunnel. Presumably
> you are pointing your host1 mail client to localhost:110 or
> localhost:143 and then ssh tunnelling those corresponding ports to
> host2:some_other_port_for pop or imap? How are your ssh tunnels
> created? Does telnet localhost 110 result in a response by the remote
> pop server?

ssh -L 143:host2:143 user@host2

-- or --

ssh -L 110:host2:110 -L 143:host2:143 user@host2

(I am trying to use IMAP only - but it's hard)

No, telnet (or nc) to localhost 110 doesn't work (nor to port 143).

host1 # netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use  Netif Expire
default            192.168.4.1        UGSc         2     125    de0
127.0.0.1          127.0.0.1          UH           1   10566    lo0
192.168.4          link#1             UC           4       0    de0
192.168.4.1        0:0:c0:26:b4:8b    UHLW        54     371    de0   1193
192.168.4.2        0:0:c0:6:b9:5b     UHLW         1  513380    de0    970
192.168.4.5        0:e0:29:6:ce:58    UHLW         3     316    lo0
192.168.4.10       link#1             UHLW         2      31    de0

host2 # netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use  Netif Expire
default            198.77.254.129     UGSc        12     116    xl0
127.0.0.1          127.0.0.1          UH           0    5059    lo0
192.168.5.128/27   link#1             UC           2       0    xl0
192.168.5.129      0:20:6f:10:e5:31   UHLW         6       0    xl0    757
192.168.5.140      0:50:da:cc:4d:c2   UHLW         0    8375    lo0

Note that ssh itself works - but the tunnel doesn't. It wouldn't have to
do with the fact that the tunnel is from port 143 to port 143 would it?
Re: [leaf-user] Misconfigured routing (?) and ssh tunnels
On Sunday 19 May 2002 02:28 pm, David Douthitt wrote:
> On Saturday 18 May 2002 11:14 am, Stephen Lee wrote:
> > I tunnel imap and smtp all the time except I use stunnel. Presumably
> > you are pointing your host1 mail client to localhost:110 or
> > localhost:143 and then ssh tunnelling those corresponding ports to
> > host2:some_other_port_for pop or imap? How are your ssh tunnels
> > created? Does telnet localhost 110 result in a response by the
> > remote pop server?
>
> ssh -L 143:host2:143 user@host2
>
> -- or --
>
> ssh -L 110:host2:110 -L 143:host2:143 user@host2
>
> (I am trying to use IMAP only - but it's hard)
>
> No, telnet (or nc) to localhost 110 doesn't work (nor to port 143).
>
> host1 # netstat -rn -f inet
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Refs     Use  Netif Expire
> default            192.168.4.1        UGSc         2     125    de0
> 127.0.0.1          127.0.0.1          UH           1   10566    lo0
> 192.168.4          link#1             UC           4       0    de0
> 192.168.4.1        0:0:c0:26:b4:8b    UHLW        54     371    de0   1193
> 192.168.4.2        0:0:c0:6:b9:5b     UHLW         1  513380    de0    970
> 192.168.4.5        0:e0:29:6:ce:58    UHLW         3     316    lo0
> 192.168.4.10       link#1             UHLW         2      31    de0
>
> host2 # netstat -rn -f inet
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Refs     Use  Netif Expire
> default            198.77.254.129     UGSc        12     116    xl0
> 127.0.0.1          127.0.0.1          UH           0    5059    lo0
> 192.168.5.128/27   link#1             UC           2       0    xl0
> 192.168.5.129      0:20:6f:10:e5:31   UHLW         6       0    xl0    757
> 192.168.5.140      0:50:da:cc:4d:c2   UHLW         0    8375    lo0
>
> Note that ssh itself works - but the tunnel doesn't. It wouldn't have to
> do with the fact that the tunnel is from port 143 to port 143 would it?

I've also noticed the following - or should at least mention:

* host1 has a private ip (192.168.4.6) but host2 has an Internet address

* The TCP connection traffic goes like this:

  1. SYN from host1 to host2 via ssh tunnel
  2. SYN (reply) from host2 to host1 via Internet (!)

  ... no response

* Until recently, neither host1 nor host2 was routing. I turned on
  routing, then it worked - then it stopped.

  I used the command:

  sysctl net.inet.ip.forwarding=1 net.inet6.ip6.forwarding=1

  (might as well support IP6 too :-)

* ssh tunnel seems to allocate an IP of 192.168.4.7, but I can't see it
  anywhere. Not in netstat -rn nor in ifconfig -a

* There doesn't seem to be any way of specifying a route via the ssh
  tunnel interface.
Re: [leaf-user] Misconfigured routing (?) and ssh tunnels
On Sunday 19 May 2002 11:24 pm, you wrote:
> David Douthitt wrote:
> > On Saturday 18 May 2002 11:14 am, Stephen Lee wrote:
> > > I tunnel imap and smtp all the time except I use stunnel.
>
> Perhaps ssh -g option?

Don't use that:

dgd $ slogin -L 143:lena:143 -L 110:lena:110 dgd@lena

> I always liked the ssh description on the VNC site.

Me too.

> Please see the More advanced use section at the bottom of the page.
> They have a configuration that looks like yours. They used
>
>     ssh -g -L 5901:windows2:5900 linux2
>
> This quote was troubling:
>
>     ...but remember that connections between snoopy and third machine
>     will not be encrypted...
>
> (...not referring to the VNC docs)

This is because the ssh tunnel goes from machine A to machine B - if you
are forwarding a local port, the end can go anywhere - such as to
machine C. In my case, there is no machine C - or at least, machine B
and C are the same.

> From your original post: Perhaps -C or +C? The VNC ssh Compression
> section has this quote. It may apply to you because of ppp?
>
>     SSH has another advantage. It can compress the data as well. This
>     is particularly useful if the link between you and the server is a
>     slow one, such as a modem...

My impression was that VNC performed compression, not ssh - but I will
look again. But that won't solve my troubles...

> Just another thought... I was playing with ssh internally. I was
> testing another firewall. I was racking my brain until I realized that
> the firewall rules were blocking the RFC 1918/1627/1597 addresses. It
> sounds like you already took care of that issue, however.

Not quite. See discussion below.

> Last idea... perhaps you are experiencing the reason cipe and I guess
> stunnel were developed: http://sites.inka.de/~bigred/devel/tcp-tcp.html.
> Please see the Practical experience section.
>
>     The whole problem was the original incentive to start the CIPE
>     project, because I used a PPP over SSH solution for some time and
>     it proved to be fairly unusable. At that time it had to run over
>     an optical link which suffered frequent packet loss, sometimes
>     10-20% over an extended period of time. With plain TCP, this was
>     just bearable (because the link was not congested), but with the
>     stacked protocols, connections would get really slow and then
>     break very frequently.

I don't think this applies - I'm running SSH over PPP, not PPP over SSH.
The layers are like so:

TOP
TCP/IP
SSH
PPP
Phone

Here is what I see happening - and it sounds just exactly like some sort
of routing problem:

1. SYN Packet is sent from host1 to host2 over an SSH tunnel (which has
   a PPP link in the middle)
2. SYN Reply Packet is sent from host2 to host1 over unencrypted
   Internet links.

Also, the return SYN packet contains the internal IP of the ssh tunnel
in host1 (a 192.168.4.7 address apparently). Thus the private IP packet
quickly reaches a router willing to kill it or ignore it.

Why is host2 routing the packet away from the ssh tunnel?

Note, too, that neither of the endpoints of the ssh tunnel are the
endpoints of the PPP link - and that the LRP system is providing NAT for
the network behind it. Of course, using ssh across this link, the NAT is
not done.

However, I've had situations like this (with the same setup, but not
with a PPP link) that worked just fine. Of course, that was a Linux
host1 to a Linux host2 - these are FreeBSD hosts.
Re: [leaf-user] Misconfigured routing (?) and ssh tunnels
On Sat, 2002-05-18 at 00:40, David Douthitt wrote:
> I've the following configuration:
>
> [host1/ssh][Oxygen/Masq/PPP]--[ISPDialup/PPP][host2/ssh]
>
> The forwarding is from port 110 (POP3) or 143 (IMAP) to host2.
> Unfortunately, host2 now seems to think that the route to host1 is
> over the net instead of over the ssh tunnel. What did I do wrong? I
> thought it was working before.
>
> I should mention that both host1 and host2 are FreeBSD 4.5 hosts

I tunnel imap and smtp all the time except I use stunnel. Presumably you
are pointing your host1 mail client to localhost:110 or localhost:143 and
then ssh tunnelling those corresponding ports to
host2:some_other_port_for pop or imap? How are your ssh tunnels created?
Does telnet localhost 110 result in a response by the remote pop server?

Stephen