On Wed, 12 Jul 2000, Theo Van Dinter wrote:

> On Wed, Jul 12, 2000 at 10:05:56AM -0500, [EMAIL PROTECTED] wrote:
> > Theo, sorry for not replying sooner, I've been out sick for the
> > last couple of days ...
> 
> Hope you're feeling better.

Thanks, a little better now ...
> 
> > Can you please explain how you are able to connect via telnet
> > (port 23) from your linux box out through your firewall, including
> > all relevant switches?  It sounds like we have similar scenarios,
> > and I would like to give this a try.
> 
> Sure.  On the client-side, you just do "ssh remote -p 23", or in .ssh/config
> terms:
> 
> Host hostname.foo.net foo.net hostname
>         hostname hostname.foo.net
>         port 23
>         user bar
> 
> This assumes that you can go out from the client to port 23 on a remote box.
> You may wish to add in the "usepriviledgedport no" option (spelling dependent
> on the SSH you use...)  I don't need it on my setup, but YMMV.
> 
> On the server-side, it's a little trickier, depending on your situation --
> 
> 1) you can just do "sshd -p 23" if you're not running telnet, and that will
> put a standard SSH daemon on port 23.

I don't have the correct privileges on the remote (server) side.

> 
> 2) you use the "twist" feature of TCP wrappers to run telnet and ssh
> "simultaneously" (depending on who is connecting):

I definitely can't do this, unless the company that hosts my site
is willing to go through all this trouble for just me, which I kind of
doubt.

> 
> You have inetd.conf set up to run telnet as usual:
> 
> telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
> 
> and then in the TCP wrappers config (hosts.allow) you do something like:
> 
> in.telnetd : 192.168.112.0/255.255.255.0 : twist /usr/sbin/sshd -i
> in.telnetd : ALL
> 
> this makes TCP wrappers allow ALL for telnet, but for
> 192.168.112.0/255.255.255.0, it will "twist" the connection to "sshd -i" and
> run it instead of in.telnetd.
> 
> > but have been unsuccessful.  By the way, how do I tell which ports
> > of our firewall I can connect through?  Are there some commands
> > I can try that won't unnecessarily get the attention of our system
> > administrator?
> 
> Unless you have admin access to the firewall, you'd essentially have to
> portscan the outside box and see what you can get to.  The usual ones that
> are allowed through (either directly or through a proxy) include:
> 
> 23  - telnet
> 21  - FTP
> 80  - HTTP
> 443 - HTTPS
> 
> If you're not running daemons on all of those ports, you can always run "sshd
> -p #" as I have above in #1.  I also have some perl daemon scripts to let you
> SSH through HTTPS and telnet proxies to port 443 and 23 respectively.
> 
> > I have no control over what port sshd is running on on the remote
> > machine (machine C from my earlier post), but I do know that it is
> > running on the default SSH port of 22.
> 
> If you have no admin access on C, you're kind of hosed unless you can get
> an opening in the firewall.  You would have to get access to a machine
> D outside the firewall where you could SSH to using one of the above
> methods, and then SSH from D to C.

I think I am hosed, and will have to come up with a legitimate case
for having our sys. admin. "open" up or "listen" on port 22 of the
firewall. If I could only find a site related to chip design that requires
me to log in via ssh, I could go to my manager and make a business case,
otherwise I'm hosed.

Thanks,
Tom
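From the firewall administrator's side, the setup Theo describes (sshd listening on port 23 or 443) shows up as an SSH identification string on a port where telnet or HTTPS is expected. The following is an added example, not code from this thread, that parses the RFC 4253 banner from the first bytes a server sends and flags SSH on ports other than 22; the port-to-service table and the sample flows are constructed assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# RFC 4253 identification string: "SSH-protoversion-softwareversion [comments]"
SSH_BANNER = re.compile(rb"^SSH-(\d+\.\d+)-([^\s\r\n]+)")

# Assumption for this example: which service the site expects on each port.
EXPECTED_SERVICE: Dict[int, str] = {22: "ssh", 23: "telnet", 21: "ftp", 80: "http", 443: "https"}


def parse_ssh_banner(first_bytes: bytes) -> Optional[Tuple[str, str]]:
    """Return (protoversion, softwareversion) if the payload opens with an SSH banner."""
    m = SSH_BANNER.match(first_bytes)
    if not m:
        return None
    return m.group(1).decode("ascii"), m.group(2).decode("ascii", "replace")


def flag_ssh_on_other_ports(flows: List[Tuple[str, int, bytes]]) -> List[str]:
    """Each flow is (client, server_port, first_bytes_from_server).
    Returns one finding per SSH banner seen on a port where another service is expected."""
    findings = []
    for client, port, payload in flows:
        banner = parse_ssh_banner(payload)
        if banner is None:
            continue  # not SSH (telnet option negotiation, HTTP response, ...)
        expected = EXPECTED_SERVICE.get(port, "unknown")
        if expected != "ssh":
            findings.append(
                f"{client} port {port}: SSH-{banner[0]} ({banner[1]}) where {expected} expected"
            )
    return findings


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", 22, b"SSH-2.0-OpenSSH_2.1\r\n"),            # normal ssh
    ("10.0.0.5", 23, b"SSH-1.99-OpenSSH_2.1\r\n"),           # "sshd -p 23" as in the thread
    ("10.0.0.9", 23, b"\xff\xfd\x18\xff\xfd \xff\xfd#"),     # genuine telnet option negotiation
    ("10.0.0.7", 443, b"SSH-2.0-OpenSSH_2.1\r\n"),           # ssh behind an HTTPS port
    ("10.0.0.7", 80, b"HTTP/1.0 200 OK\r\n"),                # ordinary HTTP
]

if __name__ == "__main__":
    for finding in flag_ssh_on_other_ports(SAMPLE_FLOWS):
        print(finding)
```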

