FYI. I thought I'd share with you a problem I have found with RedHat 6.2
and 7.0 while using an SSH server with port forwarding. If anyone wants
to investigate and/or find a fix for this, I will be MORE than HAPPY to
help you, as I would much rather run RedHat 6.2, or ideally 7.0 (with the
latest security/bug fixes), than RH6.1. My laptop is not well supported
with 6.1, but very well with 6.2 and even better with 7.0.

I strongly suspect something is broken in RedHat 6.2 and 7.0 that
affects both ssh and openssh when trying port forwarding. I'm just not
deep enough to put my finger on it on my own, much less fix it.

I had been using RedHat 6.1 and an SSH server with port forwarding
successfully with ssh-1.2.27 (with port forwarding) without a glitch for
a long time now. Recently, I thought I'd give a try to the newer
versions of RedHat, 6.2 and 7.0. Although the driver base has broadened,
the features have multiplied and the apparent quality has increased with
version 6.2 of RedHat and even more with RedHat 7.0 (I still reserve
judgment for quality at this point...), I found a critical (critical to
me, that is) element that is broken. That is the ability to use port
forwarding with ssh-1.2.27 and an SSH server with port forwarding. Both
with RedHat 6.2 (with ssh-1.2.27) and RedHat 7.0 (with openssh), I can
successfully authenticate myself and then connect to the server, but I
CAN'T use the port forwarding to connect to the resources on the other
side of the server. An additional detail is that in all instances where
port forwarding did NOT work, it seemed like the application connecting
to the local port behaved as if the connection was immediately terminated
by the other end, yet with netstat -a (and from the verbose output of
ssh/openssh) I could see that the other end had not terminated at all
and was expecting more data...

I have attached a transcript of my ssh session, one of my telnet session
(through port forwarding), my /etc/ssh_config (the one for ssh-1.2.27),
and my ~/.ssh/config and ~/.ssh/ssh.pac files. I checked the log of the
machine I was trying to telnet to with this failed port forwarding
attempt and only a one-liner "peer died" message was present in the log.

So far I have confirmed this behavior of RH 6.1 vs 6.2 vs 7.0 on two
separate computers, always using the same ssh-1.2.27 rpm, config files
(different with openssh though...), and ssh invocation method. In all my
tests, everything that is supposed to work works (classic ssh session
with another host) in all three versions of RedHat, except for that port
forwarding feature of ssh when connected to the server, which ONLY works
with RedHat 6.1.

All the people I have talked to so far are speechless when queried about
what the cause of this could be. If you do try RedHat 6.2 or RedHat 7.0
and successfully authenticate, connect to such a server AND successfully
use the port forwarding, I'D LOVE TO TALK TO YOU to find out what you
did and how you did it.

I found some people for whom this worked and a lot more who experienced
the same problem. These latter people, as well as I, would greatly
appreciate it if somebody could kindly help us fix this.
Thanks,
--
Martin Turcotte <[EMAIL PROTECTED]>
Technical Consultant, RHCE, MCSE
Internet / Linux Solutions Group
SGI Professional Services
T.: (418) 660-1798
"Linux: What you've been missing while rebooting other operating
systems..."
# This is ssh client systemwide configuration file. This file provides
# defaults for users, and the values can be changed in per-user configuration
# files or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options
Host *
ForwardAgent yes
ForwardX11 yes
# RhostsAuthentication yes
# RhostsRSAAuthentication yes
RSAAuthentication yes
# TISAuthentication no
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
# BatchMode no
# StrictHostKeyChecking no
IdentityFile ~/.ssh/identity
# Port 22
Cipher 3des
# EscapeChar ~
Host sshgate.sgi.com
LocalForward 9143 169.238.226.2:143
LocalForward 9119 news.corp.sgi.com:119
LocalForward 9025 169.238.226.2:25
LocalForward 9389 ldap.corp.sgi.com:389
LocalForward 9023 169.238.226.120:23
LocalForward 9223 169.238.226.2:23
LocalForward 8080 www-proxy.corp.sgi.com:8080
ssh.pac
[mturcotte@pc-mturcotte mturcotte]$ ssh -v -l martint sshgate.sgi.com
SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 500 geteuid 0 anon 0
debug: Connecting to sshgate.sgi.com [192.82.208.210] port 22.
debug: Allocated local port 1023.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version 1.2.27
debug: Local version string SSH-1.5-OpenSSH_2.2.0p1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
Warning: Permanently added 'sshgate.sgi.com,192.82.208.210' (RSA) to the list of known hosts.
debug: Seeding random number generator
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Remote: Server does not permit empty password login.
debug: Doing password authentication.
[EMAIL PROTECTED]'s password:
debug: Requesting pty.
debug: Requesting shell.
debug: Entering interactive session.
******************************************
* Silicon Graphics SSH Gateway Service *
******************************************
Copyright (c) 2000 Silicon Graphics, Inc. All rights reserved.
Unauthorized access is prohibited. All connections are logged.
Usage of this service is subject to the terms of the usage agreement at
http://network.corp.sgi.com/RemoteAccess/sshgate/agreement.cgi (internal
SGI link.) If you do not agree to these terms, disconnect now.
[mturcotte@pc-mturcotte mturcotte]$ ssh -v -l martint sshgate.sgi.com
SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /home/mturcotte/.ssh/config
debug: Applying options for sshgate.sgi.com
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 500 geteuid 0 anon 0
debug: Connecting to sshgate.sgi.com [192.82.208.210] port 22.
debug: Allocated local port 1023.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version 1.2.27
debug: Local version string SSH-1.5-OpenSSH_2.2.0p1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'sshgate.sgi.com' is known and matches the RSA host key.
debug: Seeding random number generator
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Remote: Server does not permit empty password login.
debug: Doing password authentication.
[EMAIL PROTECTED]'s password:
debug: Requesting pty.
debug: Connections to local port 9143 forwarded to remote address 169.238.226.2:143
debug: Local forwarding listening on 127.0.0.1 port 9143.
debug: fd 4 setting O_NONBLOCK
debug: channel 0: new [port listener]
debug: Connections to local port 9119 forwarded to remote address news.corp.sgi.com:119
debug: Local forwarding listening on 127.0.0.1 port 9119.
debug: fd 5 setting O_NONBLOCK
debug: channel 1: new [port listener]
debug: Connections to local port 9025 forwarded to remote address 169.238.226.2:25
debug: Local forwarding listening on 127.0.0.1 port 9025.
debug: fd 6 setting O_NONBLOCK
debug: channel 2: new [port listener]
debug: Connections to local port 9389 forwarded to remote address ldap.corp.sgi.com:389
debug: Local forwarding listening on 127.0.0.1 port 9389.
debug: fd 7 setting O_NONBLOCK
debug: channel 3: new [port listener]
debug: Connections to local port 9023 forwarded to remote address 169.238.226.120:23
debug: Local forwarding listening on 127.0.0.1 port 9023.
debug: fd 8 setting O_NONBLOCK
debug: channel 4: new [port listener]
debug: Connections to local port 9223 forwarded to remote address 169.238.226.2:23
debug: Local forwarding listening on 127.0.0.1 port 9223.
debug: fd 9 setting O_NONBLOCK
debug: channel 5: new [port listener]
debug: Connections to local port 8080 forwarded to remote address www-proxy.corp.sgi.com:8080
debug: Local forwarding listening on 127.0.0.1 port 8080.
debug: fd 10 setting O_NONBLOCK
debug: channel 6: new [port listener]
debug: Requesting shell.
debug: Entering interactive session.
******************************************
* Silicon Graphics SSH Gateway Service *
******************************************
Copyright (c) 2000 Silicon Graphics, Inc. All rights reserved.
Unauthorized access is prohibited. All connections are logged.
Usage of this service is subject to the terms of the usage agreement at
http://network.corp.sgi.com/RemoteAccess/sshgate/agreement.cgi (internal
SGI link.) If you do not agree to these terms, disconnect now.
See http://network.corp.sgi.com/RemoteAccess/sshgate for instructions on
using port-forwarding clients or for more information about this service.
For support, contact [EMAIL PROTECTED] or call (650) 933-1717.
Close this window to terminate your session.
debug: Connection to port 9023 forwarding to 169.238.226.120 port 23 requested.
debug: fd 11 setting O_NONBLOCK
debug: channel 7: new [listen port 9023 for 169.238.226.120 port 23, connect from pc-mturcotte port 1109]
debug: channel_free: channel 7: status: The following connections are open:
Received disconnect: Command terminated on signal 2.
debug: Calling cleanup 0x8051480(0x0)
debug: Calling cleanup 0x80575d0(0x0)
debug: channel_free: channel 0: status: The following connections are open:
debug: channel_free: channel 1: status: The following connections are open:
debug: channel_free: channel 2: status: The following connections are open:
debug: channel_free: channel 3: status: The following connections are open:
debug: channel_free: channel 4: status: The following connections are open:
debug: channel_free: channel 5: status: The following connections are open:
debug: channel_free: channel 6: status: The following connections are open:
debug: Calling cleanup 0x805db10(0x0)
[mturcotte@pc-mturcotte mturcotte]$
[mturcotte@pc-mturcotte mturcotte]$ telnet 127.0.0.1 9023
Trying 127.0.0.1...
Connected to pc-mturcotte (127.0.0.1).
Escape character is '^]'.
Connection closed by foreign host.
[mturcotte@pc-mturcotte mturcotte]$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 pc-mturcotte:9023 pc-mturcotte:kpop TIME_WAIT
tcp 0 0 pc-mturcotte:webcache *:* LISTEN
tcp 0 0 pc-mturcotte:9223 *:* LISTEN
tcp 0 0 pc-mturcotte:9023 *:* LISTEN
tcp 0 0 pc-mturcotte:9389 *:* LISTEN
tcp 0 0 pc-mturcotte:9025 *:* LISTEN
tcp 0 0 pc-mturcotte:9119 *:* LISTEN
tcp 0 0 pc-mturcotte:9143 *:* LISTEN
tcp 0 0 10.10.10.3:1023 sshgatesgi.com:ssh ESTABLISHED
tcp 0 0 *:X *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
udp 0 112 10.10.10.3:1027 dns2.videotron.n:domain
udp 0 0 10.10.10.3:1027 dns2.videotron.n:domain
udp 0 0 10.10.10.3:1027 dns2.videotron.n:domain
raw 0 0 *:icmp *:* 7
raw 0 0 *:tcp *:* 7
[root@pc-mturcotte linux]# ipchains -L
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
[root@pc-mturcotte linux]#
11:07:39.010892 > 10.10.10.3.1023 > 192.82.208.210.ssh: P 2180637690:2180637806(116) ack 1868167619 win 32120 <nop,nop,timestamp 646599 1517710799> (DF) [tos 0x10]
11:07:39.107673 < 192.82.208.210.ssh > 10.10.10.3.1023: P 1:21(20) ack 116 win 32120 <nop,nop,timestamp 1517722046 646599> (DF) [tos 0x10]
11:07:39.124187 > 10.10.10.3.1023 > 192.82.208.210.ssh: . 116:116(0) ack 21 win 32120 <nop,nop,timestamp 646611 1517722046> (DF) [tos 0x10]
11:07:44.102127 < arp who-has 10.10.10.3 tell 10.10.10.1
11:07:44.102152 > arp reply 10.10.10.3 (0:50:da:eb:78:7c) is-at 0:50:da:eb:78:7c (0:60:8c:35:f1:e1)
11:07:39.010009 > 127.0.0.1.1040 > 127.0.0.1.9021: S 2313193576:2313193576(0) win 31072 <mss 3884,sackOK,timestamp 646599 0,nop,wscale 0> (DF)
11:07:39.010009 < 127.0.0.1.1040 > 127.0.0.1.9021: S 2313193576:2313193576(0) win 31072 <mss 3884,sackOK,timestamp 646599 0,nop,wscale 0> (DF)
11:07:39.010053 > 127.0.0.1.9021 > 127.0.0.1.1040: S 2299749030:2299749030(0) ack 2313193577 win 31072 <mss 3884,sackOK,timestamp 646599 646599,nop,wscale 0> (DF)
11:07:39.010053 < 127.0.0.1.9021 > 127.0.0.1.1040: S 2299749030:2299749030(0) ack 2313193577 win 31072 <mss 3884,sackOK,timestamp 646599 646599,nop,wscale 0> (DF)
11:07:39.010074 > 127.0.0.1.1040 > 127.0.0.1.9021: . 1:1(0) ack 1 win 31072 <nop,nop,timestamp 646599 646599> (DF)
11:07:39.010074 < 127.0.0.1.1040 > 127.0.0.1.9021: . 1:1(0) ack 1 win 31072 <nop,nop,timestamp 646599 646599> (DF)
11:07:39.107936 > 127.0.0.1.9021 > 127.0.0.1.1040: F 1:1(0) ack 1 win 31072 <nop,nop,timestamp 646609 646599> (DF)
11:07:39.107936 < 127.0.0.1.9021 > 127.0.0.1.1040: F 1:1(0) ack 1 win 31072 <nop,nop,timestamp 646609 646599> (DF)
11:07:39.107958 > 127.0.0.1.1040 > 127.0.0.1.9021: . 1:1(0) ack 2 win 31072 <nop,nop,timestamp 646609 646609> (DF)
11:07:39.107958 < 127.0.0.1.1040 > 127.0.0.1.9021: . 1:1(0) ack 2 win 31072 <nop,nop,timestamp 646609 646609> (DF)
11:07:39.109726 > 127.0.0.1.1040 > 127.0.0.1.9021: F 1:1(0) ack 2 win 31072 <nop,nop,timestamp 646609 646609> (DF)
11:07:39.109726 < 127.0.0.1.1040 > 127.0.0.1.9021: F 1:1(0) ack 2 win 31072 <nop,nop,timestamp 646609 646609> (DF)
11:07:39.109763 > 127.0.0.1.9021 > 127.0.0.1.1040: . 2:2(0) ack 2 win 31072 <nop,nop,timestamp 646609 646609> (DF)
11:07:39.109763 < 127.0.0.1.9021 > 127.0.0.1.1040: . 2:2(0) ack 2 win 31072 <nop,nop,timestamp 646609 646609> (DF)