SSH port forwarding vs. communication security

Started by michalkubik, April 07, 2006, 05:03:36 AM

Previous topic - Next topic
Hi, i'm getting desperate

Situation description:
I have 2 computers, they are connected over the switch .

Computer A has:
ip 192.168.0.6 name hostA
there is running SSH server
server part of my TCP/Ip application, listening on port 36000

Computer B has:
ip 192.168.0.14 name hostB
there is running SSH client
client part of my TCP/IP application, sending data on port 36000

I create on host B SSH tunnel with port forwarding by command
ssh -L 34000:hostA:36000 hostB

Afterwards i connect from my client application on ip 127.0.0.1 and port 34000
Until here everything is OK.

Problem description :
I wanted to be sure that my datas are encrypted, so i installed on hostB network monitor, called Ethereal and i can see all my datas, i mean not encrypted as they are going from 192.168.0.14 to 192.168.0.6
Could it be possible that net monitor capture data before the "get into" tunnel and they are encrypted?
Or where else could be the problem?

I also tryed to run net monitor on 3rd computer, but all computers are connected to the switch, so i can not capture communication betwean hostA and host B.

Thanks for help,
Michal

Could you please tell me the exact commands you're typing (copy and paste them if that helps) so I can see where anything might be wrong ?

All of the commands... on each host.

I just did a test and I didn't have any problems (through a tunnel and otherwise). Mind you, I use tcpdump and pipe it through grep to search for things .. but shouldn't make a difference which sniffer you use.

But if you show me the commands and on which host those commands are in, maybe we can pinpoint the problem ...

Also, what version of (I assume openssh) are you using, etc. ?

(just so we can compare better this way)
"My Terminal is my Soul"

Hi, that all commands what i'm using. Should i do something more? (At the end is screen shot of ssh in debug mode)
1 more thing, i'm using Windows XP, if it's relevant.

1st computer
hostname: rastovpc
ip: 192.168.0.6
there is running SSh server
my server TCP application is listening on port 36000

2nd computer
hostname: johe
ip: 192.168.0.14
there is running SSh client
and my TCP client application


Commands:
1st i start SSh tunnel with port forwarding
ssh -L 34000:rastovpc:36000 johe

then i connect with my client application on
ip 127.0.0.1 port 34000

and connection works, but i still can see datas in net monitor.


I ran ssh in debug mode and saved it. Maybe it can be handy too:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

c:\Programme\OpenSSH\bin>ssh -c des -v -L 34000:rastovpc:36000 johe
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to johe [192.168.0.14] port 22.
debug1: Connection established.
debug1: identity file /home/mito/.ssh/identity type -1
debug1: identity file /home/mito/.ssh/id_rsa type 1
debug1: identity file /home/mito/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
No valid ciphers for protocol version 2 given, using defaults.
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'johe' is known and matches the RSA host key.
debug1: Found key in /home/mito/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

                           ****USAGE WARNING****

This is a private computer system....

debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mito/.ssh/identity
debug1: Offering public key: /home/mito/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
debug1: Trying private key: /home/mito/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
debug1: Next authentication method: password
mito@johe's password:
debug1: Authentication succeeded (password).
debug1: Connections to local port 34000 forwarded to remote address rastovpc:360
01
debug1: Local forwarding listening on 127.0.0.1 port 34000.
debug1: channel 0: new [port listener]
debug1: channel 1: new [client-session]
debug1: Entering interactive session.
Last login: Thu Apr  6 13:51:14 2006 from johe
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Dokumente und Einstellungen\mito>debug1: Connection to port 34000 forwarding
to rastovpc port 36000 requested.
debug1: channel 2: new [direct-tcpip]
debug1: channel 2: free: direct-tcpip: listening port 34000 for rastovpc port 36
001, connect from 127.0.0.1 port 4637, nchannels 3


A few things to note:

1. SSH protocol version 2 does not use DES (as you'll see in that output you posted). It does use defaults, but you might want to specify say, dsa for instance. (You shouldn't have to specify it at all though, after configuring the sshd - that is, the 'sshd_config' file)

2. I suspect you don't have a tunnel properly formed.

You have typed in:

ssh -L 34000:rastovpc:36000 johe

I'd try changing it to:

ssh -L 34000:rastovpc:36000 rastovpc

Try 'netstat -a' (on the command line) to see the difference..

Do these things solve the problem, or no ?
"My Terminal is my Soul"

April 09, 2006, 09:52:34 PM #4 Last Edit: April 09, 2006, 09:55:59 PM by Metgod
Btw...

http://www.openssh.com/faq.html#2.11

But then I'm not sure of any differences in Win versus *nix (except that I have to specify '-l <user>' in the tunnel command). Willing to try to solve the problem either way though ...

"My Terminal is my Soul"

it was probably mistake to start ssh with command
ssh -l 34000:rastovpc:36000 johe

right one should be as you said
ssh -l 34000:rastovpc:36000 rastovpc

but now i can not login on server. :-(

I put public key from client this way
1. on client wrote: ssh-keygen -t rsa1
2. i copyed identity.pub on server to directory $/home/.ssh
3. on server wrote copy /b authorized_keys identity.pub

i past you here some importatant files
--------------------------------
passwd
SYSTEM:*:18:544:,S-1-5-18::
Administratoren:*:544:544:,S-1-5-32-544::
ACTUser:unused_by_nt/2000/xp:1012:513:Application Center Test Account,U-JOHE\ACTUser,S-1-5-21-1214440339-2052111302-839522115-1012:/home/ACTUser:/bin/switch
Administrator:unused_by_nt/2000/xp:500:513:U-JOHE\Administrator,S-1-5-21-1214440339-2052111302-839522115-500:/home/Administrator:/bin/switch
ASPNET:unused_by_nt/2000/xp:1008:513:aspnet_wp account,U-JOHE\ASPNET,S-1-5-21-1214440339-2052111302-839522115-1008:/home/ASPNET:/bin/switch
Gast:unused_by_nt/2000/xp:501:513:U-JOHE\Gast,S-1-5-21-1214440339-2052111302-839522115-501:/home/Gast:/bin/switch
Hilfeassistent:unused_by_nt/2000/xp:1000:513:Hilfeassistentenkonto für den Remotedesktop,U-JOHE\Hilfeassistent,S-1-5-21-1214440339-2052111302-839522115-1000:/home/Hilfeassistent:/bin/switch
IUSR_NBMKUBIK:unused_by_nt/2000/xp:1006:513:Internetgastkonto,U-JOHE\IUSR_NBMKUBIK,S-1-5-21-1214440339-2052111302-839522115-1006:/home/IUSR_NBMKUBIK:/bin/switch
IWAM_NBMKUBIK:unused_by_nt/2000/xp:1007:513:IIS-Prozesskonto starten,U-JOHE\IWAM_NBMKUBIK,S-1-5-21-1214440339-2052111302-839522115-1007:/home/IWAM_NBMKUBIK:/bin/switch
mito:unused_by_nt/2000/xp:1022:513:mito,U-JOHE\mito,S-1-5-21-1214440339-2052111302-839522115-1022:/home/mito:/bin/switch
SQLDebugger:unused_by_nt/2000/xp:1013:513:SQLDebugger,U-JOHE\SQLDebugger,S-1-5-21-1214440339-2052111302-839522115-1013:/home/SQLDebugger:/bin/switch
SUPPORT_388945a0:unused_by_nt/2000/xp:1002:513:CN=Microsoft Corporation,L=Redmond,S=Washington,C=US,U-JOHE\SUPPORT_388945a0,S-1-5-21-1214440339-2052111302-839522115-1002:/home/SUPPORT_388945a0:/bin/switch
VUSR_NBMKUBIK:unused_by_nt/2000/xp:1005:513:VSA Server Account,U-JOHE\VUSR_NBMKUBIK,S-1-5-21-1214440339-2052111302-839522115-1005:/home/VUSR_NBMKUBIK:/bin/switch
VUSR_NBMKUBIK1:unused_by_nt/2000/xp:1011:513:VUSR_NBMKUBIK1,U-JOHE\VUSR_NBMKUBIK1,S-1-5-21-1214440339-2052111302-839522115-1011:/home/VUSR_NBMKUBIK1:/bin/switch
VUSR_NBMKUBIK2:unused_by_nt/2000/xp:1016:513:VSA Server Account,U-JOHE\VUSR_NBMKUBIK2,S-1-5-21-1214440339-2052111302-839522115-1016:/home/VUSR_NBMKUBIK2:/bin/switch
VUSR_POVAHA:unused_by_nt/2000/xp:1019:513:VSA Server Account,U-JOHE\VUSR_POVAHA,S-1-5-21-1214440339-2052111302-839522115-1019:/home/VUSR_POVAHA:/bin/switch
------------------------------------------------
ssh_config
# This is ssh client systemwide configuration file.  This file provides
# defaults for users, and the values can be changed in per-user configuration
# files or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication no
#   RhostsRSAAuthentication yes
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   FallBackToRsh no
#   UseRsh no
#   BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking yes
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_rsa
#   Port 22
#   Protocol 2,1
#   Cipher blowfish
#   EscapeChar ~
-----------------------------------------
debug messages from ssh

C:\Programme\OpenSSH\bin>ssh -v -L 34000:rastovpc:36000 rastovpc
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to rastovpc [192.168.0.6] port 22.
debug1: Connection established.
debug1: identity file /home/mito/.ssh/identity type 0
debug1: identity file /home/mito/.ssh/id_rsa type -1
debug1: identity file /home/mito/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'rastovpc' is known and matches the RSA host key.
debug1: Found key in /home/mito/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

                           ****USAGE WARNING****

This is a private computer system. This computer system, including all
related equipment, ...

debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mito/.ssh/id_rsa
debug1: Trying private key: /home/mito/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
debug1: Next authentication method: password
mito@rastovpc's password:
debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
Permission denied, please try again.
mito@rastovpc's password:
debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
Permission denied, please try again.
mito@rastovpc's password:

Well..

Firstly, I'd suggest DSA over RSA if you're going to be using keys as opposed to password only.

Anyway, not sure why you couldn't log in, except for an invalid key / client+server configuration.

I do know when I use a windows client to connect to my unix server (using keys) I have to specify an option in ssh-keygen (-X) to convert the client key to be acceptable by the server. But that's not the 'ssh' client that comes with OpenSSH.

Honestly though, since I block ssh at the gateway, I just use passwords for logging in .. which is the other option (but less secure) for you ..

Here is what I do when I generate a key for ssh though:

1. Generate a key on my _client machine_
2. Copy it over to the _server_, in to directory $HOME/.ssh/ (~ usually maps to $HOME so that would work too.. at least for *nix).

3. On the server, I type in (with the same username as the key is for):

ssh-keygen -X -f ~/.ssh/identity.pub >> authorized_keys2

where identity.pub is the public key I just generated on the client and authorized_keys2 is the new file for it.

4. Configure my client to use the key I generated by the client (not the server).

5. Connect and it should work...

Any of that useful ?



"My Terminal is my Soul"

Hi,

it's working :-)

I typed in
ssh -L 34000:rastovpc:36000 rastovpc

but on local computer i logged as a: mito
but on server i don't have account mito i should log as a user mkubik.

so the right command is:
ssh -L 34000:rastovpc:36000 mkubik@rastovpc

thanks for your time and patient with me :-)

Michal

That'd also explain the login error :)

No problem about the patience. Just glad to help!
"My Terminal is my Soul"

SMF spam blocked by CleanTalk