  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1682

SSH Port Forwarding from Ubuntu 9.1 desktop to CentOS5 server

I remotely administer a CentOS5 server from a Windows XP desktop using Putty with a public/private key combo and Webmin on the server accessed by port forwarding.
I have just installed Ubuntu 9.10 on another desktop which I want to use for the same administration processes.
I have created a new public/private key combo using the Passwords and Encryption keys application and I can connect just fine and browse the server's filesystem and transfer files in both directions.
I have been trying, from the local shell, to get the port forwarding working so that I can access Webmin.
I tried sudo ssh -R 10000:localhost:10005 username@ipaddress but it hangs and times out saying it was trying to connect to port 22.
Also sudo ssh -i ~/.ssh/privatekeyfilename -R 10000:localhost:10005 username@ipaddress brings the same result
The real problem is that I don't really understand what I am doing!
Expert advice would be hugely appreciated.
0
chrismarshall1
Asked:
chrismarshall1
1 Solution
 
Hind987Commented:
hi

The default local port for SSH is 22. Allow the public port in our local firewall.
0
 
hemmiCommented:
I guess the remote webmin server runs on port 10000.
You must do
ssh -L 10005:localhost:10000 username@remote_ipaddress

After the successful login you'll be able to access webmin on the local machine by
http(s)://localhost:10005

The 10005 is a port of your choice. The local 10005 will be forwarded to the 10000 on the remote machine.
0
 
chrismarshall1Author Commented:
Hind987: I can already ssh and then sftp in both directions via port 22 so I guess it is open ok.

hemmi: I did what you recommended but it just hangs like before then times out with the message;
ssh: connect to host remote_ipaddress port 22: Connection timed out.
Do I need to add some kind of reference to my private key for that server?
Or should it be enough that I already have an ssh connection open when I enter that string in the Terminal local shell?
0
 
vancleefCommented:
0
 
chrismarshall1Author Commented:
vancleef: I checked out that page and it made things clearer (thank you) but I still haven't solved my problem. At least I'm getting more info from the verbose option;
debug1: Reading configuration data /etc/ssh/ssh_config
That's where the first problem is - it's reading /etc/ssh/ssh_config instead of ~/.ssh/ssh_config
All the settings are only correct in my own ssh_config file - not the global one.
How do I get it to read my local ssh_config file?
0
 
vancleefCommented:
First thought:

Check the permissions. It must be read/write for the user and not accessible by others.
0
 
vancleefCommented:
Second thought:

You can force it with a command line option  [-fconfig_file]
0
 
chrismarshall1Author Commented:
vancleef: Congratulations!
Permissions were ok but your second thought cracked it - although it's -F rather than -f (at least on my system).
Everything worked and I got full Webmin control - thank you.
I have only one concern now; the verbose info in the Terminal window included the following;

debug1: Authentication succeeded (publickey).
debug1: Local connections to LOCALHOST:10005 forwarded to remote address localhost:10000
debug1: Local forwarding listening on ::1 port 10005.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 10005.
debug1: channel 1: new [port listener]
debug1: Requesting tun unit 2147483647 in mode 1
debug1: sys_tun_open: failed to open tunnel control interface: Permission denied
Tunnel device open failed.
Could not request tunnel forwarding.
debug1: channel 2: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = C
Last login: Wed Dec 30 04:30:27 2009 from my_address
[root@remote_server_name ~]# debug1: Connection to port 10005 forwarding to localhost port 10000 requested.
debug1: channel 3: new [direct-tcpip]
debug1: channel 3: free: direct-tcpip: listening port 10005 for localhost port 10000, connect from 127.0.0.1 port 54500, nchannels 4
debug1: Connection to port 10005 forwarding to localhost port 10000 requested.
debug1: channel 3: new [direct-tcpip]
debug1: Connection to port 10005 forwarding to localhost port 10000 requested.
debug1: channel 4: new [direct-tcpip]
debug1: channel 3: free: direct-tcpip: listening port 10005 for localhost port 10000, connect from 127.0.0.1 port 54501, nchannels 5
debug1: Connection to port 10005 forwarding to localhost port 10000 requested.
debug1: channel 3: new [direct-tcpip]
debug1: Connection to port 10005 forwarding to localhost port 10000 requested.
debug1: channel 5: new [direct-tcpip]
debug1: channel 4: free: direct-tcpip: listening port 10005 for localhost port 10000, connect from 127.0.0.1 port 54502, nchannels 6
debug1: channel 3: free: direct-tcpip: listening port 10005 for localhost port 10000, connect from 127.0.0.1 port 54503, nchannels 5
debug1: channel 5: free: direct-tcpip: listening port 10005 for localhost port 10000, connect from 127.0.0.1 port 54504, nchannels 4
debug1: Connection to port 10005 forwarding to localhost port 10000 requested.
debug1: channel 3: new [direct-tcpip]
debug1: channel 3: free: direct-tcpip: listening port 10005 for localhost port 10000, connect from 127.0.0.1 port 54505, nchannels 4
exit

It looked to my inexperienced eye that the traffic was not tunnelled.
I was afraid that was insecure so I logged out again.
Am I right about that and should I award you the points now and open a new question about the tunnelling?
0
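An added example, not part of the original thread: a shell function (the name `summarize_ssh_debug` is hypothetical) that summarises `ssh -v` client output like the log in the post above, using a constructed, shortened copy of those lines. Each `direct-tcpip` channel is a forwarded connection carried inside the authenticated SSH session, the listeners show whether the forward is reachable only from loopback, and the `sys_tun_open` failure belongs to the separate tun-device feature that the client's `Tunnel` option requests.

```shell
#!/bin/sh
# Added example: summarise `ssh -v` client output. SAMPLE_LOG is constructed
# from lines quoted in the post above, shortened.
SAMPLE_LOG='debug1: Authentication succeeded (publickey).
debug1: Local connections to LOCALHOST:10005 forwarded to remote address localhost:10000
debug1: Local forwarding listening on ::1 port 10005.
debug1: Local forwarding listening on 127.0.0.1 port 10005.
debug1: Requesting tun unit 2147483647 in mode 1
debug1: sys_tun_open: failed to open tunnel control interface: Permission denied
Could not request tunnel forwarding.
debug1: channel 2: new [client-session]
debug1: Connection to port 10005 forwarding to localhost port 10000 requested.
debug1: channel 3: new [direct-tcpip]
debug1: Connection to port 10005 forwarding to localhost port 10000 requested.
debug1: channel 4: new [direct-tcpip]'

summarize_ssh_debug() {
    awk '
        /Authentication succeeded/ {
            auth = $NF; gsub(/[().]/, "", auth)     # "(publickey)." -> publickey
        }
        /Local forwarding listening on/ {
            # layout: debug1: Local forwarding listening on ADDR port PORT.
            addr = $(NF-2); port = $NF; sub(/\.$/, "", port)
            sep = (listen == "" ? "" : ",")
            listen = listen sep addr ":" port
            # a listener outside loopback lets other hosts use the forward
            if (addr != "127.0.0.1" && addr != "::1") exposed = 1
        }
        /new \[direct-tcpip\]/ { fwd++ }            # one per forwarded connection
        /sys_tun_open: failed/ || /Could not request tunnel forwarding/ {
            tun = "failed"                          # tun device, not port forwarding
        }
        END {
            printf "auth=%s\n", (auth != "" ? auth : "none")
            printf "listeners=%s\n", (listen != "" ? listen : "none")
            printf "non_loopback_listener=%s\n", (exposed ? "yes" : "no")
            printf "forwarded_connections=%d\n", fwd
            printf "tun_device=%s\n", (tun != "" ? tun : "not-requested")
        }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_ssh_debug
```
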
 
vancleefCommented:
http://www.badpenguin.co.uk/main/content/view/14/35/

To enable the tunnel device you need to add a setting to your sshd_config:    
PermitTunnel yes
If you don't do this you will get the error
"sys_tun_open: failed to open tunnel control interface: Permission denied".
0
 
chrismarshall1Author Commented:
vancleef: Well, this is weird!
Adding PermitTunnel yes to my ssh_config file produces the message 'Bad configuration option: PermitTunnel' and the connection attempt terminates.
I double-checked with the original global ssh_config file and the entry is definitely Tunnel (with no Permit).
That's what I had all along in my local ssh_config and it is uncommented followed by, on the next line, TunnelDevice any:any.
My laptop has OpenSSH 5.1(Debian-6Ubuntu2) but I don't know what version the server has.
Could there be some kind of mismatch?
0
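An added example, not part of the original thread: a shell lint (the names `lint_ssh_client_config` and `demo_config` are hypothetical) for an OpenSSH client config, covering the three problems raised in this discussion: file permissions, the server-side `PermitTunnel` keyword placed in a client file, and a client `Tunnel` setting that requests a tun device. The sample config is constructed and uses a documentation address; note that OpenSSH reads the per-user file `~/.ssh/config` by default, and any other file name has to be passed with `-F`.

```shell
#!/bin/sh
# Added example: lint an OpenSSH *client* config for the problems in this thread.
lint_ssh_client_config() {
    cfg=$1
    # ~/.ssh/config must not be writable by group or others.
    if [ -n "$(find "$cfg" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "PERMS: $cfg is writable by group/others"
    fi
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, kv, /[ \t=]+/)           # keywords are case-insensitive
            key = tolower(kv[1]); val = tolower(kv[2])
            if (key == "permittunnel")           # sshd_config keyword only
                print "SERVER-ONLY: line " NR ": PermitTunnel belongs in sshd_config"
            else if (key == "tunnel" && val != "no")
                print "TUN: line " NR ": Tunnel " val " requests a tun device on connect"
            else if (key == "localforward")
                print "FORWARD: line " NR ": local port " kv[2] " -> " kv[3]
        }' "$cfg"
}

# Constructed sample resembling the setup described in the thread
# (not the asker's real file; 192.0.2.10 is a documentation address).
demo_config() {
    cat <<'EOF'
Host webmin-server
    HostName 192.0.2.10
    User username
    IdentityFile ~/.ssh/privatekeyfilename
    LocalForward 10005 localhost:10000
    Tunnel yes
    TunnelDevice any:any
    PermitTunnel yes
EOF
}

tmp=$(mktemp) && demo_config > "$tmp" && chmod 600 "$tmp"
lint_ssh_client_config "$tmp"
rm -f "$tmp"
```
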
 
vancleefCommented:
This doesn't make sense to me.  Since you said the server is CentOS, try running an "rpm -q | grep ssh" on the server to find out what is there...
0
 
chrismarshall1Author Commented:
It didn't like rpm -q | grep ssh and complained it had no arguments for rpmq.
I used Webmin to find that it is running OpenSSH_4.3.
In the sshd_config file I found the entry
#PermitTunnel no
Does that mean we have not been using Tunnels even when connecting from Putty to this machine?
0
 
vancleefCommented:
The # is a comment flag.  With the # in place, that statement is ignored.

They often include sample entries that way... and normally the entry included is the actual default. So, based on that I would suspect that tunneling is currently turned off.

However, tunneling is for your redirects, not direct connections.  Direct connections would still be encrypted.

Tunneling only refers to redirects.  Your direct connections with Putty would still be encrypted.
0
 
chrismarshall1Author Commented:
vancleef: I am going to call a halt to this now and award you the points.
You have been extremely helpful and they are well-earned and my original problem is now solved and I have complete Webmin access.
I will experiment with turning tunneling on in the ssh_config file on the server.
If I have further problems with that I think it is a separate issue and I will open a separate question with new points to award.
Happy New Year.
0
 
vancleefCommented:
Good luck and happy new year to you also.
0
