
[solved] Re: tunnel between two debian hosts not working

On Tue, 28 Jul 2009 18:07:33 +0100
Terry Browning <linux-focus@nihil.co.uk> wrote:

> Clayton wrote:
> > On Tue, 28 Jul 2009 10:42:31 +0300
> > Kosala Atapattu <kosala.atapattu@gmail.com> wrote:
> > 
> >> On Sat, Jul 25, 2009 at 5:40 PM, Clayton<ckoeni@gmail.com> wrote:
> >>> Hi openssh,
> >>>
> >>> I live in China and have a server in the US. I have been using an
> >>> SSH tunnel for web browsing to go around the censorship.
> >>>
> >>> I am able to successfully proxy through an ssh tunnel to a shell
> >>> account on a US-based hosting service where I have some websites.
> >>> However, my own server does not work. (Even odder, I swear it
> >>> worked the first day I tried it, then it stopped working without
> >>> any configuration change on either end. I challenged the provider
> >>> of my data center, and they said "we are not blocking you".)
> >>>
> >>> In the attached text file is a log of my initial connection, which
> >>> ends with
> >>>
> >>> "debug1: Entering interactive session."
> >>>
> >>> then an attempt to browse to a web site which fails with
> >>>
> >>> "channel 1: open failed: administratively prohibited: open failed"
> >>>
> >>> I repeat, the same ssh client works with another server, and even
> >>> this failing server worked the first day I tried it.
> >>>
> >>> Any clues to what may be going wrong?
> >> Are you trying to make the tunnel as root?
> > 
> > Yes, root on both ends.
> > 
> > I begin to wonder if there is something I need to turn on in the
> > firewall on the server end. (I have tried with firewall both on and
> > off....)
> What's your sshd_config on the server?
> Does it have "PermitRootLogin yes"?
> Root login is a security risk because most attackers only bother
> attacking root. Therefore many configs forbid root login.

My server sshd_config is attached, and "PermitRootLogin" is indeed
turned on. Logging in successfully has never been an issue. I believe
this is very close to the vanilla config Debian puts in at install time,
except for the top three lines.

> Could you log in as another account?

And there lies the solution. If I tunnel like this

ssh -vv -CND 1082 user@myserver.com (working now)

instead of like this

ssh -vv -CND 1082 root@myserver.com (was not working).

For some reason it is working when I go through an ordinary user
account, and does not work when I go through root, which is rather

If anyone has an explanation for why that might be, I would be very
interested to hear.

Thanks for the tip that worked!!

GatewayPorts       yes
PermitTunnel       yes
AllowTcpForwarding yes

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

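The thread never settles why root's -D channel was refused while an ordinary user's was accepted. The "administratively prohibited" text is sshd's reply when it declines to open a forwarded channel, so the two server-side inputs a practitioner audits first are the effective AllowTcpForwarding value for that account (sshd_config, including any Match block) and the per-key options in that account's authorized_keys (no-port-forwarding, or restrict without port-forwarding). The script below is an added example, not code from the thread or from OpenSSH: it parses both formats and reports the answer per account. POSTED_CONFIG is an excerpt of the sshd_config attached above; HYPOTHETICAL_CONFIG and SAMPLE_AUTHORIZED_KEYS are constructed to show how the same file could treat root differently, and the Match evaluation is an assumption limited to User and Group criteria.

```python
import fnmatch
import re
import shlex

# Excerpt of the sshd_config posted in the thread: the three custom lines
# plus PermitRootLogin. No Match block, so root and user get the same answer.
POSTED_CONFIG = """\
GatewayPorts       yes
PermitTunnel       yes
AllowTcpForwarding yes
PermitRootLogin yes
"""

# Constructed variant (not from the thread): a Match block singles out root.
HYPOTHETICAL_CONFIG = POSTED_CONFIG + """\
Match User root
    AllowTcpForwarding no
"""

# Constructed authorized_keys sample; the key material is a placeholder.
SAMPLE_AUTHORIZED_KEYS = """\
no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3PLACEHOLDER backup@nas
ssh-rsa AAAAB3PLACEHOLDER laptop@home
restrict,port-forwarding ssh-ed25519 AAAAC3PLACEHOLDER proxy@phone
"""

DEFAULTS = {"allowtcpforwarding": "yes", "permittunnel": "no", "gatewayports": "no"}  # sshd defaults
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
# Options field: run of unquoted non-space chars or quoted strings; tokens split on unquoted commas.
_OPTS_FIELD = re.compile(r'^((?:[^\s"]|"(?:[^"\\]|\\.)*")+)')
_OPT_TOKEN = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, block_settings), ...]); keywords lower-cased."""
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            tokens = shlex.split(value)
            criteria = {tokens[i].lower(): tokens[i + 1].split(",") for i in range(0, len(tokens) - 1, 2)}
            current = {}
            match_blocks.append((criteria, current))
        else:
            current.setdefault(keyword, value)  # sshd keeps the first value seen in a section
    return global_settings, match_blocks


def _block_matches(criteria, user, groups):
    """Match User/Group with sshd-style wildcards; other criteria count as no match (assumption)."""
    for key, patterns in criteria.items():
        subjects = [user] if key == "user" else list(groups) if key == "group" else []
        if not any(fnmatch.fnmatchcase(s, p) for s in subjects for p in patterns):
            return False
    return True


def effective_setting(config_text, keyword, user, groups=()):
    """Value sshd applies for `keyword` when `user` logs in: first matching
    Match block that sets it, else the global section, else the default."""
    global_settings, match_blocks = parse_sshd_config(config_text)
    keyword = keyword.lower()
    for criteria, settings in match_blocks:
        if keyword in settings and _block_matches(criteria, user, groups):
            return settings[keyword]
    return global_settings.get(keyword, DEFAULTS.get(keyword))


def key_options(line):
    """Options field of an authorized_keys line, split on unquoted commas."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(KEY_TYPES):
        return []
    field = _OPTS_FIELD.match(line)
    return _OPT_TOKEN.findall(field.group(1)) if field else []


def key_forbids_forwarding(line):
    """True if this key's options turn off TCP forwarding for sessions it authenticates."""
    names = {opt.split("=", 1)[0].lower() for opt in key_options(line)}
    if "restrict" in names and "port-forwarding" not in names:
        return True
    return "no-port-forwarding" in names


def audit_forwarding(config_text, user, authorized_keys_text="", groups=()):
    """Both checks for one account; restricted_keys holds the trailing field of each refusing key."""
    value = effective_setting(config_text, "AllowTcpForwarding", user, groups).lower()
    restricted = [line.split()[-1] for line in authorized_keys_text.splitlines()
                  if key_forbids_forwarding(line)]
    return {"allowtcpforwarding": value,
            "config_allows": value in ("yes", "all", "local"),
            "restricted_keys": restricted}


if __name__ == "__main__":
    print(audit_forwarding(HYPOTHETICAL_CONFIG, "root", SAMPLE_AUTHORIZED_KEYS))
```

Run against the posted excerpt, the audit says root and the ordinary user are treated alike, which is consistent with the poster's puzzle: the refusal has to come from something outside the global directives, such as a key option in root's authorized_keys or a Match block that is not in this file. On the server itself, `sshd -T -C user=root` prints the configuration sshd would actually apply to a root login and is the quickest cross-check of the parser's answer.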