[solved] Re: tunnel between two debian hosts not working
- To: debian-isp@lists.debian.org
- Subject: [solved] Re: tunnel between two debian hosts not working
- From: Clayton <ckoeni@gmail.com>
- Date: Wed, 29 Jul 2009 14:39:31 +0800
- Message-id: <[🔎] 20090729143931.9b706467.ckoeni@gmail.com>
- In-reply-to: <4A6F3055.6040806@nihil.co.uk>
- References: <20090725224052.acd5d34c.ckoeni@gmail.com> <966e88ae0907280042g2a39bad6kd5ddc3b9138b74c8@mail.gmail.com> <20090728163451.0e2829fb.ckoeni@gmail.com> <4A6F3055.6040806@nihil.co.uk>
On Tue, 28 Jul 2009 18:07:33 +0100
Terry Browning <linux-focus@nihil.co.uk> wrote:
> Clayton wrote:
> > On Tue, 28 Jul 2009 10:42:31 +0300
> > Kosala Atapattu <kosala.atapattu@gmail.com> wrote:
> >
> >> On Sat, Jul 25, 2009 at 5:40 PM, Clayton<ckoeni@gmail.com> wrote:
> >>> Hi openssh,
> >>>
> >>> I live in China and have a server in the US. I have been using an
> >>> SSH tunnel for web browsing to go around the censorship.
> >>>
> >>> I am able to successfully proxy through an ssh tunnel to a shell
> >>> account on a US-based hosting service where I have some websites.
> >>> However, my own server does not work. (Even odder, I swear it
> >>> worked the first day I tried it, then it stopped working without
> >>> any configuration change on either end. I challenged the provider
> >>> of my data center, and they said "we are not blocking you".)
> >>>
> >>> In the attached text file is a log of my initial connection, which
> >>> ends with
> >>>
> >>> "debug1: Entering interactive session."
> >>>
> >>> then an attempt to browse to a web site which fails with
> >>>
> >>> "channel 1: open failed: administratively prohibited: open failed"
> >>>
> >>> I repeat, the same ssh client works with another server, and even
> >>> this failing server worked the first day I tried it.
> >>>
> >>> Any clues to what may be going wrong?
> >> Are you trying to make the tunnel as root?
> >
> > Yes, root on both ends.
> >
> > I begin to wonder if there is something I need to turn on in the
> > firewall on the server end. (I have tried with firewall both on and
> > off....)
>
> What's your sshd_config on the server?
> Does it have "PermitRootLogin yes"?
> Root login is a security risk because most attackers only bother
> attacking root. Therefore many configs forbid root login.
My server sshd_config is attached, and "PermitRootLogin" is indeed
turned on. Logging in successfully has never been an issue. I believe
this is very close to the vanilla config Debian puts in at install time,
except for the top three lines.
> Could you log in as another account?
And there lies the solution. If I tunnel like this
ssh -vv -CND 1082 user@myserver.com (working now)
instead of like this
ssh -vv -CND 1082 root@myserver.com (was not working).
For some reason it is working when I go through an ordinary user
account, and does not work when I go through root, which is rather
counter-intuitive.
If anyone has an explanation for why that might be, I would be very
interested to here.
Thanks for the tip that worked!!
Clayton
GatewayPorts yes
PermitTunnel yes
AllowTcpForwarding yes
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
Reply to: