comp.security.ssh: SSH secure remote login and tunneling tools.
#1 |
Hi All,

I am running an application over telnet interface on port say 5566
So I generally connect telnet <hostname> 5566.

How to connect to the application via ssh (using ssh portforwarding.)

Thanks and Regards,
Jc

#2 |
Jc wrote:
> Hi All,
>
> I am running an application over telnet interface on port say 5566
> So I generally connect telnet <hostname> 5566.
>
> How to connect to the application via ssh (using ssh portforwarding.)
>
> Thanks and Regards,
> Jc
>

ssh -L 5566:localhost:5566 userid@remotehost
telnet localhost 5566

#3 |
Hi,

Thanks. It works.
But what happens is it directly logged into the remotehost which I don't want. I want the user to get only the info through the port 5566 (ssh).
Any way?

Thanks in advance,
Jc

Chuck wrote:
> Jc wrote:
> > Hi All,
> >
> > I am running an application over telnet interface on port say 5566
> > So I generally connect telnet <hostname> 5566.
> >
> > How to connect to the application via ssh (using ssh portforwarding.)
> >
> > Thanks and Regards,
> > Jc
> >
>
> ssh -L 5566:localhost:5566 userid@remotehost
> telnet localhost 5566

#4 |
On 9 Jan 2007 23:38:46 -0800
"Jc" <ramschitra@gmail.com> wrote:
> Hi,
> Thanks. It works.
> But what happens is it directly logged into the remotehost which I
> don't want. I want the user to get only the info through the port 5566
> (ssh).
> Any way?

It's a bit unclear what exactly you're looking for. If you want to set up a tunnel between two systems and allow other systems to use that tunnel to connect, then use the -g option while forwarding. If you instead want to use the remote host as a forwarder for the traffic into a network it can access, then use ssh -L 5566:THIRDHOST:5566 REMOTEHOST and then telnet localhost 5566 will work for you.

Doug

--
For UNIX, Linux and security articles
visit http://SecurityBulletins.com/

#5 |
Hi,

I don't want the user to log in to my host; instead I want the user to connect only to the specific port. But what happens is, if I execute the port forwarding command, the user was able to log in to my host.
How can it be avoided?

Thanks and Regards,
Jeyachitra.

Doug Spencer wrote:
> On 9 Jan 2007 23:38:46 -0800
> "Jc" <ramschitra@gmail.com> wrote:
>
> > Hi,
> > Thanks. It works.
> > But what happens is it directly logged into the remotehost which I
> > don't want. I want the user to get only the info through the port 5566
> > (ssh).
> > Any way?
>
> It's a bit unclear what exactly you're looking for. If you want to
> set up a tunnel between two systems and allow other systems to use
> that tunnel to connect, then use the -g option while forwarding. If you
> instead want to use the remote host as a forwarder for the traffic into
> a network it can access, then use ssh -L 5566:THIRDHOST:5566 REMOTEHOST
> and then telnet localhost 5566 will work for you.
>
> Doug
>
> --
> For UNIX, Linux and security articles
> visit http://SecurityBulletins.com/

#6 |
On 2007-01-18, Jc <ramschitra@gmail.com> wrote:
> I don't want the user to log in to my host; instead I want the user to
> connect only to the specific port. But what happens is, if I execute the
> port forwarding command, the user was able to log in to my host.
> How can it be avoided?

If you're using OpenSSH you can set the user's shell to, e.g., /bin/true. (You will probably have to add /bin/true to /etc/shells too.) The user will need to specify -N (or its equivalent in their client) to prevent the client from requesting a shell. This will work only with the SSHv2 protocol.

Another alternative is to make the user's shell a shell script that does something like "exec sleep 300". This will work with both versions of the ssh protocol but will leave a bunch of sleep processes running for a while.

As far as restricting the users to a specific port, older versions of OpenSSH could only do that if you were using pubkey authentication. Newer versions (>=4.4) have a PermitOpen directive for this purpose.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
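
The restrictions described in the last reply, written out as an sshd_config fragment. This is an added example, not part of the original thread; the account name tunneluser and the key material are placeholders, while remotehost and port 5566 are taken from the posts above.

```conf
# /etc/ssh/sshd_config on the host running the application (OpenSSH >= 4.4).
# "tunneluser" is a hypothetical account name used for this example.

# Before: no per-user restriction. Anyone who can authenticate gets a shell
# and may forward to any host:port the server can reach.
#   AllowTcpForwarding yes

# After: tunneluser may open a forward to localhost:5566 and nothing else.
Match User tunneluser
    # Only this destination is accepted for "ssh -L" requests. The match is
    # on the name the client asks for, so a request for 127.0.0.1:5566 is
    # refused unless it is listed here as well.
    PermitOpen localhost:5566
    # "local" also blocks -R forwards; it needs a later OpenSSH release.
    # On 4.4-era servers use "yes" here.
    AllowTcpForwarding local
    X11Forwarding no
    # Any shell or command request runs /bin/true and exits immediately.
    ForceCommand /bin/true

# Pubkey alternative for servers older than 4.4: restrict the key itself in
# ~tunneluser/.ssh/authorized_keys (one line; key material is a placeholder):
#   permitopen="localhost:5566",command="/bin/true",no-pty,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...PLACEHOLDER... tunneluser@client

# Client side: -N asks for no remote command, so only the tunnel is set up.
#   ssh -N -L 5566:localhost:5566 tunneluser@remotehost
#   telnet localhost 5566

# Check the file for syntax errors before reloading sshd:
#   sshd -t
```

Because the forward terminates on the server's loopback interface, the application on port 5566 can also be bound to localhost only, so that plain telnet from the network no longer reaches it.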