Weblog entry #50 for Utumno
I've got two machines, 'utumno' and 'angband'. 'Utumno' is directly connected to a DSL modem and is visible from The Internets; 'angband' is not visible, but it is connected to Utumno via a crossover cable, so I can ssh to utumno and from there ssh to angband.
Utumno runs Debian Lenny and OpenSSH 5.1; Angband is an embedded device running DD-WRT and Dropbear 0.51.
I've set up authorized keys so I can simply type
utumno@ ssh angband
and that works every single time.
Now, I want to be able to directly connect to Angband from outside, so I thought I'd set up local port forwarding with SSH:
utumno@ ssh -g -L 8022:angband:22 angband
That logs me into angband and seems to forward utumno:8022 to (I hope?) angband:22:
utumno@ netstat -aenp | grep 8022
tcp 0 0 0.0.0.0:8022 0.0.0.0:* LISTEN 0 9518994 24063/ssh
I thought I'd now be able to log in directly to angband by
ssh -p 8022 utumno
but when I try
utumno@ ssh -vv -p 8022 localhost
OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 8022.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
and at the same time, in angband's console (the one I got logged into when I forwarded the ports with ssh -g -L 8022:angband:22 angband), the following appears:
channel 2: open failed: connect failed:
I've tried to Google for 'channel 2: open failed: connect failed:' and 'ssh_exchange_identification: Connection closed by remote host', but no joy...
Comments on this Entry
Comment by Utumno:
Hmm... Ok. I've done exactly the above except for replacing 'Angband' running DD-WRT and Dropbear 0.51 with a FreeBSD machine running OpenSSH 5.1 and everything works as expected.
So it seems like the poor Dropbear thing cannot handle port forwarding... Now what? iptables?
Comment by dkg:
ssh -oProxyCommand='ssh utumno nc angband 22' angband
(make sure you have netcat installed on utumno first).
This technique is often called a "jumphost", and you can make the ProxyCommand arbitrarily tricky (e.g. detect if you're on yer LAN, and if so, just netcat directly to angband instead of jumping through the ssh session). But the above is a reasonable start. Note that if you like this, you should probably put it in ~/.ssh/config so you can just type ssh angband.
PS: I would avoid naming a machine after yourself: if you are utumno and your machine is also utumno, it can cause confusion.
Comment by Utumno:
That's pure gold, thanks man. I had no idea about ProxyCommand.
My user at utumno is not utumno, it's 'leszek', and on angband I have to use 'root', which in turn is banned from remotely logging in to utumno. So I had to slightly change your command to account for that:
ssh -oProxyCommand='ssh leszek@utumno nc angband 22' root@angband
works :)
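As an added example (not from the thread), here is the ~/.ssh/config stanza dkg alludes to, written for the usernames Utumno ended up needing. It assumes the outside client can reach utumno by a public name, given here as the placeholder utumno.example.org, and that utumno resolves the name 'angband' and has nc installed.

```sshconfig
# ~/.ssh/config on the outside client (added example, not the thread's own text)

Host utumno
    # Placeholder for utumno's public DNS name or address.
    HostName utumno.example.org
    # Log in to the jump host as the unprivileged user; root is not allowed in remotely.
    User leszek

Host angband
    # Dropbear on the DD-WRT box only has a root account.
    User root
    # Tunnel the whole SSH session through utumno with netcat instead of -L port
    # forwarding; %h and %p expand to "angband" and 22 as resolved on utumno.
    # The end-to-end SSH connection is still to angband's host key, so utumno
    # only relays bytes and cannot read the session.
    ProxyCommand ssh utumno nc %h %p
```

After this, `ssh angband` from outside is enough, and `ssh utumno` picks up the leszek user automatically. OpenSSH 7.3 and later offer ProxyJump, which does the same without needing netcat on the jump host.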
-o ControlMaster=no -o ControlPath=/nothere
Does this change anything?