Gentoo Forums
SSH tunnels on-demand

ToeiRei
Posted: Mon Feb 18, 2013 12:26 pm    Post subject: SSH tunnels on-demand

Hi guys,

I'm facing a little problem with xinetd and ssh tunneling.

The idea is to use xinetd for firing up SSH tunnels to an open server as needed. For that, xinetd is installed:
Code:
[ebuild   R    ] sys-apps/xinetd-2.3.15  USE="tcpd -perl -rpc" 0 kB


A config file named tunnel-smtp:

Code:

service tunnel-smtp
{
# This is for quick on or off of the service
        disable         = no

# The next attributes are mandatory for all services
        id              = tunnel-smtp
        type            = UNLISTED
        port            = 2525
        wait            = no
        socket_type     = stream

        user            = root
        group           = root
        server          = /usr/bin/ssh
        server_args     = -q -T -i /root/.ssh/tunnel_key root@ssh.host.at.internet -L 2525:smtp.host.at.home:25

}



SSH auth is done via keys (tunnel_key) and restricted at the server side.

So far, the SSH tunnel executed via shell works, but xinetd doesn't bring it up:

Code:
2013-02-18T13:00:11.505961+01:00 freya xinetd[9106]: xinetd Version 2.3.15 started with libwrap loadavg options compiled in.
2013-02-18T13:00:11.505980+01:00 freya xinetd[9106]: Started working: 1 available service
2013-02-18T13:00:18.886659+01:00 freya xinetd[9106]: START: tunnel-smtp pid=9124 from=127.0.0.1
2013-02-18T13:00:18.887416+01:00 freya xinetd[9124]: FAIL: tunnel-smtp address from=127.0.0.1
2013-02-18T13:00:18.887698+01:00 freya xinetd[9106]: EXIT: tunnel-smtp status=0 pid=9124 duration=0(sec)


but there is nothing in the log at the server end to debug with

any clues?

Cheers
Rei
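To read the FAIL line in the log above, here is an added example (not from the thread) in POSIX shell with awk: it classifies xinetd's START/FAIL/EXIT events and names the access check that refused the connection. xinetd logs "FAIL: <service> <check>" when a connection fails one of its checks, and "address" is the only_from/no_access check, which the forked child runs before exec'ing the server; the three sample lines are a constructed copy of those in the post.

```shell
# Added example, not from the thread: classify xinetd log lines such as the
# three event lines in the post above. xinetd logs "FAIL: <service> <check>"
# when a connection fails one of its access checks; "address" names the
# only_from/no_access check, which the forked child runs before exec'ing
# the server, so ssh never started for that connection.

classify_xinetd_log() {
    # reads xinetd syslog lines on stdin, prints one verdict per event
    awk '
        /xinetd\[[0-9]+\]: START: / {
            sub(/.*START: /, ""); print "started  " $1 " " $2 " " $3
        }
        /xinetd\[[0-9]+\]: FAIL: / {
            sub(/.*FAIL: /, ""); svc = $1; check = $2
            why = "unknown check"
            if (check == "address") why = "refused by only_from/no_access"
            if (check == "libwrap") why = "refused by tcp_wrappers"
            if (check == "time")    why = "outside access_times"
            if (check ~ /limit/)    why = "instance/per_source limit hit"
            print "refused  " svc " (" check ": " why ")"
        }
        /xinetd\[[0-9]+\]: EXIT: / {
            sub(/.*EXIT: /, ""); print "exited   " $1 " " $2 " " $4
        }'
}

sample_log() {
    # constructed copy of the three event lines from the opening post
    cat <<'EOF'
2013-02-18T13:00:18.886659+01:00 freya xinetd[9106]: START: tunnel-smtp pid=9124 from=127.0.0.1
2013-02-18T13:00:18.887416+01:00 freya xinetd[9124]: FAIL: tunnel-smtp address from=127.0.0.1
2013-02-18T13:00:18.887698+01:00 freya xinetd[9106]: EXIT: tunnel-smtp status=0 pid=9124 duration=0(sec)
EOF
}

# Counts connections to service $1 that the address check refused; a count
# above zero with no login in the remote sshd log points at only_from.
refused_by_address() {
    sample_log | classify_xinetd_log | grep -c "refused  $1 (address" || true
}
```

Run it as `sample_log | classify_xinetd_log`; the "refused" verdict is the one to compare with the access settings in /etc/xinetd.conf and the service file.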

massimo
Posted: Mon Feb 18, 2013 10:06 pm

In your xinetd tunnel-smtp configuration you have xinetd listen on 2525/tcp, and in turn you want to build a tunnel using the same port, hence listening on the very same port 2525 - this will not work. Since you seem to have more access to the SMTP server you are trying to connect to, you could add the following in front of the corresponding line in authorized_keys:

Code:
command="nc localhost 25",no-agent-forwarding,no-pty,no-port-forwarding,no-X11-forwarding ssh-rsa...


Change tunnel-smtp's server_args to look like this:

Code:

server_args     = -q -T -i /root/.ssh/tunnel_key root@ssh.host.at.internet



HTH

ToeiRei
Posted: Mon Feb 18, 2013 10:17 pm

I don't need the same port on each end as I am planning to use a postfix relay-host from 2525 to 25...

massimo
Posted: Tue Feb 19, 2013 5:45 am

With
Code:
 port            = 2525

and
Code:
server_args     = -q -T -i /root/.ssh/tunnel_key root@ssh.host.at.internet -L 2525:smtp.host.at.home:25

you try to listen on 2525/tcp twice.

ToeiRei
Posted: Tue Feb 19, 2013 7:01 am

xinetd usually should hand things over to the ssh tunnel once the port is used - afaik.

massimo
Posted: Tue Feb 19, 2013 9:15 am

I think using STDIN/STDOUT still applies to xinetd.

ToeiRei
Posted: Thu Feb 28, 2013 7:03 am

any ideas yet?

truc
Posted: Thu Feb 28, 2013 9:35 am

ssh -N maybe?

massimo
Posted: Fri Mar 01, 2013 6:38 am

What's wrong with mine?

truc
Posted: Fri Mar 01, 2013 7:51 am

By the way, any reason you're not simply using iptables to DNAT and "forward" the packets for tcp/2525 to smtp.host.at.home:25?

ToeiRei
Posted: Fri Mar 01, 2013 8:12 am

@massimo: it doesn't work


@truc:
The situation again:

[Laptop] ====> |some firewalls| ===> [SSH Host] ===> [Mailserver]

The firewalls there are (1) the company firewall and (2) mine at home - both let ssh connections to the SSH

truc
Posted: Fri Mar 01, 2013 9:02 am

then thanks "again" ;)

But you don't show how it doesn't work (regarding massimo's and my suggestions). You provided some logs in your first post but none for the other suggestions; it's hard to build from there.

Also, as a side note, you're using the root account locally and remotely when non-privileged accounts would have been sufficient (2525 > 1024!).
Last edited by truc on Fri Mar 01, 2013 9:14 am; edited 1 time in total

ToeiRei
Posted: Fri Mar 01, 2013 9:09 am

The problem is that there are no usable logs from xinetd - same logs as in the opening post. All I can do is try with telnet on localhost:2525 and see if my SMTP server answers.

Update: No SSH login found in the ssh.host.at.internet syslog.

truc
Posted: Fri Mar 01, 2013 9:18 am

"No SSH Login found" 8O

What about adding some verbosity to the ssh command? We might see what's going on then.

ToeiRei
Posted: Fri Mar 01, 2013 9:30 am

I don't get any output or log from xinetd. And by 'no ssh login found' I mean that there is no entry about an incoming ssh connection at the server. So it looks like xinetd isn't firing up the tunnel correctly.

truc
Posted: Fri Mar 01, 2013 10:08 am

What about making the ssh connection from a script where you can redirect stderr and stdout to a file, and calling this script from xinetd?
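The wrapper suggested here, written as an added example (not code from the thread) around massimo's forced-command setup from earlier in the thread: xinetd execs this script instead of /usr/bin/ssh, ssh's stderr lands in a log file, -q is dropped and -v added so auth or connect failures show up there, and there is no -L because the remote authorized_keys command= does the "nc ... 25" part. The script path, the "tunnel" user, the key and log paths, and the REMOTE_HOST variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the wrapper truc suggests, built around
# massimo's setup (no -L; the forced command in authorized_keys runs
# "nc mailserver 25"). xinetd runs this script instead of /usr/bin/ssh:
#   server      = /usr/local/sbin/tunnel-smtp.sh   (assumed path)
#   server_args = serve
#   user        = tunnel                           (assumed unprivileged user)

TUNNEL_KEY="${TUNNEL_KEY:-/home/tunnel/.ssh/tunnel_key}"    # assumed key path
TUNNEL_HOST="${TUNNEL_HOST:-tunnel@ssh.host.at.internet}"   # assumed remote user
TUNNEL_LOG="${TUNNEL_LOG:-/var/log/tunnel-smtp.log}"        # assumed log path

# Builds the ssh command line. No -N: the forced command must run, and its
# stdio is what ends up connected to xinetd's client socket. -T: no pty;
# BatchMode: never prompt, fail instead, which then shows up in the log.
tunnel_cmd() {
    # $1 key file, $2 user@host, $3 extra flags such as -v
    printf '%s\n' "/usr/bin/ssh -T -o BatchMode=yes -o ConnectTimeout=10 $3 -i $1 $2"
}

log_line() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$1" >> "$TUNNEL_LOG"
}

run_tunnel() {
    # REMOTE_HOST is set by xinetd for the server it spawns (assumed here)
    log_line "start peer=${REMOTE_HOST:-unknown}"
    # stdin/stdout stay attached to the client; only stderr goes to the log
    exec $(tunnel_cmd "$TUNNEL_KEY" "$TUNNEL_HOST" "-v") 2>> "$TUNNEL_LOG"
}

# Only act as the xinetd server when invoked as "tunnel-smtp.sh serve";
# sourcing the file for tests defines the helpers and does nothing else.
if [ "${1:-}" = "serve" ]; then
    run_tunnel
fi
```

After a failed connect, the ssh -v output in the log file says whether the key was offered, rejected, or never reached the remote sshd at all.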

massimo
Posted: Fri Mar 01, 2013 11:32 am

Where does my suggested setup fail for you?

ToeiRei
Posted: Mon Mar 04, 2013 11:29 am

Next try as nothing worked for me:

from shell, this gives us a wonderful connect:
Code:
/usr/bin/ssh -q -T -i /root/.ssh/tunnel_key root@internet.host nc mailserver 25


(that's what you'd expect regarding your security hint, massimo)

xinetd config:
Code:
service tunnel-smtp
{
# This is for quick on or off of the service
        disable         = no

# The next attributes are mandatory for all services
        id              = tunnel-smtp
        type            = UNLISTED
        wait            = no
        socket_type     = stream
        protocol        = tcp

# External services must fill out the following
        user            = root
        server          = /usr/bin/ssh
        server_args     = -q -T -i /root/.ssh/tunnel_key root@internet.host nc mailserver 25

# External services not listed in /etc/services must fill out the next one
        port            = 2525
        bind            = 127.0.0.1
        groups          = yes
}


still no joy with that attempt