ToeiRei Veteran
Joined: 03 Jan 2005 Posts: 1191 Location: Austria
Posted: Mon Feb 18, 2013 12:26 pm Post subject: SSH tunnels on-demand
Hi guys,
I'm facing a little problem with xinetd and SSH tunneling.
The idea is to use xinetd to fire up SSH tunnels to an open server as needed. For that, xinetd is installed:
Code:
[ebuild R ] sys-apps/xinetd-2.3.15 USE="tcpd -perl -rpc" 0 kB
A config file named tunnel-smtp:
Code:
service tunnel-smtp
{
    # This is for quick on or off of the service
    disable     = no
    # The next attributes are mandatory for all services
    id          = tunnel-smtp
    type        = UNLISTED
    port        = 2525
    wait        = no
    socket_type = stream
    user        = root
    group       = root
    server      = /usr/bin/ssh
    server_args = -q -T -i /root/.ssh/tunnel_key root@ssh.host.at.internet -L 2525:smtp.host.at.home:25
}
SSH auth is done via keys (tunnel_key) and restricted at the server side.
So far, the SSH tunnel executed via shell works, but xinetd doesn't bring it up:
Code:
2013-02-18T13:00:11.505961+01:00 freya xinetd[9106]: xinetd Version 2.3.15 started with libwrap loadavg options compiled in.
2013-02-18T13:00:11.505980+01:00 freya xinetd[9106]: Started working: 1 available service
2013-02-18T13:00:18.886659+01:00 freya xinetd[9106]: START: tunnel-smtp pid=9124 from=127.0.0.1
2013-02-18T13:00:18.887416+01:00 freya xinetd[9124]: FAIL: tunnel-smtp address from=127.0.0.1
2013-02-18T13:00:18.887698+01:00 freya xinetd[9106]: EXIT: tunnel-smtp status=0 pid=9124 duration=0(sec)
But there is nothing in the log at the server end to debug with.
Any clues?
Cheers,
Rei

Please stand by - The mailer daemon is busy burning your messages in hell...
massimo Veteran
Joined: 22 Jun 2003 Posts: 1226
Posted: Mon Feb 18, 2013 10:06 pm
In your xinetd tunnel-smtp configuration you have xinetd listen on 2525/tcp, and in turn you want to build a tunnel using the same port, hence listening on the very same port 2525 - this will not work. Since you seem to have more access to the SMTP server you try to connect to, you could add the following in front of the corresponding line in authorized_keys:
Code:
command="nc localhost 25",no-agent-forwarding,no-pty,no-port-forwarding,no-X11-forwarding ssh-rsa...
Change tunnel-smtp's server_args to look like this:
Code:
server_args = -q -T -i /root/.ssh/tunnel_key root@ssh.host.at.internet
HTH

Hello 911? How are you?
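The opening post's xinetd service and massimo's authorized_keys suggestion combined into one worked configuration. This is an added example, not from either poster. The host names are the thread's placeholders; the unprivileged user `tunnel`, its key path, the `only_from`/`bind` values and the `instances`/`per_source` limits are assumptions. Two things it relies on: with `socket_type = stream` and `wait = no`, xinetd attaches the accepted client socket to the server's stdin/stdout, so the client-side `ssh` needs no `-L` (there is already a listener on 2525, namely xinetd); and because the key on the SSH host carries a forced `command=`, whatever the client asks for is replaced by that `nc`, so the session's stdin/stdout, which are the SMTP client's socket, end up connected to port 25 of the mail server. One caveat for the log in the first post: xinetd writes `FAIL: <service> address` when its own address access control (`only_from`/`no_access`) rejects the client, before the server program is started, which fits the zero-second `EXIT` and the absence of any login on the SSH host; setting `only_from` explicitly avoids inheriting a stricter value from the `defaults` block of /etc/xinetd.conf.

```text
# --- On the SSH host (ssh.host.at.internet): ~tunnel/.ssh/authorized_keys ---
# The forced command replaces anything the client requests, so this key
# can only ever reach smtp.host.at.home:25; the other options turn off
# pty allocation, agent/X11 forwarding and client-requested port forwards.
# (nc on the SSH host is assumed to be installed.)
command="nc smtp.host.at.home 25",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-rsa AAAA... tunnel-key

# --- On the laptop: /etc/xinetd.d/tunnel-smtp ---
service tunnel-smtp
{
    disable      = no
    id           = tunnel-smtp
    type         = UNLISTED
    socket_type  = stream
    protocol     = tcp
    wait         = no
    port         = 2525
    # listen on loopback only, and say so explicitly instead of
    # inheriting only_from from the defaults block
    bind         = 127.0.0.1
    only_from    = 127.0.0.1
    # 2525 is unprivileged, so no root on either end
    user         = tunnel
    # cap parallel ssh sessions the service will spawn
    instances    = 10
    per_source   = 5
    server       = /usr/bin/ssh
    # no -L: the client socket is already on stdin/stdout, the forced
    # command on the SSH host does the rest; BatchMode turns a missing
    # known_hosts entry into a failure instead of a hung prompt
    server_args  = -q -T -o BatchMode=yes -i /home/tunnel/.ssh/tunnel_key tunnel@ssh.host.at.internet
}
```

Before wiring this into xinetd, run the `server_args` command once as the `tunnel` user from a shell, type `EHLO test` and expect the mail server's banner and reply; that proves the key, the forced command and the known_hosts entry, and leaves only xinetd's access control to check if the service still logs `FAIL ... address`.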
ToeiRei Veteran
Posted: Mon Feb 18, 2013 10:17 pm
I don't need the same port on each end, as I am planning to use a Postfix relayhost from 2525 to 25...
massimo Veteran
Posted: Tue Feb 19, 2013 5:45 am
With
and
Code:
server_args = -q -T -i /root/.ssh/tunnel_key root@ssh.host.at.internet -L 2525:smtp.host.at.home:25
you try to listen on 2525/tcp twice.
ToeiRei Veteran
Posted: Tue Feb 19, 2013 7:01 am
xinetd should usually hand things over to the SSH tunnel once the port is used - AFAIK.
massimo Veteran
Posted: Tue Feb 19, 2013 9:15 am
I think using STDIN/STDOUT still applies to xinetd.
ToeiRei Veteran
Posted: Thu Feb 28, 2013 7:03 am
Any ideas yet?
truc Advocate
Joined: 25 Jul 2005 Posts: 3199
massimo Veteran
Posted: Fri Mar 01, 2013 6:38 am
What's wrong with mine?
truc Advocate
Posted: Fri Mar 01, 2013 7:51 am
By the way, any reason you're not simply using iptables to DNAT and "forward" the packets arriving on tcp/2525 to smtp.host.at.home:25?

The End of the Internet!
ToeiRei Veteran
Posted: Fri Mar 01, 2013 8:12 am
@massimo: it doesn't work.
@truc:
The situation again:
[Laptop] ====> |some firewalls| ===> [SSH Host] ===> [Mailserver]
The firewalls there are (1) the company firewall and (2) mine at home - both let SSH connections to the SSH
truc Advocate
Posted: Fri Mar 01, 2013 9:02 am
Then thanks "again",
but you don't show how it doesn't work (about massimo's and my suggestions); you provided some logs in your first post but none for the other suggestions, so it's hard to build from there.
Also, as a side note, you're using the root account locally and remotely when non-privileged accounts would have been sufficient (2525 > 1024!).
Last edited by truc on Fri Mar 01, 2013 9:14 am; edited 1 time in total
ToeiRei Veteran
Posted: Fri Mar 01, 2013 9:09 am
The problem is that there are no usable logs from xinetd - the same logs as in the opening post. All I can do is try with telnet on localhost:2525 and see if my SMTP server answers.
Update: no SSH login found in the ssh.host.at.internet syslog.
truc Advocate
Posted: Fri Mar 01, 2013 9:18 am
"No SSH login found"
What about adding some verbosity to the ssh command? We might see what's going on then.
ToeiRei Veteran
Posted: Fri Mar 01, 2013 9:30 am
I don't get any output or log from xinetd. And with 'no SSH login found' I mean that there is no entry about an incoming SSH connection at the server. So it looks like xinetd isn't firing up the tunnel correctly.
truc Advocate
Posted: Fri Mar 01, 2013 10:08 am
What about making the SSH connection from a script where you can redirect stderr and stdout to a file, and calling this script with xinetd?
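truc's logging wrapper, worked out as an added example that is not code from the thread. It swaps the thread's remote `nc` for `ssh -W` (OpenSSH 5.4 or later): `-W` copies ssh's own stdin and stdout, which under xinetd are the accepted SMTP client socket, to smtp.host.at.home:25 over the SSH connection, so nothing on the laptop listens on 2525 a second time and no shell or `nc` is needed on the SSH host. The allowed destination is then pinned on the SSH host with `permitopen=` in authorized_keys (the key must not carry `no-port-forwarding`, which would block `-W`). The user `tunnel`, the key, log and script paths, the host names and the ssh option values are assumptions. Only stderr is redirected, so the client socket stays on stdin/stdout while ssh's authentication and host-key complaints land in a file instead of being lost or, under an inetd-style handoff, possibly written into the SMTP stream.

```shell
#!/bin/sh
# tunnel-smtp: xinetd wrapper for an on-demand SSH-relayed SMTP connection.
# Added example, not code from the thread. Assumed: user "tunnel" on both
# ends, the key at /home/tunnel/.ssh/tunnel_key, OpenSSH >= 5.4 (for -W),
# and on the SSH host an authorized_keys line along the lines of
#   no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="smtp.host.at.home:25",command="/bin/false" ssh-rsa AAAA...
# xinetd (socket_type = stream, wait = no) puts the accepted client socket
# on our stdin/stdout; ssh -W relays exactly those to TARGET, so there is
# no -L and no second listener on 2525.

KEY=${TUNNEL_KEY:-/home/tunnel/.ssh/tunnel_key}
JUMP=${TUNNEL_JUMP:-tunnel@ssh.host.at.internet}
TARGET=${TUNNEL_TARGET:-smtp.host.at.home:25}
LOG=${TUNNEL_LOG:-/var/log/tunnel-smtp.log}

# The ssh argument vector, one element per line, so it can be inspected
# (and tested) without opening a connection. BatchMode turns a missing
# known_hosts entry or a passphrase prompt into a hard failure instead of
# a hang; -W implies -N and -T, so no shell is requested on the SSH host.
ssh_argv() {
    printf '%s\n' \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o ConnectTimeout=10 \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -i "$KEY" \
        -W "$TARGET" \
        "$JUMP"
}

# One line per connection attempt; $$ survives the exec below, so the
# pid here matches the one xinetd prints in its START/EXIT lines.
log() {
    printf '%s tunnel-smtp[%s] %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$$" "$*" >>"$LOG"
}

serve() {
    log "connect via $JUMP to $TARGET"
    # None of the values above contain whitespace or glob characters
    # (assumption), so splitting the function output back into "$@" is
    # safe; set -f guards the glob half of that anyway.
    set -f
    set -- $(ssh_argv)
    # stdin/stdout stay attached to the client socket; only stderr goes
    # to the log, which is where ssh reports auth and host-key problems.
    exec /usr/bin/ssh "$@" 2>>"$LOG"
}

case "${1:-}" in
    --serve) serve ;;
    *)       ssh_argv ;;   # dry run: print the argv that --serve would exec
esac
```

Point xinetd at it with `server = /usr/local/sbin/tunnel-smtp` and `server_args = --serve` (and `user = tunnel`); run `/usr/local/sbin/tunnel-smtp --serve </dev/null` once as that user first so the SSH host's key is in ~tunnel/.ssh/known_hosts, because with BatchMode an unknown host key is fatal and the reason will only show up in the log file.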
massimo Veteran
Posted: Fri Mar 01, 2013 11:32 am
Where does my suggested setup fail for you?
ToeiRei Veteran
Posted: Mon Mar 04, 2013 11:29 am
Next try, as nothing worked for me:
From the shell, this gives us a wonderful connect:
Code:
/usr/bin/ssh -q -T -i /root/.ssh/tunnel_key root@internet.host nc mailserver 25
(that's what you'd expect regarding your security hint, massimo)
xinetd config:
Code:
service tunnel-smtp
{
    # This is for quick on or off of the service
    disable     = no
    # The next attributes are mandatory for all services
    id          = tunnel-smtp
    type        = UNLISTED
    wait        = no
    socket_type = stream
    protocol    = tcp
    # External services must fill out the following
    user        = root
    server      = /usr/bin/ssh
    server_args = -q -T -i /root/.ssh/tunnel_key root@internet.host nc mailserver 25
    # External services not listed in /etc/services must fill out the next one
    port        = 2525
    bind        = 127.0.0.1
    groups      = yes
}
Still no joy with that attempt.