Date: Tue, 4 Jul 2000 22:31:21 -0600 (CST)
From: Ryan Thompson <ryan@sasknow.com>
To: freebsd-questions@freebsd.org
Subject: TCP/IP forwarding in SSH2 - testing?
Message-ID: <Pine.BSF.4.21.0007042201370.97889-100000@ren.sasknow.com>

Hey all...

I've recently begun implementing SSHv2 as a VPN solution with a few remote users (employees). I've installed ssh2 from ports under FreeBSD 3.4, and verified that logins (with password authentication) work fine from a variety of hosts. (Previously, I ran ssh 1.27).

Now, I have attempted to set up port forwarding from remote hosts. I think I may have set it up correctly, but I have no adequate way to verify that packets are actually being transmitted encrypted. In fact, from what I can tell, forwarded ports are being sent in the clear.

For example, for testing purposes, I have tried to forward telnet port 23. (Yes, I know forwarding telnet is redundant, but telnet keeps a session open long enough so that someone (me) running an interactive packet sniffer can do an adequate job of viewing traffic. Again, this is for testing purposes. My ultimate goal is to forward POP, IMAP, SMTP, etc).

On the client system (which happens to be a Windows 98 machine running SSH Secure Shell (from www.ssh.com)), I have configured an incoming port (listen on 12912 (unbound non-firewalled port), destination host: ssh/telnet server, destination port: 23)

When I attempt to telnet to the remote server on port 12912 WITHOUT first logging in with ssh, I receive the expected host not found message, as there is no service running on port 12912 of the remote system.

But, when I authenticate with the remote server over SSH, and forward the port as described above, I can now start a telnet session to the remote server on port 12912 (i.e., ``telnet remote.server.com 12912''), and everything appears to look like a normal telnet session.

When I run a packet sniffer on the remote server, though, I see that, indeed, a session on port 22 (ssh) has been created, and it has been encrypted up the wazoo. After starting the telnet session on port 12912, I also see sessions on the telnet port (23) and the selected port 12912 have been created.

In particular:

("client.host.com" is the address of the user running ssh client)
("remote.server.com" is the freebsd server running sshd and telnet server)

The following sessions will be created:

    client.host.com:<random source port> -> remote.server.com:22 (SSH)
    client.host.com:<random source port> -> remote.server.com:12912
    client.host.com:<random source port> -> remote.server.com:23

If I look at incoming packets on port 12912 or 23, everything appears as clear-text. Meaning, I can see login name, password, shell commands, everything, as the user types it. Perhaps this is the result of viewing things "inside the box" after SSH has its way with the data.

If I watch packets on port 22, NOTHING appears to come in when data is being transmitted on a forwarded port. (this is the part that REALLY worries me).

If I block port 23 on the system's firewall, attempted telnet sessions to port 12912 fail (host not found).

Therefore, I have two questions:

a) Have I done something wrong, here, wrt. forwarding ports?

b) Besides connecting another machine with a network analyser to the same ethernet segment that the server lives on, what is the recommended way to verify that forwarded ports are actually being encrypted in transit? I need to do this from the host with the ssh server and telnet daemon running.

Thanks!

- Ryan Thompson

--
Ryan Thompson <ryan@sasknow.com>
Systems Administrator, Accounts
Phone: +1 (306) 664-1161
SaskNow Technologies http://www.sasknow.com
#106-380 3120 8th St E Saskatoon, SK S7H 0W2
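
One possible host-side check for question (b), added here as an example and not part of the original message: type a unique canary string into the forwarded session, then classify the captured payload bytes per destination port. The record format, canary value, thresholds and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data) if data else 0.0

def classify_ports(records, canary: bytes, min_bytes: int = 1024):
    """records: iterable of (dst_port, payload_bytes). Returns {port: verdict}."""
    streams = defaultdict(bytes)
    for port, payload in records:
        # Concatenate per port so a canary split across packets is still found.
        streams[port] += payload
    verdicts = {}
    for port, data in sorted(streams.items()):
        if canary in data:
            verdicts[port] = "cleartext (canary visible)"
        elif len(data) < min_bytes:
            # Short samples cannot reach high entropy even when encrypted.
            verdicts[port] = "inconclusive (too little data)"
        elif printable_ratio(data) > 0.9:
            verdicts[port] = "cleartext-like"
        elif shannon_entropy(data) > 7.0:
            verdicts[port] = "ciphertext-like"
        else:
            verdicts[port] = "unknown"
    return verdicts

# Constructed sample data, not a real capture.
CANARY = b"CANARY-7f3a91"  # unique string typed into the forwarded session
# Stand-in for encrypted SSH payload: 4096 bytes of SHA-256 output.
FAKE_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE = [
    (22, FAKE_CIPHERTEXT[:2048]), (22, FAKE_CIPHERTEXT[2048:]),
    (23, b"login: testuser\r\n"), (23, b"$ echo " + CANARY + b"\r\n"),
    (12912, b"ls -l /var/mail\r\n" * 100),
    (110, b"+OK\r\n"),
]

if __name__ == "__main__":
    for port, verdict in classify_ports(SAMPLE, CANARY).items():
        print(f"dst port {port}: {verdict}")
```

The verdict says what the bytes looked like at the capture point only; a capture taken on the server also sees the local hop between sshd and the destination service.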