Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: ssh X-forwarding and remote forwarding behind proxy
Special Forums Cybersecurity ssh X-forwarding and remote forwarding behind proxy Post 302250787 by vampirodolce on Friday 24th of October 2008 08:49:39 AM
Old 10-24-2008
ssh X-forwarding and remote forwarding behind proxy
Hi,
from my workplace we use a proxy to connect to the outside world, including external ssh servers.
The problem is that the server is seeing the connection coming from the proxy and knows nothing about the client behind it. The ssh connection itself works fine, but x-forwarding does not work as expected. In my opinion this is because the server is trying to use the display of the proxy and not the one of the client.
Same issue with remote port forwarding, when someone uses the remote port I think the ssh server forwards the request to the proxy and not to the real client.

I have found two workarounds to solve the x-forwarding issue:
-create a VPN between the client and the server, and do the x-forwarding inside the VPN (which is similar to a LAN)
-install a VNC server on the ssh server, a VNC client on the ssh client and do a local port forwarding, then connect to localhost:xxxx

I'm sure the VPN solution will fix the remote forwarding as well, but... is there a way to get around these issues without using other software, maybe some kind of environment variables to set in OpenSSH?
Thanks.
 

10 More Discussions You Might Find Interesting

1. OS X (Apple)

ssh forwarding to X11

Hi, I have issues with running graphical interfaces on my computer being remotely logged into a network via the -X option of ssh. My .cshrc shows DISPLAY=hostname:0 and I think there should be a different number instead of the 0. I changed the ssh_config file already to 'X11 forwarding yes', which... (0 Replies)
Discussion started by: ginese
0 Replies

2. UNIX for Advanced & Expert Users

Problem with OpenSSH Remote Port Forwarding with Bind_address

As in the ssh(1) man page: -R bind_address:]port:host:hostport .......By default, the listening socket on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address `*', indicates... (2 Replies)
Discussion started by: ahmad.zuhd
2 Replies

3. Shell Programming and Scripting

SSH Tunnel Forwarding with no shell

Hi Experts, I am trying to have the SSH tunnel Remote forwarding command in a shell script. I should be able to do 2 tasks, but unable to get that going. 1) I have 3 servers Server 1, Server 2, Server 3. I have my Database running on Server 1 and my script running on Server 2 which should... (0 Replies)
Discussion started by: Scriptingglitch
0 Replies

4. UNIX for Dummies Questions & Answers

SSH port forwarding/tunneling

So this seems like something that should be simple...but I can't quite seem to get it up and running. I have a machine, .107 with a GUI on port 8443. The problem is that I can't connect directly to .107 from my laptop. Now I have another machine, .69 that can connect to .107. So shouldn't I be able... (4 Replies)
Discussion started by: DeCoTwc
4 Replies

5. AIX

Forwarding AIX syslog/errorlog to remote SQL DB

Due to a project I'm currently tasked with I'm spending my time trying to find a way to forward the syslog to a remote, in this case Red Hat, server and squeezing it into a SQL DB. Rsyslog is doing this job quite nicely for most of our test-servers, but I couldn't find any reliable information on... (1 Reply)
Discussion started by: Skleindl
1 Replies

6. UNIX for Advanced & Expert Users

SSH X forwarding question

Hi, Local PC - Ubuntu 11.04 desktop Remote PC - Debian 6.0 desktop My problem is 2 desktops, remote and local, are displayed on the same workplace on local PC. It would be quite confusing. Is there any way to display each desktop on one workplace(on its own workplace) OR displaying both... (0 Replies)
Discussion started by: satimis
0 Replies

7. Cybersecurity

X forwarding vs Remote DISPLAY

Hello, I have a question about X forwarding. I was told that we can't X forwarding anymore, do to a security checklist. Example: bitlord@server1# ssh -X server2 So we have to use the DISPLAY variable now. I thought this was less secure? Example: bitlord@server1# xhost + server2 server1... (0 Replies)
Discussion started by: bitlord
0 Replies

8. IP Networking

Ftp over SSH port forwarding

Hi, I'm trying to connect ftp over ssh port forwarding to a sever(UnixC) behind FireWall(F/W). here's my env and question. UnixA(SSH Client) ----F/W ---- UnixB(SSH Svr) ---- UnixC (FTP, 21) UnixA wants to connect ftp service of UnixC via SSH port forwarding on UnixB. Unix A,... (3 Replies)
Discussion started by: hanyunq
3 Replies

9. Shell Programming and Scripting

SSH forwarding based on ports

Hi guys, I'm trying to set up an Ubuntu VPN server that will forward an ssh connection automatically as a proxy to two separate LAN hosts. What I'm looking at doing is making SSH listen on two ports (if that is possible) and get some kind of script, preferably something in bash, that will listen... (2 Replies)
Discussion started by: 3therk1ll
2 Replies

10. Shell Programming and Scripting

Ssh agent forwarding in script did not work

Sorry for the wrong question. (2 Replies)
Discussion started by: hce
2 Replies

LEARN ABOUT DEBIAN

connect-tunnel

CONNECT-TUNNEL(1p)					User Contributed Perl Documentation					CONNECT-TUNNEL(1p)

NAME

       connect-tunnel - Create CONNECT tunnels through HTTP proxies

SYNOPSIS

       connect-tunnel [ -Lv ] [ -A user:pass ] [ -P proxy:port ]
		      [ -C controlport ] [ -T port:host:hostport ]

DESCRIPTION

       connect-tunnel sets up tunneled connections to external hosts by redirecting connections to local ports towards thoses hosts/ports through
       a HTTP proxy.

       connect-tunnel makes use of the HTTP "CONNECT" method to ask the proxy to create a tunnel to an outside server. Be aware that some proxies
       are set up to deny outside tunnels (either to ports other than 443 or outside a specified set of outside hosts).

OPTIONS

       The program follows the usual GNU command line syntax, with long options starting with two dashes.

       -A, --proxy-authentication user:password
	   Proxy authentication information.

	   Please note that all the authentication schemes supported by "LWP::UserAgent" are supported (we use an "LWP::UserAgent" internally to
	   contact the proxy).

       -C, --control-port controlport
	   The port to which one can connect to issue control commands to connect-tunnel.

	   See "CONTROL CONNECTIONS" for more details about the available commands.

       -L, --local-only
	   Create the tunnels so that they will only listen on "localhost".  Thus, only connections originating from the machine that runs
	   connect-tunnel will be accepted.

	   That was the default behaviour in connect-tunnel version 0.02.

       -P, --proxy proxy[:port]
	   The proxy is required to connect the tunnels.  If no port is given, 8080 is used by default.

	   See also "ENVIRONMENT VARIABLES".

       -T, --tunnel port:host:hostport
	   Specifies that the given port on the local host is to be forwarded to the given host and hostport on the remote side. This works by
	   allocating a socket to listen to port on the local side, and whenever a connection is made to this port, connect-tunnel forwards it to
	   the proxy (with the credentials, if required), which in turn forwards it to the final destination.

	   Note that this does not imply the use of any cryptographic system (SSL or any other). This is a simple TCP redirection. The security if
	   any, is the one provided by the protocol used to connect to the destination through connect-tunnel.

	   On Unix systems, only root can forward privileged ports.

	   Note that you can setup tunnels to multiple destinations, by using the --tunnel option several times.

       -U, --user-agent string
	   Specify User-Agent value to send in HTTP requests.  The default is to send "connect-tunnel/version".

       -v, --verbose
	   Verbose output.

	   This option can be used several times for more verbose output.

EXAMPLES

       To connect to a SSH server running on "ssh.example.com", on port 443, through the proxy "proxy.company.com", running on port 8080, use the
       following command:

	   connect-tunnel -P proxy.company.com:8080 -T 22:ssh.example.com:443

       And now point your favorite ssh client to the machine running connect-tunnel.

       You can also emulate a "standard" user-agent:

	   connect-tunnel -U "Mozilla/4.03 [en] (X11; I; Linux 2.1.89 i586)"
			  -P proxy.company.com:8080 -T 22:ssh.example.com:443

       connect-tunnel can easily use your proxy credentials to connect outside:

	   connect-tunnel -U "Mozilla/4.03 [en] (X11; I; Linux 2.1.89 i586)"
			  -P proxy.company.com:8080 -T 22:ssh.example.com:443
			  -A book:s3kr3t

       But if you don't want anybody else to connect to your tunnels and through the proxy with your credentials, use the --local-only option:

	connect-tunnel -U "Mozilla/4.03 [en] (X11; I; Linux 2.1.89 i586)"
		       -P proxy.company.com:8080 -T 22:ssh.example.com:443
		       -A book:s3kr3t -L

       If you have several destinations, there is no need to run several instances of connect-tunnel:

	connect-tunnel -U "Mozilla/4.03 [en] (X11; I; Linux 2.1.89 i586)"
		       -P proxy.company.com:8080 -A book:s3kr3t -L
		       -T 22:ssh.example.com:443
		       -T 222:ssh2.example.com:443

       But naturally, you will need to correctly set up the ports in your clients.

       Mmm, such a long command line would perfectly fit in an alias or a .BAT file. ";-)"

ENVIRONMENT VARIABLES

       The environment variable "HTTP_PROXY" can be used to provide a proxy definition.

       The environment variable is overriden by the --proxy option, if passed to connect-tunnel.

AUTHOR

       Philippe "BooK" Bruhat, "<book@cpan.org>".

       I seem to have re-invented a well-known wheel with that script, but at least, I hope I have added a few interesting options to it.

SCRIPT HISTORY

       The first version of the script was a quick hack that let me go through a corporate proxy.

       Version 0.02 and version 0.03 were released on CPAN in 2003.

       Version 0.04 sits half-finished in a CVS repository at home: I couldn't decypher the spaghetti of my data structures any more. ":-("

       Version 0.05 (and higher) are based on "Net::Proxy", and included with the "Net::Proxy" distribution.

       Even though it's not rocket science, connect-tunnel has been cited in at least one academic works:

       o   HTTP Tunnels Through Proxies, Daniel Alman

	   Available at SANS InfoSec Reading Room: Covert Channels <http://www.sans.org/rr/whitepapers/covert/>

	   Direct link: <http://www.sans.org/rr/whitepapers/covert/1202.php>

COPYRIGHT

       Copyright 2003-2007, Philippe Bruhat. All rights reserved.

LICENSE

       This module is free software; you can redistribute it or modify it under the same terms as Perl itself.

perl v5.10.1							    2009-10-18							CONNECT-TUNNEL(1p)
All times are GMT -4. The time now is 03:26 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy