SSH-port forwarding from mac/pc
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: SSH-port forwarding from mac/pc
- From: Karen A Swanberg <swanberg_(_at_)_tc_(_dot_)_umn_(_dot_)_edu>
- Date: Tue, 22 May 2001 09:42:48 -0500 (CDT)
(This was posted originally to a different forum, which is where the
quoted sections come from, and why I explain the openbsd-specific ftpd
flags)
I've been working on getting ssh port-forwarded ftp to my openbsd file
server, and am not having any luck. With the exact same setup I am able to
connect to my irix boxes, and a SunOS 5.6 machine elsewhere where I have
an account. And the problems are manifesting (with different symptoms of
course) on both macs (using MacSSH and Fetch, as outlined in
http://www.sas.upenn.edu/biology/computing/instructions/security/portforwarding)
and PC's (using ttssh.exe and ws_ftp_le, as outlined in
http://www.geo.umn.edu/computer/ssh_win.html).
So what am I doing incorrectly?
I'm running OpenBSD 2.8 on an intel box. I am aware of some of the
security concerns with doing ssh forwarding from macs and pc's, and will
set up ipf later to deal with some of them. Also, this box is running
Samba (2.0.8, upgrading soon), amanda (2.4.2p2) and netatalk (1.5pre6, CVS
updated). All running with tcp_wrapper support, and soon ipf.
I'm starting the default openbsd ftpd from rc.conf with this:
# Set to NO if ftpd is running out of inetd
ftpd_flags=-DPUd # for non-inetd use: "-D"
where -P should enable the PORTS stuff (more below) and U logs connections
to utmp, so they show up on 'who.' And -d is debugging messages.
>1) You'll want to set ipf or tcpd to allow connections to port 21 only
>from 127.0.0.1 or from your FTP server's IP. The ssh-forwarded
>connection will appear to come from the server itself.
Ok, hosts.allow has
ftpd: 127.0.0.1 and
ftpd: X.X.X.128/255.255.255.192
-which is my lab subnet, and only has about 15 machines on it. I'll
play with ipf later. This subnet also contains the server.
>2) Your FTP server must be set up to allow PORT commands back to clients
>that it hasn't previously seen a connection from. This is because you
>can't use passive FTP, because you're not port-forwarding the data ports.
>So the end result is that when you run Fetch on your Mac, it will tell the
>server to open ports back to the Mac's IP address (not the server's). The
>other end result is that your data transfers aren't encrypted (but your
>logins are).
How do I enable PORTS as you say? The man page for ftpd says that it should
be the -P flag, "Permit illegal port numbers or addresses for PORT command
initiated connects." More on this below, but it seems pretty clear that
this is where my problems lie.
I've set up MacSSH and Fetch (or ttssh and ws_ftp le) as the upenn page
says, except in fetch I use "Localhost" where the website says the client
name. But when I try to connect, fetch says "connecting" indefinitely, and
when I stop the attempt, I get this error on the mac client:
do_tcpid_eof, shutdown () failed, (errno = 9): Bad file descriptor
and on the server console I get this:
epidote sshd[30630]: Did not receive ident string from X.X.X.142.
(.142 is the file server)
My logs say this:
epidote sshd[1101]: Accepted password for swanberg from X.X.X.130 port
49160 ssh2 [this is my ssh tunnel connection]
epidote sshd[31116]: Did not receive ident string from X.X.X.142.
When I do it from a PC, this is what I get in my logs:
epidote sshd[3518]: Accepted password for swanberg from X.X.X.144
port 1021 (this is my ssh-tunnel connection)
epidote ftpd[32483]: <--- 220
epidote ftpd[32483]: epidote.geo.umn.edu FTP server (Version 6.5/OpenBSD)
ready.
epidote ftpd[32483]: command: USER swanberg
epidote ftpd[32483]: <--- 331
epidote ftpd[32483]: Password required for swanberg.
epidote ftpd[32483]: command: PASS ???
epidote ftpd[32483]: <--- 230-
epidote ftpd[32483]: OpenBSD 2.8 (compile) #0: Tue Mar 6 09:36:32 CST 2001
epidote ftpd[32483]: <--- 230-
[echos my MOTD]
epidote ftpd[32483]: User swanberg logged in.
epidote ftpd[32483]: command: CWD /home/swanberg
epidote ftpd[32483]: <--- 250
epidote ftpd[32483]: CWD command successful.
epidote ftpd[32483]: command: PWD
epidote ftpd[32483]: <--- 257
epidote ftpd[32483]: "/home/swanberg" is current directory.
epidote ftpd[32483]: command: PASV
epidote ftpd[32483]: <--- 227
epidote ftpd[32483]: Entering Passive Mode (X,X,X,142,164,86)
epidote ftpd[32483]: command: LIST
epidote ftpd[32483]: <--- 435
epidote ftpd[32483]: Can't build data connection: No such file or
directory.
epidote ftpd[32483]: command: QUIT
And the PC client says this:
LIST
435 Can't build directory data connection: no such file or directory.
! Retrieve of folder listing failed (4)
I've tried it both with Passive on and off, and still can't get in.
Now, should I be telling ftpd and the clients to use specific ports for the
data channel? I can do this on the Mac, I haven't checked on the windows
client.
The -h flag for ftpd says this: "The server will use data ports in the high
port range for passive connections. This range is defined by
the IPPORT_HIFIRSTAUTO and IPPORT_HILASTAUTO defines in
<netinet/in.h>. In OpenBSD they are set to 49152 and 65535
respectively."
Again, so I can set these manually, but is it necessary? I suppose it would be
useful for ipf, though.
>3) There's nothing to stop someone from leaving themselves logged in all
>day and thus acting as an open FTP server with a nice locally-encrypted
>channel to the real FTP server. Yes, MacSSH defaults to not allowing
>this, but you don't have control over your clients. And with FTP and only
>the control connection, this is perhaps less of an issue than with some
>other protocol (but it's nevertheless an issue).
As I said, this works fine when I try to connect to different unices, so it
seems pretty obvious that it's something set on my OpenBSD box.
If the default openbsd daemon won't allow this behavior, which ftpd do
people recommend? I've heard good things about ncFtpd, but others question
it because it's only available in binary, and some have used ProFTPD, but
say that it takes a lot of work to be acceptably secure.
Once I do get an ftpd up, setting tcpd and/or ipf to only accept ftp
connections from the server IP address or 127.0.0.1 should limit the ftpd
connections to the ssh-wrapped ones, right? Seems pretty obvious, I
just want to make absolutely sure.
* *
Karen Swanberg |
Network Admin. | GNUmusk, an
Dept. of Geology/Geophysics | opensource cologne
206 Pillsbury Hall |
310 Pillsbury Ave. SE | Old geeks never die
University of Mn | They just revert
Minneapolis, MN 55455 | to cleartext
(612) 624-6541 |
* *
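The mechanics the post wrestles with, as an added example that is not part of the original message and not OpenBSD's ftpd code: only port 21 is carried by the ssh forward, so the address and port a `227` PASV reply advertises are reached directly rather than through the tunnel, and a `PORT` command sent over the tunnel names the Mac's address while ftpd sees the control connection coming from the server itself. The addresses are constructed (192.0.2.x stands in for the post's X.X.X.*), and the PORT check is an assumption modelled on the -P man page wording ("illegal port numbers or addresses"), not a transcription of ftpd's source.

```python
import ipaddress
import re

# Constructed sample addresses standing in for the post's X.X.X.* hosts.
SERVER_IP = "192.0.2.142"           # the OpenBSD file server ("epidote")
CLIENT_IP = "192.0.2.130"           # the Mac/PC running the ssh client
HOSTS_ALLOW = ["127.0.0.1", "192.0.2.128/255.255.255.192"]  # the post's hosts.allow
FORWARDED_PORTS = {21}              # the ssh -L forward covers the control port only

IPPORT_RESERVED = 1024              # assumption: lowest "legal" port for PORT without -P
HIGH_PORT_RANGE = (49152, 65535)    # IPPORT_HIFIRSTAUTO..IPPORT_HILASTAUTO per the -h text

PASV_RE = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)


def _decode(groups):
    h1, h2, h3, h4, p1, p2 = (int(x) for x in groups)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_pasv_reply(reply):
    """(ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    return _decode(m.groups())


def parse_port_command(line):
    """(ip, port) from a client 'PORT h1,h2,h3,h4,p1,p2' command."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m.groups())


def pasv_goes_through_tunnel(reply, forwarded_ports=FORWARDED_PORTS):
    """True only if the advertised data port is one the ssh client forwards.
    With a forward of port 21 alone the client must open the data connection
    straight to the server's real address, outside the tunnel."""
    _ip, port = parse_pasv_reply(reply)
    return port in forwarded_ports


def in_high_port_range(port):
    """Would this data port be consistent with ftpd running with -h?"""
    return HIGH_PORT_RANGE[0] <= port <= HIGH_PORT_RANGE[1]


def port_command_allowed(control_peer_ip, port_line, permit_illegal=False):
    """Model of ftpd's PORT acceptance (assumption based on the -P man text):
    without -P the address must match the control connection's peer and the
    port must not be reserved; -P lifts both checks."""
    ip, port = parse_port_command(port_line)
    if permit_illegal:
        return True
    return ip == control_peer_ip and port >= IPPORT_RESERVED


def hosts_allow_matches(client_ip, rules=HOSTS_ALLOW):
    """tcp_wrappers-style match: a rule is 'a.b.c.d' or 'a.b.c.d/m.m.m.m'."""
    addr = ipaddress.IPv4Address(client_ip)
    for rule in rules:
        if "/" in rule:
            if addr in ipaddress.IPv4Network(rule, strict=False):
                return True
        elif addr == ipaddress.IPv4Address(rule):
            return True
    return False


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,0,2,142,164,86)"   # shape of the post's log line
    ip, port = parse_pasv_reply(reply)
    print("PASV endpoint %s:%d, via tunnel: %s, -h range: %s"
          % (ip, port, pasv_goes_through_tunnel(reply), in_high_port_range(port)))
    # Over the tunnel ftpd sees the control peer as the server itself (or 127.0.0.1),
    # while the client asks for a data connection back to its own address.
    port_cmd = "PORT 192,0,2,130,192,0"
    for peer in (SERVER_IP, "127.0.0.1"):
        print("control peer %s, PORT to client: without -P %s, with -P %s"
              % (peer, port_command_allowed(peer, port_cmd),
                 port_command_allowed(peer, port_cmd, permit_illegal=True)))
    for who in (SERVER_IP, "127.0.0.1", "192.0.2.50"):
        print("hosts.allow admits %s: %s" % (who, hosts_allow_matches(who)))
```

Run as a script it walks through the post's situation: the PASV port decodes to 42070 (below the -h range, so the default port allocation is in use), that port is not forwarded, and a tunnelled PORT command naming the Mac's address fails the default check but passes once -P is set; the hosts.allow rules admit the server's own address and 127.0.0.1 and reject a host outside the /26.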