
Re: How to tunnel swagentd through ssh?

 
Armin Kunaschik
Esteemed Contributor

How to tunnel swagentd through ssh?

Hi guys,

I want to temporarily tunnel the swagentd port 2121 from my install server into our DMZ onto a single host.
I can't forward port 2121 since it is blocked by swagentd on the target machine and necessary for software installation.

So this is what I did:
1. set up the ssh tunnel
- ssh remote_host -R 2122:localhost:2121
- this creates a tunnel from remote_host:2121 to the ssh (admin) host's port 2121
2. configure /var/adm/sw/defaults
add the line: rpc_binding_info=ncacn_ip_tcp:[2122]

But I can't even get a simple swlist working.
The remote_host complains about missing permissions:
# swlist -l depot @ localhost
# Initializing...
ERROR: "localhost: ": You do not have permission for this operation.
The depot owner, system administrator, or alternate root owner
may need to use the "swreg" or "swacl" command to give you
permission. Or, to manage applications designed and packaged
for nonprivileged mode, see the "run_as_superuser" option in
the "sd" man page.

On the admin host I find in /var/adm/sw/swagentd.log the lines:
ERROR: Cannot authenticate local principal "root".
ERROR: Access denied to list socs on host. No user authenticated.

I'm not very familiar with swacl; I tried a few combinations without knowing exactly what I'm doing.
Has anybody run into this? Or any ideas how to set up the tunnel a different way?

Thanks,
Armin
And now for something completely different...
Tim Nelson
Honored Contributor

Re: How to tunnel swagentd through ssh?

Please post your "swacl -l host" and "swacl -l root" output.

By default the swacl permissions are wide open, so unless you changed them or ran Bastille they should be good to go for anyone to access (which BTW is a security issue).



Armin Kunaschik
Esteemed Contributor

Re: How to tunnel swagentd through ssh?

I changed the swacl back to the original after trying a few things.
Currently it looks like default:

# swacl -l host|grep -v ^#
any_other:-r--t

# swacl -l root|grep -v ^#
object_owner:crwit
any_other:-r---
And now for something completely different...
Tim Nelson
Honored Contributor

Re: How to tunnel swagentd through ssh?

Then the swacl permissions are not stopping you. There is some other reason, e.g. your ssh tunnel is fouling up the works.

Get things working without the tunnel first. Then at least it would not be the application configuration that is wasting your time.

Armin Kunaschik
Esteemed Contributor

Re: How to tunnel swagentd through ssh?

The tunnel is working! I have the same setup with a cvs running and it's working fine.
Every time I try the swlist on the admin server the error line appears. This proves to me that it's working, otherwise the error message looks different e.g. connection refused.
For testing I changed the swagentd port on the server too and tried the swlist with the same options from an internal host. It's working fine.

So from my point of view the problem is represented by the first error line: Cannot authenticate local principal "root".

Does anybody know how root is authenticated here?
Do I need some more connections/ports to tunnel? E.g. some RPC ports?
Is there a (real) description of the swagentd function? The man page and the online documentation are not really helpful in this case.

Armin
And now for something completely different...
Armin Kunaschik
Esteemed Contributor

Re: How to tunnel swagentd through ssh?

I tried another thing. I tunneled the swagentd port to an internal machine.
The results and error messages are the same.

So the questions stay the same: How is root authenticated? Can this be faked? Maybe by tunneling other ports?
And now for something completely different...
Tim Nelson
Honored Contributor

Re: How to tunnel swagentd through ssh?

My only other suggestion would be to run wireshark and capture the packets to see what swagentd is doing while authenticating when not running through a tunnel. This may lead you to something.

Otherwise you may just be the only one doing this and have to blaze your own trail. But please post your findings, it may help someone in the future.



Armin Kunaschik
Esteemed Contributor

Re: How to tunnel swagentd through ssh?

I found http://docs.hp.com/en/SD/fwcookbook.html . It also describes why it'll probably never be possible to tunnel swagentd through ssh... it's the part with dynamic DCE/RPC port assignment.
I'll try to get the mentioned ports through the firewall.
And now for something completely different...