SSH and ftp port forwarding, interesting situation....

Michael Brookes
Occasional Advisor

Hello all

Here's my setup

Compaq Tru64 UNIX V5.1A (Rev. 1885) box with SSH 3.2 Server and an FTP server on it.
&
Windows NT4 Sp6 with OpenSSH v3.5p1-3.

I need to use standard FTP but through a tunnel, so I set up a port forwarding rule on the Windows client like this:

> ssh -L 21:127.0.0.1:21 user@remotehost

I then log in with my user account details successfully (I assume this means the tunnel is successfully built).

I then open another DOS prompt and FTP using the following commands:

> ftp
> open 127.0.0.1
>
>

Again this appears to happen successfully, but when I enter the 'ls' command it gives the following error:

200 PORT command successful.
425 Can't build data connection: Connection refused.

This exact procedure worked last week but suddenly stopped working as of Monday morning.

I have read in other forums about setting up a passive FTP session, but when I enter the command 'passive' or 'pasv' at the DOS prompt I just get "invalid command".

Another question....

Using the procedure above, am I right in thinking that only the control connection (port 21) is being encrypted? If so, how would I go about tunneling both connections (control and data)?

Any ideas would be greatly appreciated

Regards

Michael Brookes
18 REPLIES
Nicolas Dumeige
Esteemed Contributor

Re: SSH and ftp port forwarding, interesting situation....

Does it work when you use a passive connection?
FTP> passive
All different, all Unix
Michael Brookes
Occasional Advisor

Re: SSH and ftp port forwarding, interesting situation....

Nicolas

Thanks for your reply, but as stated in my original message, the command 'passive', when issued at the FTP prompt, just returns the error message 'invalid command'.

Remember, I'm using a DOS client to connect to localhost, which has port 21 forwarded to port 21 of the SSH server.

Regards

Michael Brookes
Nicolas Dumeige
Esteemed Contributor

Re: SSH and ftp port forwarding, interesting situation....

Sorry, I'll clean my glasses :)

Have you considered using another FTP client that supports passive mode?

Is the connection denied by a firewall?
I suppose you see no connection on port 22 on the remote server.

Do you get more information with the debug|verbose option?

All different, all Unix
Paul Moore_3
Advisor
Solution

Re: SSH and ftp port forwarding, interesting situation....

Hi Michael,

There are two problems that I can see from your posting. The first is that the NT command line ftp client does not support passive FTP; see MS knowledge base article 283679 (http://support.microsoft.com/?id=283679). The second is that you are only setting up port forwarding for the control channel of the FTP session. If you want to secure both the control and data channels you are going to have to establish another ssh port forward, which is going to be tricky.

Is there some reason why you can't use sftp? It was created to solve the problem of FTP'ing over SSH.
Michael Brookes
Occasional Advisor

Re: SSH and ftp port forwarding, interesting situation....

Thanks for your replies,

sftp can't really be used, as a VB6 program is used to FTP, so I need the new secure method to be transparent to the user.

Only having the control connection encrypted is fine as the data is of no worth.
I have a new problem though...

I changed the sshd2_config file in /etc/ssh2 to: AllowedAuthentication publickey (before it was password)

It now says permission denied (publickey)

Can anyone tell me where exactly my SSH client needs to put its public key on the Unix server? I've tried in the knownhosts directory but to no avail.

Thanks again

Michael Brookes
Michael Brookes
Occasional Advisor

Re: SSH and ftp port forwarding, interesting situation....

Hello - me again!

Below is the dump of messages when connecting to the Tru64 unix box with ssh.
At the root of drive C there is a .ssh directory which has a knownhosts file in (the sshd public key) and my private/public key pair called id_dsa and id_dsa.pub respectively.

OpenSSH_3.7.1p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Connecting to remotehost port 22.
debug1: Connection established.
debug1: identity file /cygdrive/c/.ssh/identity type -1
debug1: identity file /cygdrive/c/.ssh/id_rsa type -1
debug1: identity file /cygdrive/c/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version 3.2.0 SSH Secure Shell Tru64 UNIX
debug1: no match: 3.2.0 SSH Secure Shell Tru64 UNIX
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host 'remotehost' is known and matches the DSA host key.
debug1: Found key in /cygdrive/c/.ssh/known_hosts:1
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /cygdrive/c/.ssh/identity
debug1: Trying private key: /cygdrive/c/.ssh/id_rsa
debug1: Offering public key: /cygdrive/c/.ssh/id_dsa
debug1: Authentications that can continue:
debug1: Next authentication method: publickey
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue:
debug1: Next authentication method: password
BROO0027@remotehost password:
debug1: Authentications that can continue:
Permission denied ().
debug1: Calling cleanup 0x41c120(0x0)

The password I'm entering is correct for my user account on the Unix box, but it says permission denied three times before exiting the process.
I created the key pair using OpenSSH on the client and used the -e argument with the ssh-keygen command to convert the keys to IETF SECSH format.

Again, any ideas would be greatly appreciated

Michael Brookes
Paul Moore_3
Advisor

Re: SSH and ftp port forwarding, interesting situation....

Hi Michael,

I'm not sure if you looked at the Tru64 SSH documentation, but if you haven't I recommend that you take a quick look at it. You can find a copy online here:

* http://h30097.www3.hp.com/docs/ssh

If you skip to section 3.6.2 in the Installation and Administration guide you will find instructions on configuring SSH public key authentication on Tru64. If you run into any problems feel free to post a follow-up and I'll do my best to help you out.

In regards to your last posting about not being able to use your password; you need to make sure that 'password' is still one of the 'AllowedAuthentications'. You might want to change your /etc/ssh2/sshd2_config file to have an entry similar to this:

* AllowedAuthentications publickey,password

Let us know if this doesn't work.
Nicolas Dumeige
Esteemed Contributor

Re: SSH and ftp port forwarding, interesting situation....

"The password I'm entering is correct for my user account on the unix box"

Is it the Unix password or the ssh passphrase that is asked for?

Have you set a passphrase?
All different, all Unix
Michael Brookes
Occasional Advisor

Re: SSH and ftp port forwarding, interesting situation....

Hello again

I have followed every step of section 3.6.2 in the SSH guide, but I am getting the same permission denied error. I think I know what the problem is though.

OpenSSH is creating the directory .ssh at the root of C:\ with the file known_hosts containing the fingerprint of the Unix SSH server's public key. However, my public key is in %HOME\.ssh2, along with the identification file. When I try to create the tunnel with -v, the messages look like OpenSSH is looking in the wrong directory (C:\.ssh). For example:

debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /cygdrive/c/.ssh/identity
debug1: Trying private key: /cygdrive/c/.ssh/id_rsa
debug1: Trying private key: /cygdrive/c/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).

Does anyone know how to make OpenSSH look into the %HOME\.ssh2 directory rather than the one it creates itself?

Many thanks in advance

Michael Brookes
Michael Brookes
Occasional Advisor

Re: SSH and ftp port forwarding, interesting situation....

Me again!

An update to my situation...

I have followed section 3.6.2 EXACTLY, so here's my setup:

Client: %HOME/.ssh2/identification file contains 'IdKey id_dsa'
%HOME/.ssh2/ contains id_dsa and id_dsa.pub

Server:
%HOME/.ssh2/authorization/authorization file contains 'Key id_dsa.pub'

When I connect to the ssh server this is the output:

C:\.ssh>ssh -v user@remotehost
OpenSSH_3.7.1p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Connecting to remotehost port 22.
debug1: Connection established.
debug1: identity file /cygdrive/c/.ssh/identity type -1
debug1: identity file /cygdrive/c/.ssh/id_rsa type -1
debug1: identity file /cygdrive/c/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version 3.2.0 SSH Secure Shell Tru64 UNIX
debug1: no match: 3.2.0 SSH Secure Shell Tru64 UNIX
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host 'ens046' is known and matches the DSA host key.
debug1: Found key in /cygdrive/c/.ssh/known_hosts:1
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /cygdrive/c/.ssh/identity
debug1: Trying private key: /cygdrive/c/.ssh/id_rsa
debug1: Offering public key: /cygdrive/c/.ssh/id_dsa
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
debug1: Calling cleanup 0x41c120(0x0)

What this output is telling me is that OpenSSH is looking in the wrong directory for the keys to offer. But when I copy my keys from my %HOME\.ssh2 folder to the C:\.ssh folder, the verbose output is still the same.

Does anyone know what is happening when it says 'Offering public key' and then authentication fails? My public key has been copied to the server in %HOME/.ssh2/

Thanks again

Michael Brookes

Paul Moore_3
Advisor

Re: SSH and ftp port forwarding, interesting situation....

Hi Michael,

To answer your first question: if you look at the OpenSSH documentation for 'ssh_config(5)', which you can find here, http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current, it explains the 'IdentityFile' option, which should allow you to specify your own location for the identity file.

In response to your second question, what format are your public keys? The SSH implementation on Tru64 cannot read OpenSSH format public keys; you need to convert them first. Follow these instructions:

1) Create a keypair using ssh-keygen

openssh# ssh-keygen -t [dsa|rsa]

2) Convert the OpenSSH public key format to the SSH.com public key format

openssh# ssh-keygen -e -f ~/.ssh/id_[dsa|rsa].pub > id_[dsa|rsa]_sshfmt.pub

3) Transfer the converted public key to ~/.ssh2 on the Tru64 machine

4) Tell the Tru64 machine about the new public key

tru64# echo "Key id_[dsa|rsa]_sshfmt.pub" >> ~/.ssh2/authorization

Let us know if this solves your problems.
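As an added example (not part of Paul's post or of the Tru64/OpenSSH tooling), here is the conversion from step 2 done in Python: it parses the OpenSSH one-line public key, reads the key type and size out of the wire-format blob, emits the IETF SECSH (RFC 4716) block that ssh-keygen -e produces, parses it back the way the server side does, and builds the 'Key ...' line for step 4. The sample key blob is constructed from toy-sized numbers and is not a real key.

```python
import base64
import struct
import textwrap


def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def key_type_and_bits(blob):
    """Parse the public key blob: ssh-dss = p,q,g,y (size = bits of p); ssh-rsa = e,n (bits of n)."""
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode("ascii")
    if ktype == "ssh-dss":
        p, _ = _read_string(blob, off)
        return ktype, int.from_bytes(p, "big").bit_length()
    if ktype == "ssh-rsa":
        _, off = _read_string(blob, off)  # skip the exponent e
        n, _ = _read_string(blob, off)
        return ktype, int.from_bytes(n, "big").bit_length()
    raise ValueError("unsupported key type: " + ktype)


def openssh_to_secsh(line, origin="converted by this script from OpenSSH"):
    """OpenSSH 'ssh-dss AAAA... comment' -> RFC 4716 (IETF SECSH) block, as ssh-keygen -e emits.
    The base64 body is the very same blob; only the framing around it changes."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    ktype, bits = key_type_and_bits(blob)
    if ktype != parts[0]:
        raise ValueError("blob type %s does not match prefix %s" % (ktype, parts[0]))
    name = "DSA" if ktype == "ssh-dss" else "RSA"
    body = "\n".join(textwrap.wrap(base64.b64encode(blob).decode("ascii"), 70))
    return ("---- BEGIN SSH2 PUBLIC KEY ----\n"
            + 'Comment: "%d-bit %s, %s"\n' % (bits, name, origin)
            + body + "\n"
            + "---- END SSH2 PUBLIC KEY ----\n")


def secsh_to_blob(text):
    """Reverse direction (what the SSH.com server does with the file named in
    ~/.ssh2/authorization): drop the ---- lines and 'Name: value' headers, then
    base64-decode the rest. Header continuation lines are not handled here."""
    body = [l.strip() for l in text.splitlines()
            if not l.startswith("----") and ":" not in l]
    return base64.b64decode("".join(body), validate=True)


def authorization_line(pub_filename):
    """The line step 4 appends to ~/.ssh2/authorization for this key."""
    return "Key %s\n" % pub_filename


# Constructed sample (toy-sized numbers, NOT a real key) so the example runs offline.
def _mpint(n):
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")  # adds a 0x00 byte when the high bit is set
    return struct.pack(">I", len(b)) + b


def _string(b):
    return struct.pack(">I", len(b)) + b


SAMPLE_BLOB = _string(b"ssh-dss") + _mpint((1 << 511) + 3) + _mpint(7) + _mpint(2) + _mpint(5)
SAMPLE_LINE = "ssh-dss " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " user@client"
```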
Michael Brookes
Occasional Advisor

Re: SSH and ftp port forwarding, interesting situation....

Thanks for the reply Paul

I tried exactly what you said but to no avail. The debug output from ssh when I try to connect is:

OpenSSH_3.7.1p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Connecting to remotehost port 22.
debug1: Connection established.
debug1: identity file /cygdrive/c/.ssh/identity type -1
debug1: identity file /cygdrive/c/.ssh/id_rsa type -1
debug1: identity file /cygdrive/c/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version 3.2.0 SSH Secure Shell Tru64 UNIX
debug1: no match: 3.2.0 SSH Secure Shell Tru64 UNIX
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host 'remoteuser' is known and matches the DSA host key.
debug1: Found key in /cygdrive/c/.ssh/known_hosts:1
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /cygdrive/c/.ssh/identity
debug1: Trying private key: /cygdrive/c/.ssh/id_rsa
debug1: Trying private key: /cygdrive/c/.ssh/id_dsa
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
debug1: Calling cleanup 0x41c120(0x0)

It looks like converting the public key works a treat, but I still get permission denied. I've transferred the new public key, the authorization file is in the .ssh2 directory of my user directory (should there be an authorization directory too?), and the identification file is in the .ssh dir of the client.

This is really quite frustrating, but I'm thinking it's a wider problem, because I've changed the sshd2_config to just password authentication and also get permission denied.

Is there anything else I could try before I have to get the super user to re-install, which is unlikely to happen!

Thanks again
Paul Moore_3
Advisor

Re: SSH and ftp port forwarding, interesting situation....

Hi Michael,

I understand your confusion, but hang in there, we'll get it working! Just for clarification, if you enable password authentication do you still get permission denied errors? Can you log in via other means such as telnet or rlogin?
Michael Brookes
Occasional Advisor

Re: SSH and ftp port forwarding, interesting situation....

Hi Paul, thanks again for your reply

I can log into the Unix box with telnet and ftp no problem. I have just installed SSH.com's SSH client, and here is my setup once and for all!

On the server side I have...
1 - /.ssh2 directory containing...
-> random_seed
-> id_dsa_pub_2048_a.pub (client pubkey)
-> a directory called authorization
with a file called authorization in it, containing the text "Key id_dsa_2048_a.pub"

On the client side I have...
1 - C:\WINNT\Profiles\username\Application Data\SSH directory containing the following files:
-> id_dsa_2048_a.pub
-> id_dsa_22048_a
-> identification
{containing "IdKey id_dsa_2048_a"}

When I connect to my host this is the output from ssh2...

debug: Ssh2: User config file not found, using defaults. (Looked for 'C:/WINNT/Profiles/broo0027/Application Data/SSH/ssh2_config')
debug: Connecting to remotehost, port 22... (SOCKS not used)
debug: SshProtoTransport: My version: SSH-1.99-4.0.4.13 SSH Secure Shell Windows Client
debug: client supports 4 auth methods: 'gssapi,publickey,keyboard-interactive,password'
debug: Ssh2Common: local ip = localip, local port = 4090
debug: Ssh2Common: remote ip = remoteip, remote port = 22
debug: SshProtoConnection: Wrapping...
debug: Remote version: SSH-2.0-3.2.0 SSH Secure Shell Tru64 UNIX
debug: Major: 3 Minor: 2 Revision: 0
debug: SshProtoTransport: Remote version has confused cert hash scheme (use config option Cert.RSA.Compat.HashScheme to change the hash, by default using md5 (works for most, but not all, cases).).
debug: SshProtoTransport: lang s to c: `', lang c to s: `'
debug: SshProtoTransport: c_to_s: cipher aes128-cbc, mac hmac-sha1, compression none
debug: SshProtoTransport: s_to_c: cipher aes128-cbc, mac hmac-sha1, compression none
debug: Ssh2Client: Keys match.
debug: Remote host key found from database.
debug: Ssh2Common: Received SSH_CROSS_STARTUP packet from connection protocol.
debug: Ssh2Common: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
debug: server offers auth methods 'publickey'.
debug: Ssh2AuthPubKeyClient: Starting pubkey auth...
debug: Ssh2AuthPubKeyClient: Agent is not running.
debug: Ssh2AuthPubKeyClient: Got 0 keys from the agent.
debug: SshUnixUserFiles: Using 'C:/WINNT/Profiles/broo0027/Application Data/SSH/identification' as identity file.
debug: Ssh2AuthPubKeyClient: adding keyfile "C:/WINNT/Profiles/broo0027/Application Data/SSH/id_dsa_2048_a" to candidates
debug: Ssh2AuthPubKeyClient: Trying 1 key candidates.
debug: server offers auth methods 'publickey'.
debug: Ssh2AuthPubKeyClient: All keys declined by server, disabling method.
debug: SshProtoAuthClient: Method 'publickey' disabled.
debug: server offers auth methods 'publickey'.
debug: Ssh2Common: DISCONNECT received: No further authentication methods available.
warning: Authentication failed.
Disconnected (local); no more authentication methods available (No further authentication methods available.).
debug: Ssh2Common: Destroying SshCommon object.
debug: SshProtoConnection: Destroying SshConn object.

It seems as though the server is being offered my public key but is declining it. Could this be a problem with the server trying to compare the client's public key on the client with the client's public key on the server, which it might not be finding?

Again any thoughts are most welcome.

Michael Brookes
Paul Moore_3
Advisor

Re: SSH and ftp port forwarding, interesting situation....

Hi Michael,

Yes, the server is rejecting your public key for some reason and since the only authentication method the server is configured to accept is 'publickey' it is denying you access. I think the problem is that the authorization file is in the wrong place.

On the server you should have an authorization file in the '${HOME}/.ssh2' directory, i.e. the file '${HOME}/.ssh2/authorization' should exist.

Hopefully this should take care of it.
Michael Brookes
Occasional Advisor

Re: SSH and ftp port forwarding, interesting situation....

Hello again Paul,

Thanks for your last reply, it fixed that problem and now I can set up my port forwarded FTP connection, but a problem has arisen (which I was encountering before my tunnel stopped working).

I set the tunnel up by issuing the following command..

> ssh2 -L 21:127.0.0.1:21 user@remotehost

This executes successfully.

Then I open a new command prompt and issue the following statements...

> ftp
> open 127.0.0.1
> username
> password

At this point I have logged in successfully, but then I issue the following command...

ftp> dir
200 PORT command successful.
425 Can't build data connection: Connection refused.

I have read in various places about how using a passive connection would resolve this, but the NT4 DOS client does not support the commands 'passive' or 'PASV'.

Any ideas would be gratefully appreciated

Michael Brookes
Paul Moore_3
Advisor

Re: SSH and ftp port forwarding, interesting situation....

Hi Michael,

I'm glad to see we are making progress. The reason the file listing is failing is because it uses the FTP data channel instead of the FTP control channel. Since the client is running in active mode, the server is trying to open a TCP session between its port 20 and the remote ip/port given to it by the client. I suspect what is happening on the Windows client is that, since it is connected to 127.0.0.1, it is telling the Tru64 server to start a data channel with 127.0.0.1/port, which of course won't work because there is no redirection happening on that ip/port.

You can try to issue your own PORT command in the FTP client but I am not sure how that will work.

Let us know.
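To make the explanation above (and the control-versus-data question from the original post) concrete, here is an added Python example that is not code from this thread: it decodes the PORT command and the 227 PASV reply from RFC 959 and predicts whether the data connection is refused, sent in the clear outside ssh, or tunneled when only port 21 is forwarded with "ssh -L 21:127.0.0.1:21". The local_forward_ports set and its same-port mapping to the server are assumptions for illustration; the messages in the usage block are constructed.

```python
import re

# RFC 959 wire format: both PORT and the 227 reply carry h1,h2,h3,h4,p1,p2,
# where the port is p1*256 + p2.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(groups):
    vals = [int(g) for g in groups]
    if not all(0 <= v <= 255 for v in vals):
        raise ValueError("octet out of range")
    return "%d.%d.%d.%d" % tuple(vals[:4]), vals[4] * 256 + vals[5]


def parse_port(cmd):
    """Active mode: the client's 'PORT h1,h2,h3,h4,p1,p2' -> (ip, port) the server will dial."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    return _decode(m.groups())


def parse_pasv(reply):
    """Passive mode: the server's '227 ... (h1,h2,h3,h4,p1,p2)' -> (ip, port) the client will dial."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    return _decode(m.groups())


def build_port(ip, port):
    """Encode the PORT command a client sends for its own listening socket."""
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def classify_data_connection(mode, message, local_forward_ports):
    """Predict the fate of the FTP data connection when only the control channel rides
    the tunnel (client dials 127.0.0.1:21, which ssh forwards to 127.0.0.1:21 on the server).
    local_forward_ports: the -L listener ports on the client; assumed here to map each
    port to the same port on the server. Returns (ip, port, verdict)."""
    if mode == "active":
        ip, port = parse_port(message)
        # The client's own address on the tunnel is loopback, so the server dials
        # 127.0.0.1:port on *itself*; nothing listens there -> "425 Can't build data connection".
        verdict = "refused" if ip.startswith("127.") else "direct-unencrypted"
    elif mode == "passive":
        ip, port = parse_pasv(message)
        if port in local_forward_ports:
            verdict = "tunneled"            # a second -L covers the advertised port
        elif ip.startswith("127."):
            verdict = "refused"             # server advertised its loopback; client dials its own
        else:
            verdict = "direct-unencrypted"  # data goes straight to the server, outside ssh
    else:
        raise ValueError("mode must be 'active' or 'passive'")
    return ip, port, verdict


if __name__ == "__main__":
    # Constructed messages mirroring the exchange described in this thread.
    print(classify_data_connection("active", build_port("127.0.0.1", 4101), {21}))
    print(classify_data_connection("passive", "227 Entering Passive Mode (10,1,2,3,195,89)", {21}))
```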
Michael Brookes
Occasional Advisor

Re: SSH and ftp port forwarding, interesting situation....

Hello again!

Many thanks to all who posted messages to this thread. My situation would have progressed much slower without your insightful replies. However, there is one last question which potentially could knock the nail in this thread's coffin. Here goes...

My tunnel is set up correctly, but I'm still getting data connection refused when using local port forwarding. I now understand what FTP is doing, which leads me to believe I need to use a passive connection so ssh on the client side can dynamically port forward the data channel to the ssh server (the FTP server resides on the same machine :)).

But DOS on NT4 SP6 does not support the passive command. When I type remotehelp in an FTP session I see the commands PORT and PASV are supported. What do I need to do in order to get a passive connection from NT4 to Tru64?

A side note: in the documentation for SSH there is an article describing how it can dynamically set up remote port forwarding on an active FTP session. How is this possible!?! I attach the document to this post.

The SSH version I'm using now is from SSH.com, but it is not an evaluation version; it's the non-commercial version of SSH Secure Shell for Workstations 3.2.

For the last time, I hope, I will be most grateful for any ideas or advice.

Thanks again

Michael Brookes