Chad Perrin: SOB

15 November 2008

sshd_config: GatewayPorts for error-free proxy

Filed under: Geek,Security — apotheon @ 01:27

Note to self:

When using SSH as a secure proxy for Web browsing and IMs (ssh -D, which gives you a local SOCKS listener whose connections all leave from the remote box), to protect myself from eavesdroppers on public wireless networks, make sure the sshd_config file on the system you're using as the remote proxy actually permits TCP forwarding. The two options in question:

AllowTcpForwarding yes
GatewayPorts       yes

AllowTcpForwarding is the one that matters for a SOCKS proxy. It should be "yes" by default (as is the case with FreeBSD), anyway; every connection the browser makes becomes a "direct-tcpip" channel request from the ssh client, and sshd honors that request only if AllowTcpForwarding permits it and no PermitOpen line excludes the destination. GatewayPorts, on the other hand, is "no" by default and has no bearing on a -D or -L forward at all: it only decides whether remote forwards (ssh -R) bind to the server's non-loopback addresses, so setting it to "yes" won't change what the proxy does, and it does expose any remote forward you later set up to everyone who can reach the server. Note also that sshd of this vintage sends the same "administratively prohibited" reason for any direct-tcpip open it could not complete, a hostname it could not resolve or a connection it could not start included, so a handful of these for particular hosts is not necessarily a policy problem (newer releases report those cases as "connect failed" instead). When some requests are refused, you'll probably still be able to do (almost?) all your Web browsing and IMing through the proxy, but you'll get error messages in the terminal emulator window you're using for the SSH connection that look something like this:

channel 6: open failed: administratively prohibited: open failed
channel 8: open failed: administratively prohibited: open failed
channel 14: open failed: administratively prohibited: open failed
channel 15: open failed: administratively prohibited: open failed
channel 21: open failed: administratively prohibited: open failed
channel 21: open failed: administratively prohibited: open failed
channel 12: open failed: administratively prohibited: open failed
channel 31: open failed: administratively prohibited: open failed
channel 8: open failed: administratively prohibited: open failed
channel 26: open failed: administratively prohibited: open failed
channel 16: open failed: administratively prohibited: open failed
channel 16: open failed: administratively prohibited: open failed
channel 10: open failed: administratively prohibited: open failed
channel 11: open failed: administratively prohibited: open failed
channel 10: open failed: administratively prohibited: open failed
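
As an added example (mine, not the post's), here is a small Python checker for what sshd decides when a -D proxy asks it to open a channel: it reads an sshd_config with sshd's first-occurrence-wins rule, applies AllowTcpForwarding and PermitOpen to a destination, and reports GatewayPorts as the bystander it is. The configuration file and the destinations in it are constructed for this example, not taken from any real server; only the global section is evaluated, and Match blocks are flagged rather than applied, which is a simplification of mine. On a live server, `sshd -T` prints the effective settings to compare against.

```python
"""Check whether an sshd_config would let an `ssh -D` SOCKS proxy (or an
`ssh -L` forward) open a direct-tcpip channel to a given host:port, i.e.
whether the client would print "open failed: administratively prohibited"
for that destination.

Keyword semantics follow sshd_config(5):
  - keywords are case-insensitive and written "Key value" or "Key=value";
  - when a keyword appears more than once, the FIRST occurrence wins;
  - AllowTcpForwarding: yes|all (default), no, local (-L/-D only), remote (-R only);
  - PermitOpen: "any" (default), "none", or host:port / [host]:port entries,
    port may be "*"; only the first PermitOpen line is used;
  - GatewayPorts affects where -R listeners bind and never direct-tcpip.
Simplification (an assumption of this example, not sshd's full logic): only
the global section is evaluated.  A Match block that touches one of these
keywords is reported instead, because its value depends on who connects.
"""

import re
from dataclasses import dataclass, field

RELEVANT = {"allowtcpforwarding", "permitopen", "gatewayports"}


@dataclass
class EffectiveConfig:
    allow_tcp_forwarding: str = "yes"     # sshd default
    gateway_ports: str = "no"             # sshd default
    permit_open: list[tuple[str, str]] = field(default_factory=list)  # empty == any
    permit_open_none: bool = False
    set_in_match: set[str] = field(default_factory=set)


def _parse_line(line: str):
    """Return (keyword, argument) for a config line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def _split_host_port(spec: str) -> tuple[str, str]:
    """'host:443' -> ('host', '443'); '[2001:db8::1]:443' -> ('2001:db8::1', '443')."""
    host, _, port = spec.rpartition(":")
    return host.strip("[]"), port


def parse_sshd_config(text: str) -> EffectiveConfig:
    """Collect the forwarding-relevant settings of the global section."""
    cfg = EffectiveConfig()
    seen: set[str] = set()
    in_match = False
    for raw in text.splitlines():
        parsed = _parse_line(raw)
        if parsed is None:
            continue
        key, arg = parsed
        if key == "match":
            in_match = True
            continue
        if in_match:
            if key in RELEVANT:
                cfg.set_in_match.add(key)
            continue
        if key in seen:                       # first occurrence wins
            continue
        seen.add(key)
        if key == "allowtcpforwarding":
            cfg.allow_tcp_forwarding = arg.lower()
        elif key == "gatewayports":
            cfg.gateway_ports = arg.lower()
        elif key == "permitopen":
            specs = arg.split()
            if specs == ["none"]:
                cfg.permit_open_none = True
            elif specs != ["any"]:
                cfg.permit_open = [_split_host_port(s) for s in specs]
    return cfg


def direct_tcpip_allowed(cfg: EffectiveConfig, host: str, port: int) -> tuple[bool, str]:
    """Would sshd honor a direct-tcpip open to host:port?  Returns (allowed, reason).

    `host` must be the string the ssh client will send: with SOCKS5 remote DNS
    (Firefox's network.proxy.socks_remote_dns) that is the hostname, with SOCKS4
    or local DNS it is the resolved IP literal.  PermitOpen is matched against
    that string, not against whatever it resolves to.
    """
    if cfg.allow_tcp_forwarding in ("no", "remote"):
        return False, f"AllowTcpForwarding {cfg.allow_tcp_forwarding}: every -D/-L channel is refused"
    if cfg.permit_open_none:
        return False, "PermitOpen none: every destination is refused"
    if cfg.permit_open and not any(
        h == host and p in ("*", str(port)) for h, p in cfg.permit_open
    ):
        return False, f"PermitOpen does not list {host}:{port}"
    reason = f"allowed (GatewayPorts {cfg.gateway_ports} has no bearing on -D/-L)"
    if cfg.set_in_match:
        reason += "; a Match block also sets " + ", ".join(sorted(cfg.set_in_match))
    return True, reason


# Constructed sample file for this example, not any real server's configuration.
SAMPLE_SSHD_CONFIG = """\
Port 22
AllowTcpForwarding local
# ignored by sshd: the first AllowTcpForwarding above wins
AllowTcpForwarding no
GatewayPorts no
PermitOpen 192.0.2.10:443 [2001:db8::10]:443 imap.example.net:*
# ignored by sshd: only the first PermitOpen line is used
PermitOpen any

Match User guest
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for host, port in [("imap.example.net", 993), ("192.0.2.10", 443),
                       ("www.example.org", 443)]:
        ok, why = direct_tcpip_allowed(cfg, host, port)
        print(f"{host}:{port:<5} {'OK' if ok else 'REFUSED'} {why}")
```

Run it and the third destination is refused by PermitOpen while the first two pass, which is exactly the mixed picture the post describes: most browsing works, a few channels come back "administratively prohibited". Flip the sample's first AllowTcpForwarding to "no" and every destination is refused regardless of GatewayPorts.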

In other news — if anyone knows why I can’t get freebsd.org to load when I’m using an SSH SOCKS proxy, please tell me. I haven’t figured that one out yet. I know changing the UseDNS option’s setting on the server doesn’t fix the problem, even though that seems like the obvious answer.

EDIT:

Actually, you might still get those administratively prohibited errors even with the GatewayPorts option set. C'est la vie.

2 Comments

  1. Good Morning to you Chad- You tweaked my interest a bit with this one. So… It looks like a simple fix, you're just missing a file, a Library actually, in Ruby. The search results I found will explain it. Saturday, 15 November 2008

    BSD and SOCKS— Source: http://www.koders.com/?s=BSD+SOCKS&scope=V4LCL23SUQVNE2QVXN3M1AXS7E

    Results 1-4 of about 4 results found for ‘BSD SOCKS’ in 0.06 seconds

    socks5.rb

    This source file is distributed as part of the Net::SSH Secure Shell Client library for Ruby. This file (and the library as a whole) may be used only as allowed by either the BSD license, or the Ruby license (or, by association with the Ruby license, the GPL). See the “doc” subdirectory of the Net::SSH distribution for the texts of these licenses.

    Language: Ruby (c) 2004, Jamis Buck (jgb3@email.byu.edu) LOC: 101 RubyForge : Net::SSH (project search) : …/lib/net/ssh/proxy/socks5.rb

    socks4.rb

    This source file is distributed as part of the Net::SSH Secure Shell Client library for Ruby. This file (and the library as a whole) may be used only as allowed by either the BSD license, or the Ruby license (or, by association with the Ruby license, the GPL). See the “doc” subdirectory of the Net::SSH distribution for the texts of these licenses.

    Language: Ruby (c) 2004, Jamis Buck (jgb3@email.byu.edu) LOC: 44 RubyForge : Net::SSH (project search) : …/lib/net/ssh/proxy/socks4.rb

    tc_socks4.rb

    This source file is distributed as part of the Net::SSH Secure Shell Client library for Ruby. This file (and the library as a whole) may be used only as allowed by either the BSD license, or the Ruby license (or, by association with the Ruby license, the GPL). See the “doc” subdirectory of the Net::SSH distribution for the texts of these licenses.

    Language: Ruby (c) 2004, Jamis Buck (jgb3@email.byu.edu) LOC: 96 RubyForge : Net::SSH (project search) : …/net-ssh/net-ssh/test/proxy/tc_socks4.rb

    tc_socks5.rb

    This source file is distributed as part of the Net::SSH Secure Shell Client library for Ruby. This file (and the library as a whole) may be used only as allowed by either the BSD license, or the Ruby license (or, by association with the Ruby license, the GPL). See the “doc” subdirectory of the Net::SSH distribution for the texts of these licenses.

    Language: Ruby (c) 2004, Jamis Buck (jgb3@email.byu.edu) LOC: 151 RubyForge : Net::SSH (project search) : …/net-ssh/net-ssh/test/proxy/tc_socks5.rb


    Make sense to you? It looks easy to me.
    I was going to send this as an e-mail, but it looks like I lost your e-mail address; besides, I now have a new one (e-mail address) as well. (Please take note) Enjoy your weekend. -d

    Comment by dawgit (D. Taylor) — 15 November 2008 @ 02:52

  2. I took the liberty of ignoring/deleting the previous broken posts that appeared in moderation and fixing the URL in this one so it would display properly. You basically ran afoul of Markdown syntax, which I have enabled for this WordPress install to make formatting posts and comments easier.

    If you ever want to email me and don’t have my address handy, try the contact page link near the top of the site’s right-hand column.

    I only skimmed what you posted here, so far, because I'm busy multitasking right now, but I suspect what you provided is not actually the answer to my problem, since I'm dealing with OpenSSH, not with the Ruby SSH library. In fact, I really don't see how Ruby fits into this at all. I'm just using the basic OpenSSH client to establish a SOCKS proxy connection to a server, and pointing Firefox at that proxy. That's it.

    Comment by apotheon — 15 November 2008 @ 03:57


All original content Copyright Chad Perrin: Distributed under the terms of the Open Works License