Hi List,

Apologies if this is off-topic... please feel free to redirect me!

I'm having a problem tunnelling through SSH from my Windoze machine at work to my Linux machine at home. My work machine is a laptop, so I tested the whole thing at home without any problems. I.e. the laptop can connect to my SuSE 8.2 desktop using port forwarding with no probs at all. I use PuTTY on the Windoze machine to SSH to the Linux box, start a VNC server, then connect VNC Viewer on Windows to the localhost.

When I try it from work, I SSH to my Linux box ok, start a VNC server ok and can do a "straight" VNC into the Linux box. However, if I try to use the VNC viewer to set up a connection to localhost on the Windoze machine (to use port forwarding) nothing happens and if I look in PuTTY's event log it has the error "server refused forwarded connection".

Now, I have tried numerous things to get this to work. It can't be the firewall, as I have tried doing this with the firewall stopped and have checked the work firewall and can see the connection going through. I am fairly sure it's not SSH as I ran sshd -de and saw an error "channel1 connection refused" when I tried to use the port forwarding. I have also tried running VNC server with the --localhost option set but still no joy.

SO, I'm left totally stumped. I'm using sshd and vncserver on my Linux box, straight from the SuSE 8.2 build (unless they've been auto-updated by YOU). The only thing I can think of is that VNC server is refusing loopback connections from sshd, but then why does it work if I do it at home, when the laptop is on the local subnet?!

Anybody got any ideas?

Thanks for any advice,

Cheers,
Neil
* Neil Anderson
I SSH to my Linux box ok, start a VNC server ok and can do a "straight" VNC into the linux box. However, if I try to use the VNC viewer to set up a connection to localhost on the Windoze machine (to use port forwarding) nothing happens and if I look in PuTTY's event log it has the error "server refused forwarded connection".
Just some ideas:

1.) The server's /etc/ssh/sshd_config doesn't contain "AllowTcpForwarding=no", does it?

2.) Are there any "no-port-forwarding" or "permitopen" options in your ~/.ssh/authorized_keys ?

3.) Are you forwarding to the right port? "lsof -Pai -c Xvnc" and "netstat -ptan|grep Xvnc" can find out the port of the vncserver, like "*:5901 (LISTEN)" or "0.0.0.0:5901" (mind the ip address before the colon: it must be wildcard or localhost)

4.) Are you forwarding to the right host? Try 127.0.0.1 instead of "localhost" or any hostname.

5.) Can you locally connect to the vncserver? Check with "nc -v localhost 5901" or "telnet localhost 5901" from the server's shell. It must print a line starting with "RFB".

6.) Is the server's /etc/hosts missing the line "127.0.0.1 localhost"?

7.) If this all doesn't help, I'd next try to trace the server's loopback interface by running "tcpdump -i lo port 5901" as root.

--
Johannes Franken
Professional unix/network development
mailto:jfranken@jfranken.de
http://www.jfranken.de/
Johannes Franken wrote:
* Neil Anderson
[2003-12-09 21:46 +0100]: I SSH to my Linux box ok, start a VNC server ok and can do a "straight" VNC into the linux box. However, if I try to use the VNC viewer to set up a connection to localhost on the Windoze machine (to use port forwarding) nothing happens and if I look in PuTTY's event log it has the error "server refused forwarded connection".
Just some ideas:
1.) The server's /etc/ssh/sshd_config doesn't contain "AllowTcpForwarding=no", does it?
Nope - my sshd config didn't have anything about TCP forwarding in it so I explicitly enabled it with AllowTcpForwarding=yes
2.) Are there any "no-port-forwarding" or "permitopen" options in your ~/.ssh/authorized_keys ?
There is no authorized_keys file (aha?)
3.) Are you forwarding to the right port? "lsof -Pai -c Xvnc" and "netstat -ptan|grep Xvnc" can find out the port of the vncserver, like "*:5901 (LISTEN)" or "0.0.0.0:5901" (mind the ip address before the colon: it must be wildcard or localhost)
Yes I am sure it is the right port that is being forwarded - I am forwarding the client port 5901 to server port 5904 where the vnc server is initialised on display 4
4.) Are you forwarding to the right host? Try 127.0.0.1 instead of "localhost" or any hostname.
I'm fairly sure I have tried this, but I'll try again
5.) Can you locally connect to the vncserver? Check with "nc -v localhost 5901" or "telnet localhost 5901" from the server's shell. It must print a line starting with "RFB".
Yes, this works ok
6.) Is the server's /etc/hosts missing the line "127.0.0.1 localhost"?
No, this line is present
7.) If this all doesn't help, I'd next try to trace the server's loopback interface by running "tcpdump -i lo port 5901" as root.
Yeh, am swiftly reaching the conclusion that I'll have to do a packet sniff on the server to see what's going on. I still don't understand why it works on the LAN but not over the internet!

Thanks for your suggestions - much appreciated,
Neil
Have just tried a packet sniff with tcpdump. No results for a sniff on the loopback interface, but results on eth0! So ssh seems to be the problem.
output:
login as: <username>
<username>@<ip address>'s password:
Last login: Fri Dec 12 09:36:54 2003 from <remote ip>
Have a lot of fun...
Directory: /home/<username>
Have a lot of fun...
Directory: /home/<username>
Fri Dec 12 10:18:48 GMT 2003
ferrret /home/<username>> lsof -Pai -c Xvnc
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
Xvnc 3133 <username> 0u IPv4 22463 TCP *:6004 (LISTEN)
Xvnc 3133 <username> 3u IPv4 22484 TCP *:5904 (LISTEN)
Xvnc 3133 <username> 4u IPv4 22485 TCP *:5804 (LISTEN)
ferrret /home/<username>> netstat -ptan | grep Xvnc
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:5804 0.0.0.0:*
LISTEN 3133/Xvnc
tcp 0 0 0.0.0.0:5904 0.0.0.0:*
LISTEN 3133/Xvnc
tcp 0 0 0.0.0.0:6004 0.0.0.0:*
LISTEN 3133/Xvnc
ferrret /home/<username>> tcpdump port 5904
tcpdump: no suitable device found
ferrret /home/<username>> su
Password:
ferrret:/home/<username> # tcpdump port 5904
tcpdump: listening on eth0
10:23:22.086336 <host>.<net>.samd > <router>.5904: S
632357250:632357250(0) win 5840
Hi !
Have just tried a packet sniff with tcpdump. No results for a sniff on the loopback interface, but results on eth0! So ssh seems to be the problem.
--> Just an idea: What exactly is the SSH command you use ? It should be something like

ssh -L5904:localhost:5904 user@host.net

to forward port 5904 from your client to the localhost/loopback interface on the remote host where your VNC server is running.

Armin

--
Am Hasenberg 26 office: Institut für Atmosphärenphysik D-18209 Bad Doberan Schloss-Straße 6 Tel. ++49-(0)38203/42137 D-18225 Kühlungsborn / GERMANY Email: schoech@iap-kborn.de Tel. +49-(0)38293-68-102 WWW: http://armins.cjb.net/ Fax. +49-(0)38293-68-50
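An added example, not code from this thread: it applies Johannes's checks 3 and 4 and Armin's -L explanation to a forward spec before the tunnel is opened. The destination host in "-L lport:dhost:dport" (PuTTY's "Destination" field) is resolved by sshd on the server, so anything other than localhost/127.0.0.1 makes sshd dial out through eth0 instead of reaching a loopback-bound Xvnc. The netstat lines are constructed from the output quoted above; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: what `netstat -ptan | grep Xvnc` printed for display :4.
NETSTAT_SAMPLE = """\
tcp 0 0 0.0.0.0:5804 0.0.0.0:* LISTEN 3133/Xvnc
tcp 0 0 0.0.0.0:5904 0.0.0.0:* LISTEN 3133/Xvnc
tcp 0 0 0.0.0.0:6004 0.0.0.0:* LISTEN 3133/Xvnc
"""

# Matches one netstat -ptan LISTEN row: local addr:port ... LISTEN pid/program
LISTEN_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)")


def parse_listeners(netstat_output):
    """Return {port: (bind_address, program)} for every TCP LISTEN socket."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            listeners[int(m.group(2))] = (m.group(1), m.group(3))
    return listeners


def vnc_port(display):
    """RFB listens on 5900 + display number (display :4 -> 5904)."""
    return 5900 + display


def is_loopback_name(host):
    """True for 'localhost' or any 127.0.0.0/8 address. The destination of
    an -L forward is resolved by sshd, so this means the server's lo."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_forward(spec, listeners):
    """Classify an OpenSSH-style spec [bind:]lport:dhost:dport as
    'ok', 'not-loopback' (sshd would connect out via eth0, which is what
    Neil's tcpdump on eth0 showed) or 'no-listener' (nothing bound to a
    wildcard or loopback address on dport)."""
    parts = spec.split(":")
    dhost, dport = parts[-2], int(parts[-1])
    if not is_loopback_name(dhost):
        return "not-loopback"
    bind, _program = listeners.get(dport, (None, None))
    if bind in ("0.0.0.0", "127.0.0.1", "*"):
        return "ok"
    return "no-listener"
```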
D'OH!!! Because I was using PuTTY I wasn't entering the commands manually, and in my own (bizarre) way of logic, I had decided to put the remote address in there.

So... we have a word in Scotland that describes what I am - haddy: a smoked haddock of very little brain.

Thanks very much, that's it working :-[

Cheers,
Neil