openssh-3.5p1-107 tunneling problems
good day all ... i upgraded to the openssh-3.5p1-107 rpms over the weekend and now i've a problem with tunneling. i use an ssh tunnel to make irc connections, now when i make an irc connection over the tunnel i connect as user root instead of as the user i make the tunnel with: ssh 6669:irc.freenode.net:6667 michael@host.domain.org then i run the irc client on the localhost and connect as usual, however, whois looks like this: [irc_nick] (root@ip.host.domain.org) : My Full Name both the localhost and the remote host are at openssh-3.5p1-107 and this somewhat bad behavior began after the upgrade. the sshd_config is the stock that came with the rpm. am i missing something? -- michael
ssh 6669:irc.freenode.net:6667 michael@host.domain.org
then i run the irc client on the localhost and connect as usual, however, whois looks like this:
[irc_nick] (root@ip.host.domain.org) : My Full Name
both the localhost and the remote host are at openssh-3.5p1-107 and this somewhat bad behavior began after the upgrade. the sshd_config is the stock that came with the rpm. am i missing something?
Do the following: host host.domain.org host <resulting IP address from above> The result of which is most likely ip.host.domain.org, because host.domain.org's IP address does not reverse-resolve to host.domain.org, but to ip.host.domain.org. If I misunderstood the problem and "ip." means there is an ip address in the hostname, then this looks like a nameserver zonefile problem (trailing "." missing, zone file corrupt). That should turn out by resolving the IP addresses, though. It doesn't look like ssh/openssh is responsible for the strange things you see...
-- michael
Thanks, Roman. -- - - | Roman Drahtmüller <draht@suse.de> // Nail here | SuSE Linux AG - Security Phone: // for a new | Nürnberg, Germany +49-911-740530 // monitor! --> [x] | - -
roman ... the hostnames/ips are not my issue, my issue is that when i ssh thru the tunnel, it does not change the uid of the user i ssh as back to the users uid, it stays as roots uid, thus i end up on irc as root user. that is a problem with the current version of openssh. -- michael Roman Drahtmueller schrieb am Dienstag, den 23. September 2003:
Do the following:
host host.domain.org host <resulting IP address from above>
The result of which is most likely ip.host.domain.org, because host.domain.org's IP address does not reverse-resolve to host.domain.org, but to ip.host.domain.org.
Hi Michael,
i upgraded to the openssh-3.5p1-107 rpms over the weekend and now i've a problem with tunneling. i use an ssh tunnel to make irc connections, now when i make an irc connection over the tunnel i connect as user root instead of as the user i make the tunnel with:
ssh 6669:irc.freenode.net:6667 michael@host.domain.org
the sshd_config is the stock that came with the rpm. am i missing something?
--> I think you have just discovered that sshd is no longer running with priviledge separation. Have you compared the new sshd_config file form the rpm to the old one ? If priviledge separation is enabled, the main sshd daemon will fork a process running under the UID of the user logging in and this process will take care of the tunneling. But the default with the new rpm is that priviledge separation is disabled, i.d. the process handling the socket and taking care of the tunneling is running as root. This would explain your observation. Have you tried to switch on priviledge separation in sshd_config, then restart the server and do the same test ? What does it say now ? HTH, Armin -- Am Hasenberg 26 office: Institut für Atmosphärenphysik D-18209 Bad Doberan Schloss-Straße 6 Tel. ++49-(0)38203/42137 D-18225 Kühlungsborn / GERMANY Email: schoech@iap-kborn.de Tel. +49-(0)38293-68-102 WWW: http://armins.cjb.net/ Fax. +49-(0)38293-68-50
Moin Armin! yes, that was it. thanks for the help! -- michael Armin Schoech schrieb am Mittwoch, den 24. September 2003:
Hi Michael,
i upgraded to the openssh-3.5p1-107 rpms over the weekend and now i've a problem with tunneling. i use an ssh tunnel to make irc connections, now when i make an irc connection over the tunnel i connect as user root instead of as the user i make the tunnel with:
ssh 6669:irc.freenode.net:6667 michael@host.domain.org
the sshd_config is the stock that came with the rpm. am i missing something?
On Wednesday 24 September 2003 04:00, Armin Schoech wrote:
But the default with the new rpm is that priviledge separation is disabled, i.d. the process handling the socket and taking care of the tunneling is running as root.
Was this designed this way? and Is there a reason for it? It looks like a major security screw-up to me... -- _____________________________________ John Andersen
participants (4)
-
Armin Schoech -
John Andersen -
Michael Galloway -
Roman Drahtmueller