ssh tunnel problems

Rick Bilonick rab at nauticom.net
Sat Jun 21 23:34:11 UTC 2008


On Sun, 2008-06-22 at 02:55 +0930, Tim wrote:
> On Sat, 2008-06-21 at 10:22 -0400, Rick Bilonick wrote:
> > [chippy at localhost ~]$ ssh server at localhost -p 5000 -v
> > OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: Applying options for *
> > debug1: Connecting to localhost [127.0.0.1] port 5000.
> > debug1: connect to address 127.0.0.1 port 5000: Connection refused
> > ssh: connect to host localhost port 5000: Connection refused
> > 
> > I'm using "localhost" because I was following an example. I guess I
> > could substitute an IP for localhost. Isn't "localhost" just another
> > name for the local computer? So on the first use of ssh, localhost
> > refers to the server and on the second use of ssh, it refers to the
> > home computer. At least, that's what I believe.
> 
> "localhost" is how a computer refers to itself.  Just the same as a
> group of people in a room will all think of themselves as "myself" or
> "I".  While correct, they could only ever converse about themselves, not
> anyone else in the room.  Trying to network between different computers
> all going by the same hostname is going to twist your brain around in
> circles.
> 
> If you do try "ssh server at localhost" you're going to try and connect to
> the SSH daemon on the same machine that you're typing on, which may or
> may not actually connect.  But you're certainly not going to connect to
> another machine, using that address.
> 
> If you don't have unique hostnames that are resolvable on your LAN
> (i.e. everyone knows the name and IP of *all* hosts on the LAN), then
> use numerical IP addresses.
> 
> Again, don't fall down the "looking in the mirror" trap by trying to
> connect to 127.0.0.1.  That's the numerical address for a machine to
> refer to itself.
> 
> You're playing with the local loopback device.  127.0.0.1 is the
> traditional IP address for it, and localhost is the traditional hostname
> for it.
> 
> -- 
> [tim at localhost ~]$ uname -r
> 2.6.25.6-55.fc9.i686
> 
> Don't send private replies to my address, the mailbox is ignored.  I
> read messages from the public lists.
> 

OK, apparently the example I followed from a website was not completely
correct.

So after trying a bunch of things, I did get this to work from my home
computer to my ISP's server. Here is what I did:

> ssh -R 4022:home:22 myaccnt at my.isp.net

where "home" is actually the IP of my home network (instead of using
"localhost" which definitely does NOT work). This asked me for my
password and it connected.

To see if the port was set up, I then did (on my.isp.net):

> netstat -an | grep 4022

and it shows that it is listening on port 4022.

So then from my.isp.net I did:

> ssh -p 4022 me at localhost

where "me" is the user on my home computer. Note that "localhost" must
be used here so I can use the port that I set up. This asks me for my
password and I connect and see files on my home computer (from being
logged in on the isp's server).

So I know that in principle this can work.

So I went back to my office and set up a connection from work to my home
computer:

> ssh -R 3022:work:22 me at home

where "work" is my work server's IP and "home" is my home computer's IP.
This asks me for my password and I connect and can see files, etc. I did
the "netstat -an | grep 3022" and it shows that it's listening on port
3022.

So then from my home computer I do:

> ssh -v -p 3022 abc at localhost

where "abc" is my user account on the work server and get:

OpenSSH_4.7p1, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 3022.
debug1: Connection established.
debug1: identity file /home/me/.ssh/identity type -1
debug1: identity file /home/me/.ssh/id_rsa type -1
debug1: identity file /home/me/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host

It never asks for my password.

So it works from home to isp, but for some reason does NOT work from
work to home.

What on the work server could be preventing the reverse tunnel from
working? On the server I do use hosts.allow to only allow ssh from my
home computer. Could this possibly prevent the reverse tunnel from
working? Or is the problem on my home computer?

Thanks to everyone who replied with suggestions and questions. At least
I'm making some progress.

Rick B.
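As an added example, not code from the thread, two checks in POSIX shell that bear on the failure described above, run over constructed input: which address the `-R` listener is bound to (OpenSSH binds it to loopback unless `GatewayPorts` is set, which is why the second hop has to target `localhost`), and a simplified hosts.allow/hosts.deny evaluation. The hop the tunnel forwards to `work:22` is opened by the ssh client running on the work host, so TCP wrappers there see that host's own address rather than the home computer's; the IP addresses, the netstat lines and the rule subset are assumptions.

```shell
#!/bin/sh
# Constructed `netstat -an` output from the tunnel endpoint ("home" in the post).
# The -R listener on 3022 sits on 127.0.0.1, so only a client on that box can reach it.
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3022          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED'

# Print the address a LISTEN socket for port $1 is bound to (empty if none).
listen_addr() {
    printf '%s\n' "$NETSTAT_SAMPLE" |
        awk -v p="$1" '$NF == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) { sub(":" p "$", "", $4); print $4 }
        }'
}

# Constructed TCP-wrapper rules: sshd allowed only from the home IP (assumed 198.51.100.10).
HOSTS_ALLOW='sshd: 198.51.100.10'
HOSTS_DENY='sshd: ALL'

# Does one "daemon: client" rule match? Supports ALL, an exact IP and a dotted
# network prefix such as "10.0.0." (a small subset of hosts_access(5) syntax).
rule_matches() {
    rule="$1" daemon="$2" client="$3"
    rd=${rule%%:*}; rc=${rule#*:}; rc=${rc# }
    [ "$rd" = "$daemon" ] || [ "$rd" = "ALL" ] || return 1
    case "$rc" in
        ALL) return 0 ;;
        *.)  case "$client" in "$rc"*) return 0 ;; esac; return 1 ;;
        *)   [ "$rc" = "$client" ] ;;
    esac
}

# tcp_wrappers order: hosts.allow match -> accept; else hosts.deny match -> reject; else accept.
wrappers_permit() {
    rule_matches "$HOSTS_ALLOW" sshd "$1" && return 0
    rule_matches "$HOSTS_DENY" sshd "$1" && return 1
    return 0
}

# Stand-alone demo. 203.0.113.5 stands in for the work server's own address, which is
# what sshd there sees when the forwarded hop to work:22 originates on that host.
echo "port 3022 is bound to: $(listen_addr 3022)"
for src in 198.51.100.10 203.0.113.5; do
    if wrappers_permit "$src"; then echo "$src: allowed"; else echo "$src: denied"; fi
done
```

A wrappers denial closes the TCP connection before sshd sends its version banner, which is the `ssh_exchange_identification: Connection closed by remote host` seen in the debug output above.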