Celestial Software

...better by design

TOPIC: ssh -N mode e.g. connect but only forward ports ??
#2388
ssh -N mode e.g. connect but only forward ports ?? 14 Years, 3 Months ago  
Just tried AbsoluteTelnet and I think it's missing a very important feature ... an ssh -N mode. There are situations where your login server isn't going to give you a login prompt after entering the password, as all you're doing through SSH is tunneling ports.

AbsoluteTelnet isn't the only SSH client I've discovered tonight that I believe is missing an ssh -N mode ... or did I miss something?
swoneill (User)
#2389
Re:ssh -N mode e.g. connect but only forward ports ?? 14 Years, 3 Months ago  
You're right. AbsoluteTelnet's roots as a terminal emulator assume that you're using it for terminal emulation purposes. I can see there may be a need for a non-terminal port-forwarding-only kind of functionality.

Would you be willing to give a beta a try?
bpence (Admin)
Brian Pence
Celestial Software
SSH, SFTP, and Telnet in a tabbed interface for Windows XP, Vista, Mobile, and others
 
#2390
Re:ssh -N mode e.g. connect but only forward ports 14 Years, 3 Months ago  
Sure I'll try a BETA.
swoneill (User)
#2394
Re:ssh -N mode e.g. connect but only forward ports 14 Years, 2 Months ago  
Sean,

I've got something here for you to try....

www.celestialsoftware.net/telnet/AbsoluteTelnet8.22.exe

It doesn't add an 'option' per se to connect without a shell. It attempts to load a shell if it can, but gracefully handles conditions where it can't.

If you're using it primarily for port forwarding, you might want to check out the port forwarding monitor on Option->SSH2 Info. You can see what forwardings are configured, their status, and whether there are errors, etc...

Brian
bpence (Admin)
#2395
Re:ssh -N mode e.g. connect but only forward ports 14 Years, 2 Months ago  
I just tried it. It connects but appears to immediately get dropped, as my local Windows instance shows my connection to the remote server in a TIME_WAIT state.

The AT window says it connected but it doesn't receive an error saying it got dropped.
swoneill (User)
#2396
Re:ssh -N mode e.g. connect but only forward ports 14 Years, 2 Months ago  
Oh, and I can't get to "SSH Info" as it's greyed out ... another indicator the connection got dropped.
swoneill (User)
#2397
Re:ssh -N mode e.g. connect but only forward ports 14 Years, 2 Months ago  
Can you tell me how your ssh server is configured to disallow shell access? I'm using OpenSSH with the no-pty option on the PublicKey authentication option.

Do you have access to the server configuration?

Can you give me a screenshot of the screen after login?

Brian
bpence (Admin)
#2400
Re:ssh -N mode e.g. connect but only forward ports 14 Years, 2 Months ago  
I'm not using the no-pty option because, as I understand what it does, it doesn't prevent non-interactive commands from running ... again as I understand it. I want literally NO commands to be possible through the login.

This specific SSH daemon is configured in a sparse-root zone on a Sun T5120 running Solaris 10 U8. The primary changes to the sshd_config file are:

Port 2222
AllowTcpForwarding yes
X11Forwarding no
PermitRootLogin no

Everything else is in the default configuration values. The other aspect to this is my login user is called "lockuser". This user's default login is /bin/false.

So log into this user with ssh without the -N switch and you get immediately dropped after password authentication. Try to run any command and nothing happens.
swoneill (User)
#2401
Re:ssh -N mode e.g. connect but only forward ports ?? 14 Years, 2 Months ago  
Gotcha.

The problem with this is that when /bin/false runs and exits, Absolute assumes the session is over and time to disconnect. Version 8.22 will work with the no-pty option, but not with the /bin/false method.

I've made another update that actually includes an option similar to the -N option. Download 8.24 from the link below and look at the Options->Properties->Connection-SSH2 page. There is a new button on there for 'Options'. There is an option to turn off the shell, which should leave only port forwarding enabled.

www.celestialsoftware.net/telnet/AbsoluteTelnet8.24.exe
bpence (Admin)
#2402
Re:ssh -N mode e.g. connect but only forward ports ?? 14 Years, 2 Months ago  
Tried it and it appears to work fine. I like the status message in the window saying that only port-forwarding is enabled.

Is there a limit to the number of port forwards you can configure? I'm not asking for any crazy numbers. I have between 13 and 20 forwards I need all at once.

You might be able to help me with the no-pty stuff. I tried putting this in the lockuser .ssh/authorized_keys file:

from="*.*",no-pty

And I tested the AbsoluteTelnet 8.22 version. It still disconnected immediately after password auth. I've never used the no-pty options before so curious if I set it up right for this test.
swoneill (User)
#2403
Re:ssh -N mode e.g. connect but only forward ports ?? 14 Years, 2 Months ago  
There is no limit to the number of port forwardings you can use.

The no-pty option is used in conjunction with PublicKey authentication. You can specify restrictions on a key by key basis in the authorized_keys file. So, you would need to have a keypair either generated by Absolute or ssh-keygen, and the entry in authorized_keys would look something like this:

no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABEQAAAIEApu..............

These are options and restrictions placed on individual login keys, not the login user like the "/bin/false" shell method. This could allow you, for example, to have one set of keys that allows tty access for this user and another set of keys that doesn't.

Read the sshd man page section entitled "AUTHORIZED_KEYS FILE FORMAT" for a complete description of this and other options.

You're right, though, about noninteractive commands. no-pty only restricts allocation of interactive shells. Noninteractive commands could still be executed by a client. Replacing the shell seems to be the only way to eliminate *all* command access. However, this also restricts SFTP, which also runs in a shell. However, there are ways around that if you're interested in discussing those.

Brian
bpence (Admin)
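An added example, not part of the original thread and not Celestial Software's code: a small Python check that classifies authorized_keys lines by what the key lets a client execute, covering the entries discussed above (an options-only line, a no-pty key, and a key with a forced command). It assumes OpenSSH's option syntax, which the Solaris sshd in the thread may not fully share; the key blobs, comments and the permitopen target are constructed placeholders.

```python
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes of the key-type field

def split_unquoted(text, seps, maxsplit=-1):
    """Split on separator characters that sit outside double quotes."""
    parts, buf, quoted, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if quoted and text[i:i + 2] == '\\"':  # escaped quote inside a value
            buf, i = buf + '\\"', i + 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted and maxsplit != 0:
            parts.append(buf)
            buf, maxsplit = "", maxsplit - 1
        else:
            buf += ch
        i += 1
    return parts + [buf]

def parse_options(line):
    """Return the options of a key line, or None if no key follows them."""
    if line.startswith(KEY_PREFIXES):
        return {}
    parts = split_unquoted(line, " \t", 1)
    if len(parts) < 2 or not parts[1].lstrip().startswith(KEY_PREFIXES):
        return None
    opts = {}
    for item in split_unquoted(parts[0], ","):
        name, _, value = item.partition("=")
        opts[name.lower()] = value.strip('"')  # option names are case-insensitive
    return opts

def classify(line):
    """Say what a client holding this key can get the server to run."""
    line = line.strip()
    if not line or line.startswith("#"):
        return "ignored"
    opts = parse_options(line)
    if opts is None:
        return "malformed"          # options with no public key after them
    if "command" in opts:
        return "forced-command"     # the client's requested command is ignored
    if "no-pty" in opts or "restrict" in opts:
        return "exec-without-pty"   # non-interactive commands still run
    return "full-shell"

# Constructed sample lines; the key blobs are placeholders, not real keys.
SAMPLE = ['from="*.*",no-pty', 'no-pty ssh-rsa AAAAexampleONLY lockuser@laptop',
          'command="/bin/false",no-pty,permitopen="127.0.0.1:5432" ssh-ed25519 AAAAexampleONLY tunnel',
          'ssh-ed25519 AAAAexampleONLY admin']
```

Running classify over SAMPLE gives malformed, exec-without-pty, forced-command and full-shell in that order; only the forced-command entry stops a client from choosing its own command while still allowing the listed forward.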