Forum

ssh -N mode e.g. co...
 
Notifications
Clear all

ssh -N mode e.g. connect but only forward ports ??

0 Posts
2 Users
0 Reactions
389 Views
 Sean
(@swoneill)
Active Member
Joined: 15 years ago
Posts: 6
Topic starter  

Just tried AbsoluteTelnet and I think it's missing a very important feature ... a ssh -N mode. There are situations where your login server isn't going to give you a login prompt after entering the password as all your doing through SSH is tunneling ports.

AbsoluteTelnet isn't the only SSH client I've discovered tonight that I believe is missing a ssh -N mode .. or did I miss something ?


   
ReplyQuote
(@bpence)
Member Admin
Joined: 1 year ago
Posts: 1375
 

You're right. AbsoluteTelnet's roots as a terminal emulator assume that you're using it for terminal emulation purposes. I can see there may be a need for a non-terminal port-forwarding-only kind of functionality.

Would you be willing to give a beta a try?


   
ReplyQuote
 Sean
(@swoneill)
Active Member
Joined: 15 years ago
Posts: 6
Topic starter  

Sure I'll try a BETA.


   
ReplyQuote
(@bpence)
Member Admin
Joined: 1 year ago
Posts: 1375
 

Sean, I've got something here for you to try....

<old link removed> Please download version 8.22 or newer.

It doesn't add an 'option' per-se to connect without a shell. It attempts to load a shell if it can, but gracefully handles conditions where it can't. If you're using it primarily for port forwarding, you might want to check out the port forwarding monitor on Option->SSH2 Info. You can see what forwardings are configured, their status, and whether there are errors, etc... Brian

This post was modified 6 months ago by bpence

   
ReplyQuote
 Sean
(@swoneill)
Active Member
Joined: 15 years ago
Posts: 6
Topic starter  

I just tried it. I connects but appears to immediately get dropped as on local Windows instance shows my connection to the remote server in a TIME_WAIT state.

The AT window says it connected but it doesn't receive an error saying it got dropped.


   
ReplyQuote
 Sean
(@swoneill)
Active Member
Joined: 15 years ago
Posts: 6
Topic starter  

Oh and I can't get to "SSH Info" as its greyed out ... another indicator the connection got dropped.


   
ReplyQuote
(@bpence)
Member Admin
Joined: 1 year ago
Posts: 1375
 

Can you tell me how your ssh server is configured to disallow shell access? I'm using OpenSSH with the no-pty option on the PublicKey authentication option.

Do you have access to the server configuration?

Can you give me a screenshot of the screen after login?

Brian


   
ReplyQuote
 Sean
(@swoneill)
Active Member
Joined: 15 years ago
Posts: 6
Topic starter  

I'm not using the no-pty option because, as I understand what it does, it doesn't prevent non-interactive commands from running ... again as I understand it. I want literally NO commands to be possible through the login.

This specific SSH daemon is configured in a sparse-root zone on a Sun T5120 running Solaris 10 U8. The primary changes the sshd_config file are:

Port 2222
AllowTcpForwarding yes
X11Forwarding no
PermitRootLogin no

Everything else is in the default configuration values. The other aspect to this is my login user is called "lockuser". This users default login is /bin/false.

So logging into this user with ssh without the -N switch and you get immediately dropped after password authentication. Try to run any command and nothing happens.


   
ReplyQuote
(@bpence)
Member Admin
Joined: 1 year ago
Posts: 1375
 

Gotcha. The problem with this is that when /bin/false runs and exits, Absolute assumes the session is over and time to disconnect. Version 8.22 will work with the no-pty option, but not with the /bin/false method. I've made another update that actually includes an option similar to the -N option. Download 8.24 from the link below and look at the Options->Properties->Connection-SSH2 page. There is a new button on there for 'Options'. There is an option to turn off the shell, which should leave only port forwarding enabled.

<old link removed> Please download version 8.24 or newer.

 

This post was modified 6 months ago 2 times by bpence

   
ReplyQuote
 Sean
(@swoneill)
Active Member
Joined: 15 years ago
Posts: 6
Topic starter  

Tried it and it appears to work fine. I like the status message in the window saying that only port-forwarding is enabled.

Is there a limit to the number of port forwards you can configure ? I'm not asking for any crazy numbers. I have between 13 and 20 forwards I need all at once.

You might be able to help me with the no-pty stuff. I tried putting this in the lockuser .ssh/authorized_keys file:

from="*.*",no-pty

And I tested the AbsoluteTelnet 8.22 version. It still disconnected immediately after password auth. I've never used the no-pty options before so curious if I set it up right for this test.


   
ReplyQuote
(@bpence)
Member Admin
Joined: 1 year ago
Posts: 1375
 

There is no limit to the number of port forwardings you can use.

The no-pty option is used in conjunction with PublicKey authentication. You can specify restrictions on a key by key basis in the authorized_keys file. So, you would need to have a keypair either generated by Absolute or ssh-keygen, and the entry in authorized_keys would look something like this:

no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABEQAAAIEApu..............

These are options and restrictions place on individual login keys, not the login user like the "/bin/false" shell method. This could allow you , for example, to have one set of keys that allows tty access for this user and another set of keys that doesn't.

Read the sshd man page section entitled "AUTHORIZED_KEYS FILE FORMAT" for a complete description of this and other options.

You're right, though, about noninteractive commands. no-pty only restricts allocation of interactive shells. Noninteractive commands could still be executed by a client. Replacing the shell seems to be the only way to eliminate *all* command access. However, this also restricts SFTP, which also runs in a shell. However, there are ways around that if you're interested in discussing those.

Brian


   
ReplyQuote
Share: