SSH port forwarding test
with SSH V1.2.27

Last update: 2001/5/30
Since 2001/5/29
Shigeo.Yashiro @kek.jp

Tests were done in SSH Version 1.2.26 and SSH Version 1.2.27 environments.

  1. -L port forwarding.
    1. ftp via port forwarding
      Configuration
      1. Local host (assume the hostname is lune)
          "sshdfwd-12345: localhost" in the hosts.allow file.
          Does not depend on "AllowTcpForwarding" in /etc/sshd_config
      2. Remote host (assume the hostname is soleil)
          "in.ftpd: localhost soleil soleil.kek.jp" in the hosts.allow file.
          Does not depend on "AllowTcpForwarding" in /etc/sshd_config
      Execution
      1. From the local host, create the forwarded port.
          lune$ ssh -L 12345:soleil:21 soleil
          yashiro@soleil's password:
          :
          soleil$
      2. From another terminal on the local host
          $ ftp localhost 12345
          Connected to localhost.
          220 soleil FTP server (SunOS 4.1) ready.
          Name (localhost:yashiro):
          331 Password required for yashiro.
          Password: (enter soleil's password)
          230 User yashiro logged in.
          ftp> pass
          Passive mode on.
          ftp> ls

    2. -L port forwarding (case 1)
        lune$ ssh -L 12345:soleil:21 soleil
      Refer to "1. ftp via port forwarding".

    3. -L port forwarding (case 2)
      Configuration
      1. Local host (assume the hostname is lune)
          "sshdfwd-12345: localhost" in the hosts.allow file.
          Does not depend on "AllowTcpForwarding" in /etc/sshd_config
      2. Remote host (assume the hostname is soleil)
          "in.ftpd: localhost soleil soleil.kek.jp" in the hosts.allow file.
          Does not depend on "AllowTcpForwarding" in /etc/sshd_config
      Execution
      1. From the local host, create the forwarded port.
          lune$ ssh -L 12345:soleil:21 etoile
          yashiro@etoile's password:
          :
          etoile$
      2. From another terminal on the local host
          $ ftp localhost 12345
          Connected to localhost.
          220 soleil FTP server (SunOS 4.1) ready.
          Name (localhost:yashiro):
          331 Password required for yashiro.
          Password: (enter soleil's password)
          230 User yashiro logged in.
          ftp>
      Comment
        The connection between lune and etoile is encrypted by SSH. The connection between etoile and soleil, on the other hand, is legacy insecure ftp.

    4. Errors
      1. If port forwarding is not allowed by TCP wrappers
        The following error message is issued when "ftp localhost 12345" is entered.
          Fwd connection from localhost to local port sshdfwd-12345 refused by tcp_wrappers.
      2. If ftp from localhost is not allowed by TCP wrappers
          lune% ftp localhost 12345
          Connected to localhost.
          421 Service not available, remote server has closed connection
          ftp>
      3. If ftp is not allowed in /etc/inetd.conf
          Same as above.


  2. How "AllowTcpForwarding no" works.
    1. "AllowTcpForwarding no" is a parameter that controls -R port forwarding.
      If it is put in etoile:/etc/sshd_config, it denies the following accesses.
      1. Denies -R port forwarding.
          lune$ ssh -R 12345:soleil:21 etoile
          yashiro@etoile's password:
          :
          etoile$ ftp localhost 12345
          ftp: connect: Connection refused
          ftp>

    2. This parameter does not deny -L port forwarding.
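
The comment under "-L port forwarding (case 2)", as an added example that is not part of the original page: a shell function that lists the three legs of an ssh -L forward and marks which one SSH encrypts. The function name forward_legs and its output format are assumptions of this sketch; the host names and port numbers are the page's.

```shell
#!/bin/sh
# Added example, not from the original page. Lists the three legs of
#   ssh -L listenport:desthost:destport sshserver
# and marks which one SSH protects. forward_legs and its output format are
# hypothetical. Host names are compared as text, so "soleil" and
# "soleil.kek.jp" count as different hosts.

forward_legs() {
    [ $# -eq 3 ] || { echo "usage: forward_legs CLIENT SPEC SSHSERVER" >&2; return 2; }
    client=$1; spec=$2; server=$3
    # Accept exactly three non-empty colon-separated fields.
    case $spec in
        *:*:*:*|:*|*::*|*:) echo "bad -L spec: $spec" >&2; return 2 ;;
        *:*:*) ;;
        *) echo "bad -L spec: $spec" >&2; return 2 ;;
    esac
    lport=${spec%%:*}; rest=${spec#*:}
    dhost=${rest%%:*}; dport=${rest#*:}
    case $lport$dport in
        *[!0-9]*) echo "non-numeric port in: $spec" >&2; return 2 ;;
    esac
    # Leg 1: application to the ssh client's listener, over loopback.
    echo "1 $client->localhost:$lport loopback cleartext"
    # Leg 2: the SSH session, the only encrypted part.
    echo "2 $client->$server ssh encrypted"
    # Leg 3: sshd on the server opens a plain TCP connection to desthost,
    # which is resolved from the server's point of view.
    case $dhost in
        "$server"|localhost|127.0.0.1)
            echo "3 $server->$dhost:$dport same-host cleartext" ;;
        *)
            echo "3 $server->$dhost:$dport network cleartext" ;;
    esac
}

# The page's two cases: case 1 ends on the SSH server itself,
# case 2 continues one hop beyond it as plain FTP.
forward_legs lune 12345:soleil:21 soleil
forward_legs lune 12345:soleil:21 etoile
```

A third line reading "network cleartext" means the FTP login and data cross the wire unprotected between the SSH server and the destination, as in case 2.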