Slashdot Mirror


OpenSSH Patch Extends Tunneling Under OpenBSD

Jonatan Wallmander writes "We've written a small howto as well as produced a simple patch for OpenSSH that improves tunneling functionality in the ssh client on the OpenBSD platform (this should be OK on other platforms with some tweaking). It's a simple hack but works very well for us. We can have different IPs on the same BSD machine tunnel different hosts ... Without the patch you can only have one tunnel per BSD machine since it listens on INADDR_ANY. Now all my computers on the LAN can access remote servers securely as if they were in the same room provided by a single BSD server. :)"
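The INADDR_ANY limitation the submitter describes can be reproduced at the socket level. The following is an added example written for this page, not the patch or OpenSSH's own code: a wildcard (0.0.0.0) listener on a port blocks every other listener on that port, while listeners bound to specific local addresses can share it, which is what the patch lets `ssh -L` do. Function names are my own; the 127.0.0.2 case in `main` assumes Linux, where the whole 127/8 range is loopback.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Open a TCP listener on bind_addr:port. "0.0.0.0" is INADDR_ANY (the unpatched
 * ssh -L behaviour); a specific address is what the patch allows. Returns the
 * listening fd, or -1 with errno set. No SO_REUSEADDR: plain kernel rules apply. */
static int open_listener(const char *bind_addr, unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, bind_addr, &sa.sin_addr) != 1) { close(fd); errno = EINVAL; return -1; }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 5) < 0) {
        int saved = errno; close(fd); errno = saved; return -1;
    }
    return fd;
}
/* Port the kernel actually assigned (port 0 lets it pick a free one). */
static unsigned short bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return 0;
    return ntohs(sa.sin_port);
}
/* 1 if a listener on first:port blocks one on second:port (EADDRINUSE), 0 if both coexist, -1 on other errors. */
static int listeners_conflict(const char *first, const char *second)
{
    int a = open_listener(first, 0);
    if (a < 0) return -1;
    int b = open_listener(second, bound_port(a));
    int result = b >= 0 ? 0 : (errno == EADDRINUSE ? 1 : -1);
    if (b >= 0) close(b);
    close(a);
    return result;
}
int main(void)
{
    /* Unpatched: one INADDR_ANY listener takes the port for every local IP. */
    printf("0.0.0.0 then 127.0.0.1 -> %d\n", listeners_conflict("0.0.0.0", "127.0.0.1"));
    /* Patched: distinct addresses share the port (127.0.0.2 is loopback on Linux). */
    printf("127.0.0.1 then 127.0.0.2 -> %d\n", listeners_conflict("127.0.0.1", "127.0.0.2"));
    return 0;
}
```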

3 of 38 comments

  1. Small error in the examples... by Gruturo · Score: 3, Informative

    I don't wish to be pedantic, and it doesn't compromise the understandability of the article, but in the drawing under chapter 3 (The basic solution), the "brown" OpenBSD file server is available to the Windows PC as .200, and NOT .5 as suggested.
    The green OpenBSD box just does a simple port forwarding (from its own 139 to port 139 on 127.0.0.1 seen from the other endpoint's perspective) and makes it available non-loopback-only via the "-g" option (which btw won't work if you don't have "GatewayPorts yes" in your sshd_config file, and the last time I checked this was not exactly well documented). Therefore, 192.168.0.200:139 (actually 0.0.0.0:139, esp. without this patch :-) ) gets mapped to 127.0.0.1:139 (but on the OTHER end of the tunnel - thus the brown box).

    The next example is correct (and shows the use of the patch).

    Just my 0.02

    --

    Vacuum cleaners suck. Kings rule.
  2. Re:Null encryption? by sedawkgrep · Score: 3, Informative

    While I haven't done this in YEARS, I think you need to add a Ciphers line to /etc/ssh/sshd_config that contains 'none'. Be sure to include all the ciphers you may want to use because this list is exclusionary.

    Otherwise, you can always use blowfish, rc4, or even AES (I think...) as they are all *MUCH* faster than 3des.

    sedawkgrep

    --
    Is that a salami in my pants or am I just happy to be me?
  3. Re:Null encryption? by Euphonious+Coward · Score: 3, Informative

    Thanks, I had tried that. I have a Ciphers line in my /etc/ssh/sshd_config already, so it will default to aes128-cbc, fall back to blowfish-cbc, and finally 3des-cbc. When I add "none" or "null", sshd complains when it reads the file: Bad SSH2 cipher spec.

    I wonder if a plaintext cipher would compromise authentication. (Not that it matters in this case.)