Slashdot Mirror
OpenSSH Patch Extends Tunneling Under OpenBSD
Jonatan Wallmander writes "We've written a small howto as well as produced a simple patch for OpenSSH that improves tunneling functionality in the ssh client on the OpenBSD platform (this should be OK on other platforms with some tweaking). It's a simple hack but works very good for us. We can have different IPs on the same BSD machine tunnel different hosts ... Without the patch you can only have one tunnel per BSD machine since it listens on INADDR_ANY.. Now all my computers on the LAN can access remote servers securely as if they were in the same room provided by a single BSD server. :)"
I got educated on an earlier Slashdot story of how (a) how nice and easy it was to set up an encrypted tunnel using ssh instead of IPSec or a weird proprietary VPN product, (b) how TCP over TCP is a fundamentally bad idea and people were compensating by periodically restarting the tunnel service afresh to work around it.
How's the performance of this setup and does it address any of those problems?
"Provided by the management for your protection."
I don't wish to be pedantic, and it doesn't compromise the understandability of the article, but in the drawing under chapter 3 (The basic solution), the "brown" OpenBSD file server is available to the Windows PC as .200, and NOT .5 as suggested. :-) ) gets mapped to 127.0.0.1:139 (but on the OTHER end of the tunnel - thus the brown box).
The green OpenBSD box just does a simple port forwarding (from its own 139 to port 139 on 127.0.0.1 seen from the other endpoint's perspective) and makes it available non-loopback-only via the "-g" option (which btw won't work if you don't have "GatewayPorts yes" in your sshd_config file, and the last time I checked this was not exactly well documented). Therefore, 192.168.0.200:139 (actually 0.0.0.0:139, esp. without this patch
The next example is correct (and shows the use of the patch).
Just my 0.02
Vacuum cleaners suck. Kings rule.
While I haven't done this in YEARS, I think you need to add a Ciphers line to /etc/ssh/sshd_config that contains 'none'. Be sure to include all the ciphers you may want to use because this list is exclusionary.
Otherwise, you can always use blowfish, rc4, or even AES (I think...) as they are all *MUCH* faster than 3des.
sedawkgrep
Is that a salami in my pants or am I just happy to be me?
TCP over TCP is a fundamentally bad idea
There may be some theoretical basis to this mantra, but in the real world it doesn't apply. I develop a product that uses TCP/TCP communications and it transfers hundreds of gigs a week from dozens of sites without any performance problems.
I think the way the real world works around the theoretical problems is that it's not really possible to maintain a TCP connection on the 'net for a long period of time unless you control the entire path. In my case, customer sites are always rebooting their routers, NAT boxes, etc. and connections rarely last longer than a day, often only several hours.
Fortunately, Unix has nice mechanisms for keeping things up, i.e. inittab.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Thanks for the tip. You learn something every day on this board!
Method of processing duck feet
I wonder if a plaintext cipher would compromise authentication. (Not that it matters in this case.)