Monday, November 5, 2012

SSH Forwarding

When Sun first produced systems, the common way for users to move around a network and to distribute workload was to leverage the Berkeley "r" tools, such as "rsh", "rlogin", "rexec", etc. under Solaris. As academics became professional, security concerns over passwords being passed in the clear were raised and SSH was born. SSH was built with a compatible superset to "rsh", but this was later removed with the second version of the protocol. This document discusses the implementation
of SSH under Solaris.

Global Configurations:
SSH uses several global configuration files, one for the client, and another for the server. Each of these config files document the default compiler flags under Solaris. The "ssh" client global configuration file can be tailored on a per-user basis while the "sshd" server global configuration file is managed at the global level.

SSH Server Daemon
Under Solaris 10, related OS's, and above - SSHD is started through the services infrastructure.

sunserver/user$ svcs ssh
STATE          STIME    FMRI
online         Aug_17   svc:/network/ssh:default
There are built-in compiled defaults and global defaults which are reviewed, upon startup, and connection.

The following error may occur due to incorrect configurations:

channel 5: open failed: administratively prohibited: open failed
Under Solaris 10, forwarding agent is disabled as a compile flag, and is documented in the global configuration file. If one makes a connection via SSH, and proxies a port - an error message will be produced upon the first connection attempt to the proxied port.

To allow for the port forwarding, edit the configuration file "/etc/ssh/sshd_config".

AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
Restart the "sshd" service, the administrative message disappears.

sunserver/root# svcadm restart ssh

No comments: