Solaris 10: SSH and Forwarding HTTP
When Sun first produced systems, the common way for users to move around a network and to distribute workload was to leverage the Berkeley "r" tools, such as "rsh", "rlogin", "rexec", etc. under Solaris. As academics became professional, security concerns over passwords being passed in the clear were raised and SSH was born. SSH was built with a compatible superset to "rsh", but this was later removed with the second version of the protocol. This document discusses the implementation of SSH under Solaris.
SSH uses several global configuration files, one for the client, and another for the server. Each of these config files document the default compiler flags under Solaris. The "ssh" client global configuration file can be tailored on a per-user basis while the "sshd" server global configuration file is managed at the global level.
SSH Server Daemon
Under Solaris 10, related OS's, and above - SSHD is started through the services infrastructure.
sunserver/user$ svcs sshThere are built-in compiled defaults and global defaults which are reviewed, upon startup, and connection.
STATE STIME FMRI
online Aug_17 svc:/network/ssh:default
Start a Session with X and HTTP Forwarding
For demonstration purposes, there may be the need to temporarily open an X Console (to install an Oracle Database) and forward HTTP ports (to test an application) on a platform in a DMZ. The sample command may look like this:
sunclient/user$ ssh user@sunserver -b 10.1.2.3 \Since the ports to be forwarded are over 1024, there is no requirement for special "root" permissions. The proxied HTTPD connections can be observed.
-L 58080:127.0.0.1:58080 -L 8080:127.0.0.1:8080 -g
sunclient/user$ netstat -an grep 8080To perform a basic test of the forwarded HTTP port, the classic "telnet" can be used on the command line, but the connection is closed.
*.58080 *.* 0 0 49152 0 LISTEN
*.8080 *.* 0 0 49152 0 LISTEN
sunclient/user$ telnet localhost 58080Note, the error on the remote side.
Connected to localhost.
Escape character is '^]'.
Connection to localhost closed by foreign host.
channel 5: open failed: administratively prohibited: open failedThis is a configuration issue.
Global SSHD Configuration
Under Solaris 10, forwarding agent is disabled as a compile flag, and is documented in the global configuration file. If one makes a connection via SSH, and proxies a port - an error message will be produced upon the first connection attempt to the proxied port.
To allow for the port forwarding, edit the configuration file "/etc/ssh/sshd_config".
AllowTcpForwarding yesYou will need to restart the "sshd" service, the administrative message disappears.
sunserver/root# svcadm restart ssh
Your port HTTP and X Windows Port Forwarding will now work for ad-hoc tasks.