Wednesday, December 21, 2011

Solaris 10: SSH and Forwarding HTTP


Solaris 10: SSH and Forwarding HTTP

Abstract:
When Sun first produced systems, the common way for users to move around a network and to distribute workload was to leverage the Berkeley "r" tools, such as "rsh", "rlogin", "rexec", etc. under Solaris. As academics became professional, security concerns over passwords being passed in the clear were raised and SSH was born. SSH was built with a compatible superset to "rsh", but this was later removed with the second version of the protocol. This document discusses the implementation of SSH under Solaris.

Global Configurations

SSH uses several global configuration files, one for the client, and another for the server. Each of these config files document the default compiler flags under Solaris. The "ssh" client global configuration file can be tailored on a per-user basis while the "sshd" server global configuration file is managed at the global level.

SSH Server Daemon

Under Solaris 10, related OS's, and above - SSHD is started through the services infrastructure.

sunserver/user$ svcs ssh
STATE STIME FMRI
online Aug_17 svc:/network/ssh:default
There are built-in compiled defaults and global defaults which are reviewed, upon startup, and connection.

Start a Session with X and HTTP Forwarding

For demonstration purposes, there may be the need to temporarily open an X Console (to install an Oracle Database) and forward HTTP ports (to test an application) on a platform in a DMZ. The sample command may look like this:

sunclient/user$ ssh user@sunserver -b 10.1.2.3 \
-L 58080:127.0.0.1:58080 -L 8080:127.0.0.1:8080 -g
Since the ports to be forwarded are over 1024, there is no requirement for special "root" permissions. The proxied HTTPD connections can be observed.

sunclient/user$ netstat -an  grep 8080
*.58080 *.* 0 0 49152 0 LISTEN
*.8080 *.* 0 0 49152 0 LISTEN
To perform a basic test of the forwarded HTTP port, the classic "telnet" can be used on the command line, but the connection is closed.

sunclient/user$ telnet localhost 58080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection to localhost closed by foreign host.
Note, the error on the remote side.

channel 5: open failed: administratively prohibited: open failed
This is a configuration issue.

Global SSHD Configuration

Under Solaris 10, forwarding agent is disabled as a compile flag, and is documented in the global configuration file. If one makes a connection via SSH, and proxies a port - an error message will be produced upon the first connection attempt to the proxied port.

To allow for the port forwarding, edit the configuration file "/etc/ssh/sshd_config".

AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
You will need to restart the "sshd" service, the administrative message disappears.

sunserver/root# svcadm restart ssh

Your port HTTP and X Windows Port Forwarding will now work for ad-hoc tasks.


No comments:

Post a Comment