openssh unix dev - Apr 2008 - OpenSSH_4.7p1, reverse shell

Greetings,

I am using OpenSSH 4.7 and trying to use a middle machine to do reverse
shell. The error I run into is the destination says getsockopt TCP_NODELAY:
Connection reset by peer.

The setup:

3 machines (we can call them A,B,C) with QNX Neutrino

I would like machine C to be the destination. So we have A can talk to B,
and B can talk to C, but A can not talk to C directly.

What I am trying:

On C: ssh -N -R 10000:localhost:22 root at machineB

On B: running sshd

On A: ssh root at machineB -p 10000
>From my understanding when A connect to B it will forward all to port 10000
which has access to port 22 on C.

When I run the "On A" command I receive the error "getsockopt
TCP_NODELAY:
Connection reset by peer" on machine C and
"ssh_exchange_identification:
Connection closed by remote host" from machine A. I can SSH on A to B
without using the -p just fine. My sshd_config is below:

Many thanks for any suggestions you may have.

--H


#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /etc/openssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/openssh/ssh_host_rsa_key
HostKey /etc/openssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile    /root/.ssh/authorized_keys2

# For this to work you will also need host keys in
/etc/openssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via
challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes

AllowTcpForwarding yes
GatewayPorts yes
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
KeepAlive yes
UseLogin yes
UsePrivilegeSeparation no
#PermitUserEnvironment no
#Compression yes
ClientAliveInterval 0
ClientAliveCountMax 99999
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem    sftp    /opt/libexec/sftp-server

Hayder Mouhammed wrote:
> What I am trying:
> 
> On C: ssh -N -R 10000:localhost:22 root at machineB
> On B: running sshd
> On A: ssh root at machineB -p 10000
A useful tool to double check where ports are open for listening is
'netstat'.  Try this to see all listening connections:

  netstat -na | grep LISTEN

  netstat -na | grep :10000

Try that on all of the involved systems and verify where you are
listening.  That can clear up a lot of confusion.

The next thing to look for when trying to connect remotely is what IP
address the listening port is bound.  This is controlled by
GatewayPorts=yes and I see that you set it in your sshd configuration.
Did you restart the daemon after changes to make sure they could take
effect?
127.0.0.1 only accepts connections from the loopback interface.
0.0.0.0 accepts connections from any network interface.  Any specific
IP address would be assocated with that specific network device.

After this I would simply 'connect'[*], or 'telnet' if that
isn't
available, to the port and verify that you are getting an ssh banner.

On C:
  connect localhost 22

On B:
  connect localhost 10000

On A:
  connect B 10000

If the port is open and available but still blocked then I would look
for a firewall that is blocking the connection.

Bob

[*] http://www.meadowy.org/~gotoh/projects/connect