search for: connect_to

I just want to make sure I'm interpreting this correctly. In 5.0 channel_connect_to would only return the requested socket. You'd then need to use this socket to create the channel with with channel_new. In 5.1 channel_connect_to doesn't return the socket but rolls in channel_new and now returns the channel directly. The usage of channel_new hasn't changed though,...

...hen I write data to the tunnel, the ssh client failed to forward the data to the localhost. The debug is below: debug1: client_input_channel_open: ctype forwarded-tcpip rchan 2 win 131072 max 32768 debug1: client_request_forwarded_tcpip: listen localhost port 20000, originator 127.0.0.1 port 36478 connect_to localhost: unknown host (No such file or directory) debug1: failure forwarded-tcpip The code relevant is here: 3133 /* Return CONNECTING channel to remote host, port */ 3134 static Channel * 3135 connect_to(const char *host, u_short port, char *ctype, char *rname) 3136 { 3137 struct addrinfo...

...n. Some servers have a local LAN (provided by the cloud provider itself) which is always something in 10.0.0.0/8. So that won't collide with the tincs, which are always in something in 172.16.0.0/12. From how I understood tinc, it will "magically find" routes to other tinc nodes. The connect_to's are always specified with their static public IPs. After that, I found that tinc uses the private networks provided by the cloud provider as well as routes over the public internet (as in magically finds its shortest route). By server nodes you mean connect_to's? Or generally all tinc no...

...x 7791feb..6e46229 100644 --- a/channels.c +++ b/channels.c @@ -172,6 +172,7 @@ static void port_open_helper(Channel *c, char *rtype); /* non-blocking connect helpers */ static int connect_next(struct channel_connect *); static void channel_connect_ctx_free(struct channel_connect *); +static int connect_to_helper(const char *host, u_short port, struct channel_connect *cctx); /* -- channel core */ @@ -209,6 +210,7 @@ channel_lookup(int id) case SSH_CHANNEL_LARVAL: case SSH_CHANNEL_CONNECTING: case SSH_CHANNEL_DYNAMIC: + case SSH_CHANNEL_RDYNAMIC: case SSH_CHANNEL_OPENING: case SSH_CHANN...

...urrently launches ssh with a hostname of: somehost.`id>/tmp/whoami`.example.com With a vanilla SSH configuration this is ok since SSH errors out with "host not found." However, with a special SSH configuration, a website can execute an arbitrary command: ``` Host * ProxyCommand connect_to %r %h ``` What happened: `id>/tmp/whoami` was executed. What should have happened instead: 1) SSH passes %r/%h as an argument to the ProxyCommand without shell interpolation 2) %h should be validated to adhere to valid punycode 3) Introduce a SafeProxyCommand that only allows safe characte...

...s dont collide. Web is in a logical group / local subnet / in its own VPC with other instances (more webworkers and loadbalancers and things like that). Gateway and Backup are together in their own VPC with other instances (like a gitlab and what not). I'm using Ansible to roll out tinc. The connect_to's always have static public IPs in their tinc host config files, while others may only have private IPs there, for example: root at backup-1:~# cat /etc/tinc/tiutl/hosts/monitoring_1 Address = 10.0.0.102 Do you think that could be the cause for the problem..? As said, the tincs themselves a...

...ip link set tiutl up ip address add 172.16.0.11/24 dev tiutl                     <- works ip route add 172.16.1.0/24 via 172.16.0.5 dev tiutl    <- doesn't work ## The backup servers tinc.conf root at backup-1:~# cat /etc/tinc/tiutl/hosts/gateway_1 Address = 40.10.70.200  # the pubilc connect_to IP Port = 655 Subnet = 172.16.0.5/32 Subnet = 172.16.1.0/24 -----BEGIN RSA PUBLIC KEY----- -----END RSA PUBLIC KEY----- ## From backup, when I try to ping the "gateway" server in the "tiutl" tinc network, this works: root at backup-1:~# ping -c 1 172.16.0.5 PING 172.16.0.5...

...ip link set tiutl up ip address add 172.16.0.11/24 dev tiutl                     <- works ip route add 172.16.1.0/24 via 172.16.0.5 dev tiutl    <- doesn't work ## The backup servers tinc.conf root at backup-1:~# cat /etc/tinc/tiutl/hosts/gateway_1 Address = 40.10.70.200  # the pubilc connect_to IP Port = 655 Subnet = 172.16.0.5/32 Subnet = 172.16.1.0/24 -----BEGIN RSA PUBLIC KEY----- -----END RSA PUBLIC KEY----- ## From backup, when I try to ping the "gateway" server in the "tiutl" tinc network, this works: root at backup-1:~# ping -c 1 172.16.0.5 PING 172.16.0.5...

...course. The server error, when forwarding from the client '143:localhost:143' and connecting to localhost 143 is: debug1: server_input_channel_open: ctype direct-tcpip rchan 1 win 20480 max 2048 debug1: server_request_direct_tcpip: originator 127.0.0.1 port 1340, target 127.0.0.1 port 143 connect_to 127.0.0.1: unknown host (Address family for hostname not supported) debug1: server_input_channel_open: failure direct-tcpip The problem is that the connecting clients might not know a thing about IPv6, so it wouldn't even be possible to forward something like '143/::127.0.0.1/143', I s...

>> The setup looks like this: >> web <- tinc "tiosp" -> gateway <- tinc "tiutl" -> backup Which lan ips do all your computers have? network addess will be fine. ALBI...

...or commercial that will set the source IP addresses to what the ssh server reports? Either through being a VPN, emulating a NIC/network interface, or playing with raw sockets/socket options, or something else? For OpenSSH this is a feature request. I also dug around in the source of OpenSSH, "connect_to" function in channels.c is what I think creates the connection on the ssh client to the destination in a remote forward. It uses Berkeley Sockets. Perhaps there should be a option to use raw sockets and spoof the source IP to what the ssh server passed to the ssh client, or set "ip_nonloc...

...urrently launches ssh with a hostname of: somehost.`id>/tmp/whoami`.example.com With a vanilla SSH configuration this is ok since SSH errors out with "host not found." However, with a special SSH configuration, a website can execute an arbitrary command: ``` Host * ProxyCommand connect_to %r %h ``` What happened: `id>/tmp/whoami` was executed. What should have happened instead: 1) SSH passes %r/%h as an argument to the ProxyCommand without shell interpolation 2) %h should be validated to adhere to valid punycode 3) Introduce a SafeProxyCommand that only allows safe characte...

...Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: stig at venaas.com In connect_to() in channels.c there is a loop trying to connect to each address returned by getaddrinfo() until connect() is successful or EINPROGRESS is returned. The socket is non-blocking so unless something immediately fails, EINPROGRESS is returned and we happily leave the loop. Then when we later attempt t...

...th port forwarding on Mac OS X (10.2 and 10.3). When I forward a port to localhost, as in ssh -R 40404:localhost:40404 somehost ...and the remote system makes a connection on this port, I get the message getsockopt TCP_NODELAY: Connection reset by peer I have tracked this down to the loop in connect_to that gets a list of addresses from getaddrinfo and tries them one after another. When "localhost" is the host name. getaddrinfo returns an IPv6 address, followed by an IPv4 address. The loop is designed to try connections until it finds one that works. Unfortunately, on my system,...

.../net/ssh/session.rb:129:in `initialize'' /usr/lib/ruby/gems/1.8/gems/net-ssh-1.0.9/lib/net/ssh.rb:47:in `start'' /usr/lib/ruby/gems/1.8/gems/capistrano-1.1.0/lib/capistrano/ssh.rb:31:in `connect'' /usr/lib/ruby/gems/1.8/gems/capistrano-1.1.0/lib/capistrano/actor.rb:25:in `connect_to'' /usr/lib/ruby/gems/1.8/gems/capistrano-1.1.0/lib/capistrano/actor.rb:397:in `establish_connections'' /usr/lib/ruby/gems/1.8/gems/capistrano-1.1.0/lib/capistrano/actor.rb:396:in `establish_connections'' /usr/lib/ruby/gems/1.8/gems/capistrano-1.1.0/lib/capistrano/actor.rb:...

....0.9/lib/net/ssh.rb:47:in `new'' c:/ruby/lib/ruby/gems/1.8/gems/net-ssh-1.0.9/lib/net/ssh.rb:47:in `start'' c:/ruby/lib/ruby/gems/1.8/gems/capistrano-1.1.0/lib/capistrano/ssh.rb:31:in `connect'' c:/ruby/lib/ruby/gems/1.8/gems/capistrano-1.1.0/lib/capistrano/actor.rb:25:in `connect_to'' c:/ruby/lib/ruby/gems/1.8/gems/capistrano-1.1.0/lib/capistrano/actor.rb:397:in `establish_connections'' c:/ruby/lib/ruby/gems/1.8/gems/capistrano-1.1.0/lib/capistrano/actor.rb:396:in `each'' c:/ruby/lib/ruby/gems/1.8/gems/capistrano-1.1.0/lib/capistrano/actor.rb:396:in...

...*rname) > { > int i; > > for (i = 0; i < num_permitted_opens; i++) { > if (permitted_opens[i].host_to_connect != NULL && > port_match(permitted_opens[i].listen_port, listen_port)) { > return connect_to( > permitted_opens[i].host_to_connect, > permitted_opens[i].port_to_connect, ctype, rname); > } > } > error("WARNING: Server requests forwarding for unknown listen_port %d", >...

....0.9/lib/net/ssh.rb:47:in `new'' c:/ruby/lib/ruby/gems/1.8/gems/net-ssh-1.0.9/lib/net/ssh.rb:47:in `start'' c:/ruby/lib/ruby/gems/1.8/gems/capistrano-1.1.0/lib/capistrano/ssh.rb:31:in `connect'' c:/ruby/lib/ruby/gems/1.8/gems/capistrano-1.1.0/lib/capistrano/actor.rb:25:in `connect_to'' c:/ruby/lib/ruby/gems/1.8/gems/capistrano-1.1.0/lib/capistrano/actor.rb:397:in `establish_connections'' c:/ruby/lib/ruby/gems/1.8/gems/capistrano-1.1.0/lib/capistrano/actor.rb:396:in `each'' c:/ruby/lib/ruby/gems/1.8/gems/capistrano-1.1.0/lib/capistrano/actor.rb:396:in...

...connections are open: #2 client-session (t4 r0 i0/0 o0/0 fd 7/8 cc -1) #3 direct-tcpip: listening port 9999 for www.google.com port 443, connect from \ 127.0.0.1 port 24731 to 127.0.0.1 port 9999 (t4 r1 i0/0 o0/0 fd 10/10 cc -1) ~~~ part of auth.log: ~~~ Nov 23 19:24:04 gw sshd[20891]: error: connect_to wiki.brq.example.com: unknown host \ (no address associated with name) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ~~~ my sshd_config part: ~~~ Match Address 192.168.1.0/24,192.168.2.0/24,192.168.254.0/24,2xx.0.0.0/8,2001:470:xxxx \ ::/64 U...

...ing listening on path %s.", fwd->listen_path); + debug("Local forwarding listening on path %s.", listen_path); + free(listen_path); /* Allocate a channel number for the socket. */ c = channel_new("unix listener", type, sock, sock, -1, @@ -3825,9 +3896,12 @@ channel_connect_to_port(const char *host, u_short port, char *ctype, /* Check if connecting to that path is permitted and connect. */ Channel * -channel_connect_to_path(const char *path, char *ctype, char *rname) +channel_connect_to_path(const char *path, char *ctype, char *rname, + struct ForwardOptions *fwd_o...