Core 147 - sshd forwarding

1

Hi,

i’m using the ssh for remote administration.

on core 144 everything went well, now on core 147 the forwarding fails:

Received request from xxx.xxx.xxx.xxx port 25013 to connect to host xxx.xxxxxx.xxxx port 3389, but the request was denied.

I think my settings in /etc/ssh/sshd_config are valid:

AllowTcpForwarding yes
AllowAgentForwarding yes
PermitOpen any

What am i missing?

Greetz

2

Hi,

Have you ever solved the issues ?

3

So do I … but have no idea how.
It just started working after a number of reboots.
PermitOpen - commented out.

4

It’s strange, because i was trying a lot and finally it’s working.

If i look at my config, i think it should not work. I’m crossing the fingers and let it go…

Here’s my sshd_config so far:

OpenSSH server configuration file for IPFire

The full documentation is available at: sshd_config(5) - OpenBSD manual pages

Only allow version 2 of SSH protocol

Protocol 2

Listen on port 22 by default

Port 222

Listen on every interface and IPv4 only

AddressFamily inet
ListenAddress 0.0.0.0

Limit authentication timeout to 30 seconds

LoginGraceTime 30s

Limit maximum instanctes to prevent DoS

MaxStartups 5

Only allow safe crypto algorithms (may break some very outdated clients)

See also: Secure Secure Shell

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

Only allow cryptographically safe SSH host keys (adjust paths if needed)

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key

Only allow login via public key by default

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

Permit root login as there is no other user in IPFire 2.x

PermitRootLogin yes

Ignore user ~/.ssh/known_hosts file

IgnoreUserKnownHosts yes

Do not allow any kind of forwarding (provides only low security);

some of them might need to be re-enabled if SSH server is a jump platform

AllowTcpForwarding yes
AllowAgentForwarding yes
#PermitOpen any

Fix port forwarding???

#X11Forwarding no
#PermitTunnel yes
#GatewayPorts yes

Detect broken sessions by sending keep-alive messages to clients via SSH connection

ClientAliveInterval 10

Close unresponsive SSH sessions which fail to answer keep-alive

ClientAliveCountMax 6

Add support for SFTP

Subsystem sftp /usr/lib/openssh/sftp-server

EOF

Greetz

5

I just updated to core 151. The same issue here.

No Port forwarding after Update.

Commenting “permitopen none” and restarting the sshd does not solve this. But after reboot the Port forwarding works as expected.

Greetz

6

Yes, it seems rebooting is a point.

7

Rebooting is annoying and it feels so windows-like lol

Greetz

8

Rebooting sometimes is needed for install something new or upgrade something running, which may be critical to other processes and iterations.
Reboot is texted as requested when necessary at core upgrades…

9

Thats right. But changing some sshd config values should never cause a reboot to work!

10

In any distro installation or compiled installation you may be right. But it’s possible that you don’t have the full grasp of how IPFire works.

11

Yes you are right! I am an idiot. Thanks to show me the light.