backwards zebedee or ssh
Glenn Newell
gnewell "at" synopsys.COM
Thu, 08 Jun 2000 18:59:17 +0000
David + Chuck,
Thanks to both of you for responding.
To clarify, in my situation, I don't need the server (outside the firewall) to signal the client (inside the
firewall). This is for a help-desk-type setup, so there will be someone asking for help (inside the firewall)
who can start up a vncserver and an ssh or zebedee client, which will make the connection through the firewall
to the ssh2d or zebedee server. Then the help desk can use a vnc client to connect to the ssh2d/zebedee -s server.
I can see how running zebedee -s in a "make one connection and quit" mode along with one and only one
redirect port would really enhance security. I just need the tunnel to work backwards (vnc server listen
port at the zebedee client reflected through the tunnel so vnc clients can connect at the zebedee server).
The help desk could email a configuration file (or just verbally tell the customer):
port for zebedee to connect on
port for vnc server to be redirected to
Chuck, if you turn it around so the server connects to the client, I'm worried I wouldn't have the -r capability
(to restrict redirect ports) on the client piece (since it now works only on the server). Again, can't we
just turn the direction of port redirect around, without changing the direction of connection from the client
to server?
Rgds,
Glenn
>Date: Wed, 7 Jun 2000 14:03:10 -0400
>From: "Habermann, David (DA)" <habermann "at" dow.com>
>Subject: RE: backwards zebedee or ssh
>
>Glenn:
>
>You are correct that zebedee does not have any reverse functionality. The server does not maintain any connection with the client other than those representing tunneled user connections, so there would not be any possibility for the server (outside) to signal the client (inside) that it wants a new connection to be created. I've thought about this possibility also and would like to have something to do this. However, to the best of my knowledge, there is no SSHD that runs under Win95/98.
>
>One nice thing that zebedee just implemented (version 2.0 released 6/5/00) is a switch causing the zebedee client to listen for connections only from the localhost. This would probably really help your security concern if we could figure out how to have zebedee do what you are asking. My scenario (if I got around to doing some coding) would be to have a "server initiated connection" like VNC has and a "Client listening mode" like VNC has. Also, a single "permanent connection" would have to be set up for control messages (so that the server could get a message from the client that a new request has come in for a tunnel from x to y).
>
>Sorry if the mental clarity of my message is not too good, I seem a little foggy today.
>
>Dave
>Date: Wed, 7 Jun 2000 14:00:20 -0400 (EDT)
>From: Charles Hines <hines "at" gderome.com>
>Subject: Re: backwards zebedee or ssh
>
>
>I've actually been meaning to contribute a patch to the author of Zebedee to
>basically do what you want (reverse the connection sequence so the client
>waits for the server to connect to it) to be able to connect to a VNC session
>at work from my home system, but haven't had a chance to do it yet.
>
>It shouldn't be too difficult to do, but it hasn't been urgent enough for me
>to rearrange some priorities to actually have time to work on it yet. After I
>finally get into my new house and get my cable modem though... then it'll be
>more of a priority for me.
>
>Hm...one other thing I was waiting for though was for Zebedee v2.0 to come out
>because when I spoke with the author last he said he was trying to finish up
>the documentation for it and I didn't want to have to redo the patch entirely.
>And now I see that it just did arrive on the web site! Guess I'll have to
>grab it and see about coming up with those changes now, unless of course
>someone else beats me to it (wink, wink, nudge, nudge). :)
>
>Chuck
>
>--
>Charles K. Hines <ckh "at" requesttech.com> <hines "at" gderome.com>
>Principal Scientist at ReQuest Technologies Inc (http://www.ReQuestTech.com/)
>Martial Arts Instructor [Modern Arnis and Balintawak Escrima]
>
> "Go back to sleep, Chuck. You're just havin' a nightmare
> -- of course, we ARE still in Hell." (Gary Larson)
>Date: Wed, 07 Jun 2000 10:17:16 -0700
>From: Glenn Newell <gnewell "at" synopsys.COM>
>Subject: backwards zebedee or ssh
>
>Lot of discussion in yesterday's vnc-list-digest about using
>zebedee through a firewall that doesn't allow inbound connections.
>
>All the discussion seems to be around running a VNC server outside the firewall
>and a VNC client inside.
>
>What about the other way around? Given your typical firewall, and no way to make
>changes, it is possible to do by running ssh in sort of a "backwards" mode.
>In other words put the ssh2d server on the outside of the firewall, and have the
>user behind the firewall run the ssh2 client:
>
> ssh2 -p 80 -R 50123:host.customer.com:59xx ssh2dhost.ourdomain.com -l username
>
>Since the firewall is most likely open for web browsing, the ssh2 -p 80 gets them
>through it. The -R 50123:host.customer.com:5901 forwards the vnc server listen port,
>running on host.customer.com:5901 to our ssh2dhost.ourdomain.com:50123 where we
>can connect to it with a VNC client.
>
>O.K. that all works, but the problem is another person could come along and do:
>
> ssh2 -p 80 -L 59xx:ssh2dhost.ourdomain.com:50123 ssh2dhost.ourdomain.com -l username
>
>and attempt to connect to the 1st user's VNC server, and this violates our security requirements.
>There doesn't seem to be any way to tell ssh2d to accept client -R requests but deny client -L
>requests, hence my search for another tunneling program, such as zebedee.
>
>Hope all that was clear.
>
>am I correct in that zebedee will not do the above? It doesn't seem to have the equivalent of "-R" on
>the client side.
>
>Rgds,
>Glenn
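The -R/-L problem in Glenn's original message, and the help-desk setup in his reply, can be expressed as a policy question: which forwarding requests should the tunnel server accept from which account? The block below is an added example, not code from this thread and not sshd's own code. It models how an OpenSSH sshd decides the two ssh2 commands quoted above under its forwarding options (AllowTcpForwarding, PermitListen, PermitOpen; PermitListen exists from OpenSSH 7.8, and the 2000-era ssh2d discussed here has no such switch, which is the point of the thread), and it emits the sshd_config Match block that gives one help-desk account only the single -R listener it needs. The two command lines are constructed from the thread with the "59xx" placeholder replaced by the 5901 named in the follow-up text; the account name helpdesk-glenn is an assumption.

```python
"""Model of OpenSSH sshd TCP-forwarding policy applied to the thread's two
ssh2 commands.  Added example; assumes current OpenSSH option semantics
(AllowTcpForwarding yes|no|local|remote, PermitListen, PermitOpen), not the
ssh2d of 2000.  Constructed inputs are marked below."""
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    kind: str        # "R": sshd listens and the client connects out; "L": the reverse
    bind_port: int   # port bound by the listening side
    dest_host: str   # where the other side connects
    dest_port: int


def parse_forwards(cmdline):
    """Extract -L/-R specs (port:host:hostport, optional bind_address: prefix)."""
    argv = shlex.split(cmdline)
    found, i = [], 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-L", "-R"):
            kind, spec, i = tok[1], argv[i + 1], i + 2
        elif tok[:2] in ("-L", "-R") and len(tok) > 2:
            kind, spec, i = tok[1], tok[2:], i + 1
        else:
            i += 1
            continue
        parts = spec.split(":")
        if len(parts) == 4:          # drop the bind_address, we only model ports
            parts = parts[1:]
        bind_port, dest_host, dest_port = parts
        found.append(Forward(kind, int(bind_port), dest_host, int(dest_port)))
    return found


@dataclass(frozen=True)
class ForwardPolicy:
    """The sshd_config knobs that govern TCP forwarding for one account."""
    allow_tcp_forwarding: str = "yes"   # yes | no | local | remote
    permit_listen: tuple = ("any",)     # -R bind ports: any | none | [host:]port ...
    permit_open: tuple = ("any",)       # -L destinations: any | none | host:port ...


def _listen_permitted(entries, port):
    if "none" in entries:
        return False
    if "any" in entries:
        return True
    return any(e.rpartition(":")[2] == str(port) for e in entries)


def _open_permitted(entries, host, port):
    if "none" in entries:
        return False
    if "any" in entries:
        return True
    for entry in entries:
        ehost, _, eport = entry.rpartition(":")
        if ehost == host and eport in ("*", str(port)):
            return True
    return False


def decide(policy, fwd):
    """Return (allowed, reason) for one forwarding request under the policy."""
    mode = policy.allow_tcp_forwarding
    if mode == "no" or (mode == "local" and fwd.kind == "R") \
            or (mode == "remote" and fwd.kind == "L"):
        return False, f"AllowTcpForwarding {mode} rejects -{fwd.kind}"
    if fwd.kind == "R" and not _listen_permitted(policy.permit_listen, fwd.bind_port):
        return False, f"PermitListen does not include port {fwd.bind_port}"
    if fwd.kind == "L" and not _open_permitted(policy.permit_open, fwd.dest_host, fwd.dest_port):
        return False, f"PermitOpen does not include {fwd.dest_host}:{fwd.dest_port}"
    return True, "permitted"


def evaluate(cmdline, policy):
    return [decide(policy, f) for f in parse_forwards(cmdline)]


def helpdesk_sshd_config(user, listen_port):
    """sshd_config Match block: this account may open exactly one -R listener and nothing else."""
    return "\n".join([
        f"Match User {user}",
        "    AllowTcpForwarding remote",
        f"    PermitListen {listen_port}",
        "    GatewayPorts no",
        "    PermitTTY no",
        "    X11Forwarding no",
        "    AllowAgentForwarding no",
    ])


# Constructed from the thread's two commands (59xx -> 5901).
HELPER_CMD = "ssh2 -p 80 -R 50123:host.customer.com:5901 ssh2dhost.ourdomain.com -l username"
SNOOP_CMD = "ssh2 -p 80 -L 5901:ssh2dhost.ourdomain.com:50123 ssh2dhost.ourdomain.com -l username"

DEFAULT_POLICY = ForwardPolicy()                                   # sshd defaults: both allowed
HELPDESK_POLICY = ForwardPolicy("remote", ("50123",), ("none",))   # what the thread asks for

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("helpdesk", HELPDESK_POLICY)):
        for cmd in (HELPER_CMD, SNOOP_CMD):
            allowed, why = evaluate(cmd, policy)[0]
            print(f"{name:8} {'ALLOW' if allowed else 'DENY '} {cmd.split()[3]} {cmd.split()[4]}: {why}")
    print(helpdesk_sshd_config("helpdesk-glenn", 50123))
```

Under the default policy both commands are accepted, which is exactly the hole described above; under the help-desk policy the -R to 50123 is accepted, the -L from the second user is refused by AllowTcpForwarding remote, and an -R to any other port is refused by PermitListen. Two caveats remain. Each customer needs their own account and port, since the Match block is per user; with key-based logins the same restriction can be put in authorized_keys with restrict,port-forwarding,permitlisten="50123". And the -R listener still binds the loopback address on the tunnel host, so any process or shell user on that host can reach it: the policy keeps other tunnel clients out, and VNC's own password has to keep out local users.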
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------