SSH – Troubleshooting Remote Forward Success but Test from Remote Site Not Working

linuxport-forwardingsshssh-tunnel

Took me a while to figure this out, but finally got remote port forwarding to work with ssh as follows:

ssh -N -i /etc/ssh/id_rsa [email protected] -R 8080:localhost:80 -C -v

The local server uses a private key to connect to the remote server which has a public key configured. Able to authenticate successfully, no errors in the log. The last line that ssh prints is:

debug1: remote forward success for: listen 8080, connect localhost:80

I tried testing this from my public site, as follows:

However, nothing happens – still see this line:

debug1: remote forward success for: listen 8080, connect localhost:80

If I test locally on the remote server using http://127.0.0.1:8080, it works fine.

NOTE: The following is set in sshd_config on the remote server:

AllowTcpForwarding yes
GatewayPorts yes

Not sure what I am missing…

Best Answer

Quote from man ssh

By default, TCP listening sockets on the server will be bound to the loopback interface only.This may be overridden by specifying a bind_address. An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces. Specify‐ ing a remote bind_address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).

Related Solutions

Sshd on mac does no longer accept connections in inetd (-i) mode, but does in do not detach mode (-D), how to fix

It's pretty non-standard to use initd to start anything on a Mac. Instead, launchd is used, kicking off sshd in an ad hoc fashion (ie, it doesn't run as a typical server daemon until there's knock on the door). I suspect that your use of Linux-centric Webmin to manage ssh is contributing to the problem, since Webmin doesn't know a whole lot about launchd.

First, make sure the ssh launchd item is configured to load, just to eliminate the obvious.

sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist

This is akin to ticking the box on Server Admin.app in the Settings options to enable SSH. Check syslog to see if launchctl is complaining about something.

It's unclear why you would want Webmin to handle SSH, but Apple's default configuration might be illuminating.

There's a launchd item in /System/Library/LaunchDaemons called sshd.plist. This XML file indicates that /usr/libexec/sshd-keygen-wrapper is used as the "program" that actually kicks off /usr/sbin/sshd using the -i flag. (The sshd-keygen-wrapper program is a shell script to first set up initial rsa and dsa keys in empty user home dirs.) The sshd-keygen-wrapper, however, also kicks off sshd like exec /usr/sbin/sshd $@ and is a trusted/whitelisted program as far as the socket firewall is concerned.

You might also want to grab the default /etc/sshd_config from backup or another machine to eliminate that as a variable in troubleshooting.

SSH Tunnel Not Working As Expected

So the issue was a few things.

The web application is running over SSL so I had to do port 443 instead of 80
For whatever reason, you can't forward 443 to a different local port. So I had to forward to 443.

The final command looked like this:

sudo ssh gdboling@<public_ip> -N -L 443:<private_host>:443

Best Answer

Related Solutions

Sshd on mac does no longer accept connections in inetd (-i) mode, but does in do not detach mode (-D), how to fix

SSH Tunnel Not Working As Expected

Related Topic