
SSH Tunneling with Panther Server System
SSH Tunneling with Panther can sometimes be tricky. I was trying, without success, to get this hint working with my personal mail server, which is running on OS X Panther Server. The only difference is that I was using IMAP (port 143) instead of POP (port 110), but that's not important, I only mention it because IMAP is so much better than POP, in my opinion, and everyone should use IMAP when they have the option :).

Anyway, no matter what I did, I kept seeing the error open failed: administratively prohibited: open failed. Extensive Googling did not find a solution, except for one reference which finally turned out to be the correct solution for me. Most of what I found talked about firewalls, incorrect host names or IP addresses, and the like.

But here's the tip that worked for me. As root, I edited the file sshd_config, located in /private/etc/ on my Panther Server machine (the one running my mail server). Note: sshd_config, not ssh_config. I added the following line:
  AllowTcpForwarding yes
After restarting my server, following the directions in the above hint worked like a charm, and I was able to retrieve and send mail from my laptop via SSH Tunnels. I then installed and configured SSH Tunnel Manager on my laptop to open tunnels for ports 55143/143 (IMAP) and 5525/25 (SMTP) when I logged in, and now it's completely transparent! I no longer have to worry about anyone sniffing for my password when using an open network at a coffee shop or whatever.

For some reason, the AllowTcpForwarding option is not listed in Panther's sshd_config file. Furthermore, other references to this option indicated that yes is the default value. However, this appears not to be the case for OS X Panther Server. I hope this hint helps save someone the time and aggravation that I spent.
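As an added example (not code from the hint above), the following script reports the effective AllowTcpForwarding value of an sshd_config file, treating an absent or commented-out directive as the compiled-in default, and builds the client-side command for the two tunnels the hint describes. The sample config file and the host name user@mail.example.org are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original hint. Reports the effective
# AllowTcpForwarding setting of an sshd_config and builds the client
# tunnel command the hint describes. The sample file is constructed here.

# Print the effective AllowTcpForwarding value in the given sshd_config.
# sshd honours the first uncommented occurrence of a keyword (keywords
# are case-insensitive), so a commented-out or absent line means the
# compiled-in default. The man page documents that default as "yes";
# the hint above reports that Panther Server behaved as if it were "no".
effective_tcp_forwarding() {
    val=$(grep -i '^[[:space:]]*AllowTcpForwarding[[:space:]]' "$1" 2>/dev/null \
        | head -n 1 | awk '{ print tolower($2) }')
    [ -n "$val" ] && echo "$val" || echo "default"
}

# Build the client-side command for the tunnels in the hint: local
# 55143 -> server's IMAP (143) and local 5525 -> server's SMTP (25).
# -N opens no remote shell; "localhost" is resolved on the server side.
tunnel_command() {
    echo "ssh -N -L 55143:localhost:143 -L 5525:localhost:25 $1"
}

# Constructed sample resembling a config where the directive is missing
# entirely (only a commented-out copy of it), as the hint describes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
#AllowTcpForwarding yes
Protocol 2
EOF

echo "before: AllowTcpForwarding = $(effective_tcp_forwarding "$sample")"
printf 'AllowTcpForwarding yes\n' >> "$sample"
echo "after:  AllowTcpForwarding = $(effective_tcp_forwarding "$sample")"
echo "client: $(tunnel_command user@mail.example.org)"
rm -f "$sample"
```

Run it against /private/etc/sshd_config on the server to see whether the directive is set at all before restarting sshd.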
SSH Tunneling with Panther Server
Authored by: raider on Nov 09, '04 11:20:30AM

Hey, other stuff aside, this hint is worth it just for the link to "SSH Tunnel Manager". One question, you say you set it up to automate the tunnel - do you use passwords with your ssh, and if so - can you store them in the keychain or something to automate?



SSH Tunneling with Panther Server
Authored by: jtratcliff on Nov 09, '04 03:10:31PM

Check out SSHKeychain.... I just started using it. Seems pretty good. It's a GUI to ssh-agent that stores your ssh passphrase in the keychain.

http://www.sshkeychain.org



SSH Tunneling with Panther Server
Authored by: raider on Nov 10, '04 08:34:20PM
I might be doing something wrong.... I set up the tunnel in SSHKeychain. It connects fine, only it pops up a window asking me for the password (the ssh password for the tunnel). Any time I connect to the tunnel it pops up the dialog asking me for the password.

In the SSHKeychain FAQ it says I should check the "store password in keychain" check box, but there is no such checkbox when it is asking me for the password...

Am I missing something obvious? Other than that the tunnel works fine... Just won't store the ssh password in my keychain.

SSH Tunneling with Panther Server
Authored by: iRideSnow on Nov 09, '04 03:31:49PM

As the other poster stated, you could use something like the SSHKeyChain app. However, I have public-private key pairs set up without passphrases. Yes, I realize this is less secure if someone were to steal my laptop. Of course, the moment I noticed my laptop was missing, I'd be deleting those private keys on my server.

Rob



SSH Tunneling with Panther Server
Authored by: jtratcliff on Nov 09, '04 09:49:43PM

Yeah I used to simply use key pairs w/ no pass phrases... I couldn't get myself to figure out ssh-agent. Plus without passphrases, it was just plain easy to connect.

Then one of our boxen got pwned... even though it looked like a script kiddie who got lucky and only did some warez trading, I figured I'd better delete and regenerate my keys. I had a bunch so it was a royal pain. Now I have many fewer machines set up w/ key pairs. I try to use just one as my main connection point and its keys are passphrased...

Using SSHkeychain is so painless that it's worth it. You start your ssh connection and the keychain password prompt pops up, give your keychain password and all your subsequent ssh connections use the agent so it's indistinguishable from the blank passphrase method.

The keychain does time out after awhile, though. So if you try to start a new ssh connection after the timeout, it prompts you again.

Not much added hassle for a bit more security.



SSH Tunneling with Panther Server
Authored by: aixccapt99 on Nov 09, '04 11:38:01AM

Any reason you didn't just use IMAP and Authenticated SMTP over SSL? Port blocking?



SSH Tunneling with Panther Server
Authored by: imacusr on Nov 09, '04 02:23:06PM

I know at our workplace, the SSL (and clear) IMAP ports are blocked, but ssh isn't. Could be a similar setup for the original poster, I suppose.

Otherwise I would agree that SSL is the way to go, if it's available. (Or perhaps Kerberos, if your mail server is an OS X Server box.)



SSH Tunneling with Panther Server
Authored by: iRideSnow on Nov 09, '04 03:50:09PM

I run my own server and don't have any SSL certs set up or anything. Nor would I want to pay for them. I only briefly looked into SSL, so maybe there's a way to do it without certificates or with free ones or whatever.

I used to use the built-in CRAM-MD5 authentication, but my G5's video card crashed several months ago and I had to send it to Apple for repairs. During that time, I put my mail server on a backup machine (an old TiBook running the same version of Panther Server). When I got the G5 back and restored everything, CRAM-MD5 authentication would no longer work! No clue what happened. I tried re-creating my account, but it didn't help. It's very strange.

As for Kerberos, I'd love to use it. But I tried setting it up and gave up in frustration. I don't know if it's a DNS issue or what, but the Kerberos service (KDC I think?) just won't start on my machine. I'm so NOT a SysAdmin, which is why I laid out the extra bucks for Panther Server. I wanted the Server Admin and Workgroup Manager tools to help me set things up and keep them running.



SSH Tunneling with Panther Server
Authored by: timhaigh on Nov 09, '04 01:25:06PM

SSH tunnelling has not been a problem for me at all in 10.3 from the CLI. So I don't need this hint.

Here are some examples of the tunneling that works fine for me in 10.3

ssh user@server -L 4010:localhost:4000

ssh user@server -L 5010:192.168.0.1:5000



SSH Tunneling with Panther Server
Authored by: iRideSnow on Nov 09, '04 03:53:12PM

I don't know. Maybe it's because I'm forwarding admin level (< 1024) port numbers. All I know is that I had to explicitly specify AllowTcpForwarding in my server's sshd_config file before it would work. </shrug>

Rob



SSH Tunneling with Panther Server
Authored by: mjones1040 on Nov 09, '04 07:05:21PM

Same here. I have not had this problem. However, I think I did have to open a port in the firewall, but I don't recall. It has been a while since I needed this.



SSH Tunneling with Panther Server
Authored by: victory on Nov 09, '04 07:40:05PM
I think the original poster was describing how he needed to configure an SSH server for tunneling, not the ssh client which requires no such configuration (just proper use of the cmd-line switches as shown in your examples).

Most OpenSSH-based sshd servers now come with port-forwarding disabled by default (i.e. the 'AllowTcpForwarding' entry in /etc/sshd_config is set to 'no', commented out, or absent entirely). No doubt this is to prevent potential abuse or unintended side-effects.

...

BTW, just a common reminder to anyone enabling SSH port-forwarding on their servers:

While SSH with tunneling is a great tool for securing plaintext protocols (FTP, POP, IMAP, etc.) and incredibly useful for doing remote admin, just remember that if you, the admin, can do this, then generally any user on your server whom you give SSH access to can also see hosts on your internal network. And since all traffic is tunneled inside an SSH session, the content of these remote connections effectively bypasses any firewalls or content filters that are in place.

Finally, if you plan to enable tunneling/port-forwarding on your SSH server, NEVER create 'anonymous' or 'public' SSH-enabled accounts. This leaves your server open to a class of exploits known as 'port bouncing'. Basically this involves an unauthorized party (which could be inside or outside your network) using your SSH server to 'bounce' their traffic across your firewall for them.

Sadly, it's the port-forwarding feature of SSH2 servers that causes a lot of netadmins to block all SSH2/port 22 access on their firewalls entirely.


SSH Tunneling with Panther Server
Authored by: iRideSnow on Nov 09, '04 11:20:00PM
Victory is correct. I only had to do this on my server (which is running Panther server), not on my client.

Also, thanks for pointing out the security ramifications of allowing port forwarding. For what it's worth, if you do a man sshd_config, it says this about the AllowTcpForwarding directive:

AllowTcpForwarding: Specifies whether TCP forwarding is permitted. The default is ``yes''. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.
My server only has accounts for a few trusted friends, and they have limited access rights, so I'm not TOO worried about any of them taking advantage of me or my server.

What I found odd is that I did have to explicitly allow port forwarding, even though the man page says it's allowed by default. Maybe Apple changed the defaults, as I know they've done for other things as well. It was kind of annoying though that the default sshd_config file didn't even have AllowTcpForwarding listed so you could at least know what it's currently set to. Strange.
