sshd forwarding problems after latest update

Issues related to configuring your network
silvio
Posts: 49
Joined: 2008/11/10 13:06:03

sshd forwarding problems after latest update

Post by silvio » 2020/11/06 20:43:31

Hi,

we use autossh tunnels for some users to connect to our MySQL server.
The system has been running for ~2 years without any greater problems, but today a user sent me a message that he cannot connect to the MySQL server.

First idea was that the autossh tunnel was not running but it was.
After some checks I found this in the logs:

refused local port forward: originator ::1 port 40398, target localhost port 3306

Looks strange to me because we changed nothing on the client or server side (except the update).
First try was to enable AllowTcpForwarding in the sshd_config ... changed nothing.
Second try, temporarily disable SELinux ... nothing changed.
Temporarily disable firewalld ... nothing.

The autossh call we use is:
autossh -2 -fN -M ${AUTOSSH_PORT} -L 3406:localhost:3306 ${ID}@${HOST}

It looks like every local forward through sshd is blocked, because I can see that the monitoring ports from autossh are blocked as well.

Does someone know what changed in the last update? I found nothing that sounds like my problem.

Packages:
openssh-clients-7.4p1-21.el7.x86_64
libssh2-1.8.0-4.el7.x86_64
autossh-1.4g-1.el7.x86_64
openssh-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
kernel-3.10.0-1160.2.2.el7.x86_64

Thanks in advance

Silvio

aks
Posts: 3045
Joined: 2014/09/20 11:22:14

Re: sshd forwarding problems after latest update

Post by aks » 2020/11/08 19:03:04

Not an answer, but you've got localhost (::1) saying it won't forward from IPv6 to "localhost" (could be ipv4 or ipv6 depending, localhost6 used to be the de facto standard for IPv6, perhaps longer ago than I think it is).
Honestly, I can't remember if autossh actually does <receive> <-> <localhost> <-> <localhost> <-> <forward> or not.
Translated as <my network> <-> <localhost> <-> <decide the remote network and send to that interface via a loopback> <-> <forward>
Perhaps check who is listening where (as in interface wise)? Especially along the IPv6 interfaces.
But yeah, it sounds/feels like a default has changed (did you check the release notes?)

silvio
Posts: 49
Joined: 2008/11/10 13:06:03

Re: sshd forwarding problems after latest update

Post by silvio » 2020/11/09 07:03:43

Thanks for the idea, the message was also strange for me because I connected over IPv4 and got an IPv6 error ...

But I found another solution:
If you read the man page for sshd_config you can find:
"AllowTcpForwarding
Specifies whether TCP forwarding is permitted. The available options are yes (the default) or all to allow TCP forwarding, no to prevent all TCP forwarding, local to allow local (from the perspective of ssh(1)) forwarding only or remote to allow remote forwarding only. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders."

If I set it to "yes" I get the error, BUT if I set AllowTcpForwarding to "local" it works ...

I think this is strange because "yes" means allow ALL forwarding.

Silvio
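As an added example (not code from the thread or from OpenSSH), the script below parses the "refused local port forward" message quoted in the first post into its fields and models the AllowTcpForwarding values quoted from sshd_config(5) above, so that a refused forward can be cross-checked against the configured policy. The syslog lines and the sshd_config fragment are constructed samples. The originator address in that message is the address from which the forwarded connection reached the ssh client's -L listener (it is carried in the direct-tcpip channel request of RFC 4254), which is why ::1 can appear in a server-side log even when the SSH session itself arrived over IPv4. Match blocks are deliberately skipped; `sshd -T` gives the per-connection view.

```python
"""Added example: parse sshd 'refused local port forward' log lines and model
the AllowTcpForwarding semantics quoted from sshd_config(5)."""
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not captured from the poster's server);
# the first one contains the exact message quoted in the thread.
SAMPLE_LOG = """\
Nov  6 20:40:11 dbhost sshd[4321]: refused local port forward: originator ::1 port 40398, target localhost port 3306
Nov  6 20:40:12 dbhost sshd[4321]: refused local port forward: originator 127.0.0.1 port 40400, target localhost port 20000
Nov  6 20:40:15 dbhost sshd[4321]: Accepted publickey for tunnel from 192.0.2.10 port 51002 ssh2
"""

# Constructed sshd_config fragment (assumed; not the poster's real file).
SAMPLE_CONFIG = """\
# global section
Port 22
AllowTcpForwarding yes
AllowTcpForwarding no
Match User restricted
    AllowTcpForwarding no
"""

REFUSED_RE = re.compile(
    r"refused local port forward: originator (?P<orig>\S+) port (?P<oport>\d+), "
    r"target (?P<target>\S+) port (?P<tport>\d+)"
)


@dataclass(frozen=True)
class RefusedForward:
    # Address/port the connection came from, as seen by the ssh client's
    # -L listener (direct-tcpip "originator" fields, RFC 4254).
    originator: str
    originator_port: int
    target: str
    target_port: int

    @property
    def originator_is_ipv6(self) -> bool:
        return ":" in self.originator


def parse_refused(log_text: str) -> list[RefusedForward]:
    """Extract every refused local forward from syslog text."""
    found = []
    for line in log_text.splitlines():
        m = REFUSED_RE.search(line)
        if m:
            found.append(RefusedForward(m["orig"], int(m["oport"]),
                                        m["target"], int(m["tport"])))
    return found


def global_allow_tcp_forwarding(config_text: str) -> str:
    """Effective global AllowTcpForwarding: sshd keeps the first value it reads
    (sshd_config(5)); default is 'yes'. Stops at the first Match block."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "allowtcpforwarding":
            return value
    return "yes"


def forward_permitted(setting: str, direction: str) -> bool:
    """Semantics from the man page: yes/all allow both directions, no allows
    none, local/remote allow only that direction."""
    s = setting.lower()
    if s in ("yes", "all"):
        return True
    if s == "no":
        return False
    if s in ("local", "remote"):
        return s == direction
    raise ValueError(f"unknown AllowTcpForwarding value: {setting!r}")


def diagnose(config_text: str, log_text: str) -> list[str]:
    """Cross-check refused forwards against the configured policy and list
    the cases that deserve a closer look."""
    setting = global_allow_tcp_forwarding(config_text)
    findings = []
    for r in parse_refused(log_text):
        if forward_permitted(setting, "local"):
            findings.append(
                f"refused {r.originator}:{r.originator_port} -> {r.target}:{r.target_port} "
                f"although global AllowTcpForwarding is '{setting}': "
                f"compare with 'sshd -T' output and any Match blocks")
        if r.originator_is_ipv6:
            findings.append(
                f"originator {r.originator} is IPv6: the forwarded connection reached "
                f"the ssh client's listener over IPv6, not over IPv4")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONFIG, SAMPLE_LOG):
        print(finding)
```

Running the script on the samples reports both refusals as unexpected under the global "yes" and flags the ::1 originator; with `AllowTcpForwarding no` only the IPv6 note remains, which is the point of the cross-check: a refusal is only a policy mismatch when the configured value says the direction should be allowed.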

aks
Posts: 3045
Joined: 2014/09/20 11:22:14

Re: sshd forwarding problems after latest update

Post by aks » 2020/11/10 19:19:25

If you are connecting over IPv4 and get an IPv6 error, then you are connecting over IPv6, period.

And no, local is not the same as all. Local is local.

But at least you got there....

silvio
Posts: 49
Joined: 2008/11/10 13:06:03

Re: sshd forwarding problems after latest update

Post by silvio » 2020/11/13 13:22:13

Hi Aks,

the system has no IPv6 address and IPv6 is disabled on the system:
/etc/sysconfig/network
NETWORKING_IPV6=no
IPV6INIT=no

and this makes me wonder about the IPv6 error.

With "all" and "local" I meant: my thinking was that "ALL" also includes "local". With this thinking I was wondering why it works with an exclusive "local".

Silvio

TrevorH
Forum Moderator
Posts: 29902
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: sshd forwarding problems after latest update

Post by TrevorH » 2020/11/13 19:44:32

There are known problems with disabling ipv6 with various packages including sshd and postfix. It's not recommended to disable ipv6 at all.

jlehtone
Posts: 3172
Joined: 2007/12/11 08:17:33
Location: Finland

Re: sshd forwarding problems after latest update

Post by jlehtone » 2020/11/16 10:45:03

Note:
The ifup scripts of CentOS 7 do not dereference the variable NETWORKING_IPV6.
The documentation of CentOS 6 was updated in 2014 to say that NETWORKING_IPV6 is no longer used there.
https://access.redhat.com/errata/RHBA-2014:1448

The least IPv6 that you can trivially have with NetworkManager is to set ipv6.method ignore for the connection.
That is the equivalent of IPV6INIT=no in initscripts syntax.
Each interface will still have a link-local IPv6 address (the inet6 fe80::...).
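As an added example (not from the thread, NetworkManager or the initscripts), the script below takes the text of `ip -6 addr show` and `/etc/sysconfig/network` and reports what IPv6 is actually still present on a host, which is the check to run before concluding that "IPv6 is disabled". The `ip` output and sysconfig content are constructed samples in the usual format; the notes it emits restate the two points made above, that NETWORKING_IPV6 is not read by the CentOS 7 ifup scripts and that IPV6INIT=no still leaves link-local fe80:: addresses.

```python
"""Added example: inventory the IPv6 addresses that remain on a host from
'ip -6 addr show' output, and flag sysconfig keys that do not do what an
admin may expect on CentOS 7."""
import ipaddress
import re

# Constructed sample of 'ip -6 addr show' output (assumed; not the poster's host).
SAMPLE_IP6 = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

# Constructed /etc/sysconfig/network content with the keys from the thread.
SAMPLE_SYSCONFIG = """\
NETWORKING=yes
NETWORKING_IPV6=no
IPV6INIT=no
"""

IFACE_RE = re.compile(r"^\d+: (?P<name>[^:@\s]+)")
INET6_RE = re.compile(r"^\s+inet6 (?P<addr>[0-9A-Fa-f:]+)/\d+ scope (?P<scope>\w+)")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")


def classify(addr: str) -> str:
    """Name the kind of IPv6 address: loopback, link-local, unique-local or global."""
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:
        return "loopback"
    if a.is_link_local:
        return "link-local"
    if a in UNIQUE_LOCAL:  # explicit check: is_private also covers 2001:db8::/32
        return "unique-local"
    return "global"


def ipv6_inventory(ip_output: str) -> dict[str, list[tuple[str, str]]]:
    """Map interface name -> [(address, kind), ...] from 'ip -6 addr show' text."""
    inventory: dict[str, list[tuple[str, str]]] = {}
    current = None
    for line in ip_output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m["name"]
            inventory.setdefault(current, [])
            continue
        m = INET6_RE.match(line)
        if m and current is not None:
            inventory[current].append((m["addr"], classify(m["addr"])))
    return inventory


def routable_ipv6(ip_output: str) -> list[tuple[str, str]]:
    """Addresses that can carry traffic beyond the local link."""
    return [(iface, addr)
            for iface, addrs in ipv6_inventory(ip_output).items()
            for addr, kind in addrs if kind in ("global", "unique-local")]


def sysconfig_ipv6_notes(text: str) -> list[str]:
    """Flag sysconfig keys whose effect on CentOS 7 is smaller than their name suggests."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip()] = v.strip().strip('"')
    notes = []
    if "NETWORKING_IPV6" in keys:
        notes.append("NETWORKING_IPV6 is not read by the CentOS 7 ifup scripts "
                     "(RHBA-2014:1448)")
    if keys.get("IPV6INIT", "").lower() == "no":
        notes.append("IPV6INIT=no skips IPv6 configuration only; link-local "
                     "fe80:: addresses remain on each interface")
    return notes


if __name__ == "__main__":
    for iface, addrs in ipv6_inventory(SAMPLE_IP6).items():
        print(iface, addrs)
    print("routable:", routable_ipv6(SAMPLE_IP6))
    for note in sysconfig_ipv6_notes(SAMPLE_SYSCONFIG):
        print("note:", note)
```

On a real host, feed it `ip -6 addr show` output captured with `subprocess` or from a file; an empty `routable_ipv6()` result together with remaining link-local entries is exactly the state described above, and services that bind ::1 or a link-local address will still see IPv6 traffic in that state.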

silvio
Posts: 49
Joined: 2008/11/10 13:06:03

Re: sshd forwarding problems after latest update

Post by silvio » 2020/11/16 14:54:03

Hi Trevor and jlehtone,

thanks for the info, that was new for me.
@Trevor, what about "disable all unused services"?
@jlehtone, we use systemd-networkd but I think this will be the same ...

I will put it on my todo list.

Silvio
