connect via tunnel to a server: how does it work?

TalaatHarb

Hello,

Around April 2018 I learned about the feature in the advanced settings to connect through another host to my destination host: "Environment: SCP/Shell" and "Connection: Tunnel"
Together with "Integration: Applications" "Automatically open a new sessions in PuTTY"
this is the best thing I have encountered in a long time :-) and I use it regularly.

But I do not always want to open a WinSCP session, instead just the remote shell via a tunnel.
Does someone know how I can achieve this with PuTTY (preferred) or maybe another tool? I guess the magic behind WinSCP's tunneling feature is done by ssh...

Any help appreciated, regards

TalaatHarb

tried, but

Hi,

thanks for the reply. I have the feeling I am pretty close to a solution...

I tried using the example for PuTTY's proxy setting w/o success, so I tried to get the connection running with plink:


$ plink.exe -ssh -agent -A user@jumphost -P 22 -nc  server:22
user@jumphost password:
Access granted. Press Return to begin session.
SSH-2.0-OpenSSH_7.4

and I never reach the destination server.
The authentication on the server is done by a key that is forwarded from the jumphost.

Using putty I am not prompted for the password on the jumphost and after replying to

proxy: If you trust this host, enter "y" to add the key to
proxy: PuTTY's cache and carry on connecting.
proxy: If you want to carry on connecting just once, without
proxy: adding the key to the cache, enter "n".
proxy: If you do not trust this host, press Return to abandon the
proxy: connection.

with 'n' or 'y' nothing happens.

Can you please give me further advice.
Regards

martin
Site Admin

Re: tried, but

TalaatHarb wrote:

> I tried using the example for puttys proxy setting w/o success

We will need more information about that.

> so I tried to get the connection running with plink:
>
> $ plink.exe -ssh -agent -A user@jumphost -P 22 -nc  server:22
> user@jumphost password:
> Access granted. Press Return to begin session.
> SSH-2.0-OpenSSH_7.4
>
> and I never reach the destination server.

That's actually the expected behaviour. You cannot interactively use Plink executed with -nc. That can only be used by other applications.

TalaatHarb

more info

Hi,

I use putty puttycac-64bit-0.73.zip from https://github.com/NoMoreFood/putty-cac/releases
Currently I connect to the jumphost. On the first connect a key is added to pageant.
From the jumphost I connect to the destination
ssh -A -o StrictHostKeyChecking=no -o ServerAliveInterval=180 -o ServerAliveCountMax=3 user@host


Because I have many hosts behind the jumphost I'd prefer to create sessions in putty that automagically use the jumphost.....
Thank you for helping



So far I tried:


My session is shown in attachment s1.
A connection should be opened to the destination machine which is behind a jumphost.

The proxy settings are shown in s2.
For proxy host name I have entered the IP of the jumphost.
The proxy command is
plink.exe %user@%proxyhost -P %proxyport  -nc %host:%port

When I open the connection, the output in the session window is:
Starting local proxy command: plink.exe user@10.26.238.34 -P 22  -nc 10.82.126.13:22
proxy: The server's host key is not cached in the registry. You
proxy: have no guarantee that the server is the computer you
proxy: think it is.
proxy: The server's rsa2 key fingerprint is:
proxy: ssh-rsa 2048 7b:b3:4b:52:23:b0:5b:ff:97:94:b4:17:cb:d0:0a:04
proxy: If you trust this host, enter "y" to add the key to
proxy: PuTTY's cache and carry on connecting.
proxy: If you want to carry on connecting just once, without
proxy: adding the key to the cache, enter "n".
proxy: If you do not trust this host, press Return to abandon the
proxy: connection.

The same output is written to putty.log


I am not asked for my password on the jumphost.
Why do I get the warning about the server's host key?

Attachments: s2.png (proxy settings), s1.png (session settings)

martin
Site Admin

Re: more info

If you run this:
plink.exe user@10.26.238.34
Do you get the host key prompt or not?

Guest

answer

Hi,

at first execution of plink I get:

$ plink.exe a138949@10.26.238.34
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's rsa2 key fingerprint is:
ssh-rsa 2048 7b:b3:4b:52:23:b0:5b:ff:97:94:b4:17:cb:d0:0a:04
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y

...and then I am prompted for the password and can login.

martin
Site Admin

Re: answer

> at first execution of plink I get:
>
> ...
>
> ...and then I am prompted for the password and can login.

OK, and once you have done that, does the tunnel work or not?

TalaatHarb

Re: answer

martin wrote:

> does the tunnel work or not?

sorry, I don't understand...
The ssh connection to the jumphost is established, I am logged on into the jumphost.
Windows netstat shows me the connection established.

If I understand it correctly, with the above command only the connection to the jumphost is established. How should I open the tunnel? Via command line ("-nc") or via another PuTTY session?

Using the settings posted above as screenshots I get
proxy: Access denied

regards

martin
Site Admin

Re: answer

Once you have connected to the jump box once and confirmed the host key, PuTTY should have cached it.
Now, if you use the local proxy command, it should not fail anymore due to the unverified host key.

TalaatHarb

...damn

Hi,

after adding "-v" to the plink I see that the server refuses my key.

Starting local proxy command: plink -v -agent -ssh -A user@10.26.238.34 -P 22 -nc 10.82.126.13:22
proxy: Looking up host "10.26.238.34" for SSH connection
proxy: Connecting to 10.26.238.34 port 22
proxy: We claim version: SSH-2.0-PuTTY_Release_0.73
proxy: Remote version: SSH-2.0-OpenSSH_5.3
proxy: We believe remote version has SSH-2 channel request bug
proxy: Using SSH protocol version 2
proxy: No GSSAPI security context available
proxy: Doing Diffie-Hellman group exchange
proxy: Doing Diffie-Hellman key exchange using 4096-bit modulus and hash SHA-256 (unaccelerated) with a server-supplied group
proxy: Host key fingerprint is:
proxy: ssh-rsa 2048 7b:b3:4b:52:23:b0:5b:ff:97:94:b4:17:cb:d0:0a:04
proxy: Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
proxy: Initialised HMAC-SHA-256 (unaccelerated) outbound MAC algorithm
proxy: Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
proxy: Initialised HMAC-SHA-256 (unaccelerated) inbound MAC algorithm
proxy: Pageant is running. Requesting keys.
proxy: Pageant has 1 SSH-2 keys
proxy: Using username "user".
proxy: Trying Pageant key #0
proxy: Server refused our key
proxy: Sent password
proxy: Password authentication failed
proxy: Access denied

...and the authentication with password is not working.

If I call plink from the command line, behaviour is the same: the password is requested and accepted:
Sent password
Access granted
Access granted. Press Return to begin session.
Opening connection to 10.82.126.13:22 for main channel
Opened main channel
SSH-2.0-OpenSSH_7.4


The PuTTY connection does not prompt for the password; I assume the one in the settings is used. I do not understand, why the password authentication fails.
If I duplicate the session to the jumphost (which I established in first place to get the key), I am always prompted for the password.

The plink call accepts the password...

Now I am clueless, where to look to get this working.

Thank you very much for your help so far...If you have an idea, please let me know.



...and of course the connection to the destination server via WinSCP tunnel feature works w/o problems. Magic...


Regards

martin
Site Admin

Re: ...damn

Sorry I'm lost.

> after adding "-v" to the plink I see that the server refuses my key.

What key? Does that key work anywhere?

> ...and the authentication with password is not working.

What password? I do not see you specify a password anywhere.

> If I call plink from the command line, behaviour is the same

Same as what?

> The PuTTY connection does not prompt for the password; I assume the one in the settings is used

What settings? PuTTY does not have any setting for a password. What does the event log say about the authentication?

TalaatHarb

explanation and a solution - sort of.

Hi Martin,

I'll try to explain better.
A friend who is a lot smarter than me gave me a hint what is not working and then I found out at least a partial "solution".

Answer #1
When I connect to the jumphost, a key is added to pageant.
This is the key that allows me to ssh to remote servers. So it is working there.
It is also used when I connect via WinSCP.

Note: I realize now, that on every new session to the jumphost I have to enter my password.
For connection to the jumphost no key is used...I have to check why.

Answer #2
Yes, I do not enter a password. But as I realized now, a password is somewhere requested.
But I am not prompted, because plink, called by PuTTY, does not know how to ask me.
In the verbose output I see some password is sent.

Answer #3:
The behaviour with direct plink call is that the verbose output is the same, i.e. the keys are tried but none is accepted.
The difference is, that plink interactively called, requests my password for the jumphost and the connection is established


Answer #4:

I thought the password in PuTTY's proxy settings is the one being used.




Partial Solution:
After I got the hint to check where the password is requested I came across plink option "-pw %pass ".
With this option in the local proxy command and the password in the password field the connection through the proxy works.



Hooray!

I do not like to enter the password in the proxy settings, I would like to get key authentication working.
But now, at least, I have something that works.

Thank you for your help,
regards
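
Added example (not code from the thread, PuTTY or WinSCP): a small triage script that reads a PuTTY event log containing `proxy:` lines and names why a plink local proxy command failed or is risky. The matched strings come from the output posted above; the finding ids and explanations are hypothetical labels chosen for this example.

```python
import re

# Abridged from the verbose proxy output posted in this thread.
SAMPLE_LOG = """\
Starting local proxy command: plink -v -agent -ssh -A user@10.26.238.34 -P 22 -nc 10.82.126.13:22
proxy: Server refused our key
proxy: Sent password
proxy: Password authentication failed
proxy: Access denied
"""

# (hypothetical finding id, text plink prints, meaning when plink cannot prompt)
MESSAGE_RULES = [
    ("host_key_not_cached", "host key is not cached",
     "plink waits on a prompt nobody can answer; verify and cache the key first"),
    ("agent_key_refused", "Server refused our key",
     "the Pageant key is not authorized on the jump host itself"),
    ("password_failed", "Password authentication failed",
     "plink started by PuTTY has no terminal to ask for the password"),
]

def parse_proxy_log(text):
    """Split a PuTTY event log into the proxy command line and plink's messages."""
    command, messages = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        started = re.match(r"Starting local proxy command:\s*(.+)", line)
        if started:
            command = started.group(1)
        elif line.startswith("proxy: "):
            messages.append(line[len("proxy: "):])
    return command, messages

def diagnose(text):
    """Return a list of (finding id, explanation) for one connection attempt."""
    command, messages = parse_proxy_log(text)
    output = "\n".join(messages)
    findings = [(fid, why) for fid, needle, why in MESSAGE_RULES if needle in output]
    args = command.split() if command else []
    if "-pw" in args:
        findings.append(("password_in_command", "password is in the saved session and the plink arguments"))
    if "-nc" in args and "-A" in args:
        findings.append(("agent_forwarding_unneeded", "PuTTY logs in to the destination itself; drop -A"))
    if args and "-batch" not in args:
        findings.append(("prompts_not_disabled", "add -batch so plink aborts instead of waiting on a prompt"))
    return findings

if __name__ == "__main__":
    for finding_id, explanation in diagnose(SAMPLE_LOG):
        print(f"{finding_id}: {explanation}")
```

Run against the `-pw %pass` variant of the proxy command, it flags `password_in_command`: PuTTY saves the proxy password with the session in plain text, which is the reason to prefer a key the jump host accepts.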
