# SSH tunnels on-demand

## ToeiRei

Hi guys,

I'm facing a little problem with xinetd and ssh tunneling.

The idea is to use xinetd to fire up SSH tunnels to an open server as needed. For that, xinetd is installed:

```
[ebuild   R    ] sys-apps/xinetd-2.3.15  USE="tcpd -perl -rpc" 0 kB
```

A config file named tunnel-smtp:

```
service tunnel-smtp
{
# This is for quick on or off of the service
        disable         = no

# The next attributes are mandatory for all services
        id              = tunnel-smtp
        type            = UNLISTED
        port            = 2525
        wait            = no
        socket_type     = stream
        user            = root
        group           = root
        server          = /usr/bin/ssh
        server_args     = -q -T -i /root/.ssh/tunnel_key root@ssh.host.at.internet -L 2525:smtp.host.at.home:25
}
```

SSH auth is done via keys (tunnel_key) and restricted at the server side.

So far, the SSH tunnel executed via Shell works, but xinetd doesn't bring it up:

```
2013-02-18T13:00:11.505961+01:00 freya xinetd[9106]: xinetd Version 2.3.15 started with libwrap loadavg options compiled in.
2013-02-18T13:00:11.505980+01:00 freya xinetd[9106]: Started working: 1 available service
2013-02-18T13:00:18.886659+01:00 freya xinetd[9106]: START: tunnel-smtp pid=9124 from=127.0.0.1
2013-02-18T13:00:18.887416+01:00 freya xinetd[9124]: FAIL: tunnel-smtp address from=127.0.0.1
2013-02-18T13:00:18.887698+01:00 freya xinetd[9106]: EXIT: tunnel-smtp status=0 pid=9124 duration=0(sec)
```

but there is nothing in the log at the server end to debug with.

Any clues?

Cheers

Rei

----------

## massimo

In your xinetd tunnel-smtp configuration you have xinetd listen on 2525/tcp, and in turn you want to build a tunnel using the same port, hence listening on the very same port 2525 - this will not work. Since you seem to have more access to the SMTP server you are trying to connect to, you could add the following in front of the corresponding line in authorized_keys:

```
command="nc localhost 25",no-agent-forwarding,no-pty,no-port-forwarding,no-X11-forwarding ssh-rsa...
```

Change tunnel-smtp's server_args to look like this:

```
server_args     = -q -T -i /root/.ssh/tunnel_key root@ssh.host.at.internet
```

HTH

----------

## ToeiRei

I don't need the same port on each end as I am planning to use a postfix relay-host from 2525 to 25...

----------

## massimo

With

```
port            = 2525
```

and

```
server_args     = -q -T -i /root/.ssh/tunnel_key root@ssh.host.at.internet -L 2525:smtp.host.at.home:25
```

you try to listen on 2525/tcp twice.

----------

## ToeiRei

xinetd usually should hand things over to the ssh tunnel once the port is used - afaik.

----------

## massimo

I think using STDIN/STDOUT still applies to xinetd.
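massimo's STDIN/STDOUT remark is the crux: xinetd hands the accepted client connection to the program it execs as that program's stdin and stdout, so that program has to speak SMTP on those descriptors, and an `ssh -L` listener it opens is never connected to the waiting client. The following is an added example (mine, not code from the thread) of a minimal stdio-to-TCP relay doing what `nc localhost 25` does at the far end of massimo's setup; it assumes a constructed fake SMTP server and two pipes standing in for xinetd's descriptors so it runs offline.

```python
import os
import socket
import threading

def relay_stdio_to_tcp(in_fd, out_fd, host, port, bufsize=4096):
    """Copy in_fd -> TCP and TCP -> out_fd until both sides hit EOF."""
    with socket.create_connection((host, port)) as srv:
        def to_server():  # client (xinetd's stdin) -> SMTP server
            while data := os.read(in_fd, bufsize):
                srv.sendall(data)
            srv.shutdown(socket.SHUT_WR)  # client EOF becomes a half-close
        t = threading.Thread(target=to_server)
        t.start()
        while data := srv.recv(bufsize):  # SMTP server -> client (stdout)
            os.write(out_fd, data)
        t.join()

def fake_smtp_server():
    """Constructed stand-in for smtp.host.at.home:25; returns (host, port)."""
    lsock = socket.create_server(("127.0.0.1", 0))
    def serve():  # greet, read until QUIT, answer 221, close
        conn, _ = lsock.accept()
        with conn:
            conn.sendall(b"220 mail.example ESMTP (constructed)\r\n")
            buf = b""
            while b"QUIT" not in buf and (chunk := conn.recv(4096)):
                buf += chunk
            conn.sendall(b"221 Bye\r\n")
        lsock.close()
    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()

def demo():
    """Two pipes stand in for the socket xinetd hands its server program."""
    host, port = fake_smtp_server()
    c2r_r, c2r_w = os.pipe()  # client -> relay (relay's stdin)
    r2c_r, r2c_w = os.pipe()  # relay -> client (relay's stdout)
    def run():
        relay_stdio_to_tcp(c2r_r, r2c_w, host, port)
        os.close(r2c_w)  # client then sees EOF
    t = threading.Thread(target=run)
    t.start()
    os.write(c2r_w, b"EHLO laptop\r\nQUIT\r\n")  # constructed client input
    os.close(c2r_w)
    seen = b""
    while chunk := os.read(r2c_r, 4096):
        seen += chunk
    t.join()
    return seen
```

Everything the client writes reaches the server through the relay's stdin and every server reply comes back through its stdout, which is exactly the contract an xinetd `server` program must honour.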

----------

## ToeiRei

Any ideas yet?

----------

## truc

ssh -N maybe?

----------

## massimo

What's wrong with mine?

----------

## truc

By the way, any reason you're not simply using iptables to DNAT and "forward" the packets arriving on tcp/2525 to smtp.host.at.home:25?

----------

## ToeiRei

@massimo: it doesn't work

@truc:

The situation again:

[Laptop] ====> |some firewalls| ===> [SSH Host] ===> [Mailserver]

The firewalls there are (1) the company firewall and (2) mine at home - both let ssh connections to the SSH

----------

## truc

then thanks "again" :Wink:

but you don't show how it doesn't work (about massimo's and my suggestions); you provided some logs in your first post but none for the other suggestions, so it's hard to build from there.

Also, as a side note, you're using the root account locally & remotely when non-privileged accounts would have been sufficient (2525 > 1024!)

----------

## ToeiRei

The problem is that there are no usable logs from xinetd - same logs as in the opening post. All I can do is try with telnet on localhost:2525 and see if my SMTP server answers.

Update: No SSH Login found at ssh.host.at.internet syslog.

----------

## truc

"No SSH Login found" :Shocked:

What about adding some verbosity to the ssh command? We might see what's going on then.

----------

## ToeiRei

I don't get any output or log from xinetd. And with 'no ssh login found' I mean that there is no entry about an incoming ssh connection at the server. So it looks like xinetd isn't firing up the tunnel correctly.

----------

## truc

What about making the ssh connection from a script where you can redirect stderr & stdout to a file, and calling this script from xinetd?

----------

## massimo

Where does my suggested setup fail for you?

----------

## ToeiRei

Next try as nothing worked for me:

From the shell, this gives us a wonderful connect:

```
/usr/bin/ssh -q -T -i /root/.ssh/tunnel_key root@internet.host nc mailserver 25
```

(that's what you'd expect regarding your security hint, massimo)

xinetd config:

```
service tunnel-smtp
{
# This is for quick on or off of the service
        disable         = no

# The next attributes are mandatory for all services
        id              = tunnel-smtp
        type            = UNLISTED
        wait            = no
        socket_type     = stream
        protocol        = tcp

# External services must fill out the following
        user            = root
        server          = /usr/bin/ssh
        server_args     = -q -T -i /root/.ssh/tunnel_key root@internet.host nc mailserver 25

# External services not listed in /etc/services must fill out the next one
        port            = 2525
        bind            = 127.0.0.1
        groups          = yes
}
```

Still no joy with that attempt.

----------

