# SSH tunnels - forwarded connection refused by server [SOLVED]

## gazR

OK, I've been following the various threads on VNC and have managed to get my remote machine to access my home desktop over VNC using TightVNC.

Now I'm trying to secure things by using an SSH tunnel; however, whenever I try to connect the vncviewer I get 'Forwarded connection refused by server' in the logs.

vncviewer is running on a Win2k box and I'm using PuTTY as the SSH client.

This is my sshd_config:

```
#   $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile   .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes

AllowTcpForwarding yes
#GatewayPorts yes
#X11Forwarding yes
#X11DisplayOffset 1
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem   sftp   /usr/lib/misc/sftp-server
```

Everything works fine if I set up a local tunnel on my Gentoo box using

```
ssh -L 9000:localhost:5952 localhost -C -2
```

and then connect using

```
vncviewer localhost:52
```

But as soon as I try to initialise the SSH connection from my Win2k box, the forwarded connection gets refused. Any ideas anyone? This has been driving me mad for the last 3 days.

Last edited by gazR on Mon Jan 12, 2004 11:33 am; edited 1 time in total

----------

## dma

It is easier to use the tunneling on the PuTTY side.  That's what I'm doing now.

Connection -> SSH -> Tunnels

Add new forwarded port.

Source port (9000?) is the port PuTTY will listen on in Windows.

Destination will be localhost:destport (localhost:5952?), and you should select Local.

You can also use hosts other than localhost in order to securely connect to hosts on the inside of a private network.  I'm currently using Windows' Remote Desktop this way to type this message.  One must first log in before the tunnels will work!  Other than the AllowTcpForwarding line in the config file, the server needs no additional configuration.  As long as your PuTTY window is open, the tunnel is open.

I'm not sure how to restrict port forwarding abilities to only users in a certain group.  Even users with restrictive shells would still be able to use forwarding.

----------

## sschlueter

*gazR wrote:*

> Everything works fine if I set up a local tunnel on my Gentoo box using
>
> ```
> ...
> ```
 

Though I'm not quite sure if I understand correctly what you did, you are not using the tunnel if you connect to port 5952. You would use the tunnel if you connected to port 9000.

----------

## gazR

Sorry, I am half asleep and have tried so many combinations...

Instead of

```
vncviewer localhost:52
```

I should have typed

```
vncviewer localhost::9000
```

just to test whether port forwarding worked locally. The basic problem seems to be that it works fine locally, but when I use PuTTY (on Windows) to set up the port forwarding I get the error.

----------

## gazR

OK, VNC is definitely working, sshd is working (I can log onto SSH), sshd_config contains the line 'AllowTcpForwarding yes', but when I try to connect VNC over PuTTY I get

```
2004-01-12 10:03:27   Looking up host "my.serverhostname.com"
2004-01-12 10:03:27   Connecting to 217.42.xx.xx port 22
2004-01-12 10:03:28   Server version: SSH-1.99-OpenSSH_3.7.1p2
2004-01-12 10:03:28   We claim version: SSH-2.0-PuTTY-Release-0.53b
2004-01-12 10:03:28   Using SSH protocol version 2
2004-01-12 10:03:28   Doing Diffie-Hellman group exchange
2004-01-12 10:03:29   Doing Diffie-Hellman key exchange
2004-01-12 10:03:32   Host key fingerprint is:
2004-01-12 10:03:32   ssh-rsa 1024 7c:0b:0d:f0:bf:fd:cd:5a:74:3a:f4:69:8a:0b:7c:f7
2004-01-12 10:03:32   Initialised zlib (RFC1950) compression
2004-01-12 10:03:32   Initialised zlib (RFC1950) decompression
2004-01-12 10:03:32   Initialised triple-DES client->server encryption
2004-01-12 10:03:32   Initialised triple-DES server->client encryption
2004-01-12 10:03:44   Keyboard-interactive authentication refused
2004-01-12 10:03:46   Sent password
2004-01-12 10:03:46   Access denied
2004-01-12 10:03:47   Keyboard-interactive authentication refused
2004-01-12 10:03:49   Sent password
2004-01-12 10:03:50   Access granted
2004-01-12 10:03:50   Opened channel for session
2004-01-12 10:03:50   Local port 5900 forwarding to my.serverhostname.com:5952
2004-01-12 10:03:51   Allocated pty
2004-01-12 10:03:51   Started a shell/command
2004-01-12 10:11:25   Opening forwarded connection to my.serverhostname.com:5952
2004-01-12 10:11:27   Forwarded connection refused by server
```

PuTTY is set up to create a tunnel from port 5900 (local) to my.serverhostname.com:5952.

Any ideas guys?

----------

## fleed

What happens if you try running PuTTY from the command line, as

```
putty -L 9000:localhost:5952 yourservername -C -2
```

What do you have when you run netstat -ln on the server? Is VNC really listening on 5952?

Also, you might have tried -L 9000:yourservername:5952 in PuTTY before. If you have, change to localhost (as I wrote above) to see if it's fixed. It could be you're refusing connections from other than localhost either in ssh or vnc.

----------

## gazR

Thanks fleed,

Finally got things working with

```
putty.exe -ssh -L 5900:localhost:5952 myservername.com -C -2
```

and

```
vncviewer.exe localhost:0
```

----------
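The checks fleed suggests (read `netstat -ln` on the server, and make the `-L` destination `localhost`) and the display/port arithmetic behind the final working command pair, worked through as an added Python example; none of this is code from the thread or from PuTTY/OpenSSH. The `netstat` output, the public address `203.0.113.5` and the loopback-only Xvnc binding are constructed to illustrate fleed's hypothesis, not observations from the thread.

```python
import re

VNC_BASE_PORT = 5900  # RFB convention: display N listens on TCP 5900+N

# Constructed 'netstat -ln' sample: hypothetical Xvnc bound to loopback only,
# sshd on all interfaces. Not taken from the thread.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5952          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

def vnc_port(spec):
    """Resolve a vncviewer target to (host, tcp_port): 'host:N' is display N
    (5900+N), 'host::P' names TCP port P directly."""
    host, sep, rest = spec.partition("::")
    if sep:
        return host, int(rest)
    host, _, display = spec.partition(":")
    return host, VNC_BASE_PORT + int(display)

def viewer_target(local_port):
    """Viewer argument for a PuTTY source port: display form inside 5900-5999
    (5900 -> 'localhost:0'), explicit '::port' form otherwise."""
    if VNC_BASE_PORT <= local_port < VNC_BASE_PORT + 100:
        return f"localhost:{local_port - VNC_BASE_PORT}"
    return f"localhost::{local_port}"

def parse_forward(spec):
    """Split an OpenSSH/PuTTY -L spec 'port:host:hostport'. sshd, not the
    client, connects to host:hostport, so 'host' is resolved on the server."""
    lport, host, hport = spec.split(":")
    return int(lport), host, int(hport)

def listeners(netstat_output):
    """(bind_addr, port) of every TCP LISTEN socket in 'netstat -ln' output."""
    pat = re.compile(r"tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")
    return {(m.group(1), int(m.group(2)))
            for m in map(pat.match, netstat_output.splitlines()) if m}

def forward_accepted(spec, netstat_output, server_public_ip):
    """True if sshd can reach the forward's destination. A service bound to
    127.0.0.1 is reachable only when the -L destination is localhost; the
    server's public name resolves to its public IP, which that socket refuses."""
    _, host, hport = parse_forward(spec)
    dest = "127.0.0.1" if host in ("localhost", "127.0.0.1") else server_public_ip
    return any(port == hport and addr in ("0.0.0.0", dest)
               for addr, port in listeners(netstat_output))
```

Under these assumptions `5900:my.serverhostname.com:5952` is refused while `5900:localhost:5952` is accepted, which is the difference between the failing PuTTY log and the final working command.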

