LINUX.ORG.RU

Problems with HTTP over SSH (ssh -L ......)



Good day.
This problem forces me to keep rebooting into Windows :(
So, the topology (I'll say up front that it is perverse):
 _______________               _______________________      ______________
|               |              |                       |     | customer's   |
| laptop        |-->[ip-sec]-->| GW to customer net    |---->| Apache srv   |
| 10.33.251.7   |   [cisco ]   | 83.206.87.68          |     | 10.84.18.65  |
|_______________|              |_______________________|     |______________|

There is my laptop, which is connected over an IPsec tunnel to my office network, from which I was given the address 10.33.251.7. I use vpnclient --version 4.8.01 (0640). The tunnel works normally and handles internal traffic, including HTTP, so for now I hope we can assume the problem is not there.
Next there is "GW to customer net", which has the address 83.206.87.68 and faces the customer's network, which is exactly where I need to get to, specifically the Apache server with the address 10.84.18.65. To reach it I use an SSH tunnel with port forwarding, forwarding ports 22 and 80. The command
user@user-laptop:~$ sudo ssh -vvv -L 10.33.251.7:22:10.84.18.65:22 -L 10.33.251.7:80:10.84.18.65:80 login@83.206.87.68 -N
lets me use ssh successfully, but with HTTP I run into trouble: only part of the page loads and then the browser says "waiting"; moreover, as soon as I send a request, the ssh connection (if one was open) becomes "one-way": I can see what is happening on the server (top, for example, keeps updating) but it does not react to the keyboard, not even to ctrl-c. Below is what I see in the console, with my comments:


user@user-laptop:~$ sudo ssh -vvv -L 10.33.251.7:22:10.84.18.65:22 -L 10.33.251.7:80:10.84.18.65:80 login@83.206.87.68 -N
OpenSSH_5.1p1 Debian-6ubuntu2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 83.206.87.68 [83.206.87.68] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8p1
debug1: match: OpenSSH_3.8p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 145/256
debug2: bits set: 511/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '83.206.87.68' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug2: bits set: 541/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
login@83.206.87.68's password:
||
||
password prompt on "GW to customer net"
||
||


debug3: packet_send2: adding 48 (len 62 padlen 18 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: Local connections to 10.33.251.7:22 forwarded to remote address 10.84.18.65:22
debug3: channel_setup_fwd_listener: type 2 wildcard 0 addr 10.33.251.7
debug1: Local forwarding listening on 10.33.251.7 port 22.
debug2: fd 4 setting O_NONBLOCK
debug3: fd 4 is O_NONBLOCK
debug1: channel 0: new [port listener]
debug1: Local connections to 10.33.251.7:80 forwarded to remote address 10.84.18.65:80
debug3: channel_setup_fwd_listener: type 2 wildcard 0 addr 10.33.251.7
debug1: Local forwarding listening on 10.33.251.7 port 80.
||
||
ssh connection to "Apache srv"
||
||
debug2: fd 5 setting O_NONBLOCK
debug3: fd 5 is O_NONBLOCK
debug1: channel 1: new [port listener]
debug1: Entering interactive session.
debug1: Connection to port 22 forwarding to 10.84.18.65 port 22 requested.
||
||
the browser opens the page
||
||
debug2: fd 6 setting TCP_NODELAY
debug2: fd 6 setting O_NONBLOCK
debug3: fd 6 is O_NONBLOCK
debug1: channel 2: new [direct-tcpip]
debug2: channel 2: open confirm rwindow 131072 rmax 32768
debug1: Connection to port 80 forwarding to 10.84.18.65 port 80 requested.
debug2: fd 7 setting TCP_NODELAY
debug2: fd 7 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: channel 3: new [direct-tcpip]
debug2: channel 3: open confirm rwindow 131072 rmax 32768
debug1: Connection to port 80 forwarding to 10.84.18.65 port 80 requested.
debug2: fd 8 setting TCP_NODELAY
debug2: fd 8 setting O_NONBLOCK
debug3: fd 8 is O_NONBLOCK
debug1: channel 4: new [direct-tcpip]
debug1: Connection to port 80 forwarding to 10.84.18.65 port 80 requested.
debug2: fd 9 setting TCP_NODELAY
debug2: fd 9 setting O_NONBLOCK
debug3: fd 9 is O_NONBLOCK
debug1: channel 5: new [direct-tcpip]
debug1: Connection to port 80 forwarding to 10.84.18.65 port 80 requested.
debug2: fd 10 setting TCP_NODELAY
debug2: fd 10 setting O_NONBLOCK
debug3: fd 10 is O_NONBLOCK
debug1: channel 6: new [direct-tcpip]
debug1: Connection to port 80 forwarding to 10.84.18.65 port 80 requested.
debug2: fd 11 setting TCP_NODELAY
debug2: fd 11 setting O_NONBLOCK
debug3: fd 11 is O_NONBLOCK
debug1: channel 7: new [direct-tcpip]
debug2: channel 4: open confirm rwindow 131072 rmax 32768
debug2: channel 5: open confirm rwindow 131072 rmax 32768
debug2: channel 6: open confirm rwindow 131072 rmax 32768
debug2: channel 7: open confirm rwindow 131072 rmax 32768
debug2: channel 3: rcvd eof
debug2: channel 3: output open -> drain
debug2: channel 3: obuf empty
debug2: channel 3: close_write
debug2: channel 3: output drain -> closed
debug2: channel 4: rcvd eof
debug2: channel 4: output open -> drain
debug2: channel 4: obuf empty
debug2: channel 4: close_write
debug2: channel 4: output drain -> closed
debug2: channel 3: read<=0 rfd 7 len 0
debug2: channel 3: read failed
debug2: channel 3: close_read
debug2: channel 3: input open -> drain
debug2: channel 4: read<=0 rfd 8 len 0
debug2: channel 4: read failed
debug2: channel 4: close_read
debug2: channel 4: input open -> drain
debug2: channel 3: ibuf empty
debug2: channel 3: send eof
debug2: channel 3: input drain -> closed
debug2: channel 4: ibuf empty
debug2: channel 4: send eof
debug2: channel 4: input drain -> closed
debug2: channel 3: send close
debug2: channel 4: send close
debug3: channel 3: will not send data after close
debug3: channel 4: will not send data after close
debug3: channel 3: will not send data after close
debug3: channel 4: will not send data after close
debug2: channel 2: window 1996962 sent adjust 100190
debug3: channel 3: will not send data after close
debug3: channel 4: will not send data after close
...
debug3: channel 3: will not send data after close
debug3: channel 4: will not send data after close
...
debug3: channel 3: will not send data after close
debug3: channel 4: will not send data after close
debug3: channel 3: will not send data after close
debug3: channel 4: will not send data after close
debug2: channel 5: read<=0 rfd 9 len 0
debug2: channel 5: read failed
debug2: channel 5: close_read
debug2: channel 5: input open -> drain
debug2: channel 6: read<=0 rfd 10 len 0
debug2: channel 6: read failed
debug2: channel 6: close_read
debug2: channel 6: input open -> drain
debug2: channel 7: read<=0 rfd 11 len 0
debug2: channel 7: read failed
debug2: channel 7: close_read
debug2: channel 7: input open -> drain
debug3: channel 3: will not send data after close
debug3: channel 4: will not send data after close
debug2: channel 5: ibuf empty
debug2: channel 5: send eof
debug2: channel 5: input drain -> closed
debug2: channel 6: ibuf empty
debug2: channel 6: send eof
debug2: channel 6: input drain -> closed
debug2: channel 7: ibuf empty
debug2: channel 7: send eof
debug2: channel 7: input drain -> closed
debug3: channel 3: will not send data after close
debug3: channel 4: will not send data after close
debug3: channel 3: will not send data after close
||
||
The last 2 lines repeat endlessly. By this point part of the page has loaded and the ssh session does not respond.
Only ctrl-c in the original window helps.
||
||

kasans
() topic author
Reply to: comment from kasans

^Cdebug1: channel 0: free: port listener, nchannels 8
debug3: channel 0: status: The following connections are open:
#2 direct-tcpip: listening port 22 for 10.84.18.65 port 22, connect from 10.33.251.7 port 59052 (t4 r0 i0/0 o0/0 fd 6/6 cfd -1)
#3 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40796 (t4 r1 i3/0 o3/0 fd 7/7 cfd -1)
#4 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40797 (t4 r2 i3/0 o3/0 fd 8/8 cfd -1)
#5 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40798 (t4 r3 i3/0 o0/0 fd 9/9 cfd -1)
#6 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40799 (t4 r4 i3/0 o0/0 fd 10/10 cfd -1)
#7 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40800 (t4 r5 i3/0 o0/0 fd 11/11 cfd -1)

debug3: channel 0: close_fds r 4 w 4 e -1 c -1
debug1: channel 1: free: port listener, nchannels 7
debug3: channel 1: status: The following connections are open:
#2 direct-tcpip: listening port 22 for 10.84.18.65 port 22, connect from 10.33.251.7 port 59052 (t4 r0 i0/0 o0/0 fd 6/6 cfd -1)
#3 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40796 (t4 r1 i3/0 o3/0 fd 7/7 cfd -1)
#4 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40797 (t4 r2 i3/0 o3/0 fd 8/8 cfd -1)
#5 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40798 (t4 r3 i3/0 o0/0 fd 9/9 cfd -1)
#6 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40799 (t4 r4 i3/0 o0/0 fd 10/10 cfd -1)
#7 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40800 (t4 r5 i3/0 o0/0 fd 11/11 cfd -1)

debug3: channel 1: close_fds r 5 w 5 e -1 c -1
debug1: channel 2: free: direct-tcpip: listening port 22 for 10.84.18.65 port 22, connect from 10.33.251.7 port 59052, nchannels 6
debug3: channel 2: status: The following connections are open:
#2 direct-tcpip: listening port 22 for 10.84.18.65 port 22, connect from 10.33.251.7 port 59052 (t4 r0 i0/0 o0/0 fd 6/6 cfd -1)
#3 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40796 (t4 r1 i3/0 o3/0 fd 7/7 cfd -1)
#4 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40797 (t4 r2 i3/0 o3/0 fd 8/8 cfd -1)
#5 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40798 (t4 r3 i3/0 o0/0 fd 9/9 cfd -1)
#6 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40799 (t4 r4 i3/0 o0/0 fd 10/10 cfd -1)
#7 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40800 (t4 r5 i3/0 o0/0 fd 11/11 cfd -1)

debug3: channel 2: close_fds r 6 w 6 e -1 c -1
debug1: channel 3: free: direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40796, nchannels 5
debug3: channel 3: status: The following connections are open:
#3 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40796 (t4 r1 i3/0 o3/0 fd 7/7 cfd -1)
#4 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40797 (t4 r2 i3/0 o3/0 fd 8/8 cfd -1)
#5 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40798 (t4 r3 i3/0 o0/0 fd 9/9 cfd -1)
#6 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40799 (t4 r4 i3/0 o0/0 fd 10/10 cfd -1)
#7 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40800 (t4 r5 i3/0 o0/0 fd 11/11 cfd -1)

debug3: channel 3: close_fds r 7 w 7 e -1 c -1
debug1: channel 4: free: direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40797, nchannels 4
debug3: channel 4: status: The following connections are open:
#4 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40797 (t4 r2 i3/0 o3/0 fd 8/8 cfd -1)
#5 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40798 (t4 r3 i3/0 o0/0 fd 9/9 cfd -1)
#6 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40799 (t4 r4 i3/0 o0/0 fd 10/10 cfd -1)
#7 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40800 (t4 r5 i3/0 o0/0 fd 11/11 cfd -1)

debug3: channel 4: close_fds r 8 w 8 e -1 c -1
debug1: channel 5: free: direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40798, nchannels 3
debug3: channel 5: status: The following connections are open:
#5 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40798 (t4 r3 i3/0 o0/0 fd 9/9 cfd -1)
#6 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40799 (t4 r4 i3/0 o0/0 fd 10/10 cfd -1)
#7 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40800 (t4 r5 i3/0 o0/0 fd 11/11 cfd -1)

debug3: channel 5: close_fds r 9 w 9 e -1 c -1
debug1: channel 6: free: direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40799, nchannels 2
debug3: channel 6: status: The following connections are open:
#6 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40799 (t4 r4 i3/0 o0/0 fd 10/10 cfd -1)
#7 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40800 (t4 r5 i3/0 o0/0 fd 11/11 cfd -1)

debug3: channel 6: close_fds r 10 w 10 e -1 c -1
debug1: channel 7: free: direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40800, nchannels 1
debug3: channel 7: status: The following connections are open:
#7 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40800 (t4 r5 i3/0 o0/0 fd 11/11 cfd -1)

debug3: channel 7: close_fds r 11 w 11 e -1 c -1
debug3: fd 1 is not O_NONBLOCK
debug1: Killed by signal 2.

kasans
() topic author
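The two logs in this thread record the same stuck forwards from two angles: the first post's per-channel `rcvd eof` / `send eof` / `send close` lines, and the second post's `^C` status dump with its `i3/0 o0/0` columns. The Python below is an added example, not code from the thread or from OpenSSH, that folds both kinds of lines into a per-channel summary, so you can see which HTTP channels closed cleanly and which are half-closed (request sent, but no EOF ever came back from the remote side). The sample lines are constructed excerpts of the logs quoted above (channels 2, 3 and 5); the names for the i/o state numbers are taken from the CHAN_INPUT_* / CHAN_OUTPUT_* constants in OpenSSH's channels.h.

```python
# Added example for this thread, not code from the posts or from OpenSSH:
# fold `ssh -vvv` channel messages into a per-channel state summary.
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: channel-lifecycle lines for three of the channels quoted in
# the first post (channel 2 = the ssh forward, 3 and 5 = two HTTP forwards),
# with unrelated debug lines and most repeated "will not send data" lines dropped.
SSH_DEBUG_LOG = """\
debug1: channel 2: new [direct-tcpip]
debug2: channel 2: open confirm rwindow 131072 rmax 32768
debug1: channel 3: new [direct-tcpip]
debug2: channel 3: open confirm rwindow 131072 rmax 32768
debug1: channel 5: new [direct-tcpip]
debug2: channel 5: open confirm rwindow 131072 rmax 32768
debug2: channel 3: rcvd eof
debug2: channel 3: send eof
debug2: channel 3: send close
debug2: channel 5: send eof
debug3: channel 3: will not send data after close
debug3: channel 3: will not send data after close
"""
# Constructed sample: the matching lines from the ^C status dump in the second post.
STATUS_DUMP = """\
#2 direct-tcpip: listening port 22 for 10.84.18.65 port 22, connect from 10.33.251.7 port 59052 (t4 r0 i0/0 o0/0 fd 6/6 cfd -1)
#3 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40796 (t4 r1 i3/0 o3/0 fd 7/7 cfd -1)
#5 direct-tcpip: listening port 80 for 10.84.18.65 port 80, connect from 10.33.251.7 port 40798 (t4 r3 i3/0 o0/0 fd 9/9 cfd -1)
"""
# The iN/oN columns are OpenSSH's CHAN_INPUT_* / CHAN_OUTPUT_* states (channels.h).
INPUT_STATES = {0: "open", 1: "wait_drain", 2: "wait_oclose", 3: "closed"}
OUTPUT_STATES = {0: "open", 1: "wait_drain", 2: "wait_ieof", 3: "closed"}

_LIFECYCLE_RE = re.compile(r"^debug\d: channel (\d+): (.*)$")
_STATUS_RE = re.compile(
    r"^#(\d+) (\S+): listening port (\d+) for (\S+) port (\d+), "
    r"connect from (\S+) port (\d+) \(t(\d+) r(-?\d+) i(\d)/\d+ o(\d)/\d+"
)

@dataclass
class Channel:
    kind: str = "?"
    confirmed: bool = False    # remote accepted the channel open
    rcvd_eof: bool = False     # remote side (the server end) finished sending
    sent_eof: bool = False     # local socket hit EOF, EOF forwarded to remote
    sent_close: bool = False
    after_close_spam: int = 0  # "will not send data after close" repeats

def parse_ssh_debug(text: str) -> Dict[int, Channel]:
    """Fold the `debugN: channel N: <event>` lines into one record per channel."""
    channels: Dict[int, Channel] = {}
    for line in text.splitlines():
        m = _LIFECYCLE_RE.match(line.strip())
        if not m:
            continue
        ch = channels.setdefault(int(m.group(1)), Channel())
        event = m.group(2)
        if event.startswith("new ["):
            ch.kind = event[len("new ["):-1]
        elif event.startswith("open confirm"):
            ch.confirmed = True
        elif event == "rcvd eof":
            ch.rcvd_eof = True
        elif event == "send eof":
            ch.sent_eof = True
        elif event == "send close":
            ch.sent_close = True
        elif event == "will not send data after close":
            ch.after_close_spam += 1
    return channels

def classify(ch: Channel) -> str:
    """Say which side of a forwarded TCP connection is still waiting on the other."""
    if ch.sent_close or (ch.rcvd_eof and ch.sent_eof):
        return "closed"
    if ch.sent_eof and not ch.rcvd_eof:
        return "awaiting remote EOF"  # request went out, response never completed
    if ch.rcvd_eof and not ch.sent_eof:
        return "awaiting local EOF"
    return "open" if ch.confirmed else "pending"

def parse_status_dump(text: str) -> Dict[int, dict]:
    """Decode the `#N direct-tcpip: ...` lines ssh prints when a listener is freed."""
    entries: Dict[int, dict] = {}
    for line in text.splitlines():
        m = _STATUS_RE.match(line.strip())
        if m:
            entries[int(m.group(1))] = {
                "target": f"{m.group(4)}:{m.group(5)}",
                "istate": INPUT_STATES[int(m.group(10))],
                "ostate": OUTPUT_STATES[int(m.group(11))],
            }
    return entries

def half_closed(entries: Dict[int, dict]) -> List[int]:
    """Channels whose local input is closed while output to the client stays open."""
    return sorted(n for n, e in entries.items()
                  if e["istate"] == "closed" and e["ostate"] == "open")
```

Fed the full log from the first post, channels 3 and 4 come out `closed` and 5, 6 and 7 `awaiting remote EOF`, which is the same split the status dump shows as `o3/0` versus `o0/0`. Both views agree that the client is waiting on the far end of those channels, so the leg between the gateway and the Apache server is the next thing to look at rather than the local listener.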