Port forwarding using SSH with different users: how to debug connection problems?

I'll try to compose an answer so that we can mark this question solved.

To check the connection, run ssh with one or more -v options, as in:

ssh -v ... 

or

ssh -vvv ...

Judging from the log, it looks as if the user can't connect (locally) to port 5900.

Try to see if you can connect locally:

 ssh someotheruser@server 

and when you have the user's shell on the server try

 telnet 10.100.0.8 5900 

Be prepared to kill the telnet from another ssh session; it may hang even if it works. If it works, it should say something like:

Trying 10.100.0.8...
Connected to localhost.
Escape character is '^]'.
RFB 003.007

If it does not connect, the problem is not in the ssh port forwarding; it is that the VNC server is not accepting connections from the user.

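As an added example (not part of the original answer), the script below classifies each forwarded connection in `ssh -vv -L ...` client output, so a failure where sshd itself could not reach the target ("connect failed", as in the question) is told apart from one where sshd declined to open the channel. The function names are hypothetical, and the "administratively prohibited" line in the sample is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): classify each forwarded
# connection in `ssh -vv -L ...` client debug output read from stdin.
classify_forward_log() {
    awk '
    function chan(line) {            # extract N from "... channel N: ..."
        sub(/.*channel /, "", line); sub(/:.*/, "", line); return line
    }
    # Each forwarded TCP connection opens a fresh direct-tcpip channel.
    /channel [0-9]+: new \[direct-tcpip\]/ {
        id = chan($0); cur[id] = ++n; cid[n] = id; state[n] = "pending"
    }
    # sshd connected to the target and confirmed the channel.
    /channel [0-9]+: open confirm/ {
        id = chan($0); if (id in cur) state[cur[id]] = "ok"
    }
    /channel [0-9]+: open failed: / {
        id = chan($0)
        if (!(id in cur)) { cur[id] = ++n; cid[n] = id }
        k = cur[id]; why = $0; sub(/.*open failed: /, "", why)
        if (why ~ /^connect failed/)
            state[k] = "target-unreachable"   # sshd tried the TCP connect itself
        else if (why ~ /^administratively prohibited/)
            state[k] = "refused-by-sshd"      # typically forwarding policy
        else
            state[k] = "failed"
        detail[k] = why
    }
    END {
        for (i = 1; i <= n; i++)
            printf "%s %s%s\n", cid[i], state[i], ((i in detail) ? " (" detail[i] ")" : "")
    }'
}

# Constructed sample: the failing trace from the question, plus one
# constructed "administratively prohibited" line on a second channel.
sample_log() {
    cat <<'EOF'
debug1: Connection to port 5900 forwarding to 10.100.0.8 port 5900 requested.
debug1: channel 3: new [direct-tcpip]
channel 3: open failed: connect failed: Connection timed out
debug2: channel 3: zombie
debug1: channel 4: new [direct-tcpip]
channel 4: open failed: administratively prohibited: open failed
EOF
}

sample_log | classify_forward_log
```

A channel reported as `pending` was opened but neither confirmed nor failed in the captured log, which is what the hang in the question looks like before the timeout fires.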

Author: MrD

Updated on September 18, 2022

Comments

  • MrD
    MrD about 1 year

    I have a server set up with Ubuntu 12.10. Got everything working nicely except for one thing: SSH port forwarding.

    I use the following command to forward some VNC server to my PC:

    ssh -L 5900:node:5900 adminuser@server
    

    That works very well.

    However, this is not true for other users:

    ssh -L 5900:node:5900 someotheruser@server
    

    This user is able to connect to the server (can log in and do something), but the port is not forwarded, i.e. gvncviewer localhost is not finishing (says Connected to server but never asks for the password).

    What do I have to do in order to allow forwarding for the other (or selected) users as well?

    Edit: Using ssh -vv ... I got the following messages when calling gvncviewer localhost and having connected using the adminuser:

    debug1: Connection to port 5900 forwarding to 10.100.0.8 port 5900 requested.
    debug2: fd 9 setting TCP_NODELAY
    debug2: fd 9 setting O_NONBLOCK
    debug1: channel 3: new [direct-tcpip]
    debug2: channel 3: open confirm rwindow 2097152 rmax 32768
    ... -----> It works
    

    For the someotheruser I get:

    debug1: Connection to port 5900 forwarding to 10.100.0.8 port 5900 requested.
    debug2: fd 9 setting TCP_NODELAY
    debug2: fd 9 setting O_NONBLOCK
    debug1: channel 3: new [direct-tcpip]
    -----> Here it hangs for a long time...
    channel 3: open failed: connect failed: Connection timed out
    debug2: channel 3: zombie
    debug2: channel 3: garbage collecting
    debug1: channel 3: free: direct-tcpip: listening port 5900 for 10.100.0.8 port 5900, connect from 127.0.0.1 port 39009, nchannels 4
    

    Apparently the problem is caused by the VNC server and not by ssh.

    • Rmano
      Rmano over 9 years
      Try to use ssh -v to see if it can help to show the problem. Moreover, ports are global, so I imagine that you are not trying to run the second command while the first one is running (it is not clear in the question).
    • MrD
      MrD over 9 years
      I'm trying one or the other command, not both. ssh -v gives me OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012 on the server and OpenSSH_6.2p2 Ubuntu-6ubuntu0.1, OpenSSL 1.0.1e 11 Feb 2013 on my computer
    • Rmano
      Rmano over 9 years
      Sorry I was not clear --- if you use ssh -v -L 5900:node:5900 someotheruser@server the command will be verbose and it will comment what is happening --- so it is easier to detect the problem. You can use also -vv and -vvv to have more debug information.
    • MrD
      MrD over 9 years
      Added the requested information in the question.
    • Rmano
      Rmano over 9 years
      It looks as if the user can't connect (locally) to port 5900. Try to see if you can connect locally (ssh without the redirection, and in the user shell try telnet 10.100.0.8 5900). Be prepared to kill the telnet from another ssh session; it may hang even if it works (if it works it should say something like RFB 003.007 or similar). Check that the VNC server is run by the same user you are trying to connect with.
    • MrD
      MrD over 9 years
      The VNC server runs on windows, so neither of the usernames fit here. The telnet confirms your assumption, the normal user isn't getting anything while it works for the adminuser. Anyhow, the normal user is able to ping 10.100.0.8.
    • Rmano
      Rmano over 9 years
      Ok --- so the problem is not ssh. You have to find what's happening on the VNC server side --- being Windows I can't help you. Hope this helped anyway.
    • MrD
      MrD over 9 years
      That already cleared a lot. They have installed Win 7 on those computers and since then nothing worked. I'm lost when it comes to Win, so I have to see what to do. Thank you.
    • Rmano
      Rmano over 9 years
      I tried to summarize the answer for posterity. Would you please accept and upvote it so that it will be found in searches? I will edit the title a bit too (and delete some comments to clean it up).