OpenSSH_4.7p1, reverse shell

Hayder Mouhammed hmouhammed at gmail.com
Wed Apr 2 07:33:13 EST 2008 

Greetings,

I am using OpenSSH 4.7 and trying to use a middle machine to do reverse
shell. The error I run into is the destination says getsockopt TCP_NODELAY:
Connection reset by peer.

The setup:

3 machines (we can call them A,B,C) with QNX Neutrino

I would like machine C to be the destination. So we have A can talk to B,
and B can talk to C, but A can not talk to C directly.

What I am trying:

On C: ssh -N -R 10000:localhost:22 root at machineB

On B: running sshd

On A: ssh root at machineB -p 10000

>From my understanding when A connect to B it will forward all to port 10000
which has access to port 22 on C.

When I run the "On A" command I receive the error "getsockopt TCP_NODELAY:
Connection reset by peer" on machine C and "ssh_exchange_identification:
Connection closed by remote host" from machine A. I can SSH on A to B
without using the -p just fine. My sshd_config is below:

Many thanks for any suggestions you may have.

--H


#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /etc/openssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/openssh/ssh_host_rsa_key
HostKey /etc/openssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile    /root/.ssh/authorized_keys2

# For this to work you will also need host keys in
/etc/openssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes

AllowTcpForwarding yes
GatewayPorts yes
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
KeepAlive yes
UseLogin yes
UsePrivilegeSeparation no
#PermitUserEnvironment no
#Compression yes
ClientAliveInterval 0
ClientAliveCountMax 99999
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem    sftp    /opt/libexec/sftp-server

More information about the openssh-unix-dev mailing list