Tor > SSH, dynamic port forwarding error: "listen: Operation not permitted"

bobbx · March 17, 2016, 1:52am

$ ssh -NgD 4444 root@111.222.333.444
listen: Operation not permitted
listen: Operation not permitted
channel_setup_fwd_listener_tcpip: cannot listen to port: 4444
Could not request local forwarding.

Using info from Sign in · GitLab

$ nano ~/.ssh/config
Host foo
User Yourusername
HostName 111.222.333.444
DynamicForward 4444
ProxyCommand sudo socat - SOCKS4A:localhost:%h:%p,socksport=9050

Had to use sudo with ProxyCommand, without it I get:

$ ssh foo
socat[31863] E connect(5, AF=2 127.0.0.1:9050, 16): Operation not permitted

Even with sudo there are still some errors:

$ ssh foo -v
debug1: Local connections to LOCALHOST:4444 forwarded to remote address socks:0
debug1: Local forwarding listening on ::1 port 4444.
listen: Operation not permitted
debug1: Local forwarding listening on 127.0.0.1 port 4444.
debug1: channel 0: new [port listener]
debug1: channel 1: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.

But at least it works.
In Chromium Change proxy settings...
SOCKS Proxy: 127.0.0.1
Port: 4444
and wtfismyip.com shows my SSH server’s IP address.

Getting some interesting messages, but the port is still being forwarded.

~# debug1: Connection to port 4444 forwarding to socks port 0 requested.
debug1: channel 2: new [dynamic-tcpip]
debug1: getpeername failed: Transport endpoint is not connected
debug1: Connection to port 4444 forwarding to socks port 0 requested.
debug1: channel 3: new [dynamic-tcpip]
debug1: getpeername failed: Transport endpoint is not connected
debug1: Connection to port 4444 forwarding to socks port 0 requested.
debug1: channel 4: new [dynamic-tcpip]
debug1: getpeername failed: Transport endpoint is not connected
debug1: channel 2: free: direct-tcpip: listening port 4444 for wtfismyip.com port 443, connect from 127.0.0.1 port 65535 to 127.0.0.1 port 4444, nchannels 5
debug1: channel 3: free: direct-tcpip: listening port 4444 for clients2.google.com port 443, connect from 127.0.0.1 port 65535 to 127.0.0.1 port 4444, nchannels 4
debug1: channel 4: free: direct-tcpip: listening port 4444 for clients4.google.com port 443, connect from 127.0.0.1 port 65535 to 127.0.0.1 port 4444, nchannels 3
~# debug1: Connection to port 4444 forwarding to socks port 0 requested.
debug1: channel 2: new [dynamic-tcpip]
debug1: getpeername failed: Transport endpoint is not connected

Is there a better (safer) way to setup dynamic port forwarding?

Patrick · March 17, 2016, 3:41pm

Likely cause:
Stream isolation gets into the way with local connections.

Potential help:
Disable stream isolation for ssh.

More info:

Patrick · March 17, 2016, 3:44pm

default socksification of ssh, wget, curl, etc. is confusing for local connections:
https://phabricator.whonix.org/T73

bobbx · March 17, 2016, 8:48pm

Thank you.
Confirming that the following works:

ssh.anondist-orig -NgD 8888 myusername@111.222.333.444