
Workgroup Manager - Port Forwarding Problem

Hi,

Within my local network, I can easily connect to my server using Server Admin, Server Monitor, and Workgroup Manager. They all work great without SSH.

But when I use SSH to set up port forwarding on my local network like this:

"sudo ssh MySecretAdminID@192.xxx.x.x -L 311:127.0.0.1:311 -L 625:127.0.0.1:625"

I get this error message: "The login information is not valid for this server." Then, I switch the server IP back to its true IP (instead of 127.0.0.1) and it works great.

Server Admin and Server Monitor work fine under ssh.

Both ports 311 and 625 are open on the server for TCP.

Is there another port I need to forward?

Dual G5 Mac OS X (10.4.8)







Posted on Feb 18, 2007 12:45 PM


Feb 18, 2007 3:30 PM in response to Fitzbew

If I disable the firewalls on both machines (the server and the machine running Workgroup Manager), I still can't connect... I get the same error message.




Feb 18, 2007 6:44 PM in response to Fitzbew

It's not you. It's Workgroup Manager. It doesn't seem to be fond of 127.0.0.1. I've had greater success with pointing Workgroup Manager to the Bonjour name of my workstation or its network IP (not loopback) and I remember that working, but not even that has worked for me recently.

311 and 625 should be all you need.

Feb 18, 2007 8:26 PM in response to jaydisc

That's awful news.

Even though it's not working for you now, would you share your method for pointing WM to your network IP? (And then were you somehow piping it into SSH?)



Feb 18, 2007 8:51 PM in response to Fitzbew

What I meant was that if I was using my MacBook to set up the SSH tunnel and my MacBook had an IP of 10.0.1.6, I would enter 10.0.1.6, rather than 127.0.0.1 or localhost, into the WM connect dialog box. However, I have just tested that unsuccessfully.

I would recommend that you configure VPN services, which is how I've worked around the issue.

Feb 19, 2007 8:19 AM in response to jaydisc

Jaydisc,

The following seems to have provided a fix/workaround for me:

I just added a "dummy" entry in my hosts file ("mycomputer") with an IP of 127.0.0.1. After setting up the SSH port forwarding (ports 311, 625) I can successfully connect to the server via WGM by specifying "mycomputer" in the address field.

This seems to be working fine.

So... I'm still puzzled:

1) Why won't WGM "honor" the built-in "localhost" entry in my hosts file?
2) Why is this also not a problem in Server Admin and Server Monitor?
3) Is this a "glitch" in ssh, or even the client version of OS X?

I noticed that when I put 127.0.0.1 in the WGM address field it was trying to connect to my local machine (the one with WGM installed). It would even let me log in using the user accounts on the local computer! It seemed clear that the port was truly not being forwarded.

I am truly grateful for your help/advice and I hope that this information helps you.
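
One way to check which process actually answers on the forwarded ports discussed above, as an added example that is not part of the original thread. The function name `classify_listener` is hypothetical, the `lsof` lines are constructed sample data, and the column layout of `lsof -nP -iTCP` is assumed to match the sample.

```shell
#!/bin/sh
# classify_listener PORT: read `lsof -nP -iTCP` output on stdin and report
# who owns the listening socket for PORT:
#   tunnel-loopback  ssh listening on 127.0.0.1 / [::1] only (default for -L)
#   tunnel-exposed   ssh listening on a wildcard or LAN address (e.g. ssh -g)
#   other:<command>  some other local process owns the port
#   none             nothing is listening, so no forward exists
classify_listener() {
    awk -v port="$1" '
        $NF != "(LISTEN)" { next }              # skips header and non-listeners
        {
            name = $(NF - 1)                    # 127.0.0.1:311, *:625, [::1]:311
            n = split(name, parts, ":")
            if (parts[n] != port) next
            # Address is everything before the final ":port".
            addr = substr(name, 1, length(name) - length(parts[n]) - 1)
            if ($1 != "ssh") { other = $1; next }
            if (addr == "127.0.0.1" || addr == "[::1]") loopback = 1
            else exposed = 1
        }
        END {
            if (exposed)            print "tunnel-exposed"
            else if (loopback)      print "tunnel-loopback"
            else if (other != "")   print "other:" other
            else                    print "none"
        }'
}

# Constructed sample: port 311 forwarded on loopback only, port 625 forwarded
# on every interface, port 22 owned by an unrelated process.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ssh      4121 root    4u  IPv6 0x0a1b      0t0  TCP [::1]:311 (LISTEN)
ssh      4121 root    5u  IPv4 0x0a1c      0t0  TCP 127.0.0.1:311 (LISTEN)
ssh      4121 root    6u  IPv4 0x0a1d      0t0  TCP *:625 (LISTEN)
launchd     1 root   12u  IPv4 0x0a1e      0t0  TCP *:22 (LISTEN)'

for p in 311 625; do
    printf 'port %s: %s\n' "$p" "$(printf '%s\n' "$SAMPLE_LSOF" | classify_listener "$p")"
done
# Live use: sudo lsof -nP -iTCP | classify_listener 311
```

A result of `tunnel-exposed` means other hosts on the network can reach the forwarded admin port through the client, which defeats the point of tunnelling it.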




Mar 11, 2007 1:10 AM in response to Fitzbew

Just a thought that might lead to a better understanding.

NetInfo (computername.local and 127.0.0.1) is reserved for all local computers and as such is not a private IP address. How can you build ssh tunnels to 127.0.0.1 when that address exists and is reserved only locally? You are trying to securely connect to yourself, why use ssh? SSH is used to either connect to another private IP address or a public IP address (port 23).

Maybe some of the other guys out there can explain it better than me, but that's the way I understand it. HTH?

Mar 11, 2007 5:51 AM in response to Antonio Rocco

What is happening is that we are sending traffic on a local port (127.0.0.1) to a port on a remote machine through an ssh tunnel. We are using ssh to encrypt this traffic.

WM normally uses ports 625 and 311 to connect to remote machines without ssh. By putting in 127.0.0.1 we are telling WM not to connect remotely but to the local machine. And ssh handles the rest. This works great.

The but is that for some reason WM would not accept "127.0.0.1" as an address for such activity, although the other server admin apps happily accept it.



Mar 11, 2007 8:08 AM in response to Antonio Rocco

localhost and 127.0.0.1 are an address that each computer reserves as a distinct, separate, virtual network interface to itself. If you run ifconfig, you will see at the top:

<pre>lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
</pre>

And way below that you will see your separate physical interfaces:

<pre>en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:16:cb:8f:b1:17
media: autoselect status: inactive
</pre>

What we are doing with SSH is opening up a port on our own computer, and then telling another process to connect to it, and SSH is clever enough to funnel that out to another machine.

Computername.local is a Bonjour name that does not resolve to 127.0.0.1 but rather to any and every physical interface, and more than typically (based on MY understanding), to an IPv6 representation of that interface as well.

MacBook Mac OS X (10.4.8)
