EDIT (for clarification)
Windows Client Remote Linux Server
|----------------------------------| |---------------------|
____________ ____________ ____________
| | | | | |
| Firefox | -------> | PuTTY | -------> | sshd | ---> (The Internet)
|____________| |____________| |____________|
Network settings: Interactive SSH Session sshd_config
Manual Proxy: (manual login) posted below
SOCKS Host: Configuration Settings:
localhost:9870 Connection|SSH|Tunnels
set to D9870
The above configuration worked perfectly fine until our ISP changed the server to a new one. By "perfectly fine" I mean I could browse the entire internet, including websites normally blocked in China. It still works perfectly fine when I login to another SSH session on another server as a test (a production web-server, not one I can purpose for this). In all cases the manual SSH login works as normal.
I need to figure out why it doesn't work with the new server since the sole purpose of that server is to provide this function to our company.
PREVIOUS POSTING
Our server provider recently changed our server and IP address. The hard-disk from the old server was moved to the new one, and the configuration was supposed to be identical other than the IP address change.
Prior to the move I was using PuTTY on a Windows box to tunnel web-traffic as a SOCKS proxy through the server using a Dynamic port set as 9870. After the move, I reconfigured the PuTTY to point to the new IP. But the tunnel no longer works (times out when requesting pages in Firefox).
I don't have access to the old server. But the sshd_config on the new server is:
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
EDIT:-
So far I have tried all the suggestions in the responses. Still not working. Is it possible the firewall at the datacenter where the server is hosted is preventing the ssh-tunnel? I have tried D80 as my dynamic port in PuTTY, but this also doesn't work (should it?). The server is primarily a web-server, but currently we are not running any websites on it, although Apache is running.
I have looked in the putty.log and although I can't make much sense of it, there is the following section:
Event Log: Opened channel for session
Event Log: Local port 9870 SOCKS dynamic forwarding
Outgoing packet type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
00000000 00 00 00 00 00 00 00 07 70 74 79 2d 72 65 71 01 ........pty-req.
00000010 00 00 00 05 78 74 65 72 6d 00 00 00 50 00 00 00 ....xterm...P...
00000020 18 00 00 00 00 00 00 00 00 00 00 00 10 03 00 00 ................
00000030 00 7f 80 00 00 96 00 81 00 00 96 00 00 .............
Outgoing raw data
00000000 ed 9b 4d c5 0c 7f c4 67 e7 ad 96 3f 5a fd 26 fb ..M....g...?Z.&.
00000010 48 27 cd e9 b9 bd 4f 52 2c e0 d3 4e de 62 5d ab H'....OR,..N.b].
00000020 c0 10 51 a9 80 8e 68 9c 6d 4c bf ab 75 e9 e1 7a ..Q...h.mL..u..z
00000030 bf 66 e3 ff 6f 94 fe f9 9e 78 3d b5 e0 a6 8c fd .f..o....x=.....
00000040 61 5b 69 b4 ec 7c 30 a0 29 87 9c 2c d2 94 57 bd a[i..|0.)..,..W.
00000050 6e 4b 9c 6c d0 39 cc 46 66 3c 5d 7d dc 37 76 cf nK.l.9.Ff<]}.7v.
00000060 9b c7 24 46 ..$F
Incoming raw data
00000000 30 ae 0c b2 25 a9 c1 73 47 1f 2d 6a 5e 5b 7f 88 0...%..sG.-j^[..
00000010 99 99 0c 28 ff 87 5b 0e 82 61 f5 33 81 3d 8a 7d ...(..[..a.3.=.}
00000020 d6 b7 3d 6f ..=o
Incoming packet type 99 / 0x63 (SSH2_MSG_CHANNEL_SUCCESS)
00000000 00 00 01 00 ............
Which to me seems to look like the port-forwarding was accepted by the remote server.
FURTHER EDIT:-
I have tried connecting to another server that I regularly SSH to with exactly the same SSH tunnels setting in PuTTY (D9870)
This worked instantly (with Firefox seeing PuTTY it as a SOCKS proxy) and I was immediately able to access sites being blocked in my location [China].
What was most interesting about this test was that the netstat -an --inet test prescribed by respondents below on the server also did not show 127.0.0.1:9870.
I think I need to point out clearly that I'm using a Windows machine for the PuTTY/Firefox client. And I'm trying to use the remote Linux server to tunnel web-traffic through so I can securely get access to websites being blocked in China. It seems to me that the netstat test suggested was supposed to be run on my Windows box (in which case it's using the wrong netstat syntax).
At rwired's request, I'm reposting my previous comment as an answer, which was:
The intended implication was that something is blocking the outbound connection, which rwired discovered was indeed the case.
Set
in your
sshd_config. It defaults to "no", which prevents you from using remote port forwarding (ssh -R) to any address other than the remote SSH server itself.IMHO your sshd_config looks ok. Maybe sshd is started with additional command line parameters that set AllowTcpForwarding to no? If you do a "netstat -an --inet" on the server, does it show the forwarded port? Have you make sure your socks proxy is working correctly?
EDIT:
The output of netstat should look something like this:
First of all try to manually make an ssh connection using putty to the server, thus assuring there is no server IP mismatch, MITM attach prevention and so on, that ssh is putting in act and that may be not shown in a non interactive ssh session through putty.
If this works ok, then you really have to see the tunnel listening for connections on the localhost port through netstat, if it isn't I suspect the issue would not be ssh bounded
As a further debug you can then enable Putty logging in order to see where the problem really is.
EDIT: In the putty log you posted the only info making me curious is the terminal... My hypothesis is that the new server could not support such an "evoluted terminal", try downgrade the terminal to the ancient vt100. There is a quite weak possibility this can be the issue...
Have you checked to see if you public key file is actually on the server installed under ~/.ssh/authorized_keys
It's possible that it's not there at all and is allowing you to fall back to using a plain text login so therefore looking like it should be working.
When the server changed you should have gotten a warning about a new host key. You should have accepted the new key, possibly clearing the old key first. Did you do that? I believe if you have the wrong host key ssh will sometimes allow you to open an interactive session but will not forward ports
PuTTY stores its keys in the registry in HKEY_CURRENT_USER\Software\SimonTatham\PuTTY (this is like the known_hosts files in OpenSSH). You can try hand-deleting keys from there. Or if you want to reset PuTTY's settings entirely and start over, try putty -cleanup.
If that's not your problem, you can also debug further with a verbose login. Try running "plink -v hostname" and looking at the error. You can also create a tunnel manually via plink; you may need to try those options to get the error to appear in plink. As a last resort, post the logs from plink -v and we can debug further.