January 27, 2004

OSX SSH Tunnels

Another entry about how OS X's supposed ease of use is not so easy regarding connecting to network servers.

The goal is to tunnel to a Samba share. I'm tunneling from OS X to a Linux box that hosts the Samba share. This way, even though the Samba share is on a private network in an office, I can access the fileserver from my home office PowerBook.

Samba's port is 139. You can't redirect ports below 1024 unless you have root privileges. So what you do is you redirect a high port to the remote side's 139. So I made a tunnel sending my laptop's port 9876 to remote's 139.

Well, OS X doesn't allow you to try and connect to a Samba share using a port other than 139. The command-K dialogue box doesn't allow it, and the underlying technology (mount_smbfs) doesn't allow it either. We're hardwired into port 139. Which is stupid.

So, I guess the answer is to open up a tunnel as root.

Unfortunately, none of the SSH tunnel GUI applications allow root connections.

So the only way to do it is the messy command-line command: 'sudo ssh -l user -i /Users/user/.ssh/identity -f -N -L 139:remote:139 remote'.

Bleah.

Posted by Curt at January 27, 2004 02:15 AM

Comments

hey that's not so bad.
save it as "samba-connect.sh" then all you have to do is:

sudo samba-connect.sh

:-)

Posted by: Derek Sivers at January 27, 2004 08:38 PM

yeah... it's not so bad for me, but I am trying to get something as simple as possible for others. They're not comfortable with sudo, especially since this particular sudo command will give you the same output whether you type in the wrong output or not (it just returns a prompt if it succeeds, and also if it fails).

If it weren't for the root requirement, I could just make an AppleScript out of it, which I've already done for someone. But in this case the need for the root password makes it a problem.

Posted by: Curt at January 27, 2004 09:08 PM
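
An added example, not part of the original post or comments: a version of the samba-connect.sh wrapper suggested above that says explicitly whether the tunnel came up, and binds the forwarded port to loopback only. It assumes an OpenSSH client that supports the ExitOnForwardFailure option; SSH_BIN and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post.
# SSH_BIN is a hypothetical override so the logic can be exercised with a
# stub; it defaults to the real OpenSSH client.
SSH_BIN="${SSH_BIN:-ssh}"

# Build the -L spec, bound to loopback so only this machine can use the tunnel.
forward_spec() {
    for p in "$1" "$3"; do
        case "$p" in
            ''|*[!0-9]*) echo "port must be numeric: '$p'" >&2; return 2 ;;
        esac
    done
    printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

# Ports below 1024 can only be bound by root.
needs_root() { [ "$1" -lt 1024 ]; }

# open_tunnel USER HOST KEYFILE [LOCAL_PORT]
open_tunnel() {
    user="$1"; host="$2"; key="$3"; lport="${4:-139}"
    spec=$(forward_spec "$lport" "$host" 139) || return 2
    if needs_root "$lport" && [ "$(id -u)" -ne 0 ]; then
        echo "FAILED: local port $lport needs root, run this with sudo" >&2
        return 3
    fi
    # ExitOnForwardFailure makes ssh exit non-zero if the local port cannot
    # be bound, instead of carrying on without the forward.
    if "$SSH_BIN" -l "$user" -i "$key" -f -N \
        -o ExitOnForwardFailure=yes -L "$spec" "$host"; then
        echo "OK: tunnel listening on $spec"
    else
        rc=$?
        echo "FAILED: ssh exited with status $rc, tunnel is not up" >&2
        return 1
    fi
}

# When saved as samba-connect.sh:
#   sudo ./samba-connect.sh user remote /Users/user/.ssh/identity
if [ "$#" -ge 3 ]; then open_tunnel "$@"; fi
```
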

You could make the application executable itself setuid to root, the same way Virtual PC modifies itself the first time it's run:

chown root:staff /Applications/Tunnel.app/Contents/MacOS/tunnel
chmod 4750 /Applications/Tunnel.app/Contents/MacOS/tunnel

Now you can double-click it, same as usual, and it should have the power to create low-port tunnels.

Posted by: Richard Soderberg at February 1, 2004 05:59 PM

This is an older post, however I just wanted to state one thing.

Windows has the same restriction about only connecting to port 139. The only thing that can connect to another port is Samba, as this is something Samba added in, not part of the standard.

Posted by: Anonymous at May 5, 2004 08:07 PM