PostPosted: Thu Jan 01, 2009 6:32 am 
Joined: Wed Dec 10, 2003 8:31 pm
Posts: 1996
Location: /dev/null
Ever since posting this guide showing how and why to use ssh to tunnel stuff like vnc, http, etc., I have been doing it to secure my mythweb. I have some Debian/Lenny boxes set up with vnc and I'd like to secure it as well with ssh tunnels on them. My question: when I attempt to set up a tunnel ON MY DEBIAN BOX to another Debian box, I get this error:

Code:
$ ssh 192.168.1.3 -L 222/localhost/5900
Privileged ports can only be forwarded by root.


What's odd is that I do NOT get this error when I try the exact same thing from my KM R5.5 box. What is the difference?

I know I can run the command as root or add an entry to /etc/sudoers but again, it works without the need to do either on R5.5 and I'd like to know what setting I need to change on my Debian boxes to make it work as well.

Thanks!

_________________
Retired KM user (R4 - R6.04); friend to LH users.

PostPosted: Thu Jan 01, 2009 11:19 am 
Joined: Thu Mar 25, 2004 11:00 am
Posts: 9551
Location: Arlington, MA
Compare the ssh and sshd config in /etc/ssh/ for the two machines. IMO the policy that the non-KM Debian box is using is probably the wiser. Using unprivileged ports isn't really a burden and can also reduce your script kiddy exposure (*).

(*) A friend in IT recently told me that moving their incoming SSH from the standard port 22 to something else made the difference between the log files filling up with cracking attempts and nearly zero. This is less a matter of security through obscurity than not leaving unattended valuables "in plain sight".

PostPosted: Thu Jan 01, 2009 11:23 am 
Joined: Wed Dec 10, 2003 8:31 pm
Posts: 1996
Location: /dev/null
tjc wrote:
Compare the ssh and sshd config in /etc/ssh/ for the two machines. IMO the policy that the non-KM Debian box is using is probably the wiser. Using unprivileged ports isn't really a burden and can also reduce your script kiddy exposure (*).

(*) A friend in IT recently told me that moving their incoming SSH from the standard port 22 to something else made the difference between the log files filling up with cracking attempts and nearly zero. This is less a matter of security through obscurity than not leaving unattended valuables "in plain sight".


Thanks for the suggestion, tjc. I literally went line-by-line through both the files and found zero differences (with the exception of DenyUser root and mythtv). There has to be a setting somewhere I missed.

_________________
Retired KM user (R4 - R6.04); friend to LH users.

PostPosted: Thu Jan 01, 2009 11:25 am 
Joined: Thu Mar 25, 2004 11:00 am
Posts: 9551
Location: Arlington, MA
Try the ssl ones...

Hmmm... The ssh man page says "Only the superuser can forward privileged ports." KM must be running it as root somehow...

PostPosted: Thu Jan 01, 2009 6:56 pm 
Joined: Tue Apr 13, 2004 6:51 pm
Posts: 890
Location: Groton, MA
Is the 'privilege' due to ssh or to the port being < 1024? Try a higher port.

_________________
R5F1 - Dell P4 2.4Ghz 500MB - PVR250 x 2 - GeForce FX 5200 - Onboard sound/NIC 80GB ATA/250GB ATA/400GB SATA

PostPosted: Thu Jan 01, 2009 8:19 pm 
Joined: Thu Mar 25, 2004 11:00 am
Posts: 9551
Location: Arlington, MA
In general the ports below 1024 are privileged and can only be listened to by root. This is to prevent Joe Malicious User from setting up bogus "standard" services on a reserved port.
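As an added example (not code from any poster in this thread), a small Python diagnostic that parses an ssh -L argument in either of OpenSSH's two syntaxes, applies the below-1024 rule described above, and then actually tries to listen on the local port so the kernel's own refusal is visible as well. The first spec is the one from the original post; the unprivileged alternative is constructed.

```python
import errno
import os
import socket

IPPORT_RESERVED = 1024  # ports below this are "privileged" on Unix-like systems


def parse_local_forward(spec):
    """Split an ssh -L argument into (bind_address, listen_port, host, hostport).

    OpenSSH accepts the colon form [bind_address:]port:host:hostport and the
    slash form [bind_address/]port/host/hostport. Bracketed IPv6 hosts only
    parse correctly here in the slash form, which is what that form is for.
    """
    sep = "/" if "/" in spec else ":"
    parts = spec.split(sep)
    if len(parts) == 3:
        bind_address, port, host, hostport = "localhost", *parts
    elif len(parts) == 4:
        bind_address, port, host, hostport = parts
    else:
        raise ValueError("bad -L spec: %r" % spec)
    return bind_address, int(port), host, int(hostport)


def is_privileged_port(port):
    return 0 < port < IPPORT_RESERVED


def forward_needs_root(spec, uid=None):
    """True when ssh will refuse this -L spec for a non-root user."""
    uid = os.geteuid() if uid is None else uid
    return is_privileged_port(parse_local_forward(spec)[1]) and uid != 0


def probe_bind(port, address="127.0.0.1"):
    """Listen on the port the way ssh -L would and classify the result:
    "ok", "privileged" (EACCES), "in-use" (EADDRINUSE) or the errno name."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((address, port))
        s.listen(1)
        return "ok"
    except OSError as e:
        if e.errno == errno.EACCES:
            return "privileged"
        if e.errno == errno.EADDRINUSE:
            return "in-use"
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


if __name__ == "__main__":
    for spec in ("222/localhost/5900", "5922:localhost:5900"):  # 5922 is a constructed alternative
        _, lport, _, _ = parse_local_forward(spec)
        print(spec, "needs root:", forward_needs_root(spec), "bind:", probe_bind(lport))
```

Run as an ordinary user the first spec reports that root is needed and the bind probe returns "privileged"; the second should bind cleanly unless something else already listens on 5922.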
