Unsolved

December 20th, 2016 12:00

Is it possible to forward the DRAC web interface and remote video over an SSH connection to the DRAC?

We'd rather firewall off the HTTPS server, but it appears the SSH daemon on the DRAC doesn't allow port forwarding.

  Is this true?

  Can it be changed?

Here is some simple testing; I was unable to access the DRAC's HTTPS interface over an SSH tunnel.

desktop $ netstat -nat | grep 443 | grep LISTEN
desktop $ sudo ssh -L 443:localhost:443 root@some-drac

root@some-drac's password:
/admin1->

# from another terminal
$ netstat -nat | grep 443 | grep LISTEN
tcp        0      0 127.0.0.1:443           0.0.0.0:*               LISTEN
tcp6       0      0 ::1:443                 :::*                    LISTEN

# so far so good, but any attempt in the browser to access either https://127.0.0.1:443/ or https://[::1]:443/ fails with ERR_CONNECTION_REFUSED. I don't believe the DRAC's SSH daemon allows any port forwarding, or allows any configuration.

$ sudo nmap -A -T4 -p443 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2016-12-20 14:48 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000074s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT    STATE SERVICE    VERSION
443/tcp open  tcpwrapped

Please

Moderator • 8.4K Posts

December 21st, 2016 09:00

LukeTido,

Could you confirm the server that you are working on, as there are functional differences between the older DRACs and newer iDRACs. I don't believe what you are trying to do is supported, but let me know the system and we can test it.

Also, do you have ports 5900 and 5901 open as well?

Let me know.

11 Posts

December 21st, 2016 09:00

Thanks for the response! I can test on any generation Dell. I am currently testing on a DRAC7 (r620).

I get the same results on a DRAC8 (r730xd).

If you run SSH with -vvv, you can see this when you attempt to load https://127.0.0.1/

I think the "administratively prohibited: open failed" is the key point here:

debug1: Connection to port 443 forwarding to localhost port 443 requested.
debug2: fd 10 setting TCP_NODELAY
debug2: fd 10 setting O_NONBLOCK
debug3: fd 10 is O_NONBLOCK
debug1: channel 3: new [direct-tcpip]
debug3: send packet: type 90
debug3: receive packet: type 92
channel 3: open failed: administratively prohibited: open failed
debug2: channel 3: zombie
debug2: channel 3: garbage collecting
debug1: channel 3: free: direct-tcpip: listening port 443 for localhost port 443, connect from 127.0.0.1 port 56026 to 127.0.0.1 port 443, nchannels 4
debug3: channel 3: status: The following connections are open:
#2 client-session (t4 r0 i0/0 o0/0 fd 7/8 cc -1)

If only we could change the port forwarding setting in /etc/ssh/sshd_config...
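
As an added example (not from this thread or from Dell), here is a small Python checker that reads an ssh -vvv log like the one quoted above, names the RFC 4254 packet types (90/91/92) the client reported, and tells a server policy refusal ("administratively prohibited", as seen on the DRAC) apart from a permitted forward whose target simply did not answer. Channel 4 and the host 192.0.2.10 in the sample are constructed data, not from the post.

```python
import re

# RFC 4254 message numbers that "ssh -vvv" prints as "send/receive packet: type N"
MSG_TYPES = {
    90: "SSH_MSG_CHANNEL_OPEN",
    91: "SSH_MSG_CHANNEL_OPEN_CONFIRMATION",
    92: "SSH_MSG_CHANNEL_OPEN_FAILURE",
}

# Constructed sample: channel 3 is the poster's debug output; channel 4 is a
# constructed success case against an assumed host 192.0.2.10.
SAMPLE_LOG = """\
debug1: Connection to port 443 forwarding to localhost port 443 requested.
debug1: channel 3: new [direct-tcpip]
debug3: send packet: type 90
debug3: receive packet: type 92
channel 3: open failed: administratively prohibited: open failed
debug1: Connection to port 9111 forwarding to 192.0.2.10 port 443 requested.
debug1: channel 4: new [direct-tcpip]
debug3: send packet: type 90
debug3: receive packet: type 91
debug2: channel 4: open confirm rwindow 2097152 rmax 32768
"""

OPEN_RE = re.compile(r"channel (\d+): new \[direct-tcpip\]")
OK_RE = re.compile(r"channel (\d+): open confirm")
FAIL_RE = re.compile(r"channel (\d+): open failed: (.+)")
PKT_RE = re.compile(r"(send|receive) packet: type (\d+)")


def channel_packets(log):
    """Name the channel-open packets seen on the wire, in order."""
    return [f"{d} {MSG_TYPES.get(int(t), 'type ' + t)}" for d, t in PKT_RE.findall(log)]


def classify_forwards(log):
    """Map each direct-tcpip channel id to a verdict on what the server did with it."""
    verdicts = {}
    for line in log.splitlines():
        if m := OPEN_RE.search(line):
            verdicts[int(m.group(1))] = "pending"  # CHANNEL_OPEN sent, no reply yet
        elif m := OK_RE.search(line):
            verdicts[int(m.group(1))] = "forwarding allowed"
        elif m := FAIL_RE.search(line):
            reason = m.group(2)
            if reason.startswith("administratively prohibited"):
                verdicts[int(m.group(1))] = "server policy forbids forwarding"  # e.g. AllowTcpForwarding no
            elif reason.startswith("connect failed"):
                verdicts[int(m.group(1))] = "forwarding allowed, target unreachable"  # policy ok, port closed
            else:
                verdicts[int(m.group(1))] = f"failed: {reason}"
    return verdicts
```

Run it over a real `ssh -vvv -L ... host` transcript to confirm whether a refusal comes from the server's policy rather than from the target port being closed.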

Moderator • 8.4K Posts

December 21st, 2016 10:00

Thank you. Upon further research I have discovered that ssh provides command-line options for tunneling, to forward a local port (9111 in this example) to a remote server's port (idrac_ip:443). PuTTY provides this option. Now, with that being said, Dell does not recommend this as it is not as secure as a VPN is.

Now, prior to firmware 1.57.57 on the iDRAC, this works by using the following addresses:

localhost:9111/start.html
localhost:9111/login.html
https://localhost:9111/

After firmware 1.57.57 the iDRAC only works with:

localhost:9111/start.html
localhost:9111/login.html

However, using vKVM and vConsole will not work while tunneling like this.

Let me know if this helps.

11 Posts

December 22nd, 2016 12:00

What are your SSH options? If this is working for you, then your DRAC has different settings than mine. The administratively prohibited error message from my SSH client is demonstrating that the SSH daemon on our DRACs does not allow port forwarding.
