Feature Request: Ability to specify local bind address for ssh(1) -W
Hello.

I have deployed an SSH bastion host, and would prefer to use the ssh(1)
-W option to establish a forwarding from that host to the others that it
can access.

However, the bastion host has multiple IP addresses, and I need ssh(1)
to make the connection from a specific source address.

There is currently no way to accomplish this with the -W option, as it
only takes a destination address. This means that I need to instruct my
SSH client to start a nc(1) command and use its -s option instead, but
those commands sometimes linger (as children of PID 1) for a long time
after the connection has long since died, and I would prefer that the
login not have the ability to run commands at all.

Would it be possible to extend the syntax to take an optional source
address? For example (showing my current configuration commented out,
and how this could be specified using -W instead):



Host foo.example.net
BatchMode Yes
ControlMaster auto
ControlPath ~/.ssh/control-path.d/%r@%h:%p.sock
ControlPersist 3
ProxyCommand none
RequestTTY No
User bar

Host *.example.net
# ProxyCommand ssh foo.example.net 'nc -6 -s 2001:db8::2 %h %p'
ProxyCommand ssh -W [2001:db8::2]:[%h]:%p foo.example.net



Regards,
Aaron Jones
Re: Feature Request: Ability to specify local bind address for ssh(1) -W
On 25.03.21 16:30, Aaron Jones wrote:
> I have deployed an SSH bastion host, and would prefer to use the ssh(1)
> -W option to establish a forwarding from that host to the others that it
> can access.
>
> However, the bastion host has multiple IP addresses, and I need ssh(1)
> to make the connection from a specific source address.

I do not speak for the OpenSSH developers, but I have a hunch that
they'll deny that request. Selecting the source address for an outgoing
connection usually is the job of the OS(*) and an application needs to
carry quite a bit of extra code to override that. OK for an explicit
networking tool like nc, but maybe not for ssh.

However, assuming that there's some *regularity* to your need, you might
be able to tell the kernel itself to adhere to it (e.g., for Linux, use
iptables to explicitly SNAT connections matching a pattern to a specific
source IP). No more extra processes that can linger that way.

(*) Off the top of my head: Look up the outgoing interface in the
default(!!) routing table, then choose the IP added last (Linux) / set
first (SunOS/Solaris) / round robin (*BSD) from those set on that interface.

Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
Re: Feature Request: Ability to specify local bind address for ssh(1) -W
> However, assuming that there's some *regularity* to your need, you might
> be able to tell the kernel itself to adhere to it (e.g., for Linux, use
> iptables to explicitly SNAT connections matching a pattern to a specific
> source IP). No more extra processes that can linger that way.

On Linux you can set the requested source IP in the routing table
per-destination; and, together with iptables, you can also correlate
routes with executables and users.

So you can have a range of UIDs use outgoing address 1, another
set use address 2, etc.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
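The two kernel-side workarounds suggested in this thread (Jochen's SNAT by pattern, and the reply above about per-destination source addresses in the routing table correlated with users) expressed as the iproute2/ip6tables commands a bastion administrator would run. This is an added example, not something from the thread or from OpenSSH; the prefixes, gateway, interface, table number and UID range are placeholder assumptions (2001:db8::/32 is documentation space), and the commands need root on a Linux host. The uidrange rule (iproute2 and kernel 4.10 or later) is used rather than a fwmark set in mangle OUTPUT, because the source address is chosen at connect() time and a fwmark-driven re-route after that point does not change it:

```python
"""Kernel-side source-address selection for connections a bastion makes on
behalf of ssh -W, so that neither ssh nor nc has to bind() anything.
Added example; all addresses, device and table names are assumptions."""
import shlex
import subprocess


def per_destination_route(dest_prefix, gateway, dev, src):
    """Pin the preferred source address for one destination network.
    Applies to every user on the bastion; 'src' is honoured for sockets
    that did not bind() explicitly, which is what sshd does for -W."""
    return ["ip", "-6", "route", "replace", dest_prefix, "via", gateway,
            "dev", dev, "src", src]


def per_uid_table(uid_lo, uid_hi, src, gateway, dev, table=100):
    """Give a range of login UIDs their own default route and source
    address: a policy rule selects the table at the initial route lookup,
    so the socket picks 'src' before connect()."""
    return [
        ["ip", "-6", "rule", "add", "uidrange", "%d-%d" % (uid_lo, uid_hi),
         "table", str(table)],
        ["ip", "-6", "route", "replace", "default", "via", gateway, "dev", dev,
         "src", src, "table", str(table)],
    ]


def per_uid_snat(uid, src):
    """The SNAT variant from the thread: leave routing alone and rewrite
    the source address of locally generated packets owned by 'uid'.
    owner match is valid in OUTPUT and POSTROUTING for local traffic."""
    return [["ip6tables", "-t", "nat", "-A", "POSTROUTING", "-m", "owner",
             "--uid-owner", str(uid), "-j", "SNAT", "--to-source", src]]


def apply(cmds, dry_run=True):
    """Print (dry_run) or execute the command lists; returns them as
    shell-quoted lines so the plan can be reviewed before it is applied."""
    lines = [" ".join(shlex.quote(a) for a in c) for c in cmds]
    for argv, line in zip(cmds, lines):
        if dry_run:
            print(line)
        else:
            subprocess.run(argv, check=True)
    return lines


def plan():
    """Constructed plan: hosts in 2001:db8:1::/64 are reached from
    2001:db8::2 by everyone; UIDs 2000-2999 use 2001:db8::3 everywhere."""
    cmds = [per_destination_route("2001:db8:1::/64", "2001:db8::1", "eth0",
                                  "2001:db8::2")]
    cmds += per_uid_table(2000, 2999, "2001:db8::3", "2001:db8::1", "eth0")
    return apply(cmds, dry_run=True)
```

Run `plan()` to see the commands; pass `dry_run=False` to `apply()` only once they have been reviewed, since `route replace` will overwrite an existing route for the same prefix in that table.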
Re: Feature Request: Ability to specify local bind address for ssh(1) -W
On Mar 26, 2021, at 1:10 AM, Jochen Bern <Jochen.Bern@binect.de> wrote:
> On 25.03.21 16:30, Aaron Jones wrote:
>> I have deployed an SSH bastion host, and would prefer to use the ssh(1)
>> -W option to establish a forwarding from that host to the others that it
>> can access.
>>
>> However, the bastion host has multiple IP addresses, and I need ssh(1)
>> to make the connection from a specific source address.
>
> I do not speak for the OpenSSH developers, but I have a hunch that
> they'll deny that request. Selecting the source address for an outgoing
> connection usually is the job of the OS(*) and an application needs to
> carry quite a bit of extra code to override that. OK for an explicit
> networking tool like nc, but maybe not for ssh.
>
> However, assuming that there's some *regularity* to your need, you might
> be able to tell the kernel itself to adhere to it (e.g., for Linux, use
> iptables to explicitly SNAT connections matching a pattern to a specific
> source IP). No more extra processes that can linger that way.
>
> (*) Off the top of my head: Look up the outgoing interface in the
> default(!!) routing table, then choose the IP added last (Linux) / set
> first (SunOS/Solaris) / round robin (*BSD) from those set on that interface.


OpenSSH already supports the concept of setting a source address today via the BindAddress config option, and it’s straightforward to implement via the socket API without getting into anything OS-specific. The only thing missing here is the ability to pass a requested bind address through on a port-forwarding request.

Supporting this would require a protocol change, to add a new bind address (and probably also port) to the "direct-tcpip" request. This might require the introduction of a new channel type in the SSH_MSG_CHANNEL_OPEN request to allow the extra argument to be added without breaking interoperability with other SSH servers. When used, this new channel type would request that the remote SSH server do a bind() call on the outbound socket before doing a connect() to the requested target host/port.

It might be worth doing something similar to be able to specify a bind address on incoming forwarded TCP connection requests, such that the SSH client would bind() to a specific address/port before making the local connection. I think this could be done without any protocol changes. It would just be new fields in the -R argument (and RemoteForward config option).
--
Ron Frederick
ronf@timeheart.net



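To make the protocol point above concrete, here is the wire format of the "direct-tcpip" CHANNEL_OPEN that ssh -W sends (RFC 4254, section 7.2), a hypothetical extended channel type that carries a bind address and port, and the bind()-before-connect() a server would perform for it. This is an added example, not OpenSSH code and not part of the thread; the extended type name "direct-tcpip-bind@example.com" and the placement of its extra fields are assumptions, and the demo's loopback listener is constructed for the example:

```python
"""direct-tcpip CHANNEL_OPEN encoding/decoding plus an assumed extension
carrying a bind address, and the server-side bind()-then-connect().
Added example; the extended channel type and its fields are assumptions."""
import socket
import struct

SSH_MSG_CHANNEL_OPEN = 90
DIRECT_TCPIP = b"direct-tcpip"
# Assumed extension name, using the RFC 4251 "@domain" private-name form.
DIRECT_TCPIP_BIND = b"direct-tcpip-bind@example.com"


def _string(b):
    return struct.pack(">I", len(b)) + b


def _uint32(n):
    return struct.pack(">I", n)


def encode_channel_open(host, port, orig_host, orig_port, sender_channel=0,
                        window=2 << 20, max_packet=32768,
                        bind_addr=None, bind_port=0):
    """bind_addr=None gives the standard direct-tcpip request, which has no
    field for a source address; otherwise the assumed extended type is used
    and bind address/port are appended after the originator fields."""
    ctype = DIRECT_TCPIP if bind_addr is None else DIRECT_TCPIP_BIND
    msg = (bytes([SSH_MSG_CHANNEL_OPEN]) + _string(ctype)
           + _uint32(sender_channel) + _uint32(window) + _uint32(max_packet)
           + _string(host.encode()) + _uint32(port)
           + _string(orig_host.encode()) + _uint32(orig_port))
    if bind_addr is not None:
        msg += _string(bind_addr.encode()) + _uint32(bind_port)
    return msg


class _Reader:
    def __init__(self, data):
        self.data, self.off = data, 0

    def byte(self):
        self.off += 1
        return self.data[self.off - 1]

    def uint32(self):
        (v,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        return v

    def string(self):
        n = self.uint32()
        self.off += n
        return self.data[self.off - n:self.off]


def decode_channel_open(msg):
    """Parse either type. A server that only knows direct-tcpip rejects the
    unknown type name (CHANNEL_OPEN_FAILURE) rather than misparsing extra
    trailing fields, which is why a new type preserves interoperability."""
    r = _Reader(msg)
    if r.byte() != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not SSH_MSG_CHANNEL_OPEN")
    ctype = r.string()
    if ctype not in (DIRECT_TCPIP, DIRECT_TCPIP_BIND):
        raise ValueError("unknown channel type %r" % ctype)
    req = {"type": ctype.decode(), "sender_channel": r.uint32(),
           "window": r.uint32(), "max_packet": r.uint32(),
           "host": r.string().decode(), "port": r.uint32(),
           "orig_host": r.string().decode(), "orig_port": r.uint32(),
           "bind_addr": None, "bind_port": 0}
    if ctype == DIRECT_TCPIP_BIND:
        req["bind_addr"] = r.string().decode()
        req["bind_port"] = r.uint32()
    if r.off != len(msg):
        raise ValueError("trailing bytes in CHANNEL_OPEN")
    return req


def open_outbound(req):
    """Server side: bind() the outbound socket to the requested source
    before connect(); create_connection() does that for source_address."""
    src = None
    if req["bind_addr"] is not None:
        src = (req["bind_addr"], req["bind_port"])
    return socket.create_connection((req["host"], req["port"]),
                                    timeout=5, source_address=src)


def demo():
    """Round trip against a constructed loopback listener; returns the
    channel type used and the source address the listener observed."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    port = lst.getsockname()[1]
    msg = encode_channel_open("127.0.0.1", port, "127.0.0.1", 40000,
                              bind_addr="127.0.0.1", bind_port=0)
    req = decode_channel_open(msg)
    out = open_outbound(req)
    conn, peer = lst.accept()
    conn.close()
    out.close()
    lst.close()
    return req["type"], peer[0]
```

A server implementing the extension should treat the bind address as untrusted client input: restrict it to addresses the login is permitted to use (the same policy question PermitOpen answers for destinations), since otherwise a user could pick whichever of the bastion's addresses carries the most privilege with downstream ACLs.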