Mailing List Archive

Fixing UID; port forwarding via process
Two related sshd configuration questions.

I want to implement sshd so that it allows port forwarding but in a rather
specific manner. I can't alter what the client will do for various reasons,
but it's in essence:

ssh -l user-service -L 9999:server2.example.com:1234 server1.example.com

What the sshd server needs to do is:

1. Authenticate the username passed (in the former "user-service") against
an external authentication database. I am hoping I can do this using (say)
a PAM module. Whatever the username specified, the UNIX UID required on the
server will be the same. As the username is in fact a composite of a username
and a service name, the usernames provided cannot correspond to actual UNIX
usernames. Is it possible to write a PAM module for sshd that works this
way, and if so how can I force logins to a specific UID?

2. Rather than sshd opening up TCP connection to forward the connection (in
the above instance to server2.example.com:1234), I need sshd to launch a
process (in a similar way to inetd) and pipe the connection to that,
irrespective of what the user has specified on the ssh command line. It
needs to pass the username specified ("user-service", not the UID which
will always be the same) and preferably the "server2.example.com:1234" to
this process, either on the process's command line or in the environment.
Essentially what the process will be doing is an "nc" but dependent on the
"user-service" tuple passed and subject to some protocol translation. How
can I achieve this?

If the answer is "go hack about in openssh sources" that is a possibility
(though I'd rather not). Some indication of where to look would be useful.


--
Alex Bligh
Re: Fixing UID; port forwarding via process
On Saturday 23 May 2009 05:10:40 Alex Bligh wrote:
> Two related sshd configuration questions.
>
> I want to implement sshd so that it allows port forwarding but in a rather
> specific manner. I can't alter what the client will do for various reasons,
> but it's in essence:
>
> ssh -l user-service -L 9999:server2.example.com:1234 server1.example.com
>
> What the sshd server needs to do is:
>
> 1. Authenticate the username passed (in the former "user-service") against
> an external authentication database. I am hoping I can do this using (say)
> a PAM module. Whatever the username specified, the UNIX UID required on the
> server will be the same. As the username is in fact a composite of a username
> and a service name, the usernames provided cannot correspond to actual UNIX
> usernames. Is it possible to write a PAM module for sshd that works this
> way, and if so how can I force logins to a specific UID?
>
> 2. Rather than sshd opening up TCP connection to forward the connection (in
> the above instance to server2.example.com:1234), I need sshd to launch a
> process (in a similar way to inetd) and pipe the connection to that,
> irrespective of what the user has specified on the ssh command line. It
> needs to pass the username specified ("user-service", not the UID which
> will always be the same) and preferably the "server2.example.com:1234" to
> this process, either on the process's command line or in the environment.
> Essentially what the process will be doing is an "nc" but dependent on the
> "user-service" tuple passed and subject to some protocol translation. How
> can I achieve this?

Something useful would be iptables. iptables can redirect your connection to
127.0.0.1:x when you have your local program listening.

This can be done with iptables, the --uid-owner match, and REDIRECT. (I think.)

-j REDIRECT in combination with --uid-owner will redirect all the connections
created by your special users to your local service.

>
> If the answer is "go hack about in openssh sources" that is a possibility
> (though I'd rather not). Some indication of where to look would be useful.
--
Ing. Aaron G. Mizrachi P.

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1
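The local listener that the REDIRECT approach above needs, as an added example (not code from the thread or from OpenSSH). It assumes the shared UNIX account is called svc, that the listener sits on 127.0.0.1:5555, and that a nat-table OUTPUT rule of the form `iptables -t nat -A OUTPUT -m owner --uid-owner svc -p tcp -j REDIRECT --to-ports 5555` is in place; the environment variable names ORIG_DST_HOST and ORIG_DST_PORT are likewise assumptions. Once the forward has been redirected, the original "server2.example.com:1234" target that the ssh client asked for can still be recovered with the Linux SO_ORIGINAL_DST socket option, so the listener decodes it and hands the connection to a child process inetd-style, with the original destination in the environment. Note what does not survive the redirect: the login name, because every forward runs under the same UID.

```python
"""Inetd-style receiver for connections that iptables has REDIRECTed to
127.0.0.1:5555 (example code; assumes the rule

  iptables -t nat -A OUTPUT -m owner --uid-owner svc -p tcp \
      -j REDIRECT --to-ports 5555

where 'svc' is the shared account that all the composite logins map to).
"""
import os
import signal
import socket
import struct
import subprocess

SOL_IP = getattr(socket, "SOL_IP", 0)
SO_ORIGINAL_DST = 80          # from linux/netfilter_ipv4.h

# Layout of struct sockaddr_in as returned by SO_ORIGINAL_DST:
#   uint16 sin_family (host order) | uint16 sin_port (network order)
#   | 4-byte sin_addr | 8 bytes zero padding


def encode_sockaddr_in(addr: str, port: int) -> bytes:
    """Build a sockaddr_in; used here only to construct test input."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(addr) + b"\x00" * 8)


def parse_original_dst(sockaddr_in: bytes):
    """Decode sockaddr_in into (addr, port); None if malformed."""
    if len(sockaddr_in) < 8:
        return None
    family, = struct.unpack_from("=H", sockaddr_in, 0)
    if family != socket.AF_INET:
        return None
    port, = struct.unpack_from("!H", sockaddr_in, 2)
    return socket.inet_ntoa(sockaddr_in[4:8]), port


def original_dst(conn: socket.socket):
    """Ask netfilter where this redirected connection was really going."""
    try:
        raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError:
        return None          # not a NATed connection, or not Linux
    return parse_original_dst(raw)


def build_child_env(addr: str, port: int, base_env=None) -> dict:
    """Environment for the handler: original target, but no login name,
    because it was lost when sshd dropped to the shared UID."""
    env = dict(os.environ if base_env is None else base_env)
    env["ORIG_DST_HOST"] = addr
    env["ORIG_DST_PORT"] = str(port)
    return env


def serve(listen_port: int, handler_cmd: list) -> None:
    """Accept redirected forwards and exec handler_cmd per connection,
    inetd-style: the child's stdin and stdout are the connection."""
    signal.signal(signal.SIGCHLD, signal.SIG_IGN)   # no zombies to reap
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", listen_port))
        srv.listen(16)
        while True:
            conn, _peer = srv.accept()
            with conn:
                dst = original_dst(conn)
                if dst is None:
                    continue       # direct hit on the listener: drop it
                subprocess.Popen(handler_cmd, stdin=conn, stdout=conn,
                                 env=build_child_env(*dst))


if __name__ == "__main__":
    # Assumed handler: a script that reads ORIG_DST_HOST/PORT and does the
    # protocol translation the thread describes before connecting onward.
    serve(5555, ["/usr/local/bin/svc-handler"])
```

The child never sees "user-service"; if the handler must key on it, that information has to be captured before sshd switches to the shared UID (for example by a PAM session module that records the login name somewhere the handler can look it up by connection), which is exactly the gap the next reply in the thread points out.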
Re: Fixing UID; port forwarding via process
--On 25 May 2009 13:08:35 -0430 Aarón Mizrachi <unmanarc@gmail.com> wrote:

>> 2. Rather than sshd opening up TCP connection to forward the connection
>> (in the above instance to server2.example.com:1234), I need sshd to
>> launch a process (in a similar way to inetd) and pipe the connection to
>> that, irrespective of what the user has specified on the ssh command
>> line. It needs to pass the username specified ("user-service", not the
>> UID which will always be the same) and preferably the
>> "server2.example.com:1234" to this process, either on the process's
>> command line or in the environment. Essentially what the process will be
>> doing is an "nc" but dependent on the "user-service" tuple passed and
>> subject to some protocol translation. How can I achieve this?
>
> Something useful will be iptables. iptables can redirect your connection
> to 127.0.0.1:x when you have your local program listening.
>
> this can be done with iptables, --uid-owner policy, and REDIRECT. (I
> think).
>
> -j REDIRECT in addition with uid-owner will redirect all the connections
> created from you special users to your local service.

Agree, but by then the supplied username will have been lost (as they'll
all be running under the same UID).

--
Alex Bligh