openssh unix dev - Oct 2011 - Detect PID of sshd processes used by one public key; detect -R allocated port on the server

I have a situation where a number of potentially hostile clients ssh to
a host I control, each ssh'ing in as the same user, and each forwarding
a remote port back to them.

So, the authorized_keys file looks like:

no-agent-forwarding,command="/bin/true",no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:7"
ssh-rsa AAAAB....vnRWxcgaK9xXoU= client1234 at example.com

[the permitopen stanza just disables -L forwarding by only enabling a
forwarding to a port that will always refuse connections. Ignore this.]

and the ssh line from the client looks like this:

ssh -R0:127.0.0.1:1234 -N -ldummyuser central.example.org
Allocated port 54403 for remote forward to 127.0.0.1:1234

Now, ssh -R with a 0 port option allocates a remote port, which is what I
want to do, as I have lots and lots of these clients. It tells the /client/
what port it has allocated, but I want to know on the /server/ what port
has been allocated. On the server I want to detect which port (if any)
client1234 at example.com has open, and connect to that.

I can't pass this information from the client, because the potentially
hostile client could pass back a different number. I could then connect
to a port and be fooled into connecting to wrong client.

My plan was to get the PID of the sshd process, then use lsof to find
what ports it was listening on.

The lsof bit works:

$ lsof -n -p 12287 -a -i4tcp -a -sTCP:LISTEN
COMMAND   PID     USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
sshd    12287 testuser   10u  IPv4 10196497      0t0  TCP 127.0.0.1:54403 
(LISTEN)

But there seems to be no way to get the PIDs of an ssh process associated
with a particular public key, as opposed to a particular user.

Logs would be unreliable anyway (race conditions), but the log line simply 
says this (no indication of what key is accepted):

Oct  8 09:30:15 test sshd[12214]: Accepted publickey for dummyuser from 
10.1.3.45 port 55158 ssh2
Oct  8 09:30:15 test sshd[12214]: pam_unix(sshd:session): session opened 
for user dummyuser by (uid=0)

I can't help but think that log line would be more useful if it said which
public key was accepted (am willing to provide a patch, but would prefer
to avoid a code change).

Any ideas on how to get from a public key to list of sshd processes?

-- 
Alex Bligh

On 2011-10-08 at 10:01 +0100, Alex Bligh wrote:
> I can't help but think that log line would be more useful if it said
which
> public key was accepted (am willing to provide a patch, but would prefer
> to avoid a code change).
LogLevel VERBOSE

-Phil

--On 8 October 2011 08:06:59 -0400 Stephen Harris <lists at spuddy.org>
wrote:
>>
no-agent-forwarding,command="/bin/true",no-pty,no-user-rc,no-X11-forward
>> ing,permitopen="127.0.0.1:7"
>
>> But there seems to be no way to get the PIDs of an ssh process
associated
>> with a particular public key, as opposed to a particular user.
>
> Instead of command="/bin/true" use
command="/path/to/script".  The script
> can look at parent processes and work up the tree until it reaches the
> sshd process.
(I hope you don't mind me sending the reply to the list)

This strategy does not work for two reasons:

1. when -N is used, command= / ForceCommand is not executed. It only forces
   running of a command when there is either an interactive session
   requested or a command on the command line.

2. (less of an issue), the user's shell can no longer be /bin/false; it has
   to be a real shell.

-- 
Alex Bligh