Alex Bligh
2011-Oct-08 09:01 UTC
Detect PID of sshd processes used by one public key; detect -R allocated port on the server
I have a situation where a number of potentially hostile clients ssh to a host I control, each ssh'ing in as the same user, and each forwarding a remote port back to them. So, the authorized_keys file looks like:

    no-agent-forwarding,command="/bin/true",no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:7" ssh-rsa AAAAB....vnRWxcgaK9xXoU= client1234 at example.com

[the permitopen stanza just disables -L forwarding by only enabling a forwarding to a port that will always refuse connections. Ignore this.]

and the ssh line from the client looks like this:

    ssh -R0:127.0.0.1:1234 -N -ldummyuser central.example.org
    Allocated port 54403 for remote forward to 127.0.0.1:1234

Now, ssh -R with a 0 port option allocates a remote port, which is what I want to do, as I have lots and lots of these clients. It tells the /client/ what port it has allocated, but I want to know on the /server/ what port has been allocated.

On the server I want to detect which port (if any) client1234 at example.com has open, and connect to that. I can't pass this information from the client, because the potentially hostile client could pass back a different number. I could then connect to a port and be fooled into connecting to the wrong client.

My plan was to get the PID of the sshd process, then use lsof to find what ports it was listening on. The lsof bit works:

    $ lsof -n -p 12287 -a -i4tcp -a -sTCP:LISTEN
    COMMAND   PID     USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
    sshd    12287 testuser  10u   IPv4 10196497      0t0  TCP 127.0.0.1:54403 (LISTEN)

But there seems to be no way to get the PIDs of an ssh process associated with a particular public key, as opposed to a particular user.
Logs would be unreliable anyway (race conditions), but the log line simply says this (no indication of what key is accepted):

    Oct 8 09:30:15 test sshd[12214]: Accepted publickey for dummyuser from 10.1.3.45 port 55158 ssh2
    Oct 8 09:30:15 test sshd[12214]: pam_unix(sshd:session): session opened for user dummyuser by (uid=0)

I can't help but think that log line would be more useful if it said which public key was accepted (am willing to provide a patch, but would prefer to avoid a code change).

Any ideas on how to get from a public key to a list of sshd processes?

--
Alex Bligh
Phil Pennock
2011-Oct-08 10:56 UTC
Detect PID of sshd processes used by one public key; detect -R allocated port on the server
On 2011-10-08 at 10:01 +0100, Alex Bligh wrote:
> I can't help but think that log line would be more useful if it said which
> public key was accepted (am willing to provide a patch, but would prefer
> to avoid a code change).

LogLevel VERBOSE

-Phil
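The following is an added example, not part of the thread and not OpenSSH code: it joins the key fingerprint that sshd logs at LogLevel VERBOSE to the lsof listing from the first message, so the port is derived on the server only. The "Found matching" line format, the fingerprints, the `ps` listing, and the rule that a listener may be a direct child of the logging PID are assumptions; all sample data is constructed.

```python
import re

# Constructed sample data. Assumption: at LogLevel VERBOSE sshd logs
# "Found matching <type> key: <fingerprint>" under the PID that later logs "Accepted".
SAMPLE_LOG = """\
Oct  8 09:30:15 test sshd[12214]: Found matching RSA key: aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:01
Oct  8 09:30:15 test sshd[12214]: Found matching RSA key: aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:02
Oct  8 09:30:15 test sshd[12214]: Accepted publickey for dummyuser from 10.1.3.45 port 55158 ssh2
Oct  8 09:31:02 test sshd[12300]: Found matching RSA key: aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:01
"""
SAMPLE_PS = "12214 900\n12287 12214\n12300 900\n"  # constructed `ps -e -o pid= -o ppid=`
SAMPLE_LSOF = """\
COMMAND   PID      USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
sshd    12287 dummyuser  10u   IPv4 10196497      0t0  TCP 127.0.0.1:54403 (LISTEN)
"""
LOG_RE = re.compile(r"sshd\[(\d+)\]: (?:Found matching \S+ key: (\S+)|Accepted publickey for (\S+))")

def accepted_keys(log_text):
    """Map logging sshd PID -> (user, fingerprint) for completed logins only."""
    # A client can offer a public key it cannot sign for, so an offer alone proves
    # nothing: only the last offer before "Accepted" in the same PID is attributed.
    offered, accepted = {}, {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        pid = int(m.group(1))
        if m.group(2):
            offered[pid] = m.group(2)
        elif pid in offered:
            accepted[pid] = (m.group(3), offered.pop(pid))
    return accepted

def listeners(lsof_text):
    """Map PID -> listening TCP ports, from lsof output as shown in the first message."""
    ports = {}
    for line in lsof_text.splitlines():
        f = line.split()
        if len(f) >= 10 and f[-1] == "(LISTEN)" and f[1].isdigit():
            ports.setdefault(int(f[1]), []).append(int(f[-2].rsplit(":", 1)[1]))
    return ports

def ports_for_key(fingerprint, log_text, ps_text, lsof_text):
    """Ports held by sshd processes (or their direct children) that logged in with this key."""
    parent = dict(map(int, l.split()) for l in ps_text.splitlines() if l.strip())
    owners = {p for p, (_, fp) in accepted_keys(log_text).items() if fp == fingerprint}
    return sorted(port for pid, plist in listeners(lsof_text).items()
                  if pid in owners or parent.get(pid) in owners for port in plist)
```

PIDs are reused, so only log entries newer than the process start time should be trusted.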
Alex Bligh
2011-Oct-08 13:20 UTC
Detect PID of sshd processes used by one public key; detect -R allocated port on the server
--On 8 October 2011 08:06:59 -0400 Stephen Harris <lists at spuddy.org> wrote:

>> no-agent-forwarding,command="/bin/true",no-pty,no-user-rc,no-X11-forward
>> ing,permitopen="127.0.0.1:7"
>
>> But there seems to be no way to get the PIDs of an ssh process associated
>> with a particular public key, as opposed to a particular user.
>
> Instead of command="/bin/true" use command="/path/to/script". The script
> can look at parent processes and work up the tree until it reaches the
> sshd process.

(I hope you don't mind me sending the reply to the list)

This strategy does not work for two reasons:

1. when -N is used, command= / ForceCommand is not executed. It only forces running of a command when there is either an interactive session requested or a command on the command line.

2. (less of an issue), the user's shell can no longer be /bin/false; it has to be a real shell.

--
Alex Bligh