bugzilla-daemon at mindrot.org
2024-Jun-26 06:35 UTC
[Bug 3704] New: Implement an interface to capture port number of random remote port forwarding -R 0:localhost:22
https://bugzilla.mindrot.org/show_bug.cgi?id=3704
Bug ID: 3704
Summary: Implement an interface to capture port number of random remote port forwarding -R 0:localhost:22
Product: Portable OpenSSH
Version: 9.7p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: umut at tezduyar.com
I am exposing IoT devices' SSH interface to the cloud. The IoT devices
set up the port forwarding with -R 0:localhost:22. The random port
number is picked by sshd and is sent to the client on the TTY. Then
my clients send the port number to the server to keep track of
active sessions.
Here I rely on the client doing the right thing and reporting the correct
allocated port number to the server.
I would like to request a feature to have an interface on sshd to
capture the allocated port number for a given key/fingerprint.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Jul-06 20:36 UTC
[Bug 3704] Implement an interface to capture port number of random remote port forwarding -R 0:localhost:22
https://bugzilla.mindrot.org/show_bug.cgi?id=3704
Nikola <root at nixsum.net> changed:
What | Removed | Added
-----+---------+------------------
CC   |         | root at nixsum.net
--- Comment #1 from Nikola <root at nixsum.net> ---
As a third observer I'd like to suggest you try something else.
You can use a unix socket instead as it will be easier to track.
The below example assumes your "controller" uses pam_systemd for user
sessions.
I also assume you are using a separate user and ssh key for each IoT
client.
On the IoT client:
$ export remote_uid=$(ssh iot_device_1@debbie 'id -u')
$ ssh iot_user_1@controller -R /run/user/$remote_uid/sshd.sock:localhost:22
On the controller, to connect to the IoT device you can use:
# ssh -o "ProxyCommand socat - UNIX-CLIENT:/run/user/$(id -u iot_user_1)/sshd.sock" iot_user_1@iot_device_1
This way you can always correlate a user to their forwarded socket and
they can only create a unix socket with their limited permissions.
bugzilla-daemon at mindrot.org
2024-Aug-09 12:23 UTC
[Bug 3704] Implement an interface to capture port number of random remote port forwarding -R 0:localhost:22
https://bugzilla.mindrot.org/show_bug.cgi?id=3704
kolAflash at kolahilft.de changed:
What | Removed | Added
-----+---------+------------------------
CC   |         | kolAflash at kolahilft.de
--- Comment #2 from kolAflash at kolahilft.de ---
(In reply to Nikola from comment #1)
> [...]
> You can use a unix socket instead as it will be easier to track.
If possible, I'd also recommend UNIX sockets. They are much safer than
127.0.0.1. See also bug 3695.
Comments say even Windows supports UNIX sockets nowadays:
https://lwn.net/Articles/984838/
Alternatively, don't let SSH find the free port, but use "ss".
#!/bin/bash
port="10000" # start searching here
# ss filters expect the port with a leading colon (sport = :10000);
# -H drops the header line, -4 limits the check to IPv4 sockets
while [ "$port" -lt 65535 ] && [ -n "$(ss -tan4H "sport = :${port}")" ]; do
port="$((port+1))"
done
echo "$port"
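Added example, not code from the bug report or from OpenSSH: two POSIX shell helpers covering both sides of this thread. The first parses the port the ssh client prints when the server picks one for "-R 0:..." (the TTY message the reporter's clients relay); the message text "Allocated port N for remote forward to host:port" is assumed from the OpenSSH client's log line, and the parser relies only on the "Allocated port N" prefix. The second is the "ss" approach from comment #2 as a bounded search that reads `ss -tanH` output from stdin, so it can be run offline against the constructed samples embedded below and fails cleanly when the range is exhausted.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenSSH). All sample data
# below is constructed for the demo; nothing is read from a live system.

# Constructed sample of what `ssh -R 0:localhost:22 ...` writes to stderr.
# The "Allocated port ..." wording is assumed to match the OpenSSH client.
SAMPLE_SSH_STDERR='Warning: Permanently added controller (ED25519) to the list of known hosts.
Allocated port 41234 for remote forward to localhost:22'

# Constructed sample of `ss -tanH` output
# (columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:10000 0.0.0.0:*
ESTAB 0 0 10.0.0.5:10001 10.0.0.9:43210
LISTEN 0 128 [::]:10002 [::]:*'

# parse_allocated_port < ssh-stderr
# Prints the server-chosen port from the first "Allocated port N ..." line,
# exits 1 if no such line is present.
parse_allocated_port() {
    p=$(sed -n 's/^Allocated port \([0-9][0-9]*\) for .*/\1/p' | head -n 1)
    [ -n "$p" ] || return 1
    printf '%s\n' "$p"
}

# used_ports < ss-output
# One local port per line, deduplicated. Column 4 is Local-Address:Port;
# taking the text after the last colon also handles IPv6 like [::]:10002.
used_ports() {
    awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# find_free_port START END < ss-output
# Prints the first port in [START, END] that is not in use, exits 1 if the
# whole range is taken. Caveat: this is a check-then-bind race; another
# process can grab the port before sshd binds it, which is exactly what
# "-R 0" avoids by letting sshd choose the port at bind time.
find_free_port() {
    start=$1
    end=$2
    used=$(used_ports)
    port=$start
    while [ "$port" -le "$end" ]; do
        if ! printf '%s\n' "$used" | grep -qx "$port"; then
            printf '%s\n' "$port"
            return 0
        fi
        port=$((port + 1))
    done
    return 1
}

# Stand-alone demo on the constructed samples.
demo() {
    printf 'allocated: %s\n' "$(printf '%s\n' "$SAMPLE_SSH_STDERR" | parse_allocated_port)"
    printf 'free: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | find_free_port 10000 10010)"
}

demo
```

On a real client, start the long-lived forward with its stderr redirected to a file (for example `ssh -N -R 0:localhost:22 iot_user_1@controller 2>ssh.log &`) and run `parse_allocated_port < ssh.log` once the line has appeared; for the ss variant, `ss -tanH | find_free_port 10000 10100` gives a candidate to pass as `-R "$port:localhost:22"`, bearing in mind the race noted in the comments.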