Michael O'Cleirigh
2007-Sep-27 17:14 UTC
Q: how to restrict access selectively to client initiated local port forward
Hello,

At work we have an internal application that implements a proxy. It works by counting the number of connections per IP address and using this to enforce usage limits (i.e. not more than X connections from a given IP). The important thing for us is a unique IP per client.

We have this implemented where each client first authenticates through OpenVPN and is assigned a unique IP address.

But some of our users can't get their corporate firewall changed to allow the tunnel to be established. So we've come up with a way that they can use ssh local port forwarding to accomplish the same thing.

For example:

This is the idealized case, the client connects to the proxy and their connections are managed:

client ---------------------> proxy

VPN: With the VPN the client is given a unique IP and all works well.

client (10.8.0.x) ---------------> proxy (10.8.0.1)

OpenSSH: With OpenSSH we use the following command:

ssh -L yyyy:10.8.0.x:yyyy user@proxy

client (a.b.c.d) ------------------> proxy local redirect to -------> (10.8.0.x)

where yyyy is the port being forwarded and lo:x is a loopback alias on the proxy set to 10.8.0.x (a different loopback IP will exist for each connecting client).

This works since it appears to the proxy that the connections are originating from 10.8.0.x.

However, as far as I can tell there is no way in OpenSSH to define an access control policy for which connecting users are allowed to redirect through which local IP.

i.e. we can't enforce that only user1 can local redirect through 10.8.0.12, which would allow anyone with system access to redirect through 10.8.0.12.

I've downloaded and locally modified openssh-4.7p1 to include a new module that will allow this decision to be made (reads a custom configuration file that answers the question: can $user redirect through $hostname). But I can't figure out the exact place to insert it in the OpenSSH source code.
Could someone point me to the source file and line that is responsible for the server side initialization of a client local forward?

I tried connecting in serverloop.c, function:

static void server_input_global_request(int type, u_int32_t seq, void *ctxt);

which by its comment says it deals with "-R" style forwarding, but this doesn't seem to be the correct place for "-L" style forwarding.

Thanks for your help,

Mike
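Editor's note with an added example, not part of the thread and not OpenSSH code or the poster's patch: a client-side -L forward does not arrive at sshd as a global request at all; it arrives as a "direct-tcpip" channel open, which in the 4.x tree is handled by server_request_direct_tcpip() in serverloop.c (dispatched from server_input_channel_open()), and that is where a per-user destination check would sit. Before patching, note that stock sshd_config since OpenSSH 4.4 can express this policy with a PermitOpen directive inside a Match User block. The program below is a stand-alone model of the check the post describes ("can $user redirect through $hostname:$port"). The three-field policy format and the sample policy are assumptions constructed for the example. It defaults to deny, ignores malformed lines, and accepts only literal IPv4 destinations, so a DNS name that resolves to the same loopback alias cannot slip past the string comparison.

```c
/*
 * Stand-alone model of "may $user forward to $host:$port?".
 * Editor's added example: not OpenSSH code and not the poster's patch.
 * Policy format (assumed for this example):
 *
 *     user  destination-ipv4  port     ('*' = any; lines starting with '#' are comments)
 *
 * Default is deny: a request is allowed only if some line matches all three fields.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <arpa/inet.h>

#define MAX_LINE  512
#define MAX_FIELD 64

/* Constructed sample policy standing in for the custom file the post describes. */
static const char *sample_policy =
    "# user     destination   port\n"
    "user1      10.8.0.12     *\n"
    "user2      10.8.0.13     8080\n"
    "auditor    *             443\n"
    "broken     10.8.0.14\n";           /* malformed (two fields): never grants */

/* The forward request names its target by the string the client sent. Only a
 * literal IPv4 address is accepted, so a hostname resolving to the same
 * loopback alias cannot bypass the string comparison below (fail closed). */
static int is_ipv4_literal(const char *host)
{
    struct in_addr a;
    return inet_pton(AF_INET, host, &a) == 1;
}

/* '*' matches any port; otherwise the rule must be exactly the decimal port. */
static int port_matches(const char *rule, int port)
{
    char *end;
    long n;

    if (strcmp(rule, "*") == 0)
        return 1;
    n = strtol(rule, &end, 10);
    return *rule != '\0' && *end == '\0' && n == port;
}

/* Evaluate one policy line. Returns 1 only if it grants user -> host:port.
 * Lines with the wrong field count are ignored, which can never grant. */
static int line_grants(const char *line, const char *user,
                       const char *host, int port)
{
    char ru[MAX_FIELD], rh[MAX_FIELD], rp[MAX_FIELD], extra[2];

    while (isspace((unsigned char)*line))
        line++;
    if (*line == '\0' || *line == '#')
        return 0;                           /* blank line or comment */
    if (sscanf(line, "%63s %63s %63s %1s", ru, rh, rp, extra) != 3)
        return 0;                           /* too few or too many fields */
    if (strcmp(ru, user) != 0)
        return 0;
    if (strcmp(rh, "*") != 0 && strcmp(rh, host) != 0)
        return 0;
    return port_matches(rp, port);
}

/* Walk the policy text line by line; the first matching grant wins. */
int forward_permitted(const char *policy, const char *user,
                      const char *host, int port)
{
    const char *p = policy;
    char line[MAX_LINE];

    if (user == NULL || host == NULL || !is_ipv4_literal(host) ||
        port < 1 || port > 65535)
        return 0;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        const char *next = nl ? nl + 1 : p + len;

        if (len < sizeof line) {            /* over-long lines are skipped, never granted */
            memcpy(line, p, len);
            line[len] = '\0';
            if (line_grants(line, user, host, port))
                return 1;
        }
        p = next;
    }
    return 0;
}

int main(void)
{
    struct { const char *user, *host; int port; } req[] = {
        { "user1",   "10.8.0.12",     3128 },
        { "user1",   "10.8.0.13",     3128 },
        { "user2",   "10.8.0.13",     8080 },
        { "user1",   "proxy.example", 3128 },   /* hostname, not a literal: denied */
        { "auditor", "10.8.0.40",      443 },
    };
    size_t i;

    for (i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("%-8s -> %s:%d  %s\n", req[i].user, req[i].host, req[i].port,
               forward_permitted(sample_policy, req[i].user, req[i].host,
                                 req[i].port) ? "allow" : "deny");
    return 0;
}
```

In a real hook the user would be the authenticated login name, and the host and port the values unpacked from the direct-tcpip channel open request; the policy text would be read once at startup rather than passed in per call.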
William Ahern
2007-Sep-27 17:28 UTC
Q: how to restrict access selectively to client initiated local port forward
On Thu, Sep 27, 2007 at 01:14:32PM -0400, Michael O'Cleirigh wrote:
<snip>
> However as far as I can tell there is no way in OpenSSH to define an
> access control policy for which connecting users are allowed to redirect
> through which local IP.
>
> i.e. we can't enforce that only user1 can local redirect through
> 10.8.0.12. which would allow anyone with system access to redirect
> through 10.8.0.12.
>
> I've downloaded and locally modified openssh-4.7p1 to include a new
> module that will allow this decision to be made (reads a custom
> configuration file that answers the question: can $user redirect through
> $hostname). But I can't figure out the exact place to insert it in the
> OpenSSH source code.
>
> Could someone point me to the source file and line that is responsible
> for the server side initialization of a client local forward?

I've long forgotten how I did it, but when I was at Barracuda Networks I did just this while working on this work:

http://wilbur.25thandclement.com/~william/projects/streamlocal.html

I forgot why I didn't release the other work. But, I added a feature to execute a program which transformed port forward requests on the server side; if the script exited with non-zero the request was denied. It had the configuration work and everything.

You can try querying denis at barracuda.com and he might be able to give you the patch (diff against the vendor tree and the production/development tree), or bits of it to get you started.

IIRC, it was non-trivial, like the stream local patch. You can't easily just "drop in" a feature into the OpenSSH code (i.e. add a function somewhere which plugs in a complex branch of logic), because the codebase is rather brittle at this point.

Good luck.
Peter Stuge
2007-Sep-27 17:43 UTC
Q: how to restrict access selectively to client initiated local port forward
On Thu, Sep 27, 2007 at 01:14:32PM -0400, Michael O'Cleirigh wrote:
> The important thing for us is a unique IP per client. We have this
> implemented where each client first authenticates through OpenVPN
> and is assigned a unique IP address.
>
> But some of our users can't get their corporate firewall changed to
> allow the tunnel to be established. So we've come up with a way
> that they can use ssh local port forwarding to accomplish the same
> thing.

Then you should run OpenVPN over TCP on port 22 or whatever you're using for SSH that can be reached from clients, on another public IP address, and be done.

> However as far as I can tell there is no way in OpenSSH to define
> an access control policy for which connecting users are allowed to
> redirect through which local IP.

Right, because there's no way for OpenSSH to implement it anyway.

> answers the question: can $user redirect through $hostname)

Does the socket API keep track of socket owners?


//Peter