bulk88
2008-Feb-27 00:41 UTC
remote/reverse port forward, ssh client setting source IPs to what ssh server reports
Note: most but not all of this message is about OpenSSH.

When I do a remote forward (port on server listens for incoming traffic, traffic gets forwarded to port that is listening on client), the source IPs of all the incoming connections in the server app on the client machine are 127.0.0.1/localhost. Using "-v", I can see that sshd passes the IP addresses of what computers connected to the sshd's port that forwards to the client. The client does not use/set the originating information when connecting.

RFC 4254 requires the server send the originating IP across the wire to the client, so I believe all ssh servers will send this across the wire.

-------------------------------------------------------------------------------------------------------------------------
7.2. TCP/IP Forwarding Channels

When a connection comes to a port for which remote forwarding has been requested, a channel is opened to forward the port to the other side.

      byte      SSH_MSG_CHANNEL_OPEN
      string    "forwarded-tcpip"
      uint32    sender channel
      uint32    initial window size
      uint32    maximum packet size
      string    address that was connected
      uint32    port that was connected
  ###string    originator IP address###########################################
      uint32    originator port

The 'originator IP address' is the numeric IP address of the machine from where the connection request originates, and the 'originator port' is the port on the host from where the connection originated.
--------------------------------------------------------------------------------------------------------------------------

From -v of ssh, proof that the ssh client does know the originator IP and port, but the server app on the computer with the ssh client will never see this:

--------------------------------------------------------------------------------------------------------------------------
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 6 win 131072 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 80, originator 81.910.872.450 port 50454
debug1: channel 7: new [81.910.872.450]
debug1: confirm forwarded-tcpip
debug1: channel 7: connected
debug1: channel 7: free: 81.910.872.450, nchannels 11
--------------------------------------------------------------------------------------------------------------------------

The fact that all incoming connections to the server app running on the client are 127.0.0.1/localhost causes severe problems. Any security scheme relying on looking at the IPs of the incoming connections to the server app is now useless. For example, if the server app is a webserver, it can't record the IPs of customers who buy something in an online store.

My question is, are there any ssh clients, FOSS or commercial, that will set the source IP addresses to what the ssh server reports? Either through being a VPN, emulating a NIC/network interface, or playing with raw sockets/socket options, or something else?

For OpenSSH this is a feature request. I also dug around in the source of OpenSSH; the "connect_to" function in channels.c is what I think creates the connection on the ssh client to the destination in a remote forward. It uses Berkeley Sockets.

Perhaps there should be an option to use raw sockets and spoof the source IP to what the ssh server passed to the ssh client, or set "ip_nonlocal_bind" with sysctl on Linux, or do whatever it takes to have an arbitrary IP address bind with a particular OS (not portable, I know), and then do a bind with the source IP from the ssh server on the socket before doing the connect to the server app on the OpenSSH client. Then the OpenSSH client will be reporting the correct source IP to the server app.

Note, adding the feature to "connect_to" would also require editing the "channel_connect_by_listen_address" function in channels.c and the "client_request_forwarded_tcpip" function in clientloop.c to forward the originating IP, I think. I am not an expert at programming or C or POSIX OSes, so my implementation theories and analysis might be faulty.
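As an added illustration (not code from the thread or from OpenSSH), a small Python encoder/decoder for the "forwarded-tcpip" channel-open message quoted above from RFC 4254 section 7.2. It shows that the originator address and port do travel across the wire in that message, using the channel, window, listener and originator values from the -v output as a constructed sample; the 81.910.872.450 address is the thread's own anonymised one, not a real host.

```python
import struct

SSH_MSG_CHANNEL_OPEN = 90  # message number for SSH_MSG_CHANNEL_OPEN (RFC 4254)

def _string(b: bytes) -> bytes:
    # SSH "string": uint32 big-endian length followed by the raw bytes
    return struct.pack(">I", len(b)) + b

def build_forwarded_tcpip(sender_chan, window, max_pkt, addr, port, orig_ip, orig_port):
    """Encode a 'forwarded-tcpip' SSH_MSG_CHANNEL_OPEN in the RFC 4254 7.2 field order."""
    return (bytes([SSH_MSG_CHANNEL_OPEN])
            + _string(b"forwarded-tcpip")
            + struct.pack(">III", sender_chan, window, max_pkt)
            + _string(addr.encode()) + struct.pack(">I", port)
            + _string(orig_ip.encode()) + struct.pack(">I", orig_port))

def parse_forwarded_tcpip(msg: bytes) -> dict:
    """Decode the message and return its fields; raise ValueError on anything malformed."""
    pos = 0
    def uint32():
        nonlocal pos
        if pos + 4 > len(msg):
            raise ValueError("truncated uint32")
        val = struct.unpack_from(">I", msg, pos)[0]
        pos += 4
        return val
    def string():
        nonlocal pos
        n = uint32()
        if pos + n > len(msg):
            raise ValueError("truncated string")
        val = msg[pos:pos + n]
        pos += n
        return val
    if not msg or msg[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not an SSH_MSG_CHANNEL_OPEN message")
    pos = 1
    ctype = string()
    if ctype != b"forwarded-tcpip":
        raise ValueError("unexpected channel type %r" % ctype)
    fields = {"sender_channel": uint32(), "window": uint32(), "max_packet": uint32()}
    fields["address"] = string().decode()        # sshd listener that accepted the connection
    fields["port"] = uint32()
    fields["originator_ip"] = string().decode()  # peer address as seen by sshd, not by the local app
    fields["originator_port"] = uint32()
    if pos != len(msg):
        raise ValueError("trailing bytes after message")
    return fields

# Constructed sample mirroring the -v output in the thread (anonymised IP taken from the post).
SAMPLE_MSG = build_forwarded_tcpip(6, 131072, 32768, "localhost", 80, "81.910.872.450", 50454)
```

The parsed originator fields are exactly what the client has in hand when it opens its loopback connection to the local server app, which is why that app only ever sees 127.0.0.1.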
William Ahern
2008-Feb-27 02:46 UTC
remote/reverse port forward, ssh client setting source IPs to what ssh server reports
On Tue, Feb 26, 2008 at 07:41:18PM -0500, bulk88 wrote:
> Note: most but not all of this message is about OpenSSH
>
> When I do a remote forward (port on server listens for incoming
> traffic, traffic gets forwarded to port that is listening on client),
> the source IPs of all the incoming connections in the server app on
> the client machine are 127.0.0.1/localhost. Using "-v", I can see that
> sshd passes the IP addresses of what computers connected to the sshd's
> port that forwards to the client. The client does not use/set the
> originating information when connect.

<snip>

> clientloop.c to forward the originating IP I think. I am not an expert
> at programming or C or posix OSes so my implementation theories and
> analysis might be faulty.

So, you're worried about a user who has a shell (or at least a local account w/ forwarding privileges) accessing services as a local user, but not so much about letting such users spoof other arbitrary IP addresses?

Moreover, in order to use raw sockets, or use any of the other tricks (which may or may not be available), the process must have root privileges. But, in OpenSSH these forwards are done from a process with the UID of the user.

OpenSSH does support TUN/TAP (emulated network device). But this isn't something you normally allow arbitrary users to manipulate. And, in any event, it requires root permissions.

On the other hand, on OpenBSD you can define packet filter rules based on the UID of the connecting process. PF has been ported to various systems, but I'm not sure if this ability works elsewhere.