Hello, I'm trying to create compatibility with an automated system that I do not have control over and cannot change. The system was built to connect to individual embedded linux machines that create reverse tunnels back to a server.

These tunnels take the form:

/bin/ssh -i /home/remote/.ssh/id_rsa -Nnx2TR 22000:127.0.0.1:22 robot at externalhost
/bin/ssh -i /home/remote/.ssh/id_rsa -Nnx2TR 22001:127.0.0.1:22 robot at externalhost
/bin/ssh -i /home/remote/.ssh/id_rsa -Nnx2TR 22002:127.0.0.1:22 robot at externalhost
/bin/ssh -i /home/remote/.ssh/id_rsa -Nnx2TR 22003:127.0.0.1:22 robot at externalhost

The bot then SCP copies from the home directory:

scp -i id_rsa -P 22000 remote at localhost:file.tar.gz

The major issue is that the port is the identifying metric for the home folder of the remote user. Each tunnel should have a different folder because each folder represents a different physical location. The system was set up with individual machines in mind.

Instead of SCP pulling from /home/remote, it should pull from /home/remote22000, /home/remote22001, etc. based on the port number of the reverse tunnel.

I'm not sure if there's any way to get sshd to solve this problem currently. I'm open to all suggestions. I have spent a lot of time reading man pages for openssh and nothing I have tried has worked so far.

I found this post to the mailing list:
http://www.gossamer-threads.com/lists/openssh/dev/52909

If I made each tunnel listen on a different port then I could use that to chroot each port to a different directory. I don't know if this is the best approach.

I can't get the patch to work on a current version of openssh, so if that's the best solution I would need some help with that.

Thanks
Darren Tucker
2014-Jan-24 09:22 UTC
Change initial directory based on port of reverse tunnel?
On Fri, Jan 24, 2014 at 7:20 PM, John <givemefive at gmail.com> wrote:
> I'm trying to create compatibility with an automated system that I do
> not have control over and cannot change.

I'm having trouble visualising the picture here.

> The system was built to
> connect to individual embedded linux machines that create reverse
> tunnels back to a server.
>
> These tunnels take the form:
> /bin/ssh -i /home/remote/.ssh/id_rsa -Nnx2TR 22000:127.0.0.1:22
> robot at externalhost
> /bin/ssh -i /home/remote/.ssh/id_rsa -Nnx2TR 22001:127.0.0.1:22
> robot at externalhost
> /bin/ssh -i /home/remote/.ssh/id_rsa -Nnx2TR 22002:127.0.0.1:22
> robot at externalhost
> /bin/ssh -i /home/remote/.ssh/id_rsa -Nnx2TR 22003:127.0.0.1:22
> robot at externalhost

ok, so far this sounds like you have some devices out in the field which may be behind stateful firewalls, NAT or dynamic addresses and a server on a fixed address and you want to be able to connect back to these devices in the field. remotedevice ssh'es into externalhost and presumably keeps the connections up. when you want to connect to a device you get onto externalhost and ssh to localhost on whatever port corresponds to that device. so far so good.

> The bot then SCP copies from the home directory:
> scp -i id_rsa -P 22000 remote at localhost:file.tar.gz

This is where I'm not sure I follow you. This is initiated by remotedevice or by externalhost? If it's initiated by externalhost, then I would think you could change whatever initiates it on externalhost.

The only way I can see this working is if it's initiated by remotedevice to be run on externalhost via ssh, which is much more complicated than necessary, ie you'd see these commands on externaldevice:

externaldevice$ ssh -i /home/remote/.ssh/id_rsa -Nnx2TR \
    22000:127.0.0.1:22 robot at externalhost
externaldevice$ ssh robot at externalhost scp -i id_rsa -P 22000 \
    file.tar.gz remote at localhost:file.tar.gz

instead of the simpler:

externaldevice$ ssh scp -i id_rsa remote at localhost:file.tar.gz file.tar.gz

am I following correctly?

> The major issue is that the Port is the identifying metric for the
> home folder of the remote user.

the id_rsa keys and usernames are all identical?

> Each tunnel should have a different
> folder because each folder represents a different physical location.
> The system was setup with individual machines in mind.
>
> Instead of SCP pulling from /home/remote, it should pull from
> /home/remote22000, /home/remote22001, etc based on the port number of
> the reverse tunnel.'
>
> I'm not sure if there's anyway to get sshd to solve this problem
> currently. I'm open to all suggestions. I have spent a lot of time
> reading man pages for openssh and nothing I have tried has worked so
> far.
>
> I found this post to the mailing list:
> http://www.gossamer-threads.com/lists/openssh/dev/52909
>
> If I made each tunnel listen on a different port then I could use that
> to chroot each port to a different directory. I don't know if this is
> the best approach.
>
> I can't get the patch to work on a current version of openssh so if
> that's the best solution I would need some help with that.

That patch is already in the current version of OpenSSH. If I'm following you then it's not going to help, though (it's about making decisions in sshd based on which port the connection is made on, however in your scenario you're actually connecting to ssh on externalhost, not sshd).
-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
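For reference, the sshd-side mechanism Darren is pointing at is the "Match LocalPort" criterion in sshd_config (the feature the linked patch became; it is present in OpenSSH 6.5 and later). The fragment below is an added illustration, not configuration from the thread or from the OpenSSH project. It assumes sshd on externalhost itself listens on 22000 and 22001 and that /home/remote22000 and /home/remote22001 exist, are owned by root and are not group- or world-writable, which ChrootDirectory requires:

```conf
# Added example, not from the original thread. Port numbers and the
# /home/remoteNNNNN directories are the ones the question uses; that they
# are root-owned, non-writable chroot roots is an assumption made here.

# sshd must itself accept connections on every port a Match block names.
Port 22
Port 22000
Port 22001

# Criteria on one Match line are ANDed: this block applies only to user
# "remote" arriving on the listener bound to port 22000.
Match LocalPort 22000 User remote
    ChrootDirectory /home/remote22000

Match LocalPort 22001 User remote
    ChrootDirectory /home/remote22001

# Directives after the last Match still belong to it; put global settings
# above the first Match line.
```

Two caveats follow from the thread and from how ChrootDirectory works. First, as Darren notes, this only changes behaviour for sessions that terminate at sshd on externalhost; in the setup described, port 22000 on externalhost is a forwarded listener created by the device's own ssh client, so the scp session ends at the device's sshd, and a Match on externalhost never sees it. Second, a chrooted scp session needs a shell and an scp binary (plus their shared libraries) inside the chroot, because sshd executes them there; the usual way to avoid populating each chroot is ForceCommand internal-sftp, but that only works if the client speaks SFTP (scp -s, or OpenSSH 9.0 and later, where SFTP is scp's default transport). After the chroot, sshd tries to change into the user's home directory relative to the chroot root; if that path does not exist, the session starts at the chroot root and the scp path in the question resolves there.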