openssh unix dev - Jun 2014 - Reverse tunnel security settings

I have a number of connections coming in to my host to create a reverse tunnel

from machine 1: ssh -R:19991:192.168.250.251:80 user1 at host.org -N -f
from machine 2: ssh -R:19992:192.168.250.251:80 user2 at host.org -N -f
from machine 3: ssh -R:19993:192.168.250.251:80 user3 at host.org -N -f


You can see that each user has a specific port that they should use.

I would either like to dynamically set the correct port on my host (I
know what they should be), or if I cannot I would like to restrict the
connections so that the users can only open the tunnel on the ports
that I have specified.

I have not found anything in the configuration settings to restrict
the ports that can be selected by an inbound connection.  When a
dynamic port (0) is used, this appears to just pick the next available
port.

I have experimentally patched serverloop.c to ignore the user
specified port and used one based on the uid but wonder:
a) Is there a good way to achieve this without patching openssh
b) If the best way is to continue with the patch perhaps we can
discuss options for what the patch should look like as I would prefer
to submit to the project rather than maintain my own branch.  I would
suggest either calling out to an external program that returns the
port (this may be considered to be a security problem), or some other
mapping from users to the port (range?) they can choose

On 2014-06-17, James Berry <james at coppermoth.com>
wrote:
> I have a number of connections coming in to my host to create a reverse
tunnel
>
> from machine 1: ssh -R:19991:192.168.250.251:80 user1 at host.org -N -f
> from machine 2: ssh -R:19992:192.168.250.251:80 user2 at host.org -N -f
> from machine 3: ssh -R:19993:192.168.250.251:80 user3 at host.org -N -f
>
>
> You can see that each user has a specific port that they should use.
>
> I would either like to dynamically set the correct port on my host (I
> know what they should be), or if I cannot I would like to restrict the
> connections so that the users can only open the tunnel on the ports
> that I have specified.
>
> I have not found anything in the configuration settings to restrict
> the ports that can be selected by an inbound connection.  When a
> dynamic port (0) is used, this appears to just pick the next available
> port.
>
> I have experimentally patched serverloop.c to ignore the user
> specified port and used one based on the uid but wonder:
> a) Is there a good way to achieve this without patching openssh
Restricting port numbers could be done with a firewall that permits uid
specifications.

PF can do this, though I'm not quite sure if doing this from a firewall
counts as a "good way" and, given the controls already available on
local forwarding, it does seem like something that it would be
reasonable to implement internally in ssh.
> b) If the best way is to continue with the patch perhaps we can
> discuss options for what the patch should look like as I would prefer
> to submit to the project rather than maintain my own branch.  I would
> suggest either calling out to an external program that returns the
> port (this may be considered to be a security problem), or some other
> mapping from users to the port (range?) they can choose
For restrictions, it feels to me like this should probably be handled in
a similar way to permitopen as done for local forwarding - i.e.
config parameter (which can be used in a Match block per-user) and
authorized_keys option (which can call out to an external program via
AuthorizedKeysCommand if wanted).

Then for the other part of what you're looking for, dynamic port
allocation on the server just needs to take account of the port
restrictions - in that case, the client could set port 0, server
picks an allowed port and uses it, and the client doesn't have to
worry about choosing it itself.