Clément Péron
2020-Feb-11 18:07 UTC
Identify multiple users doing reverse port FWD with their pubkeys
Hello,

I hope it's the correct ML to get support for "advanced" ssh use (sorry if it's not the case), and I would be very grateful if someone could help me on this issue.

Here is my challenge:
- I have X devices (around 30) and one SSH server
- Each of them has a unique public key and creates one dynamic reverse port forwarding on the server
- All of them connect with the same UNIX user (I don't want to create a new user each time I add a new device)

When I connect to the server, I would like to know which pubkey has opened which reverse port.

I would like to know which is the proper / easiest way to achieve this?

Thanks for your help,
Clement
Jochen Bern
2020-Feb-11 23:03 UTC
Identify multiple users doing reverse port FWD with their pubkeys
On 02/11/2020 07:07 PM, Clément Péron wrote:
> - I have X devices (around 30) and one SSH server
> - Each of them have a unique public key and create one dynamic reverse
> port forwarding on the server
> - All of them connect with the same UNIX user (I don't want to create
> a new user each time, I add a new device)
>
> When I connect to the server, I would like to know which pubkey as
> open which reverse port.

The auth happens when the device opens the SSH connection, and if your logging verbosity is high enough, the pubkey's fingerprint will be written to the log. If you really need to identify *the pubkey*, you'll have to grab the PID of the sshd process holding the reverse port (can be gleaned from the output of "{netstat,ss} -natp") and then search through the logs for the lines of when it got started.

Whereas the *IP* of the device in question can be read on demand from the same netstat/ss output, just look for the incoming SSH connection held by the same PID ...

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
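The correlation described above (reverse-forward listener -> sshd PID -> the device's incoming connection -> "Accepted publickey" log line with the key fingerprint), as an added example that is not part of the thread. The `ss -natp` output and the sshd log lines are constructed samples; the code assumes it is run by an administrator who can read both, and that the sshd child holding the listener also holds the device's TCP connection, as the message above says.

```python
import re

# Constructed `ss -natp` sample (not a real host). Port 22 is the daemon's own
# listener; 40001/40002 are reverse forwards held by per-connection sshd children.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port    Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*            users:(("sshd",pid=900,fd=3))
LISTEN 0      128    127.0.0.1:40001    0.0.0.0:*            users:(("sshd",pid=4101,fd=9))
LISTEN 0      128    127.0.0.1:40002    0.0.0.0:*            users:(("sshd",pid=4207,fd=9))
ESTAB  0      0      192.0.2.10:22      198.51.100.7:51234   users:(("sshd",pid=4101,fd=4),("sshd",pid=4100,fd=4))
ESTAB  0      0      192.0.2.10:22      203.0.113.9:60012    users:(("sshd",pid=4207,fd=4),("sshd",pid=4206,fd=4))
"""

# Constructed sshd log lines; at LogLevel INFO sshd records the key fingerprint.
AUTH_LOG = """\
Feb 11 18:01:02 srv sshd[4100]: Accepted publickey for devices from 198.51.100.7 port 51234 ssh2: ED25519 SHA256:ConstructedFingerprintDevice01
Feb 11 18:01:09 srv sshd[4206]: Accepted publickey for devices from 203.0.113.9 port 60012 ssh2: ED25519 SHA256:ConstructedFingerprintDevice02
"""

SS_LINE = re.compile(r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+users:\((?P<procs>.*)\)\s*$")
PID_RE = re.compile(r"pid=(\d+)")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted publickey for \S+ from (?P<ip>\S+) port (?P<port>\d+) ssh2: \S+ (?P<fp>SHA256:\S+)")


def parse_ss(text):
    """Return (state, local, peer, set_of_pids) for every socket row; the header is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        m = SS_LINE.match(line)
        if m:
            rows.append((m["state"], m["local"], m["peer"], {int(p) for p in PID_RE.findall(m["procs"])}))
    return rows


def map_ports_to_keys(ss_text, log_text):
    """Map each reverse-forwarded port to (device IP, key fingerprint or None if no log line matched)."""
    rows = parse_ss(ss_text)
    accepted = {(m["ip"], m["port"]): m["fp"] for m in ACCEPT_RE.finditer(log_text)}
    result = {}
    for state, local, _peer, pids in rows:
        if state != "LISTEN":
            continue
        port = int(local.rsplit(":", 1)[1])
        # The ESTAB row sharing a PID with the listener is the device's own SSH connection;
        # its peer IP:port is what the "Accepted publickey ... from IP port N" log line names.
        for st2, _loc2, peer2, pids2 in rows:
            if st2 == "ESTAB" and pids & pids2:
                ip, cport = peer2.rsplit(":", 1)
                result[port] = (ip, accepted.get((ip, cport)))
                break  # listeners with no client connection (the daemon's :22) are skipped
    return result


if __name__ == "__main__":
    for port, (ip, fp) in sorted(map_ports_to_keys(SS_OUTPUT, AUTH_LOG).items()):
        print(f"reverse port {port} <- device {ip} key {fp}")
```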
Philipp Marek
2020-Feb-12 07:46 UTC
Identify multiple users doing reverse port FWD with their pubkeys
>> When I connect to the server, I would like to know which pubkey as
>> open which reverse port.

See the man page of authorized_keys, and specifically the "environment" there:

    environment="ID=user1" ssh-rsa ...

Also I guess you'd use "command=", and perhaps "restrict" or so.

> The auth happens when the device opens the SSH connection, and if your
> logging verbosity is high enough, the pubkey's fingerprint will be
> written to the log. If you really need to identify *the pubkey*, you'll
> have to grab the PID of the sshd process holding the reverse port (can
> be gleaned from the output of "{netstat,ss} -natp") and then search
> through the logs for the lines of when it got started.

An unprivileged user can't see filehandles of other users. And grepping through logs isn't allowed for normal users as well - especially not the authentication logs...

> Whereas the *IP* of the device in question can be read on demand from
> the same netstat/ss output, just look for the incoming SSH connection
> held by the same PID ...

No. Just no. ;)

Look at $SSH_CLIENT and/or $SSH_CONNECTION for that kind of information.
Clément Péron
2020-Feb-12 11:00 UTC
Identify multiple users doing reverse port FWD with their pubkeys
Hi Jochen,

On Wed, 12 Feb 2020 at 00:16, Jochen Bern <Jochen.Bern at binect.de> wrote:
>
> On 02/11/2020 07:07 PM, Clément Péron wrote:
> > - I have X devices (around 30) and one SSH server
> > - Each of them have a unique public key and create one dynamic reverse
> > port forwarding on the server
> > - All of them connect with the same UNIX user (I don't want to create
> > a new user each time, I add a new device)
> >
> > When I connect to the server, I would like to know which pubkey as
> > open which reverse port.
>
> The auth happens when the device opens the SSH connection, and if your
> logging verbosity is high enough, the pubkey's fingerprint will be
> written to the log. If you really need to identify *the pubkey*, you'll
> have to grab the PID of the sshd process holding the reverse port (can
> be gleaned from the output of "{netstat,ss} -natp") and then search
> through the logs for the lines of when it got started.

Thanks for the solution. Indeed it will work, but it's not really proper. I would like to find a way like having a different parameter for each pubkey in the authorized key file and then be able to identify which device established the connection.

For example, I tried to set an environment variable for each pubkey in the authorized file but can't get it when doing reverse forwarding. Then I tried to have a different permitlisten port, but it doesn't work with dynamic port :(.

Can I create a tunnel for each device or execute a specific command to identify a posteriori which device created the reverse forwarding port?

Thanks,
Clement

> Whereas the *IP* of the device in question can be read on demand from
> the same netstat/ss output, just look for the incoming SSH connection
> held by the same PID ...
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH