M Rubon
2020-Feb-13 15:59 UTC
Identify multiple users doing reverse port FWD with their pubkeys
Clément Péron wrote:
> I would like to know which pubkey has open which reverse port.

Some of the things which have been mentioned will only work if your remote client runs a command/shell on the server. Specifically, setting a per-key environment variable does not work if you are only doing a remote port forward. Similarly, the $SSH_CLIENT and/or $SSH_CONNECTION environment variables are only available when the client runs a command or shell on the server. These environment variables are unfortunately not set for other SSH processes related to your connections, for instance while running the AuthorizedKeysCommand or in the process which does the port forwarding.

Your options for IDing the remote client are:

(1) The PPID of the process handling the AuthorizedKeysCommand is also the PPID of the process doing the reverse port forwarding. You can record the ID during authorization and then figure out which reverse tunnel corresponds to that.

(2) If your reverse tunnel connects to the client machine's SSH server, then on your server you can use the openssh command ssh-keyscan -p PORT 127.0.0.1 to identify the host key of the client machine (note that this is not the default key the client will use to connect to your server).

(3) If you have control of the client, you set the client to run a command, and then intercept that on your server to record the details. If your client does not run a command, I don't think you can force this on the server side. (I am not so happy with the security of running a command when it is not needed, but others may be happy with this.)

These are not particularly clean or easy, but might work for your needs.

It would be nice if $SSH_CLIENT and/or $SSH_CONNECTION were set when AuthorizedKeysCommand was run and were also set in the process which does the port forwarding. It would also be nice if the per-key environment variable was set in the process which does the port forwarding, which would allow you to tag it.

Mike
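As an added example that is not part of the thread and not OpenSSH's own code, the following shell script implements option (1) end to end: an AuthorizedKeysCommand wrapper records the PID of the per-connection sshd together with the offered key's fingerprint, and a reconciliation function later walks the listening sockets, maps each sshd-owned socket's PID to its parent and looks that parent up in the log. It also wraps the ssh-keyscan check from option (2). The sshd_config lines, the script and log paths, the per-user key file layout, the log format, and the use of ss and ps output are all this example's assumptions; the sample ss, ps and log data in the usage below are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: tie a reverse-forwarded port back to the
# public key that opened it, using the PPID relationship from option (1).
#
# Part A runs as the AuthorizedKeysCommand. sshd forks it from the privileged
# per-connection sshd, so $PPID inside it is that sshd's PID. After auth the
# same privileged sshd is the parent of the unprivileged child that owns the
# -R listening socket, so the two can be joined on that PID later.
#
# Assumed sshd_config (paths and the %u %f argument order are this example's):
#   AuthorizedKeysCommand /usr/local/sbin/keylog.sh %u %f
#   AuthorizedKeysCommandUser keylog

KEYLOG=${KEYLOG:-/var/log/sshd-keys.log}   # assumed log location

# record_key USER FINGERPRINT SSHD_PID LOGFILE
# One line per key sshd asks about. sshd consults the command once per key the
# client offers, so a client offering several keys produces several lines.
record_key() {
    printf '%s sshd_pid=%s user=%s fp=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$3" "$1" "$2" >> "$4"
}

# authorized_keys_command USER FINGERPRINT
# What sshd actually runs: log, then emit the keys sshd should accept. The
# per-user key file under /etc/ssh/authorized_keys/ is an assumed layout.
authorized_keys_command() {
    record_key "$1" "$2" "$PPID" "$KEYLOG"
    cat "/etc/ssh/authorized_keys/$1" 2>/dev/null
}

# Part B: reconcile. Run as root (ss -p shows other users' processes only to root):
#   ss -H -tlnp > /tmp/ss.out; ps -eo pid=,ppid= > /tmp/ps.out
#   map_ports /tmp/ss.out /tmp/ps.out "$KEYLOG"
#
# map_ports SS_FILE PS_FILE LOGFILE
# For every listening socket owned by an sshd process: take the owning PID,
# look up its parent in the ps table, and print the last fingerprint logged
# for that parent. Output: "PORT PID FINGERPRINT" (FINGERPRINT is "unknown"
# when the log has no entry, e.g. the forward belongs to a password login).
map_ports() {
    while read -r _state _rq _sq laddr _peer proc; do
        case "$proc" in *'"sshd"'*) ;; *) continue ;; esac
        port=${laddr##*:}                       # works for 1.2.3.4:P, [::1]:P, *:P
        pid=$(printf '%s\n' "$proc" | sed -n 's/.*pid=\([0-9][0-9]*\).*/\1/p')
        ppid=$(awk -v p="$pid" '$1 == p { print $2 }' "$2")
        fp=$(awk -v p="sshd_pid=$ppid" \
                 '$2 == p { sub(/^fp=/, "", $4); fp = $4 } END { print fp }' "$3")
        printf '%s %s %s\n' "$port" "$pid" "${fp:-unknown}"
    done < "$1"
}

# Option (2) for comparison: if the forwarded port leads back to the client's
# own sshd, its host key fingerprint identifies the machine (not the user key).
host_key_fingerprint() {   # host_key_fingerprint PORT
    ssh-keyscan -p "$1" 127.0.0.1 2>/dev/null | ssh-keygen -lf /dev/stdin
}
```

Two caveats a practitioner should keep in mind. First, AuthorizedKeysCommand is consulted for every key the client offers, not only the one that succeeds; map_ports takes the last entry for the connection, which is normally the accepted key because the client stops offering keys after success, but for certainty cross-check the fingerprint against sshd's own "Accepted publickey" log line for the same PID. Second, the PID join only works while the connection is alive; once the per-connection sshd exits, the PID can be reused, so reconcile promptly or log the result.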
Clément Péron
2020-Feb-13 17:37 UTC
Identify multiple users doing reverse port FWD with their pubkeys
Hi Mike

On Thu, 13 Feb 2020 at 17:02, M Rubon <rubonmtz at gmail.com> wrote:
>
> Clément Péron wrote:
> > I would like to know which pubkey has open which reverse port.
>
> Some of the things which have been mentioned will only work if your
> remote client runs a command/shell on the server. Specifically
> setting a per-key environment variable does not work if you are only
> doing a remote port forward. Similarly the environment variables
> $SSH_CLIENT and/or $SSH_CONNECTION environment variables are only
> available when the client runs a command or shell on the server.
> These environment variables are unfortunately not set for other SSH
> processes related to your connections, for instance while running the
> AuthorizedKeysCommand or in the process which does the port
> forwarding.
>
> Your options for IDing the remote client are:
>
> (1) the PPID of the process handling the AuthorizedKeysCommand is also
> the PPID of the process doing the reverse port forwarding. You can
> record the ID during authorization and then figure out which reverse
> tunnel corresponds to that.
>
> (2) If your reverse tunnel connects to the client machine's SSH
> server, then on your server you can use the openssh command
> ssh-keyscan -p PORT 127.0.0.1 to identify the host key of the
> client machine (note that this is not the default key the client will
> use to connect to your server).

This is something that I didn't think about and totally makes sense in my case. I will go for that, thanks!

> (3) If you have control of the client, you set the client to run a
> command, and then intercept that on your server to record the details.
> If your client does not run a command, I don't think you can force
> this on the server side. (I am not so happy with the security of
> running a command when it is not needed, but others may be happy with
> this).
>
> These are not particularly clean or easy, but might work for your needs.

Thanks a lot, your explanations are really helpful!

Clement

> It would be nice if $SSH_CLIENT and/or $SSH_CONNECTION were set when
> AuthorizedKeysCommand was run and were also set in the process which
> does the port forwarding. It would also be nice if the per-key
> environment variable was set in the process which does the port
> forwarding, which would allow you to tag it.
>
> Mike
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev