Displaying 6 results from an estimated 6 matches for "sshfwd".
2023 Nov 12
1
Match Principal enhancement
Hi OpenSSH devs,
I'm wondering if the following has any merit and can be done securely ...
If you could match on principals in the sshd_config, then (for example) on a gateway machine, you could have something like
/etc/ssh/authorized_keys/sshfwd:
cert-authority,principals="batcha-fwd,batchb-fwd" ...
/etc/ssh/sshd_config containing:
Match User sshfwd
PubkeyAuthentication yes
PasswordAuthentication no
GatewayPorts no
AllowTcpForwarding yes
HostbasedAuthentication...
2023 Nov 12
1
Match Principal enhancement
...Bret Giddings wrote:
> Hi OpenSSH devs,
>
> I'm wondering if the following has any merit and can be done securely ...
>
> If you could match on principals in the sshd_config, then (for example) on a gateway machine, you could have something like
>
> /etc/ssh/authorized_keys/sshfwd:
>
> cert-authority,principals="batcha-fwd,batchb-fwd" ...
>
> /etc/ssh/sshd_config containing:
>
> Match User sshfwd
> PubkeyAuthentication yes
> PasswordAuthentication no
> GatewayPorts no
> AllowTcpForwarding...
2001 Aug 08
0
sshfwd hosts.allow syntax
Is there a new syntax, or procedure for handling specific port
forwarding through tcp wrappers (as is done with the ssh.com version)?
It looks like someone had a patch back in october, but the source code
has changed a lot since then and I'm not sure how to incorporate it.
Any help is appreciated.
2002 May 07
0
tunnel connection like a service with cygwin or other products?
...steps I took were (on the client):
# ssh-keygen -t rsa -f /.ssh/id_rsa
Generating public/private rsa key pair.
[set a null password]
# scp /.ssh/id_rsa.pub dtucker@192.168.1.1:.ssh/authorized_keys
Password:
# ssh 192.168.1.1 echo passwordless auth works
passwordless auth works
# cygrunsrv -I SSHFWD -p /usr/bin/ssh -a "-L 3128:192.168.1.1:3128 -v -N
-l dtucker 192.168.1.1"
# net start SSHFWD
# netstat -an | grep 3128
TCP 127.0.0.1:3128 0.0.0.0:0 LISTENING
# telnet 127.0.0.1 3128
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'....
2000 Oct 07
2
[PATCH]: Add tcp_wrappers protection to port forwarding
...g by default. This means that only
the local host can access forwarded ports. Adding "GatewayPorts yes" to
.ssh/config usually does this job.
Unfortunately, OpenSSH does not recognize the same hosts.allow/
hosts.deny options as ssh.com's sshd client, i.e., it doesn't recognize
the sshfwd settings in hosts.allow.
So adding "GatewayPorts" opens up all forwarded ports to outside
inspection not considering using a firewall.
The patch uses basically the same method as ssh.com. A lookup is made
in hosts.allow/hosts.deny on sshfwd-<port number> (not port name --
this is...
2007 Mar 21
1
[RFC]: OpenSSH vpn lists
...6:localhost:1433 &
i=$(( $i + 1 ))
done
The obvious problem here: We have some weird script bringing up 100 ssh
clients with 100 connections. What if we could tell ssh to load a file
and do it, where the file contained something like:
# Set default authentication
default auth=privkey:/home/sshfwd/.ssh/id_rsa user=sshfwd
# listen (-L; listen-dynamic is -D)
# nmap syntax for addresses (i.e. 192.168.1-20.35-123)
# MySQL servers
listen bind=10.10.10.20 listen-address=192.168.30.50-100 \
listen-port=3306 forward-address=localhost forward-port=3306
# MS SQL 2000 and 2005 servers
listen bind=10....