Re: Fixing UID; port forwarding via process

On Saturday 23 May 2009 05:10:40 Alex Bligh wrote:
Two related sshd configuration questions.

I want to implement sshd so that it allows port forwarding but in a rather
specific manner. I can't alter what the client will do for various reasons,
but it's in essence:

ssh -l user-service -L 9999:server2.example.com:1234 server1.example.com

What the sshd server needs to do is:

1. Authenticate the username passed (in the former "user-service") against
an external authentication database. I am hoping I can do this using (say)
a PAM module. Whatever the username specified, the UNIX UID required on the
server will be the same. As the username is in fact a composite of a username
and a service name, the usernames provided cannot correspond to actual UNIX
usernames. Is it possible to write a PAM module for sshd that works this
way, and if so how can I force logins to a specific UID?

2. Rather than sshd opening up TCP connection to forward the connection (in
the above instance to server2.example.com:1234), I need sshd to launch a
process (in a similar way to inetd) and pipe the connection to that,
irrespective of what the user has specified on the ssh command line. It
needs to pass the username specified ("user-service", not the UID which
will always be the same) and preferably the "server2.example.com:1234" to
this process, either on the process's command line or in the environment.
Essentially what the process will be doing is an "nc" but dependent on the
"user-service" tuple passed and subject to some protocol translation. How
can I achieve this?

Something useful will be iptables. iptables can redirect your connection to
127.0.0.1:x when you have your local program listening.

This can be done with iptables, --uid-owner policy, and REDIRECT. (I think).

-j REDIRECT in combination with uid-owner will redirect all the connections
created from your special users to your local service.


If the answer is "go hack about in openssh sources" that is a possibility
(though I'd rather not). Some indication of where to look would be useful.
--
Ing. Aaron G. Mizrachi P.

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1
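A worked version of the iptables approach suggested in the reply, added here as an example and not code from either poster. It assumes the shared UNIX account that all "user-service" logins map to is UID 1500 and that the local relay listens on 127.0.0.1:9999; both are placeholders. Because the post-authentication sshd child runs as the logged-in UID, the connections it opens for -L forwards carry that UID and can be matched with the owner module.

```sh
#!/bin/sh
# Added example: redirect every outbound TCP connection owned by the
# forwarding account to a local relay, using the owner match plus REDIRECT.
# Assumptions (placeholders): UID 1500 is the shared account, the relay is
# on 127.0.0.1:9999. REDIRECT is only valid in the nat table's PREROUTING
# and OUTPUT chains; locally generated traffic from sshd hits OUTPUT.

FWD_UID="${FWD_UID:-1500}"
RELAY_PORT="${RELAY_PORT:-9999}"

# With DRY_RUN=1 the iptables commands are printed instead of executed,
# so the rule set can be reviewed before it touches a live host.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

install_redirect() {
    # Leave loopback traffic of this UID alone so a forward that already
    # targets 127.0.0.1 is not rewritten a second time.
    run iptables -t nat -A OUTPUT -o lo -m owner --uid-owner "$FWD_UID" -j RETURN
    # Everything else this UID connects to lands on the relay. The relay must
    # run under a different UID, or its own onward connections would loop back
    # into this rule.
    run iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner "$FWD_UID" \
        -j REDIRECT --to-ports "$RELAY_PORT"
}

# Check an iptables-save dump (stdin) for the REDIRECT rule, so an operator
# can confirm the rule is in place. Simple substring match on the rule text.
count_redirect_rules() {
    grep -c -- "-m owner --uid-owner $FWD_UID -j REDIRECT --to-ports $RELAY_PORT"
}
```

What reaches the relay is only a TCP connection: the original "server2.example.com:1234" can be recovered with getsockopt(SO_ORIGINAL_DST) on Linux, but the "user-service" name is not available to it, since the owner match sees the UID and nothing more.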