Re: Restrict a client port-forward to 1 port



On Jueves 13 Agosto 2009 14:30:13 Joseph Spenner escribió:
--- On Thu, 8/13/09, Adriana Rodean <adrya1984@xxxxxxxxx> wrote:
Hi again,

Maybe i didn't expressed myself right.
I want client X to be able to connect with this command:
ssh -L
30300:localhost:8080 -R 1037:localhost:55555
Client Y to be able to connect with: ssh -L
30300:localhost:8080 -R
1038:localhost:55555
and so on
but client Y should be forbidden to connect with: ssh
-L
30300:localhost:8080 -R 1037:localhost:55555

From what I can tell, your goal is to restrict certain REMOTE port forward
values. I do not think it is possible to place restrictions on REMOTE port
forwards if port forwarding is enabled in sshd_config. In the
authorized_keys, you can list 'permitopen' options, but this only applies
to LOCAL port forwards.

I'm sorry, i confused the local port forwarding to server with remote to
local. In normal configuration possibilities, as Joseph said, there is no any
possible _simple_ option that i can see.

what i see:

- iptables won't be useful on such case, yes, openssh will open this port with
a process owned by your specific user, but, "-m owner" only applies for OUTPUT
and POSTROUTING chains. What you need is for INPUT chain.

- Internal openssh configuration does not provide you any way to limit what
port are allowed to open by an specific user. Only for outgoing connections you
can see limits, and you can do it without rsa/dss/... certificates using "Match
User" directive on sshd_config

---

But there are other useful possibilities... More complex obviously. I will not
specify exactly how you can use it, but, hope it helps.

LEVEL: MED. EFFICIENCY: LOW
1. Monitor/event script, this script will do something like:

kill -9 $(netstat -anpo | grep ^tcp | grep LISTEN | cut -d"/" -f1 | cut -d: -
f2,3 | awk '{printf("echo -n \"%s \"; ps -p %s uh\n",$1,$4);}' | bash | awk
'{printf("%s %s %s\n",$1,$2,$3);}' | grep unmanarc | grep -v ^1234 | cut -d' '
-f3)

where unmanarc is the username wanted, and the 1234 the port that you allow
for him.

Event will result in system detriment because each bind will launch this
command, and even both mechanisms will allow the port binding for a short
period of time until the script runs...

LEVEL: MED. EFFICIENCY: MED
2. similar script but creating a dynamic rule on iptables, by default every
port are restricted, when the script detects a match (username-port), the
script will open an INPUT rule allowing this port. In reverse, the port will
be completely useless. This script have to have special mechanism to detect
when you close the SSH, and close the iptables rule too (-D). But... This
mechanism is prone to a race condition. An attacker could simply

LEVEL: HIGH. EFFICIENCY: HIGH
3. Possibly, the most feasible option: SELinux.

It's possible to enforce a policy defining specials _port_t labels, and
restricting specific users domains to bind only on labeled ports on the program
domain. For that, previously, you have to add to selinux the specific unix
accounts to these user domains.

LEVEL: HIGH. EFFICIENCY: HIGH
4. LD_PRELOAD Method.

LD_PRELOAD method will enable you to create a wrapper for bind. This wrapper
could check for "getuid();" and check if a port/user are allowed. This
database could be hardcoded or could exist in some specific file.

----------------

My recommendation: if you really need an efficient mechanism, try with selinux
or ld_preload, if you don't, try with scripts.



;-)

--
Ing. Aaron G. Mizrachi P.

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1

Attachment: signature.asc
Description: This is a digitally signed message part.



Relevant Pages

  • Re: Net::SSH::Perl bind socket problem
    ... >> bind to), maybe the ssh object is not destroyed between the loops. ... > I did use netstat -neat during, and after the script launch. ... only to handle the "port already in use" case... ...
    (perl.beginners)
  • Re: How to Create a TCP/IP PrinterPort on a MS Cluster 2k3 via Scr
    ... XP is not in the cluster so I'm not clear on the failure question. ... the user running the script should be admin on the remote print server. ... thus the creation of the port on the node. ...
    (microsoft.public.windows.server.clustering)
  • Re: How to Create a TCP/IP PrinterPort on a MS Cluster 2k3 via Scr
    ... XP is not in the cluster so I'm not clear on the failure question. ... the user running the script should be admin on the remote print server. ... thus the creation of the port on the node. ...
    (microsoft.public.windows.server.clustering)
  • Firewall Rules Summary
    ... Subject: Firewall Rules Summary ... This script is provided "as is" with no implied warranty. ... this came from various howtos and articles on iptables that existed around ... #specific port denies>1024 tcp ...
    (Focus-Linux)
  • Re: How to Create a TCP/IP PrinterPort on a MS Cluster 2k3 via Scr
    ... I think Edwin is using the prnport.vbs script from the OS what uses the WMI ... thus the creation of the port on the node. ... NOT in de cluster resource! ... virtualPrinter in MSCS. ...
    (microsoft.public.windows.server.clustering)