Re: Restrict a client port-forward to 1 port

On Jueves 13 Agosto 2009 14:30:13 Joseph Spenner escribió:
--- On Thu, 8/13/09, Adriana Rodean <adrya1984@xxxxxxxxx> wrote:
Hi again,

Maybe i didn't expressed myself right.
I want client X to be able to connect with this command:
ssh -L
30300:localhost:8080 -R 1037:localhost:55555
Client Y to be able to connect with: ssh -L
30300:localhost:8080 -R
and so on
but client Y should be forbidden to connect with: ssh
30300:localhost:8080 -R 1037:localhost:55555

From what I can tell, your goal is to restrict certain REMOTE port forward
values. I do not think it is possible to place restrictions on REMOTE port
forwards if port forwarding is enabled in sshd_config. In the
authorized_keys, you can list 'permitopen' options, but this only applies
to LOCAL port forwards.

I'm sorry, i confused the local port forwarding to server with remote to
local. In normal configuration possibilities, as Joseph said, there is no any
possible _simple_ option that i can see.

what i see:

- iptables won't be useful on such case, yes, openssh will open this port with
a process owned by your specific user, but, "-m owner" only applies for OUTPUT
and POSTROUTING chains. What you need is for INPUT chain.

- Internal openssh configuration does not provide you any way to limit what
port are allowed to open by an specific user. Only for outgoing connections you
can see limits, and you can do it without rsa/dss/... certificates using "Match
User" directive on sshd_config


But there are other useful possibilities... More complex obviously. I will not
specify exactly how you can use it, but, hope it helps.

1. Monitor/event script, this script will do something like:

kill -9 $(netstat -anpo | grep ^tcp | grep LISTEN | cut -d"/" -f1 | cut -d: -
f2,3 | awk '{printf("echo -n \"%s \"; ps -p %s uh\n",$1,$4);}' | bash | awk
'{printf("%s %s %s\n",$1,$2,$3);}' | grep unmanarc | grep -v ^1234 | cut -d' '

where unmanarc is the username wanted, and the 1234 the port that you allow
for him.

Event will result in system detriment because each bind will launch this
command, and even both mechanisms will allow the port binding for a short
period of time until the script runs...

2. similar script but creating a dynamic rule on iptables, by default every
port are restricted, when the script detects a match (username-port), the
script will open an INPUT rule allowing this port. In reverse, the port will
be completely useless. This script have to have special mechanism to detect
when you close the SSH, and close the iptables rule too (-D). But... This
mechanism is prone to a race condition. An attacker could simply

3. Possibly, the most feasible option: SELinux.

It's possible to enforce a policy defining specials _port_t labels, and
restricting specific users domains to bind only on labeled ports on the program
domain. For that, previously, you have to add to selinux the specific unix
accounts to these user domains.

4. LD_PRELOAD Method.

LD_PRELOAD method will enable you to create a wrapper for bind. This wrapper
could check for "getuid();" and check if a port/user are allowed. This
database could be hardcoded or could exist in some specific file.


My recommendation: if you really need an efficient mechanism, try with selinux
or ld_preload, if you don't, try with scripts.


Ing. Aaron G. Mizrachi P.
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1

Attachment: signature.asc
Description: This is a digitally signed message part.