port forwarding source address
- From: phil-news-nospam@xxxxxxxx
- Date: 12 May 2008 08:29:23 GMT
Currently, SSH has 2 ways to do address binding for port forwarding:
1. The SSH encrypted connection itself can be bound to a specific IP address
with the -b command line option (BindAddress in the config file).
2. Port forwarding can bind to a specific address on the listening host,
the local host for -D and -L (DynamicForward and LocalForward), or the
remote host for -R (RemoteForward).
What I would like to have is an option to bind the source address of the
outbound connections being forwarded.
An example with -L (LocalForward) would work like this. The ssh client will
listen on the port, and optionally also on the specified address, on the local host.
For each connection coming in to that port, a connection is made from the
remote host to the destination host and port specified. What my suggested
option would do is specify what address that remote-to-destination connection
would come from. It would only make sense to use addresses configured on a
working interface on the remote machine.
The purpose of the suggested option would be so that it is possible to make
the forwarded connection come from an address on the remote machine other than
the first one that default socket binding would ordinarily use. It would be
similar to what -b does for the SSH encrypted connection itself, but be used
for the forwarded connection.
To add such a feature, the information sent from the local client to the remote
server about forwardings being done for dynamic and local forwarding would have
to have this new information included. I don't know enough about the SSH
protocol to know how easy it would be to add new information. If this involves
a fixed structure, it would require the local client and remote server to both
have the feature implemented. If the information is transferred with tagged
pieces of data that could otherwise be ignored, then it could be incrementally
added without breaking compatibility with older versions.
The port forwarded source bind address would be specific to each forwarding.
That is, each -D or -L or -R would have its own source bind address for the
outgoing connections to be made. So it almost certainly would need to be an
extension of the forwarding syntax. Possibilities are:
-D [bind_address|*:]port[:[source_address|*]]
-D [bind_address|*/]port[/[source_address|*]]
-L [bind_address|*:]port:host:hostport[:[source_address|*]]
-L [bind_address|*/]port/host/hostport[/[source_address|*]]
-R [bind_address|*:]port:host:hostport[:[source_address|*]]
-R [bind_address|*/]port/host/hostport[/[source_address|*]]
It could also be possible to specify a source port number. This would have
limitations, of course. Only root could source from a privileged port. And
only one connection could be forwarded to the same destination host:hostport
(although with dynamic forwarding, this can still be a lot of connections to
different host:hostport destinations).
-D [bind_address|*:]port[:[source_address|*][:[source_port|*]]]
-D [bind_address|*/]port[/[source_address|*][/[source_port|*]]]
-L [bind_address|*:]port:host:hostport[:[source_address|*][:[source_port|*]]]
-L [bind_address|*/]port/host/hostport[/[source_address|*][/[source_port|*]]]
-R [bind_address|*:]port:host:hostport[:[source_address|*][:[source_port|*]]]
-R [bind_address|*/]port/host/hostport[/[source_address|*][/[source_port|*]]]
If the source address is empty or specified with * then the usual default
behaviour would be specified (possibly overriding a differently configured
source address from the config file for the same forwarded port). Same for
the source port.
I have in the past done successful code modification to sshd. That was to
implement a session logging feature for a server that was hosting untrusted
users. That was a simplistic patch for a very specific need, and was not
intended for general use. All "configuration" values were hard coded, such
as the path to store the session logs in (they were dynamically named based
on the date and time the session started).
So maybe I could develop this feature. But this would clearly require more
knowledge of SSH including how it parses the various forwarding options, and
how it passes them over the session, and how it interprets that data at the
remote end. And right now I have no OpenBSD machine running to do this on
the non-portable version (it was an ancient Sun Sparc machine that had a PSU
failure). I suppose I could set up some virtual machines to get OpenBSD back
up on a couple machines at home.
--
|WARNING: Due to extreme spam, googlegroups.com is blocked. Due to ignorance |
| by the abuse department, bellsouth.net is blocked. If you post to |
| Usenet from these places, find another Usenet provider ASAP. |
| Phil Howard KA9WGN (email for humans: first name in lower case at ipal.net) |
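The following is an added example, not code from the post or from OpenSSH: a small parser for the extended -D/-L/-R syntax proposed above, accepting either ':' or '/' as the field separator (the '/' form is what lets an IPv6 address appear as a field without being split on its own colons), treating an empty or '*' source_address/source_port as "use the default", and flagging specs whose source port would need root. One disambiguation rule is my own assumption rather than anything the post states: a leading bind_address is recognised by the first field not being all digits, since the listening port must be numeric and a bind address never is. The parser does not (and cannot) check that the source address is configured on the remote host; that check belongs on the server side.

```python
# Added example: parse the extended -D/-L/-R forwarding syntax proposed in the
# post above. Illustrative code, not OpenSSH's own parser.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Forward:
    kind: str                       # "D", "L" or "R"
    bind_address: Optional[str]     # None: OpenSSH's usual listen address
    port: int                       # listening port
    host: Optional[str]             # destination host (None for -D)
    hostport: Optional[int]         # destination port (None for -D)
    source_address: Optional[str]   # proposed: None means default source selection
    source_port: Optional[int]      # proposed: None means an ephemeral port


def _optional(field: str) -> Optional[str]:
    """Empty or '*' means 'use the usual default', as the post specifies."""
    return None if field in ("", "*") else field


def _port(field: str, name: str) -> int:
    if not field.isdigit() or not 1 <= int(field) <= 65535:
        raise ValueError(f"{name}: bad port {field!r}")
    return int(field)


def parse_forward(kind: str, spec: str) -> Forward:
    """Parse one forwarding spec in the proposed syntax.

    Fields are separated by ':' or, when any '/' is present, by '/'.
    Assumption (mine, not the post's): a leading bind_address is present
    when the first field is not all digits.
    """
    if kind not in ("D", "L", "R"):
        raise ValueError(f"unknown forwarding kind {kind!r}")
    sep = "/" if "/" in spec else ":"
    fields = spec.split(sep)
    if fields[0].isdigit():
        bind_address, rest = None, fields
    else:
        bind_address, rest = _optional(fields[0]), fields[1:]
    required = 1 if kind == "D" else 3      # port  |  port host hostport
    if not required <= len(rest) <= required + 2:
        raise ValueError(
            f"-{kind}: expected {required} to {required + 2} fields "
            f"after bind_address, got {len(rest)}")
    port = _port(rest[0], "port")
    host = hostport = None
    if kind != "D":
        host = rest[1]
        if not host:
            raise ValueError(f"-{kind}: empty destination host")
        hostport = _port(rest[2], "hostport")
    tail = rest[required:]                  # [source_address[, source_port]]
    source_address = _optional(tail[0]) if tail else None
    source_port = None
    if len(tail) == 2:
        raw = _optional(tail[1])
        if raw is not None:
            source_port = _port(raw, "source_port")
    return Forward(kind, bind_address, port, host, hostport,
                   source_address, source_port)


def needs_root(fw: Forward) -> bool:
    """The post notes that only root could source from a privileged port."""
    return fw.source_port is not None and fw.source_port < 1024


if __name__ == "__main__":
    # Constructed sample specs in the proposed syntax.
    for kind, spec in [("L", "8080:intranet.example:80"),
                       ("L", "8080/2001:db8::10/80/2001:db8::1/*"),
                       ("D", "*:1080:198.51.100.7:40000"),
                       ("R", "2222:localhost:22:*:1022")]:
        fw = parse_forward(kind, spec)
        print(f"-{kind} {spec} -> {fw} (needs root: {needs_root(fw)})")
```

Because the bracketed grammar in the post is ambiguous on field count alone (for -D, `a:b` could be either `bind_address:port` or `port:source_address`), any real implementation needs a rule like the digits test above or a distinct separator for the new trailing fields; the same ambiguity is what the SSH protocol side would have to settle when the client passes the source address to the remote end.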