Discussion: Fixing UID; port forwarding via process

Alex Bligh
2009-05-25 17:15:52 UTC
Two related sshd configuration questions.

I want to implement sshd so that it allows port forwarding but in a rather
specific manner. I can't alter what the client will do for various reasons,
but it's in essence:

ssh -l user-service -L 9999:server2.example.com:1234 server1.example.com

What the sshd server needs to do is:

1. Authenticate the username passed (in the former "user-service") against
an external authentication database. I am hoping I can do this using (say)
a PAM module. Whatever the username specified, the UNIX UID required on the
server will be the same. As the username is in fact a composite of a username
and a service name, the usernames provided cannot correspond to actual UNIX
usernames. Is it possible to write a PAM module for sshd that works this
way, and if so how can I force logins to a specific UID?

2. Rather than sshd opening up a TCP connection to forward the connection (in
the above instance to server2.example.com:1234), I need sshd to launch a
process (in a similar way to inetd) and pipe the connection to that,
irrespective of what the user has specified on the ssh command line. It
needs to pass the username specified ("user-service", not the UID which
will always be the same) and preferably the "server2.example.com:1234" to
this process, either on the process's command line or in the environment.
Essentially what the process will be doing is an "nc" but dependent on the
"user-service" tuple passed and subject to some protocol translation. How
can I achieve this?

If the answer is "go hack about in openssh sources" that is a possibility
(though I'd rather not). Some indication of where to look would be useful.
--
Alex Bligh
Aarón Mizrachi
2009-05-26 17:29:28 UTC
Post by Alex Bligh
Two related sshd configuration questions.
I want to implement sshd so that it allows port forwarding but in a rather
specific manner. I can't alter what the client will do for various reasons,
ssh -l user-service -L 9999:server2.example.com:1234 server1.example.com
1. Authenticate the username passed (in the former "user-service") against
an external authentication database. I am hoping I can do this using (say)
a PAM module. Whatever the username specified, the UNIX UID required on the
server will be the same. As the username is in fact a composite of a username
and a service name, the usernames provided cannot correspond to actual UNIX
usernames. Is it possible to write a PAM module for sshd that works this
way, and if so how can I force logins to a specific UID?
2. Rather than sshd opening up a TCP connection to forward the connection (in
the above instance to server2.example.com:1234), I need sshd to launch a
process (in a similar way to inetd) and pipe the connection to that,
irrespective of what the user has specified on the ssh command line. It
needs to pass the username specified ("user-service", not the UID which
will always be the same) and preferably the "server2.example.com:1234" to
this process, either on the process's command line or in the environment.
Essentially what the process will be doing is an "nc" but dependent on the
"user-service" tuple passed and subject to some protocol translation. How
can I achieve this?
Something useful will be iptables. iptables can redirect your connection to
127.0.0.1:x when you have your local program listening.

This can be done with iptables, --uid-owner policy, and REDIRECT. (I think).

-j REDIRECT in addition with uid-owner will redirect all the connections
created from your special users to your local service.
Post by Alex Bligh
If the answer is "go hack about in openssh sources" that is a possibility
(though I'd rather not). Some indication of where to look would be useful.
--
Ing. Aaron G. Mizrachi P.

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1

Alex Bligh
2009-05-26 17:32:23 UTC
Post by Aarón Mizrachi
Post by Alex Bligh
2. Rather than sshd opening up TCP connection to forward the connection
(in the above instance to server2.example.com:1234), I need sshd to
launch a process (in a similar way to inetd) and pipe the connection to
that, irrespective of what the user has specified on the ssh command
line. It needs to pass the username specified ("user-service", not the
UID which will always be the same) and preferably the
"server2.example.com:1234" to this process, either on the process's
command line or in the environment. Essentially what the process will be
doing is an "nc" but dependent on the "user-service" tuple passed and
subject to some protocol translation. How can I achieve this?
Something useful will be iptables. iptables can redirect your connection
to 127.0.0.1:x when you have your local program listening.
this can be done with iptables, --uid-owner policy, and REDIRECT. (I
think).
-j REDIRECT in addition with uid-owner will redirect all the connections
created from you special users to your local service.
Agree, but by then the supplied username will have been lost (as they'll
all be running under the same UID).

--
Alex Bligh
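The rule set Aarón describes, written out as an added example (this is not code from either poster): a nat OUTPUT rule matching the shared forwarding UID with `-m owner --uid-owner` and redirecting it to the local listener, plus filter rules that let only that redirected loopback connection out of the shared UID. It works because sshd's unprivileged forwarding child runs as the authenticated user, so the owner match catches precisely the connections it opens on the client's behalf. The UID 1001, destination port 1234 and local listener port 9999 are constructed placeholders. As Alex points out in the reply above, the redirect target then sees only the shared UID, never the "user-service" string; that limitation is noted in the comments rather than solved here.

```shell
#!/bin/sh
# Added example, not from the thread. Builds (and optionally applies) the
# iptables REDIRECT + uid-owner rules for a shared forwarding account.
# Placeholders (constructed for this example):
#   UID 1001  - the single UNIX account all "user-service" logins map to
#   port 1234 - the service port the ssh client asks sshd to forward to
#   port 9999 - where the local inetd-style service listens on 127.0.0.1

# is_port NUM: true when NUM is an integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_redirect_rules UID DST_PORT LOCAL_PORT
# Prints one iptables command per line; nothing is executed.
# Rule 1 (nat OUTPUT): connections the forwarding UID opens to DST_PORT are
#   rewritten to 127.0.0.1:LOCAL_PORT before leaving the host.
# Rule 2 (filter OUTPUT): the rewritten loopback connection is allowed. The
#   filter chain runs after nat, so it already sees LOCAL_PORT on lo.
# Rule 3 (filter OUTPUT): anything else the shared UID tries to open is
#   rejected, so a client cannot forward to arbitrary destinations.
# Caveat: the listener on LOCAL_PORT learns only the UID; the composite
#   username the client logged in with is not carried across the redirect.
build_redirect_rules() {
    uid="$1"; dport="$2"; lport="$3"
    if [ -z "$uid" ] || ! is_port "$dport" || ! is_port "$lport"; then
        echo "usage: build_redirect_rules UID DST_PORT LOCAL_PORT" >&2
        return 2
    fi
    printf '%s\n' \
      "iptables -t nat -A OUTPUT -p tcp --dport $dport -m owner --uid-owner $uid -j REDIRECT --to-ports $lport" \
      "iptables -A OUTPUT -o lo -p tcp --dport $lport -m owner --uid-owner $uid -j ACCEPT" \
      "iptables -A OUTPUT -p tcp -m owner --uid-owner $uid -j REJECT --reject-with tcp-reset"
}

# count_rules UID DST_PORT LOCAL_PORT: number of rules the builder emits.
count_rules() {
    build_redirect_rules "$@" | wc -l | tr -d ' '
}

# apply_redirect_rules UID DST_PORT LOCAL_PORT: run the rules (root only).
apply_redirect_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_redirect_rules: must run as root" >&2
        return 1
    fi
    build_redirect_rules "$@" | while IFS= read -r rule; do
        sh -c "$rule" || return 1
    done
}

# Usage: ./redirect-rules.sh UID DST_PORT LOCAL_PORT [--apply]
# Without --apply the rules are only printed (dry run).
if [ "$#" -ge 3 ]; then
    if [ "${4:-}" = "--apply" ]; then
        apply_redirect_rules "$1" "$2" "$3"
    else
        build_redirect_rules "$1" "$2" "$3"
    fi
fi
```

Run it with three arguments to preview the rules, and add `--apply` as root to install them. The REJECT rule is the least-privilege part: once every "user-service" login shares one UID, the owner match is the only handle the kernel has on that traffic, so everything the UID opens that is not the redirected loopback connection should be refused rather than left to the default policy.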
