RFC: non-root ssh tun access

Chris Rapier rapier at psc.edu
Sat Aug 26 02:13:38 EST 2006 

A while ago we developed a series of patches we call PMVPN for Poor 
Man's VPN. Basically what we did was intercept open() calls and compare 
the tuple to a set of rules we had (using LD_PRELOAD (windows and OS X 
required more annoying proceedures that we didn't explore in any 
depth)). If the rule matched then we'd automatically open an SSH tunnel 
to the target and forward the appropriate port over it. The nice bit was 
that everything happened on a per user basis so we could actually 
forward 'privileged' ports without being root or impacting anyone else 
on the host (very useful in multiuser setups). We were able to do this 
by not actually touching the privileged ports but by mucking with the 
system calls so even though the application thought it was using port 25 
it was actually using port 27618 as its end of the ssh tunnel.

There were some advantages to this (transparency and ease of use to the 
user) but we never actually followed through on it. Mostly because we 
decided to focus on HPN and we thought one huge set of patches was 
enough to cope with :)

If you, or anyone else here, wants the code to try building on we've 
done I'll dig it up and send it over.


Jason wrote:
> The attached patch is against openssh-4.3_p2 to allow non-root users to
> vpn in over ssh.  root access is still needed on client side (or an sudo
> solution).  Currently, I have it working with an sudo command to
> configure a tap interface on the server side. eg to ssh into my gentoo
> server:
> 
> # ssh -fw any:any user at ssh_server.box "sudo /etc/init.d/net.tap0 restart"
> 
> Then, configure the tap interface on the client side.
> 
> So far,
> 	1.) the patch applies cleanly to 4.3_p2
> 	2.) compiles cleanly on a Linux x86 system
> 	3.) successfully permits non-root users to login, then access the tun
> 		 interface (via 'ioctl(fd, TUNSETOWNER, uid)')
> 
> To be done:
> 	1.) propagate the change to the other platforms to clean up the 
> 		 "#if defined(...)'s"
> 	2.) verify no bugs have been introduced.
> 	3.) verify I'm not smoking crack.  :)
> 
> This is my first attempt at modifying openssh, so I'm sure I've screwed up
> a few conventions or security procedures.  Let me know if I did and I'll
> fix it.

More information about the openssh-unix-dev mailing list