RFC: non-root ssh tun access

Darren Tucker dtucker at zip.com.au
Tue Aug 29 08:20:58 EST 2006


Chris Rapier wrote:
> 
> Damien Miller wrote:
>> On Fri, 25 Aug 2006, Chris Rapier wrote:
>>
>>> A while ago we developed a series of patches we call PMVPN for Poor 
>>> Man's VPN. Basically what we did was intercept open() calls and compare 
>>> the tuple to a set of rules we had (using LD_PRELOAD (windows and OS X 
>>> required more annoying proceedures that we didn't explore in any 
>>> depth)). If the rule matched then we'd automatically open an SSH tunnel 
>>> to the target and forward the appropriate port over it.
>> You can do something similar with an unmodified ssh, "socksify" and
>> DynamicForward
> 
> Well, the idea was to integrate things in order to bring greater 
> security to a larger number of people. The majority of people won't go 
> to the hassle of paying for and installing socksify and then do all of 
> the DynamicForward routines from the command line.

The "socksify" that comes with dante works and it's free (and Free).
http://www.inet.no/dante/

If you want to get somewhat wackier, you can grab slirp (a userspace tcp 
stack from the olden days) and build it socksified.

This will let you turn arbitrary tcp connections (including both locally 
originated and routed) into ssh port forward requests.  You need to be 
able to run pppd on the client (ie root access) but there's nothing 
required on the server side other than regular port forwarding support.

Most DNS requests don't work over the tunnel but hacking a DNS server to 
only use tcp would get around that too.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



More information about the openssh-unix-dev mailing list