[RFC]: OpenSSH vpn lists
John Richard Moser
nigelenki at comcast.net
Thu Mar 22 08:14:50 EST 2007
I've got an idea for using OpenSSH to establish a sort of internal
secure network, where everything going back and forth between certain
services (i.e. MySQL, how horrid) is encrypted even if the
application/server doesn't support launching the service over SSL. This
has some issues; so I'm probing for ideas on a new feature that would
resolve them and make this easier.
Let's hypothesize that you have 100 database servers serving MySQL
(TCP:3306) and MS SQL 2005 (TCP:1433). These are as follows:
10.10.30.[50-100]:3306 - MySQL
10.10.40.[75-125]:1433 - MS SQL 2000/2005
To deal with this, you set up on each machine 100 virtual network
adapters that don't route outside:
192.168.30.[50-100] - 10.10.30.[50-100] mates
192.168.40.[75-125] - 10.10.40.[75-125] mates
Now you run ssh as follows. In this example, the local IP is
10.10.10.20 (can probably omit -b). Also we use private key
authentication so no password:
# MySQL: each 192.168.30.N alias listens on 3306 and tunnels to its
# 10.10.30.N mate; -N runs no remote command, only the forwarding
i=50;
while [ "$i" != "101" ]; do
  ssh -N -b 10.10.10.20 -L 192.168.30.${i}:3306:localhost:3306 10.10.30.${i} &
  i=$(( $i + 1 ))
done
# MS SQL: 192.168.40.N alias, listening on 3306, tunnels to 10.10.40.N:1433
i=75;
while [ "$i" != "126" ]; do
  ssh -N -b 10.10.10.20 -L 192.168.40.${i}:3306:localhost:1433 10.10.40.${i} &
  i=$(( $i + 1 ))
done
The obvious problem here: We have some weird script bringing up 100 ssh
clients with 100 connections. What if we could tell ssh to load a file
and do it, where the file contained something like:
# Set default authentication
default auth=privkey:/home/sshfwd/.ssh/id_rsa user=sshfwd
# listen (-L; listen-dynamic is -D)
# nmap syntax for addresses (i.e. 192.168.1-20.35-123)
# MySQL servers
listen bind=10.10.10.20 listen-address=192.168.30.50-100 \
listen-port=3306 forward-address=localhost forward-port=3306
# MS SQL 2000 and 2005 servers
listen bind=10.10.10.20 listen-address=192.168.40.75-125 \
listen-port=3306 forward-address=localhost forward-port=1433
This file would only contain "listen" and "listen-dynamic" lines; define
the four parameters to -D or -L; a bind address (-b); and a remote user.
default authentication is privkey, followed by gssapi; or specified on
a 'default' line. Same with 'user='.
Addresses and ports would be specified as they are in nmap, with
comma-separated sets and hyphen-separated ranges.
Another useful feature that would complement this would be reverse
binding, i.e. connecting out to a remote server and forwarding
connections to an IP address on it to the local host; this would allow
for a high-security server to have a privkey, connect out to servers
with the pubkey, and then allow them to forward ports into it onto its
local host. This is a thousand times better than putting the privkey
freaking everywhere because one root-level compromise spells doom. This
feature could have the policy listen-r, with the command switch "-L
r:bind_addr:port:host:hostport" or some such craziness.
Not sure... anyone have any thoughts?
--
We will enslave their women, eat their children and rape their
cattle!
-- Bosc, Evil alien overlord from the fifth dimension
Anti-Spam: https://bugzilla.mozilla.org/show_bug.cgi?id=229686