Q: how to restrict access selectively to client initiated local port forward
Michael O'Cleirigh
mocleiri at jpint.utoronto.ca
Fri Sep 28 03:14:32 EST 2007
Hello,
At work we have an internal application that implements a proxy. It
works by counting the number of connections per IP address and using
this to enforce usage limits (i.e. not more than X connections from a
given IP).
The important thing for us is a unique IP per client. We have this
implemented where each client first authenticates through OpenVPN and is
assigned a unique IP address.
But some of our users can't get their corporate firewall changed to
allow the tunnel to be established. So we've come up with a way that
they can use ssh local port forwarding to accomplish the same thing.
For example:
This is the idealized case, the client connects to the proxy and their
connections are managed:
client ---------------------> proxy
VPN:
With the vpn the client is given a unique IP and all works well.
client (10.8.0.x) ---------------> proxy (10.8.0.1)
Open SSH:
With open ssh we use the following command:
ssh -L yyyy:10.8.0.x:yyyy user at proxy
client (a.b.c.d) ------------------> proxy
local redirect to -------> (10.8.0.x)
where yyyy is the port being forwarded and lo:x is a loopback alias on
the proxy to be 10.8.0.x (a different loopback IP will exist for each
connecting client)
This works since it appears to the proxy that the connections are
originating from 10.8.0.x.
However as far as I can tell there is no way in OpenSSH to define an
access control policy for which connecting users are allowed to redirect
through which local IP.
i.e. we can't enforce that only user1 can local redirect through
10.8.0.12, which would allow anyone with system access to redirect
through 10.8.0.12.
I've downloaded and locally modified openssh-4.7p1 to include a new
module that will allow this decision to be made (reads a custom
configuration file that answers the question: can $user redirect through
$hostname). But I can't figure out the exact place to insert it in the
OpenSSH source code.
Could someone point me to the source file and line that is responsible
for the server side initialization of a client local forward?
I tried connecting in serverloop.c function: static void
server_input_global_request(int type, u_int32_t seq, void *ctxt);
which by its comment says it deals with "-R" style forwarding but this
doesn't seem to be the correct place for "-L" style forwarding.
Thanks for your help,
Mike
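Added note and example, not part of Mike's post: a client's "-L" forward reaches the server as a "direct-tcpip" channel-open request (handled in serverloop.c by server_request_direct_tcpip(), not by the global-request handler used for "-R"), and sshd checks the requested destination against its PermitOpen list before connecting. Because PermitOpen and AllowTcpForwarding are both valid inside a "Match User" block, the per-user policy described above ("only user1 may redirect through 10.8.0.12") can be expressed in sshd_config without patching the server. The fragment below is a constructed example; the user names, loopback aliases and port 8080 (standing in for the post's "yyyy") are assumptions.

```conf
# sshd_config fragment (constructed example, not from the post)

# Default deny: users without an explicit Match block get no TCP forwarding
# at all, so an unlisted account cannot borrow someone else's loopback alias.
AllowTcpForwarding no

# Match blocks must come after all global directives; each one grants a single
# user the right to open forwards only to that user's own alias on the proxy.
# Port 8080 is a placeholder for the proxy port the post calls "yyyy".
Match User user1
    AllowTcpForwarding yes
    PermitOpen 10.8.0.12:8080

Match User user2
    AllowTcpForwarding yes
    PermitOpen 10.8.0.13:8080
```

With this in place, "ssh -L 8080:10.8.0.12:8080 user1@proxy" works, while the same user requesting "-L 8080:10.8.0.13:8080" sees the forward refused with "administratively prohibited" in the client's channel error, which is also what to look for when testing the policy. PermitOpen restricts only where forwards may go; if these accounts should be able to do nothing else on the proxy, pair each Match block with ForceCommand or a restricted shell so that a login does not also grant a general shell.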