remote/reverse port forward, ssh client setting source IPs to what ssh server reports

William Ahern william at 25thandClement.com
Wed Feb 27 13:46:00 EST 2008


On Tue, Feb 26, 2008 at 07:41:18PM -0500, bulk88 wrote:
> Note: most but not all of this message is about OpenSSH
> 
> When I do a remote forward (port on server listens for incoming
> traffic, traffic gets forwarded to port that is listening on client),
> the source IPs of all the incoming connections in the server app on
> the client machine are 127.0.0.1/localhost. Using "-v", I can see that
> sshd passes the IP addresses of what computers connected to the sshd's
> port that forwards to the client. The client does not use/set the
> originating information when connecting.
<snip>
> clientloop.c to forward the originating IP I think. I am not an expert
> at programming or C or posix OSes so my implementation theories and
> analysis might be faulty.

So, you're worried about a user who has a shell (or at least a local account
w/ forwarding privileges) accessing services as a local user, but not so
much about letting such users spoof other arbitrary IP addresses?

Moreover, in order to use raw sockets, or use any of the other tricks
(which may or may not be available), the process must have root privileges.
But, in OpenSSH these forwards are done from a process with the UID of the
user.

OpenSSH does support TUN/TAP (emulated network device). But this isn't
something you normally allow arbitrary users to manipulate. And, in any
event, it requires root permissions.

On the other hand, on OpenBSD you can define packet filter rules based on
the UID of the connecting process. PF has been ported to various systems,
but I'm not sure if this ability works elsewhere.
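As an added example (not from this thread and not OpenSSH code), the following Python emulation reproduces the effect bulk88 describes: a forwarder stands in for sshd's -R listener plus the ssh client's connect(), knows the real originator, but opens a fresh loopback connection to the app, so a service on the client machine that grants trust by loopback address treats every forwarded connection as local. The toy service, the forwarder and all names are constructed for the demonstration.

```python
import socket
import threading

def pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on to dst."""
    while chunk := src.recv(4096):
        dst.sendall(chunk)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def listen_loopback():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))  # ephemeral port on the loopback address
    s.listen(5)
    return s

def start_local_service(seen):
    """App on the ssh client machine; it (wrongly) trusts any loopback peer."""
    srv = listen_loopback()
    def serve_one():  # one connection is enough for the demo
        conn, peer = srv.accept()
        seen.append(peer)  # what the app sees: always 127.0.0.1
        conn.sendall(b"trusted" if peer[0] == "127.0.0.1" else b"untrusted")
        conn.close()
    threading.Thread(target=serve_one, daemon=True).start()
    return srv

def start_forwarder(target_port, origins):
    """sshd's 'ssh -R' listener plus the ssh client's connect() to the app."""
    fwd = listen_loopback()
    def forward_one():
        inbound, origin = fwd.accept()
        origins.append(origin)  # the originator sshd knows and reports
        out = socket.create_connection(("127.0.0.1", target_port))  # new loopback conn
        threading.Thread(target=pump, args=(inbound, out), daemon=True).start()
        pump(out, inbound)
    threading.Thread(target=forward_one, daemon=True).start()
    return fwd

def run_demo():
    """Returns (service verdict, originator seen by 'sshd', peer seen by app)."""
    seen, origins = [], []
    svc = start_local_service(seen)
    fwd = start_forwarder(svc.getsockname()[1], origins)
    with socket.create_connection(fwd.getsockname()) as c:
        verdict = c.recv(64)
    return verdict, origins[0], seen[0]  # peer port differs: it is a new socket
```

The UID-based PF rules William mentions key access on the owner of the connecting socket rather than on the peer address, which is why they still work in this situation.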
