Detect PID of sshd processes used by one public key; detect -R allocated port on the server
Alex Bligh
alex at alex.org.uk
Sat Oct 8 20:01:38 EST 2011
I have a situation where a number of potentially hostile clients ssh to
a host I control, each ssh'ing in as the same user, and each forwarding
a remote port back to them.
So, the authorized_keys file looks like:
no-agent-forwarding,command="/bin/true",no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:7" ssh-rsa AAAAB....vnRWxcgaK9xXoU= client1234 at example.com
[the permitopen stanza just disables -L forwarding by only enabling a
forwarding to a port that will always refuse connections. Ignore this.]
and the ssh line from the client looks like this:
ssh -R0:127.0.0.1:1234 -N -ldummyuser central.example.org
Allocated port 54403 for remote forward to 127.0.0.1:1234
Now, ssh -R with a 0 port option allocates a remote port, which is what I
want to do, as I have lots and lots of these clients. It tells the /client/
what port it has allocated, but I want to know on the /server/ what port
has been allocated. On the server I want to detect which port (if any)
client1234 at example.com has open, and connect to that.
I can't pass this information from the client, because the potentially
hostile client could pass back a different number. I could then connect
to a port and be fooled into connecting to the wrong client.
My plan was to get the PID of the sshd process, then use lsof to find
what ports it was listening on.
The lsof bit works:
$ lsof -n -p 12287 -a -i4tcp -a -sTCP:LISTEN
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 12287 testuser 10u IPv4 10196497 0t0 TCP 127.0.0.1:54403 (LISTEN)
But there seems to be no way to get the PIDs of an ssh process associated
with a particular public key, as opposed to a particular user.
Logs would be unreliable anyway (race conditions), but the log line simply
says this (no indication of what key is accepted):
Oct 8 09:30:15 test sshd[12214]: Accepted publickey for dummyuser from 10.1.3.45 port 55158 ssh2
Oct 8 09:30:15 test sshd[12214]: pam_unix(sshd:session): session opened for user dummyuser by (uid=0)
I can't help but think that log line would be more useful if it said which
public key was accepted (am willing to provide a patch, but would prefer
to avoid a code change).
Any ideas on how to get from a public key to list of sshd processes?
--
Alex Bligh
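
The following is an added example, not part of the original post and not OpenSSH code: one way to go from a public key to the forwarded port entirely on the server. It assumes a later OpenSSH release whose "Accepted publickey" log line ends with the key type and fingerprint, and that the logged PID is the privileged sshd process whose sshd child owns the listening socket; the log, ps and lsof text below is constructed sample data with placeholder fingerprints.

```python
import re

# Constructed sample data. Fingerprints are placeholders, not real key hashes.
AUTH_LOG = """\
Oct  8 09:30:15 test sshd[12214]: Accepted publickey for dummyuser from 10.1.3.45 port 55158 ssh2: RSA SHA256:PLACEHOLDER-client1234
Oct  8 09:31:02 test sshd[12301]: Accepted publickey for dummyuser from 10.1.3.46 port 40112 ssh2: RSA SHA256:PLACEHOLDER-client5678
"""
# As printed by: ps -eo pid,ppid,comm
PS_OUT = """\
  PID  PPID COMMAND
12214   801 sshd
12287 12214 sshd
12301   801 sshd
12310 12301 sshd
"""
# As printed by: lsof -n -P -a -c sshd -i4tcp -sTCP:LISTEN
LSOF_OUT = """\
COMMAND   PID      USER  FD TYPE   DEVICE SIZE/OFF NODE NAME
sshd    12287 dummyuser 10u IPv4 10196497      0t0  TCP 127.0.0.1:54403 (LISTEN)
sshd    12310 dummyuser 10u IPv4 10196611      0t0  TCP 127.0.0.1:54519 (LISTEN)
"""
ACCEPT = re.compile(r"sshd\[(\d+)\]: Accepted publickey for (\S+) "
                    r"from \S+ port \d+ ssh2: \S+ (\S+)")

def logged_pids(log, user, fingerprint):
    """PIDs of sshd processes that logged acceptance of this key for this user."""
    return {int(m.group(1)) for m in ACCEPT.finditer(log)
            if m.group(2) == user and m.group(3) == fingerprint}

def sshd_children(ps_out, parents):
    """sshd processes whose parent is one of the logged PIDs."""
    rows = [line.split() for line in ps_out.splitlines()[1:] if line.strip()]
    return {int(pid) for pid, ppid, comm in rows
            if int(ppid) in parents and comm == "sshd"}

def listen_ports(lsof_out, pids):
    """Loopback TCP ports in LISTEN state held by the given PIDs."""
    ports = set()
    for line in lsof_out.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10 and int(f[1]) in pids and f[-1] == "(LISTEN)":
            addr, _, port = f[-2].rpartition(":")
            if addr == "127.0.0.1":
                ports.add(int(port))
    return ports

def ports_for_key(user, fingerprint):
    # A stale log entry resolves to nothing unless a live sshd still listens.
    pids = logged_pids(AUTH_LOG, user, fingerprint)
    return listen_ports(LSOF_OUT, pids | sshd_children(PS_OUT, pids))
```

On a live host the three strings would be replaced by the current auth log and fresh ps and lsof output, and a result containing anything other than exactly one port should be treated as unresolved rather than guessed.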
More information about the openssh-unix-dev
mailing list