Change initial directory based on port of reverse tunnel?

Darren Tucker dtucker at zip.com.au
Fri Jan 24 20:22:49 EST 2014


On Fri, Jan 24, 2014 at 7:20 PM, John <givemefive at gmail.com> wrote:
> I'm trying to create compatibility with an automated system that I do
> not have control over and cannot change.

I'm having trouble visualising the picture here.

> The system was built to
> connect to individual embedded linux machines that create reverse
> tunnels back to a server.
>
> These tunnels take the form:
> /bin/ssh -i /home/remote/.ssh/id_rsa -Nnx2TR 22000:127.0.0.1:22 robot@externalhost
> /bin/ssh -i /home/remote/.ssh/id_rsa -Nnx2TR 22001:127.0.0.1:22 robot@externalhost
> /bin/ssh -i /home/remote/.ssh/id_rsa -Nnx2TR 22002:127.0.0.1:22 robot@externalhost
> /bin/ssh -i /home/remote/.ssh/id_rsa -Nnx2TR 22003:127.0.0.1:22 robot@externalhost

ok, so far this sounds like you have some devices out in the field
which may be behind stateful firewalls, NAT or dynamic addresses and a
server on a fixed address and you want to be able to connect back to
these devices in the field.

remotedevice ssh'es into externalhost and presumably keeps the connections up.
when you want to connect to a device you get onto externalhost and ssh
to localhost on whatever port corresponds to that device.  so far so
good.

> The bot then SCP copies from the home directory:
> scp -i id_rsa -P 22000 remote at localhost:file.tar.gz

This is where I'm not sure I follow you.  This is initiated by
remotedevice or by externalhost?

If it's initiated by externalhost, then I would think you could change
whatever initiates it on externalhost.  The only way I can see this
working is if it's initiated by remotedevice to be run on externalhost
via ssh, which is much more complicated than necessary, i.e. you'd see
these commands on externaldevice:

externaldevice$ ssh -i /home/remote/.ssh/id_rsa -Nnx2TR \
   22000:127.0.0.1:22 robot@externalhost

externaldevice$ ssh robot@externalhost scp -i id_rsa -P 22000 \
   file.tar.gz remote@localhost:file.tar.gz

instead of the simpler:

externaldevice$ ssh scp -i id_rsa remote@localhost:file.tar.gz file.tar.gz

am I following correctly?

> The major issue is that the Port is the identifying metric for the
> home folder of the remote user.

the id_rsa keys and usernames are all identical?

> Each tunnel should have a different
> folder because each folder represents a different physical location.
> The system was setup with individual machines in mind.
>
> Instead of SCP pulling from /home/remote, it should pull from
> /home/remote22000, /home/remote22001, etc based on the port number of
> the reverse tunnel.
>
> I'm not sure if there's any way to get sshd to solve this problem
> currently.  I'm open to all suggestions. I have spent a lot of time
> reading man pages for openssh and nothing I have tried has worked so
> far.
>
> I found this post to the mailing list:
> http://www.gossamer-threads.com/lists/openssh/dev/52909
>
> If I made each tunnel listen on a different port then I could use that
> to chroot each port to a different directory. I don't know if this is
> the best approach.
>
> I can't get the patch to work on a current version of openssh so if
> that's the best solution I would need some help with that.

That patch is already in the current version of OpenSSH.  If I'm
following you then it's not going to help, though (it's about making
decisions in sshd based on which port the connection is made on,
however in your scenario you're actually connecting to ssh on
externalhost, not sshd).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
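As an added example (not from the thread and not OpenSSH's own code) of the per-port decision the reply says current sshd can make, assuming the feature meant is sshd's `Match LocalPort` and that the client connects straight to sshd on those ports, this script renders a config fragment that confines each listening port to its own directory and, where sshd is installed with readable host keys, asks `sshd -T -C` which ChrootDirectory it would apply:

```shell
#!/bin/sh
# Added example: one "Match LocalPort" block per listening port, each with its
# own ChrootDirectory. Assumes the user is "remote" and /home/remoteNNNNN exist.

# render_sshd_config PORT... : print the Port lines and one Match block per port.
render_sshd_config() {
    for port in "$@"; do
        printf 'Port %s\n' "$port"
    done
    for port in "$@"; do
        # The chroot root must be owned by root and not group/world writable.
        # scp needs a shell and an scp binary inside the chroot; if the client
        # can use sftp, "ForceCommand internal-sftp" avoids that requirement.
        printf '\nMatch LocalPort %s User remote\n' "$port"
        printf '    ChrootDirectory /home/remote%s\n' "$port"
        printf '    AllowTcpForwarding no\n'
    done
}

# effective_chroot CONFIG PORT : ask sshd which ChrootDirectory it would apply
# to a connection accepted on PORT (-C also needs user, host and addr).
# Prints nothing when sshd is absent or cannot read its host keys (non-root).
effective_chroot() {
    command -v sshd >/dev/null 2>&1 || return 0
    sshd -T -f "$1" \
        -C "user=remote,host=dev.example,addr=127.0.0.1,laddr=127.0.0.1,lport=$2" \
        2>/dev/null | awk '$1 == "chrootdirectory" { print $2 }'
}

cfg=$(mktemp)
render_sshd_config 22000 22001 22002 > "$cfg"
cat "$cfg"
effective_chroot "$cfg" 22001
rm -f "$cfg"
```

Match LocalPort tests the port the accepting sshd listened on; a connection that arrives through one of the -R tunnels above reaches the device's sshd on 127.0.0.1:22 whichever 2200x listener it entered, so that sshd cannot tell the tunnels apart this way.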


More information about the openssh-unix-dev mailing list