log port forwarding

Vincent LEFEVERE Vincent.LEFEVERE at hei.fr
Thu Feb 23 00:32:03 AEDT 2017


Hello

No reply to my mail for two weeks! Has nobody read it?
I am sending you the patch again.
If you do not fully understand my English, you could read the patch to understand which functionality I would like to be included in the ssh daemon.

Best regards

Vincent Lefevere

From: Vincent LEFEVERE
Sent: Thursday 9 February 2017 21:10
To: 'openssh-unix-dev at mindrot.org' <openssh-unix-dev at mindrot.org>
Subject: RE: log port forwarding

Hello,

Not receiving a reply to the previous mail about logging port forwarding in the ssh daemon, let me explain the reason for this need. It is a question of using a machine as a bastion to isolate two networks and at the same time allow connections between these two networks via ssh tunnels.
For security reasons, it is necessary to keep track of each tunnel associated with the login used in a log.
It is of course necessary to set the user's shell to /bin/cat or an equivalent command so that the user cannot run another solution to create tunnels.
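The bastion set-up described above, expressed as an sshd_config fragment. This is an added example, not part of the thread or of the attached patch; the group name, the far-side hosts and ports are assumptions, and ForceCommand is used as the server-side equivalent of giving the account /bin/cat as its shell.

```conf
# Added example (not from the mailing-list thread or its patch): sshd_config
# fragment for a bastion whose tunnel-only accounts may open port forwards but
# run nothing else. Group name, hosts and ports below are assumptions.

# VERBOSE records key fingerprints and channel events per login; the
# per-tunnel origin logging requested in the thread is what the patch adds.
LogLevel VERBOSE
SyslogFacility AUTH

# Default for every account on the bastion: no forwarding of any kind.
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
AllowAgentForwarding no

# Accounts whose only purpose is carrying tunnels between the two networks.
Match Group tunnelusers
    # Same effect as a /bin/cat login shell: the session blocks on stdin and
    # cannot execute anything, while the forwarding channels keep working.
    ForceCommand /bin/cat
    PermitTTY no
    # Only client-to-bastion (-L) forwards, and only to listed destinations;
    # "local" also refuses -R forwards that would expose the bastion's ports.
    AllowTcpForwarding local
    PermitOpen 192.0.2.10:443 192.0.2.11:22
```

Note that ForceCommand only applies when the client requests a session; a client using `ssh -N` opens its forwards without one, which is why the forwarding channel itself, not the shell, is the thing that needs to be logged with its origin and login.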

The patch that I have previously suggested logs in syslog every outgoing or dynamic tunnel. But it does not log the incoming tunnels. This can be judged insufficient!
Using the variables displayed in debug, I discovered another problem: the address and port of the origin of the tunnels are always 0.0.0.0:0.
This does not make it easy to link information between a firewall that logged an attack and the tunnel used by the attack (and the associated login).

So, I corrected this with a new patch attached. (I tested it with IPv4 and IPv6 tunnels on Linux.)

Could you tell me if you agree to integrate the feature (using or not the patch I gave you)?

Thank you

Best regards

Vincent Lefevere

-------------- next part --------------
A non-text attachment was scrubbed...
Name: log_port_forwarding3.patch.gz
Type: application/x-gzip
Size: 2236 bytes
Desc: log_port_forwarding3.patch.gz
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170222/6c4f7067/attachment-0001.bin>

