Identify multiple users doing reverse port FWD with their pubkeys

Clément Péron peron.clem at gmail.com
Fri Feb 14 04:37:31 AEDT 2020


Hi Mike

On Thu, 13 Feb 2020 at 17:02, M Rubon <rubonmtz at gmail.com> wrote:
>
> Clément Péron wrote:
> > I would like to know which pubkey has open which reverse port.
>
> Some of the things which have been mentioned will only work if your
> remote client runs a command/shell on the server.  Specifically
> setting a per-key environment variable does not work if you are only
> doing a remote port forward.  Similarly the environment variables
> $SSH_CLIENT and/or $SSH_CONNECTION environment variables are only
> available when the client runs a command or shell on the server.
> These environment variables are unfortunately not set for other SSH
> processes related to your connections, for instance while running the
> AuthorizedKeysCommand or in the process which does the port
> forwarding.
>
> Your options for IDing the remote client are:
>
> (1) the PPID of the process handling the AuthorizedKeysCommand is also
> the PPID of the process doing the reverse port forwarding.  You can
> record the ID during authorization and then figure out which reverse
> tunnel corresponds to that.
>
> (2) If your reverse tunnel connects to the client machine's SSH
> server, then on your server you can use the openssh command
> ssh-keyscan -p PORT 127.0.0.1    to identify the host key of the
> client machine (note that this is not the default key the client will
> use to connect to your server).

This is something that I didn't think about, and it totally makes sense in my case.
I will go for that, thanks!

>
> (3) If you have control of the client, you set the client to run a
> command, and then intercept that on your server to record the details.
> If your client does not run a command, I don't think you can force
> this on the server side.  (I am not so happy with the security of
> running a command when it is not needed, but others may be happy with
> this).
>
> These are not particularly clean or easy, but might work for your needs.

Thanks a lot, your explanations are really helpful!
Clement

>
> It would be nice if $SSH_CLIENT and/or $SSH_CONNECTION were set when
> AuthorizedKeysCommand was run and were also set in the process which
> does the port forwarding.  It would also be nice if the per-key
> environment variable was set in the process which does the port
> forwarding, which would allow you to tag it.
>
> Mike
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
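The two mechanisms Mike lists, option (1) (the AuthorizedKeysCommand child and the process holding the reverse-forward listener share a parent PID) and option (2) (ssh-keyscan against the forwarded port), as an added shell example; it is not code from the thread or from OpenSSH. Everything about the deployment is assumed for illustration: an sshd_config of `AuthorizedKeysCommand /usr/local/sbin/log-authkey log %u %f`, `AuthorizedKeysCommandUser sshkeylog` and `AuthorizedKeysFile none` (so the command is the only key source and runs for every connection), a central key store `/etc/ssh/authorized_keys.d/<user>`, a log at `/var/log/sshd-authkey.log`, and Linux `/proc` plus `ss -ltnp` for the socket owner. The `ss` listing and log lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Maps a reverse-forward listening port
# back to the key fingerprint(s) seen at authorization, using Mike's option (1):
# the AuthorizedKeysCommand child logs $PPID, and the sshd process that later
# owns the listener has that same parent.
#
# Assumed sshd_config (illustration only):
#   AuthorizedKeysCommand /usr/local/sbin/log-authkey log %u %f
#   AuthorizedKeysCommandUser sshkeylog
#   AuthorizedKeysFile none        # command is the sole key source
# Assumed paths (illustration only):
KEYLOG=${KEYLOG:-/var/log/sshd-authkey.log}
KEYDIR=${KEYDIR:-/etc/ssh/authorized_keys.d}

# --- Part A: AuthorizedKeysCommand side ---------------------------------------
# sshd runs the command once per key the client *offers*, so every line is a
# candidate; the key that actually won is the one sshd's own
# "Accepted publickey" auth log line reports for the same connection.
record_candidate() {      # record_candidate LOGFILE PPID USER FINGERPRINT
    printf '%s %s %s %s\n' "$(date +%s)" "$2" "$3" "$4" >> "$1"
}

# Full wrapper body: log the candidate, then serve the user's keys from the
# central store (the command must print keys or nobody can log in).
log_authkey() {           # log_authkey USER FINGERPRINT   (argv from sshd)
    record_candidate "$KEYLOG" "$PPID" "$1" "$2"
    [ -r "$KEYDIR/$1" ] && cat "$KEYDIR/$1"
    return 0
}

# --- Part B: port -> owning sshd -> parent -> logged fingerprints -------------
# PID owning the LISTEN socket on PORT, parsed from `ss -ltnp` on stdin.
# Column 4 is "Local Address:Port"; the process column looks like
#   users:(("sshd",pid=4242,fd=9))
pid_for_listen_port() {   # pid_for_listen_port PORT < ss_output
    awk -v port=":$1" '
        $4 ~ port"$" && match($0, /pid=[0-9]+/) {
            print substr($0, RSTART + 4, RLENGTH - 4); exit
        }'
}

# Parent PID. /proc/PID/stat's comm field may contain spaces, so strip
# everything up to the closing parenthesis before taking field 2 (ppid).
parent_of() {             # parent_of PID
    if [ -r "/proc/$1/stat" ]; then
        sed 's/^.*) //' "/proc/$1/stat" | awk '{print $2}'
    else
        ps -o ppid= -p "$1" | tr -d ' '
    fi
}

# "user fingerprint" pairs logged under one parent PID. More than one line
# means the client offered several keys; confirm against the auth log.
fingerprints_for_ppid() { # fingerprints_for_ppid LOGFILE PPID
    awk -v ppid="$2" '$2 == ppid {print $3, $4}' "$1" | sort -u
}

who_owns_port() {         # who_owns_port LOGFILE PORT < ss_output
    pid=$(pid_for_listen_port "$2")
    [ -n "$pid" ] || { echo "no listener on port $2" >&2; return 1; }
    fingerprints_for_ppid "$1" "$(parent_of "$pid")"
}

# --- Option (2): host key of the machine behind the tunnel --------------------
# Only meaningful when the reverse forward lands on the client's own sshd;
# as Mike notes, this is the client's *host* key, not the user key it
# authenticated with. `ssh-keygen -lf -` reads the scanned key from stdin.
client_hostkey_fingerprint() {   # client_hostkey_fingerprint PORT
    ssh-keyscan -p "$1" 127.0.0.1 2>/dev/null | ssh-keygen -lf -
}

# Dispatcher so the same file serves as the wrapper and as an operator tool:
#   log-authkey log USER FP      (invoked by sshd via AuthorizedKeysCommand)
#   log-authkey port 2222        (which key opened the listener on 2222?)
#   log-authkey hostkey 2222     (option 2: host key reachable through it)
case "${1:-}" in
    log)     shift; log_authkey "$@" ;;
    port)    ss -ltnp | who_owns_port "$KEYLOG" "$2" ;;
    hostkey) client_hostkey_fingerprint "$2" ;;
esac
```

The port lookup is only as good as the log: if the key store also lists the key in a per-user `authorized_keys` file, sshd never runs the command for it, which is why the example assumes `AuthorizedKeysFile none`. Reading the log requires a different privilege than writing it, so the wrapper's log should be writable by `AuthorizedKeysCommandUser` and nobody else.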

