Identify multiple users doing reverse port FWD with their pubkeys

M Rubon rubonmtz at gmail.com
Fri Feb 14 02:59:02 AEDT 2020


Clément Péron wrote:
> I would like to know which pubkey has open which reverse port.

Some of the things which have been mentioned will only work if your
remote client runs a command/shell on the server.  Specifically
setting a per-key environment variable does not work if you are only
doing a remote port forward.  Similarly, the $SSH_CLIENT and/or
$SSH_CONNECTION environment variables are only available when the
client runs a command or shell on the server.
These environment variables are unfortunately not set for other SSH
processes related to your connections, for instance while running the
AuthorizedKeysCommand or in the process which does the port
forwarding.

Your options for IDing the remote client are:

(1) the PPID of the process handling the AuthorizedKeysCommand is also
the PPID of the process doing the reverse port forwarding.  You can
record the ID during authorization and then figure out which reverse
tunnel corresponds to that.

(2) If your reverse tunnel connects to the client machine's SSH
server, then on your server you can use the openssh command
`ssh-keyscan -p PORT 127.0.0.1` to identify the host key of the
client machine (note that this is not the default key the client will
use to connect to your server).

(3) If you have control of the client, you set the client to run a
command, and then intercept that on your server to record the details.
If your client does not run a command, I don't think you can force
this on the server side.  (I am not so happy with the security of
running a command when it is not needed, but others may be happy with
this).

These are not particularly clean or easy, but might work for your needs.

It would be nice if $SSH_CLIENT and/or $SSH_CONNECTION were set when
AuthorizedKeysCommand was run and were also set in the process which
does the port forwarding.  It would also be nice if the per-key
environment variable was set in the process which does the port
forwarding, which would allow you to tag it.

Mike
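Option (1) above, worked through as an added shell example; this is not code from Mike's post or from OpenSSH. The log path, the authorized_keys.d directory, the sshd_config lines and the function names are assumptions; %u and %f are real AuthorizedKeysCommand tokens (user name and key fingerprint).

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH.  Assumed names:
# KEYLOG, /etc/ssh/authorized_keys.d/<user>, keylog_record, key_for_port.

KEYLOG=${KEYLOG:-/var/log/sshd-keylog}

# Part A: run as the AuthorizedKeysCommand, e.g. in sshd_config (assumed):
#   AuthorizedKeysCommand /usr/local/bin/keylog.sh %u %f
#   AuthorizedKeysCommandUser nobody
# $PPID here is the per-connection sshd that also becomes the parent of
# the process holding the reverse-forward listener (option 1 above).
# Every offered key is logged, so for a successful login the last line
# for a given ppid is the key that was accepted.
keylog_record() {                      # $1 = user, $2 = key fingerprint
    printf '%s ppid=%s user=%s fp=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$PPID" "$1" "$2" >> "$KEYLOG"
    cat "/etc/ssh/authorized_keys.d/$1" 2>/dev/null || true   # keys for sshd
}

# Part B: on the server, map a listening port back to the key.
ppid_of() { ps -o ppid= -p "$1" | tr -d ' '; }   # redefined in tests

# key_for_port PORT SS_OUTPUT LOG: prints "user fingerprint" for the
# session that owns the sshd listener on PORT; SS_OUTPUT is the text of
# `ss -ltnp` (run as root so sshd pids are visible), LOG is the content
# of $KEYLOG.  Returns 1 when no sshd listener is bound to PORT.
key_for_port() {
    pid=$(printf '%s\n' "$2" | awk -v p=":$1" '
        $4 ~ p"$" && /sshd/ { sub(/.*pid=/, ""); sub(/,.*/, ""); print; exit }')
    [ -n "$pid" ] || return 1
    printf '%s\n' "$3" | awk -v m="ppid=$(ppid_of "$pid")" '
        $2 == m { u = $3; f = $4 }
        END { if (f != "") { sub(/^user=/, "", u); sub(/^fp=/, "", f); print u, f } }'
}
```

Run part B as `key_for_port 2222 "$(ss -ltnp)" "$(cat "$KEYLOG")"` once the listener is up; the lookup only works while the forwarding process is still alive, since the pid-to-ppid step uses `ps`.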

