Re: Re: Identify multiple users doing reverse port FWD with their pubkeys

Hi Jochen,

On Wed, 12 Feb 2020 at 00:16, Jochen Bern <Jochen.Bern@xxxxxxxxx> wrote:
>
> On 02/11/2020 07:07 PM, Clément Péron wrote:
> > - I have X devices (around 30) and one SSH server
> > - Each of them has a unique public key and creates one dynamic reverse
> > port forwarding on the server
> > - All of them connect with the same UNIX user (I don't want to create
> > a new user each time I add a new device)
> >
> > When I connect to the server, I would like to know which pubkey has
> > opened which reverse port.
>
> The auth happens when the device opens the SSH connection, and if your
> logging verbosity is high enough, the pubkey's fingerprint will be
> written to the log. If you really need to identify *the pubkey*, you'll
> have to grab the PID of the sshd process holding the reverse port (can
> be gleaned from the output of "{netstat,ss} -natp") and then search
> through the logs for the lines of when it got started.

Thanks for the solution. Indeed it will work, but it's not really
proper; I would like to find a way, like having a different parameter
for each pubkey in the authorized keys file, and then be able to
identify which device established the connection.

For example, I tried to set an environment variable for each pubkey in
the authorized keys file, but I can't get it when doing reverse forwarding.
Then I tried to have a different permitlisten port, but it doesn't work
with dynamic ports :(.
Can I create a tunnel for each device, or execute a specific command to
identify a posteriori which device created the reverse forwarding
port?

Thanks,
Clement

>
> Whereas the *IP* of the device in question can be read on demand from
> the same netstat/ss output, just look for the incoming SSH connection
> held by the same PID ...
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH
>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
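Jochen's correlation, worked through as an added example (not code from this thread or from OpenSSH): parse `ss -natp` for the sshd process holding each reverse-forward listener, follow that process to its established client connection, and match the peer address and port against the `Accepted publickey` line in the sshd log, which carries the key fingerprint. The ss output and log lines are constructed sample data, and the lookup assumes the privileged sshd and its session child share the client connection socket, so the listener's pid appears on that ESTAB line.

```python
import re

# Constructed sample `ss -natp` output from the SSH server (not real data).
SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:20001 0.0.0.0:* users:(("sshd",pid=4320,fd=10))
LISTEN 0 128 127.0.0.1:20002 0.0.0.0:* users:(("sshd",pid=4395,fd=10))
ESTAB 0 0 192.0.2.10:22 198.51.100.7:51234 users:(("sshd",pid=4320,fd=4),("sshd",pid=4318,fd=4))
ESTAB 0 0 192.0.2.10:22 198.51.100.8:40120 users:(("sshd",pid=4395,fd=4),("sshd",pid=4393,fd=4))
"""
# Constructed sshd syslog lines; LogLevel INFO already prints the key fingerprint.
AUTH_LOG = """\
Feb 11 19:07:01 srv sshd[4318]: Accepted publickey for devices from 198.51.100.7 port 51234 ssh2: ED25519 SHA256:aaaaDEVICE01
Feb 11 19:07:09 srv sshd[4393]: Accepted publickey for devices from 198.51.100.8 port 40120 ssh2: ED25519 SHA256:bbbbDEVICE02
"""

LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+?:(\d+)\s+\S+\s+users:\((.*)\)$')
ESTAB_RE = re.compile(r'^ESTAB\s+\d+\s+\d+\s+\S+\s+(\S+?):(\d+)\s+users:\((.*)\)$')
PID_RE = re.compile(r'pid=(\d+)')
ACCEPT_RE = re.compile(r'Accepted publickey for (\S+) from (\S+) port (\d+) ssh2: (\S+ \S+)')

def parse_ss(text):
    """Return ({listen_port: pid}, {pid: (peer_ip, peer_port)}) for sshd sockets."""
    listeners, peers = {}, {}
    for line in text.splitlines():
        if m := LISTEN_RE.match(line):
            for pid in PID_RE.findall(m.group(2)):
                listeners[int(m.group(1))] = int(pid)
        elif m := ESTAB_RE.match(line):
            # The client connection fd is shared by the privileged sshd and its
            # session child, so every pid listed on this line maps to the same peer.
            for pid in PID_RE.findall(m.group(3)):
                peers[int(pid)] = (m.group(1), int(m.group(2)))
    return listeners, peers

def parse_accepted(text):
    """Return {(peer_ip, peer_port): (user, key_fingerprint)} from 'Accepted publickey' lines."""
    return {(m.group(2), int(m.group(3))): (m.group(1), m.group(4))
            for m in ACCEPT_RE.finditer(text)}

def map_ports_to_keys(ss_text, log_text):
    """For each reverse-forward listener, find the client peer and the key it authenticated with."""
    listeners, peers = parse_ss(ss_text)
    accepted = parse_accepted(log_text)
    result = {}
    for port, pid in listeners.items():
        peer = peers.get(pid)  # None if ss did not show the listener's connection
        user, fp = accepted.get(peer, (None, None)) if peer else (None, None)
        result[port] = {"pid": pid, "peer": peer, "user": user, "fingerprint": fp}
    return result
```

`ss -p` only shows process names and pids for sockets you are allowed to inspect, so run it as root on the server; a listener whose fingerprint comes back as None means the matching `Accepted publickey` line has already rotated out of the log you fed in.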