Hi Mike

On Thu, 13 Feb 2020 at 17:02, M Rubon <rubonmtz@xxxxxxxxx> wrote:
>
> Clément Péron wrote:
> > I would like to know which pubkey has opened which reverse port.
>
> Some of the things which have been mentioned will only work if your
> remote client runs a command/shell on the server. Specifically,
> setting a per-key environment variable does not work if you are only
> doing a remote port forward. Similarly, the $SSH_CLIENT and/or
> $SSH_CONNECTION environment variables are only available when the
> client runs a command or shell on the server. These environment
> variables are unfortunately not set for other SSH processes related
> to your connections, for instance while running the
> AuthorizedKeysCommand or in the process which does the port
> forwarding.
>
> Your options for IDing the remote client are:
>
> (1) the PPID of the process handling the AuthorizedKeysCommand is also
> the PPID of the process doing the reverse port forwarding. You can
> record the ID during authorization and then figure out which reverse
> tunnel corresponds to that.
>
> (2) If your reverse tunnel connects to the client machine's SSH
> server, then on your server you can use the openssh command
> ssh-keyscan -p PORT 127.0.0.1 to identify the host key of the
> client machine (note that this is not the default key the client will
> use to connect to your server).

This is something that I didn't think about, and it totally makes sense
in my case. I will go for that, thanks!

> (3) If you have control of the client, you set the client to run a
> command, and then intercept that on your server to record the details.
> If your client does not run a command, I don't think you can force
> this on the server side. (I am not so happy with the security of
> running a command when it is not needed, but others may be happy with
> this).
>
> These are not particularly clean or easy, but might work for your needs.

Thanks a lot, your explanations are really helpful!
Clement

> It would be nice if $SSH_CLIENT and/or $SSH_CONNECTION were set when
> AuthorizedKeysCommand was run and were also set in the process which
> does the port forwarding. It would also be nice if the per-key
> environment variable was set in the process which does the port
> forwarding, which would allow you to tag it.
>
> Mike
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
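Added worked example (not from the thread and not OpenSSH's own code): a Linux script for option (1) above, the PPID join between AuthorizedKeysCommand and the process that binds the -R listener. In "record" mode sshd runs it as the AuthorizedKeysCommand with the tokens %u %f %t %k; it prints the authorized_keys line matching the offered key and logs the key against os.getppid(), the per-connection privileged sshd. In "lookup" mode it parses `ss -Hltnp`, resolves each listening sshd pid to its parent through /proc/PID/stat, and joins that against the log. The paths /var/log/ssh-keytag.jsonl and /etc/ssh/authorized_keys.d/USER, the script name keytag.py, and all sample keys, socket lines and pids are assumptions constructed for the offline demo; the key blobs are placeholders, not real keys.

```python
#!/usr/bin/env python3
"""Tag reverse (-R) forwards with the public key that authenticated them.

record: sshd runs  AuthorizedKeysCommand /usr/local/sbin/keytag.py record %u %f %t %k
        Prints the matching authorized_keys line(s) and logs {ppid, user, fingerprint}.
        Our parent is the per-connection privileged sshd, which also forks the
        process that later binds the -R listener (thread option (1)).
lookup: parse `ss -Hltnp`, map listening sshd pids to their parent via /proc,
        join against the log.  Needs root to see other users' sockets.
Paths and the one-file-per-user key directory are assumptions for this example.
"""
import json
import os
import re
import subprocess
import sys

LOG_PATH = "/var/log/ssh-keytag.jsonl"   # assumed; must be writable by AuthorizedKeysCommandUser
KEY_DIR = "/etc/ssh/authorized_keys.d"   # assumed: one root-owned file per user
# ss prints users:(("sshd",pid=N,fd=M)); accept "sshd-session" too (OpenSSH >= 9.8 naming).
_SSHD_PID_RE = re.compile(r'\("sshd[^"]*",pid=(\d+)')


def matching_key_lines(keys_text, keytype, keyblob):
    """authorized_keys lines whose (type, base64 blob) equals the offered key.
    Options may precede the key, so the pair is searched anywhere in the line."""
    out = []
    for line in keys_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if any(fields[i] == keytype and fields[i + 1] == keyblob
               for i in range(len(fields) - 1)):
            out.append(line.rstrip())
    return out


def record_entry(user, fingerprint, keytype, keyblob, keys_text, ppid):
    """Return (lines to print for sshd, log entry). Entry is None when the key is
    unknown: nothing is printed and sshd rejects the key, so nothing is logged."""
    lines = matching_key_lines(keys_text, keytype, keyblob)
    entry = {"ppid": ppid, "user": user, "fingerprint": fingerprint} if lines else None
    return lines, entry


def parse_ss_listen(ss_output):
    """(port, pid) for every listening socket owned by an sshd process."""
    out = []
    for line in ss_output.splitlines():
        fields = line.split()
        m = _SSHD_PID_RE.search(line)
        if len(fields) < 4 or not m:
            continue
        out.append((int(fields[3].rsplit(":", 1)[1]), int(m.group(1))))
    return out


def ppid_of(pid):
    """Parent pid from /proc/<pid>/stat (second field after the '(comm)'), or None if gone."""
    try:
        with open(f"/proc/{pid}/stat") as fh:
            return int(fh.read().rsplit(")", 1)[1].split()[1])
    except FileNotFoundError:
        return None


def forwards_by_key(listeners, parent_of, records):
    """Join listeners to log entries through the shared parent pid.
    parent_of (pid -> ppid) is injected so the join can be tested offline.
    Ports whose parent was never logged (e.g. the main :22 listener) map to []."""
    by_ppid = {}
    for r in records:
        by_ppid.setdefault(r["ppid"], []).append((r["user"], r["fingerprint"]))
    out = {}
    for port, pid in listeners:
        seen = []   # sshd consults the command for the query and the signed attempt: dedupe
        for tag in by_ppid.get(parent_of(pid), []):
            if tag not in seen:
                seen.append(tag)
        out[port] = [{"user": u, "fingerprint": fp} for u, fp in seen]
    return out


# Constructed sample data for the offline demo; blobs are placeholders, not real keys.
SAMPLE_KEYS = ("# alice, laptop\n"
               "ssh-ed25519 AAAAfakekey1 alice@laptop\n"
               "restrict,port-forwarding ssh-rsa AAAAfakekey2 bob@desk\n")
SAMPLE_SS = ('LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1000,fd=3))\n'
             'LISTEN 0 128 127.0.0.1:2222 0.0.0.0:* users:(("sshd",pid=4321,fd=8))\n'
             'LISTEN 0 128 [::1]:2223 [::]:* users:(("sshd",pid=4322,fd=8))\n'
             'LISTEN 0 4096 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=900,fd=7))\n')
SAMPLE_PARENTS = {1000: 1, 4321: 4300, 4322: 4310}   # pid -> per-connection sshd pid
SAMPLE_LOG = [{"ppid": 4300, "user": "alice", "fingerprint": "SHA256:aaaa"},
              {"ppid": 4300, "user": "alice", "fingerprint": "SHA256:aaaa"},  # query + signed
              {"ppid": 4310, "user": "bob", "fingerprint": "SHA256:bbbb"}]


def demo():
    """Join on the constructed data: 22 -> [], 2222 -> alice's key, 2223 -> bob's key."""
    return forwards_by_key(parse_ss_listen(SAMPLE_SS), SAMPLE_PARENTS.get, SAMPLE_LOG)


def main(argv):
    if len(argv) == 6 and argv[1] == "record":
        user, fingerprint, keytype, keyblob = argv[2:6]
        if not re.fullmatch(r"[A-Za-z0-9_][A-Za-z0-9._-]*", user):   # %u must not steer the path
            return 1
        try:
            with open(os.path.join(KEY_DIR, user)) as fh:
                keys_text = fh.read()
        except FileNotFoundError:
            return 0
        lines, entry = record_entry(user, fingerprint, keytype, keyblob, keys_text, os.getppid())
        if entry:
            with open(LOG_PATH, "a") as fh:
                fh.write(json.dumps(entry) + "\n")
            print("\n".join(lines))
        return 0
    if len(argv) == 2 and argv[1] == "lookup":
        ss_out = subprocess.run(["ss", "-Hltnp"], capture_output=True, text=True, check=True).stdout
        with open(LOG_PATH) as fh:
            records = [json.loads(l) for l in fh if l.strip()]
        for port, tags in sorted(forwards_by_key(parse_ss_listen(ss_out), ppid_of, records).items()):
            print(port, tags or "(no key recorded)")
        return 0
    print("usage: keytag.py record USER FINGERPRINT TYPE KEY | lookup", file=sys.stderr)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two things to check before relying on this. sshd consults AuthorizedKeysFile before AuthorizedKeysCommand, so a key that matches ~/.ssh/authorized_keys never reaches the script; set `AuthorizedKeysFile none` and serve all keys from the command. And the PPID equality is the thread's claim for the usual privilege-separated layout; confirm it on your sshd version with `ps -o pid,ppid,comm` while a reverse forward is up. The log should be pruned of entries whose ppid no longer exists, since pids are reused. Each port the lookup prints can then be probed with the `ssh-keyscan -p PORT 127.0.0.1` from option (2) if you also want the client's host key.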