On Saturday 23 May 2009 05:10:40 Alex Bligh wrote:
> Two related sshd configuration questions.
>
> I want to implement sshd so that it allows port forwarding but in a rather
> specific manner. I can't alter what the client will do for various reasons,
> but it's in essence:
>
> ssh -l user-service -L 9999:server2.example.com:1234 server1.example.com
>
> What the sshd server needs to do is:
>
> 1. Authenticate the username passed (in the former "user-service") against
> an external authentication database. I am hoping I can do this using (say)
> a PAM module. Whatever the username specified, the UNIX UID required on the
> server will be the same. As the username is in fact a composite of a username
> and a service name, the usernames provided cannot correspond to actual UNIX
> usernames. Is it possible to write a PAM module for sshd that works this
> way, and if so how can I force logins to a specific UID?
>
> 2. Rather than sshd opening up a TCP connection to forward the connection (in
> the above instance to server2.example.com:1234), I need sshd to launch a
> process (in a similar way to inetd) and pipe the connection to that,
> irrespective of what the user has specified on the ssh command line. It
> needs to pass the username specified ("user-service", not the UID which
> will always be the same) and preferably the "server2.example.com:1234" to
> this process, either on the process's command line or in the environment.
> Essentially what the process will be doing is an "nc" but dependent on the
> "user-service" tuple passed and subject to some protocol translation. How
> can I achieve this?

Something useful will be iptables. iptables can redirect your connection to 127.0.0.1:x when you have your local program listening. This can be done with iptables, the --uid-owner policy, and REDIRECT (I think). -j REDIRECT together with uid-owner will redirect all the connections created from your special users to your local service.

> If the answer is "go hack about in openssh sources" that is a possibility
> (though I'd rather not). Some indication of where to look would be useful.

--
Ing. Aaron G. Mizrachi P.
http://www.unmanarc.com
Mobile 1: + 58 416-6143543
Mobile 2: + 58 424-2412503
BBPIN: 0x 247066C1
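The REDIRECT approach from the reply, worked through as an added example that is not part of the thread: the two iptables rules that send the shared account's outbound connections to a local listener, and the getsockopt call that lets that listener recover the destination the client originally asked for. Assumed values: the account is "svcuser", the forwarded port is 1234 and the local listener is on port 9999.

```python
"""Added example, not from the thread: iptables REDIRECT for one account's
outbound TCP, plus SO_ORIGINAL_DST so the local service learns where the
redirected connection was really going. Assumed: account "svcuser",
forwarded port 1234, local listener on 9999."""
import socket
import struct

SO_ORIGINAL_DST = 80  # value from <linux/netfilter_ipv4.h>; not in Python's socket module


def redirect_rules(owner: str, dst_port: int, local_port: int) -> list[str]:
    """iptables commands. sshd's forwarding connections are locally generated
    packets owned by the logged-in UID, so they can only be matched by owner
    in the OUTPUT chain; the nat table is where REDIRECT is valid."""
    return [
        f"iptables -t nat -A OUTPUT -p tcp --dport {dst_port} "
        f"-m owner --uid-owner {owner} -j REDIRECT --to-ports {local_port}",
        # After nat/OUTPUT the packet is re-routed over lo; anything from the
        # account that was not redirected is refused, so it cannot reach
        # arbitrary hosts directly.
        f"iptables -A OUTPUT -m owner --uid-owner {owner} ! -o lo -j REJECT",
    ]


def parse_original_dst(raw: bytes) -> tuple[str, int]:
    """Decode the sockaddr_in that SO_ORIGINAL_DST returns:
    sin_family (host order), sin_port and sin_addr (network order), 8 pad bytes."""
    family = struct.unpack("=H", raw[:2])[0]
    port, addr = struct.unpack("!H4s", raw[2:8])
    if family != socket.AF_INET:
        raise ValueError(f"not an AF_INET address (family {family})")
    return socket.inet_ntoa(addr), port


def original_dst(conn: socket.socket) -> tuple[str, int]:
    """Ask the kernel for the pre-REDIRECT destination of an accepted connection."""
    return parse_original_dst(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


# Constructed sample: what the kernel returns for a connection the client
# meant for 192.0.2.10:1234 (a TEST-NET-1 address, not a real host).
SAMPLE_SOCKADDR = (struct.pack("=H", socket.AF_INET)
                   + struct.pack("!H4s", 1234, socket.inet_aton("192.0.2.10"))
                   + bytes(8))

if __name__ == "__main__":
    for rule in redirect_rules("svcuser", 1234, 9999):
        print(rule)
    print(parse_original_dst(SAMPLE_SOCKADDR))
```

This recovers the original host and port but not the composite "user-service" name: a TCP redirect carries only the UID, so the username would still have to reach the process some other way.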