Re: Fixing UID; port forwarding via process

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Sábado 23 Mayo 2009 05:10:40 Alex Bligh escribió:
> Two related sshd configuration questions.
>
> I want to implement sshd so that it allows port forwarding but in a rather
> specific manner. I can't alter what the client will do for various reasons,
> but it's in essence:
>
> ssh -l user-service -L 9999:server2.example.com:1234 server1.example.com
>
> What the sshd server needs to do is:
>
> 1. Authenticate the username passed (in the former "user-service") against
> an external authentication database. I am hoping I can do this using (say)
> a PAM module. Whatever the username specified, the UNIX UID required on the
> server will the same. As the username is in fact a composite of a username
> and a service name, the usernames provided cannot correspond to actual UNIX
> usernames. Is it possible to write a PAM module for sshd that works this
> way, and if so how can I force logins to a specific UID?
>
> 2. Rather than sshd opening up TCP connection to forward the connection (in
> the above instance to server2.example.com:1234), I need sshd to launch a
> process (in a similar way to inetd) and pipe the connection to that,
> irrespective of what the user has specified on the ssh command line. It
> needs to pass the username specified ("user-service", not the UID which
> will always be the same) and preferably the "server2.example.com:1234" to
> this process, either on the process's command line or in the environment.
> Essentially what the process will be doing is an "nc" but dependent on the
> "user-service" tuple passed and subject to some protocol translation. How
> can I achieve this?

Something useful will be iptables. iptables can redirect your connection to 
127.0.0.1:x when you have your local program listening.

this can be done with iptables, --uid-owner policy, and REDIRECT. (I think).

-j REDIRECT in addition with uid-owner will redirect all the connections 
created from you special users to your local service.

>
> If the answer is "go hack about in openssh sources" that is a possibility
> (though I'd rather not). Some indication of where to look would be useful.
-- 
Ing. Aaron G. Mizrachi P.    

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1

Attachment: signature.asc
Description: This is a digitally signed message part.

[Index of Archives]     [Open SSH Unix Development]     [Fedora Users]     [Fedora Desktop]     [Yosemite Backpacking]     [KDE Users]     [Gnome Users]

  Powered by Linux