SSH – How to Send Port Number to Server via Reverse SSH Tunnel

sshssh-tunnel

I have two machines, Client and Server.

Client (who is behind a corporate firewall) opens a reverse SSH tunnel to Server, which has a publicly-accessible IP address, using this command:

ssh -nNT -R0:localhost:2222 insecure@server.example.com

In OpenSSH 5.3+, the 0 occurring just after the -R means "pick an available port" rather than explicitly calling for one. The reason I'm doing this is because I don't want to pick a port that's already in use. In truth, there are actually many Clients out there that need to set up similar tunnels.

The problem at this point is that the server does not know which Client is which. If we want to connect back to one of these Clients (via localhost) then how do we know which port refers to which client?

I'm aware that ssh reports the port number to the command line when used in the above manner. However, I'd also like to use autossh to keep the sessions alive. autossh runs its child process via fork/exec, presumably, so that the output of the actual ssh command is lost in the ether.

Furthermore, I can't think of any other way to get the remote port from Client. Thus, I'm wondering if there is a way to determine this port on Server.

One idea I have is to somehow use /etc/sshrc, which is supposedly a script that runs for every connection. However, I don't know how one would get the pertinent information here (perhaps the PID of the particular sshd process handling that connection?) I'd love some pointers.

Thanks!

Best Answer

Wouldn't a VPN be more appropriate? OpenVPN is super simple to configure. Here is a sample config and some links to guide your through the certificate creation process:

apt-get install openvpn
mkdir /etc/openvpn/easy-rsa
mkdir -p /etc/openvpn/ccd/client_server
touch /etc/openvpn/ipp.txt
cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca 
./build-dh
./build-key-server server
cd /etc/openvpn/easy-rsa/keys
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile ca.crt

Then create a new file /etc/openvpn/client_server.conf and put the following in it, changing the SERVER_IP_ADDRESS as appropriate

local SERVER_IP_ADDRESS
port 8443
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
pkcs12 /etc/openvpn/easy-rsa/keys/server.p12
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
server 192.168.100.0 255.255.255.0
client-config-dir /etc/openvpn/ccd/client_server
ccd-exclusive
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
reneg-sec 0

Then build a key per user who is going to connect, and create the config file in the ccd dir

./build-key-pkcs12 user1@domain.com
echo "ifconfig-push 192.168.100.2 255.255.255.0" > /etc/openvpn/ccd/client_server/user1@domain.com

The IP address MUST be suitable for a /30 subnet (see http://www.subnet-calculator.com/cidr.php), as there is only 2 addresses available (server and client) per connection. So your next available client IP would be 192.168.100.6 and so on.

Then you now have static IPs per connecting user.

Then supply the user1@domain.com.p12 file to the end-user and use the following config file

client
dev tun
proto udp
remote SERVER_IP_ADDRESS 8443
pkcs12 user1@domain.com.p12
resolv-retry infinite
nobind
ns-cert-type server
comp-lzo
verb 3
reneg-sec 0

serverloop.c:

/* check permissions */
if (!options.allow_tcp_forwarding ||
    no_port_forwarding_flag ||
    (!want_reply && listen_port == 0)
#ifndef NO_IPPORT_RESERVED_CONCEPT
    || (listen_port != 0 && listen_port < IPPORT_RESERVED &&
    pw->pw_uid != 0)
#endif
    ) {
        success = 0;
        packet_send_debug("Server has disabled port forwarding.");
} else {
        /* Start listening on the port */
        success = channel_setup_remote_fwd_listener(
            listen_address, listen_port,
            &allocated_listen_port, options.gateway_ports);
}

Unfortunately, as you can see, there aren't many conditions that appear to prevent port forwarding aside from the standard ones.

I was about to recommend the same suggestion for using mod_owner within iptables, but Jeff has beaten me to it.

Your cleanest solution would just to modify this file (for example, you can use pw->pw_uid to get the uid of the user connecting, and map that to the correct port) and recompile your SSH server, but that would depend on how comfortable you are with this.

Ssh – ssh tunnel and reverse ssh tunnel in one connection

It's perfectly legal to use both straight and reverse port forwarding in the same tunnel. You can even multiply each option to setup multiple ports forwarding.

I'm sure your problem there is a bit different: you want to forward port 9000 that is for X connections and your approach most likely clashes with two more related security mechanisms: X-server's own authorization and SSH own X-forwarding control. If you only aim to run X apps through SSH client, then you don't need to tunnel X ports manually. Instead, configure both your SSH server and client to establish X-forwarding by this configuration:

1) On SSH server set line "X11Forwarding yes" in /etc/ssh/sshd_config (don't forget to restart sshd)

2) On client side either use explicit -X option for ssh or alternatively, add line "ForwardX11" in your .ssh/config for the connected host. The command would be just like that:

ssh -X -L 5433:db:5432 office

which must setup X forwarding by agreement between all the X control mechanisms.

Best Answer

Related Solutions

Linux – How to limit reverse SSH tunelling ports

serverloop.c:

Ssh – ssh tunnel and reverse ssh tunnel in one connection

Related Topic