Restrict a client port-forward to 1 port
by Adrya-2
Hi,
Is it possible to restrict a client's port-forwarding to one port? For example, I want client X to open only port 1037 on the server through port-forwarding, client Y only port 1038, and so on. How can this be done? I use private/public key authentication. The client version is OpenSSH 3.8p1 (a Windows client), and the server runs the latest OpenSSH on a Linux machine.

Can anyone help please?

Thank you so much,
Adriana
Re: Restrict a client port-forward to 1 port
by Joseph Spenner
--- On Wed, 8/12/09, Adriana Rodean <adrya1984@...> wrote:

> Hi,
>
> Is it possible to restrict a client port-forwarding to one port?

Yes, but you must force key authentication. Then, in the authorized keys, the 2 entries should look like this:

permitopen="10.16.0.211:1037" ssh-dss AAAAB3NzaC1k...hyHN/a7BHblrelqwejrjqw..first.client.key...etc..elrjwerwer
permitopen="10.16.0.211:1038" ssh-dss weafasdfds..second.client.key..werwerewerwe....etc..
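The answer above restricts what a key may open with -L through the permitopen option. The block below is an added example, not code from the thread or from OpenSSH: a small checker that parses an authorized_keys file and reports keys with no permitopen restriction, keys with no permitlisten restriction (the -R counterpart, which OpenSSH only added in version 7.8, long after this thread, so it does not exist on a 2009 server), and two keys granted the same permitlisten port. The sample file, the client names and the key material are constructed placeholders, and the policy it encodes (one port per client) is an assumption taken from the question.

```python
"""Audit an OpenSSH authorized_keys file for per-client port-forward limits.

Added example, not code from the thread. Assumptions: one key per client,
permitopen limits -L and permitlisten limits -R (OpenSSH >= 7.8 only).
"""
import re
import sys

# Matches the key-type token so we can tell whether a line starts with options.
KEY_TYPE_RE = re.compile(r"^(sk-)?(ssh-[a-z0-9]+|ecdsa-sha2-nistp\d+)(@[\w.-]+)?$")

# Constructed sample file (placeholder key material, not real keys).
# client-x may only open 10.16.0.211:1037 and only listen on 1037,
# client-y the same for 1038, client-z has no restriction at all.
SAMPLE_AUTHORIZED_KEYS = """\
permitopen="10.16.0.211:1037",permitlisten="1037" ssh-ed25519 AAAAexampleKeyX client-x
permitopen="10.16.0.211:1038",permitlisten="1038" ssh-ed25519 AAAAexampleKeyY client-y
ssh-ed25519 AAAAexampleKeyZ client-z
# a comment line is ignored
"""


def split_unquoted(text, sep):
    """Split on sep, ignoring separators inside double quotes (option values
    such as command="echo a,b c" may contain commas and spaces)."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # keep escaped char verbatim
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_line(line):
    """Return {'options', 'keytype', 'key', 'comment'} or None for blank/comment lines.

    authorized_keys format: [options] keytype base64-key [comment]."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = [f for f in split_unquoted(line, " ") if f]
    if KEY_TYPE_RE.match(fields[0]):
        opts, rest = [], fields
    else:
        opts, rest = split_unquoted(fields[0], ","), fields[1:]
    if len(rest) < 2 or not KEY_TYPE_RE.match(rest[0]):
        raise ValueError(f"malformed authorized_keys line: {line[:40]!r}")
    options = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        options.setdefault(name.lower(), []).append(value.strip('"'))
    return {"options": options, "keytype": rest[0], "key": rest[1],
            "comment": " ".join(rest[2:])}


def audit(text):
    """Return (client, problem) findings for the given authorized_keys text."""
    findings, listen_owner = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        who = entry["comment"] or f"line {lineno}"
        opts = entry["options"]
        if "permitopen" not in opts:
            findings.append((who, "no permitopen: -L forwards are unrestricted"))
        if "permitlisten" not in opts:
            findings.append((who, "no permitlisten: -R forwards are unrestricted (OpenSSH >= 7.8)"))
        for spec in opts.get("permitlisten", []):
            port = spec.rsplit(":", 1)[-1]        # "1037", "*:1037" or "host:1037"
            if port in listen_owner and listen_owner[port] != who:
                findings.append((who, f"permitlisten port {port} also granted to {listen_owner[port]}"))
            listen_owner.setdefault(port, who)
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTHORIZED_KEYS
    for client, problem in audit(source):
        print(f"{client}: {problem}")
```

Run it against a real file with `python check_authorized_keys.py /home/client/.ssh/authorized_keys`; with no argument it audits the constructed sample and flags only client-z. A key with neither option can still be pinned down on any OpenSSH with the sshd_config route the thread mentions (AllowTcpForwarding inside a Match User block), but that is all-or-nothing per user, not per port.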
Re: Restrict a client port-forward to 1 port
by Aarón Mizrachi
On Wednesday 12 August 2009 11:53:30, Adriana Rodean wrote:

> Hi,
>
> Is it possible to restrict a client port-forwarding to one port?
> For example i want client X to open only port 1037 on server through
> port-forwarding, client Y only port 1038 and so on...
> How can this be possible?
> I use private/public keys authentication.
> Client version is openssh3.8p1, is windows client, and server version
> is latest openssh on a linux machine.
>
> Can anyone help please?

Each instance of ssh is executed with the UID determined by the SSH logon.

Log example:

[GWCONN]: IN= OUT=wan0 SRC=_._._._ DST=_._._._ LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9946 DF PROTO=TCP SPT=46684 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A2E3B8D980000000001030305) UID=500 GID=500

If you set some rules like:

iptables -I OUTPUT -o \! lo -m owner --uid-owner 500 -j LOGDROP
iptables -I OUTPUT -m owner --uid-owner 500 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

you will enable only port 80 for UID 500 (usernames can be used also).

But remember the -o \! lo; that means that iptables won't block any connection from UID 500 to localhost, which is needed for ssh's internal work. ;-)

Hope it helps.

> Thank you so much,
> Adriana

--
Ing. Aaron G. Mizrachi P.
http://www.unmanarc.com
Re: Restrict a client port-forward to 1 port
by Aarón Mizrachi
On Wednesday 12 August 2009 16:42:54, Aarón Mizrachi wrote:

> if you set some rule like:
>
> iptables -I OUTPUT -o \! lo -m owner --uid-owner 500 -j LOGDROP
> iptables -I OUTPUT -m owner --uid-owner 500 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

The same rules without LOGDROP:

iptables -I OUTPUT -o \! lo -m owner --uid-owner 500 -j DROP
iptables -I OUTPUT -m owner --uid-owner 500 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

;-)
Re: Restrict a client port-forward to 1 port
by Joseph Spenner
--- On Thu, 8/13/09, Adriana Rodean <adrya1984@...> wrote:

> Hi again,
>
> Maybe I didn't express myself right.
> I want client X to be able to connect with this command:
> ssh -L 30300:localhost:8080 -R 1037:localhost:55555
> Client Y to be able to connect with:
> ssh -L 30300:localhost:8080 -R 1038:localhost:55555
> and so on
> but client Y should be forbidden to connect with:
> ssh -L 30300:localhost:8080 -R 1037:localhost:55555

From what I can tell, your goal is to restrict certain REMOTE port forward values. I do not think it is possible to place restrictions on REMOTE port forwards if port forwarding is enabled in sshd_config. In the authorized_keys, you can list 'permitopen' options, but this only applies to LOCAL port forwards.
Re: Restrict a client port-forward to 1 port
by Adrya-2
Hi,

Thank you so much for the reply :)

Yes, that's exactly what I want: restrict certain REMOTE port forward values. If client X has remote port 1037 on the server, then client Y should be forbidden to do remote port-forwarding on port 1037 if client X is not connected. Can't it be restricted somehow with iptables or with some Linux commands? If ssh can't, I'm thinking maybe Linux can... I mean, restrict only client X (which is behind a certain IP address) to listen on port 1037 on the server.

I'm not a Linux user and have minimal knowledge about Linux, but maybe someone knows...

Thank you again,
Adriana

On Thu, Aug 13, 2009 at 22:00, Joseph Spenner<joseph85750@...> wrote:
> From what I can tell, your goal is to restrict certain REMOTE port forward values. I do not think it is possible to place restrictions on REMOTE port forwards if port forwarding is enabled in sshd_config.
Re: Restrict a client port-forward to 1 port
by Aarón Mizrachi
On Thursday 13 August 2009 14:30:13, Joseph Spenner wrote:

> From what I can tell, your goal is to restrict certain REMOTE port forward
> values. I do not think it is possible to place restrictions on REMOTE port
> forwards if port forwarding is enabled in sshd_config. In the
> authorized_keys, you can list 'permitopen' options, but this only applies
> to LOCAL port forwards.

Among the normal configuration possibilities, as Joseph said, there is no _simple_ option that I can see.

What I see:

- iptables won't be useful in such a case. Yes, openssh will open this port with a process owned by your specific user, but "-m owner" only applies to the OUTPUT and POSTROUTING chains. What you need is for the INPUT chain.

- Internal openssh configuration does not provide any way to limit which ports a specific user is allowed to open. Only for outgoing connections can you set limits, and you can do that without rsa/dss/... keys using the "Match User" directive in sshd_config.

---

But there are other useful possibilities... more complex, obviously. I will not specify exactly how to use them, but I hope it helps.

1. LEVEL: MED. EFFICIENCY: LOW

Monitor/event script. This script will do something like:

kill -9 $(netstat -anpo | grep ^tcp | grep LISTEN | cut -d"/" -f1 | cut -d: -f2,3 | awk '{printf("echo -n \"%s \"; ps -p %s uh\n",$1,$4);}' | bash | awk '{printf("%s %s %s\n",$1,$2,$3);}' | grep unmanarc | grep -v ^1234 | cut -d' ' -f3)

where unmanarc is the username wanted, and 1234 the port that you allow for him.

The event version will result in system detriment because each bind will launch this command, and even then both mechanisms will allow the port binding for a short period of time until the script runs...

2. LEVEL: MED. EFFICIENCY: MED

A similar script, but creating a dynamic rule in iptables: by default every port is restricted; when the script detects a match (username-port), the script opens an INPUT rule allowing this port. Otherwise, the port will be completely useless. This script has to have a special mechanism to detect when you close the SSH session, and close the iptables rule too (-D). But... this mechanism is prone to a race condition. An attacker could simply

3. LEVEL: HIGH. EFFICIENCY: HIGH

Possibly the most feasible option: SELinux. It's possible to enforce a policy defining special _port_t labels, and restricting specific user domains to bind only on labeled ports in the program domain. For that, you previously have to add the specific unix accounts to these user domains in SELinux.

4. LEVEL: HIGH. EFFICIENCY: HIGH

LD_PRELOAD method. The LD_PRELOAD method will enable you to create a wrapper for bind. This wrapper could check "getuid();" and check whether a port/user pair is allowed. This database could be hardcoded or could exist in some specific file.

----------------

My recommendation: if you really need an efficient mechanism, try SELinux or LD_PRELOAD; if you don't, try with scripts. ;-)
Re: Restrict a client port-forward to 1 port
by Joseph Spenner
--- On Fri, 8/14/09, Adriana Rodean <adrya1984@...> wrote:

> Yes that's exactly what i want, restrict certain REMOTE port forward values.
> If client X has remote port 1037 on the server then client Y should be
> forbidden to do remote port-forwarding on port 1037 if client X is not
> connected.
> Can't it be restricted somehow with iptables or with some Linux commands?
> If ssh can't i'm thinking maybe Linux can...

Another option could be to create a type of 'portmon' script (port monitor). It could run via root cron, and be looking for user port forwards. Here's an example of what it would see on the sshd (remote) server:

root@slack182:~# lsof -ni |grep user42
sshd 2565 user42 7u IPv4 146804 TCP 127.0.0.1:12345 (LISTEN)

This means user42 has a REMOTE port forward built on port 12345 (notice, it is bound to 127.0.0.1 as remote port forwards always are). Your script could look for such processes, and if unauthorized ports are present kill the PID(s) associated with them (in this case 2565).
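The portmon idea above and option 1 of Aarón's list (the netstat/kill one-liner) are the same mechanism: poll the listening sockets and kill the per-session sshd whose user is bound to a port they are not allowed. The block below is an added example in Python, not code from either poster. Its allowlist, user names and lsof output are constructed, and it assumes the host's lsof prints the usual COMMAND/PID/USER columns first and NAME/(STATE) last, which is how it stays robust to the column differences between lsof versions (Joseph's sample line has no SIZE/OFF column, newer builds do). The daemon's own root-owned listener on port 22 is skipped by assumption; every other user gets exactly the ports in the allowlist and nothing else.

```python
"""portmon: kill sshd sessions holding an unauthorized -R listener.

Added example, not code from the thread. Parses `lsof -nP -i` output and
returns the PIDs of per-session sshd processes bound to ports their user may
not use. Run from root cron; enforcement is opt-in via PORTMON_ENFORCE=1.
"""
import os
import signal
import subprocess

# Hypothetical policy: user -> set of ports that user may bind with -R.
ALLOWED_LISTEN_PORTS = {"clientx": {1037}, "clienty": {1038}}

# Constructed sample of `lsof -nP -i` output (not captured from a real host).
SAMPLE_LSOF = """\
COMMAND  PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      901    root   3u  IPv4   9876      0t0  TCP *:22 (LISTEN)
sshd     2565  user42   7u  IPv4 146804      0t0  TCP 127.0.0.1:12345 (LISTEN)
sshd     2565  user42   8u  IPv6 146805      0t0  TCP [::1]:12345 (LISTEN)
sshd     2601 clientx   7u  IPv4 146900      0t0  TCP 127.0.0.1:1037 (LISTEN)
sshd     2601 clientx   9u  IPv4 146901      0t0  TCP 10.0.0.5:22->10.0.0.9:50412 (ESTABLISHED)
sshd     2633 clienty   7u  IPv4 146950      0t0  TCP 127.0.0.1:1037 (LISTEN)
"""


def listen_port(name):
    """Port number from an lsof NAME field: 127.0.0.1:1037, [::1]:1037 or *:22."""
    return int(name.rsplit(":", 1)[1])


def parse_sshd_listeners(lsof_text):
    """Return (pid, user, port) for every sshd socket in LISTEN state."""
    listeners = []
    for line in lsof_text.splitlines():
        fields = line.split()
        # Column count varies between lsof versions, so only rely on the
        # fixed ends of the row: COMMAND PID USER ... NAME (STATE).
        if len(fields) < 9 or fields[0] != "sshd" or fields[-1] != "(LISTEN)":
            continue
        listeners.append((int(fields[1]), fields[2], listen_port(fields[-2])))
    return listeners


def unauthorized_listeners(listeners, allowed, ignore_users=("root",)):
    """Listeners whose user is not permitted to bind that port.

    root is skipped by default because the sshd daemon itself listens as root;
    a user absent from `allowed` is permitted no ports at all."""
    return [(pid, user, port) for pid, user, port in listeners
            if user not in ignore_users and port not in allowed.get(user, set())]


def pids_to_kill(lsof_text, allowed):
    """Distinct PIDs of per-session sshd processes holding an unauthorized listener.

    Killing the session sshd (the PID lsof reports) tears down the -R
    listener together with the whole SSH session, as Joseph describes."""
    bad = unauthorized_listeners(parse_sshd_listeners(lsof_text), allowed)
    return sorted({pid for pid, _, _ in bad})


def enforce(allowed, dry_run=True):
    """Run lsof on this host and terminate offending sessions."""
    proc = subprocess.run(["lsof", "-nP", "-i"], capture_output=True, text=True, check=False)
    victims = pids_to_kill(proc.stdout, allowed)
    for pid in victims:
        print(f"unauthorized remote forward held by sshd pid {pid}")
        if not dry_run:
            os.kill(pid, signal.SIGTERM)   # escalate to SIGKILL if it lingers
    return victims


if __name__ == "__main__":
    enforce(ALLOWED_LISTEN_PORTS, dry_run=os.environ.get("PORTMON_ENFORCE") != "1")
```

The caveat Aarón raises still applies: between cron runs the unauthorized port is bound and reachable, so this is cleanup, not prevention. Polling every minute narrows the window; only a bind-time control (the SELinux or LD_PRELOAD routes from his list, or the permitlisten authorized_keys option on OpenSSH 7.8 and later) closes it.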