port forwarding source address - SSH


Thread: port forwarding source address

  1. port forwarding source address

    Currently, SSH has 2 ways to do address binding for port forwarding:

    1. The SSH encrypted connection itself can be bound to a specific IP address
    with the -b command line option (BindAddress in the config file).

    2. Port forwarding can bind to a specific address on the listening host,
    the local host for -D and -L (DynamicForward and LocalForward), or the
    remote host for -R (RemoteForward).

    What I would like to have is an option to bind the source address of the
    outbound connections being forwarded.

    An example with -L (LocalForward) would work like this. The ssh client will
    listen on the port and optionally also the specified address on the local host.
    For each connection coming in to that port, a connection is made from the
    remote host to the destination host and port specified. What my suggested
    option would do is specify what address that remote-to-destination connection
    would come from. It would only make sense to use addresses configured on a
    working interface on the remote machine.

    The purpose of the suggested option would be so that it is possible to make
    the forwarded connection come from an address on the remote machine other than
    the first one that default socket binding would ordinarily use. It would be
    similar to what -b does for the SSH encrypted connection itself, but be used
    for the forwarded connection.

    To add such a feature, the information sent from the local client to the remote
    server about forwardings being done for dynamic and local forwarding would have
    to have this new information included. I don't know enough about the SSH
    protocol to know how easy it would be to add new information. If this involves
    a fixed structure, it would require the local client and remote server to both
    have the feature implemented. If the information is transferred with tagged
    pieces of data that could otherwise be ignored, then it could be incrementally
    added without breaking compatibility with older versions.

    The port forwarded source bind address would be specific to each forwarding.
    That is, each -D or -L or -R would have its own source bind address for the
    outgoing connections to be made. So it almost certainly would need to be an
    extension of the forwarding syntax. Possibilities are:

    -D [bind_address|*:]port[:[source_address|*]]
    -D [bind_address|*/]port[/[source_address|*]]

    -L [bind_address|*:]port:host:hostport[:[source_address|*]]
    -L [bind_address|*/]port/host/hostport[/[source_address|*]]

    -R [bind_address|*:]port:host:hostport[:[source_address|*]]
    -R [bind_address|*/]port/host/hostport[/[source_address|*]]

    It could also be possible to specify a source port number. This would have
    limitations, of course. Only root could source from a privileged port. And
    only one connection could be forwarded to the same destination host:hostport
    (although with dynamic forwarding, this can still be a lot of connections to
    different host:hostport destinations).

    -D [bind_address|*:]port[:[source_address|*][:[source_port|*]]]
    -D [bind_address|*/]port[/[source_address|*][/[source_port|*]]]

    -L [bind_address|*:]port:host:hostport[:[source_address|*][:[source_port|*]]]
    -L [bind_address|*/]port/host/hostport[/[source_address|*][/[source_port|*]]]

    -R [bind_address|*:]port:host:hostport[:[source_address|*][:[source_port|*]]]
    -R [bind_address|*/]port/host/hostport[/[source_address|*][/[source_port|*]]]

    If the source address is empty or specified with * then the usual default
    behaviour would be specified (possibly overriding a differently configured
    source address from the config file for the same forwarded port). Same for
    the source port.

    I have in the past made a successful code modification to sshd. That was to
    implement a session logging feature for a server that was hosting untrusted
    users. That was a simplistic patch for a very specific need, and was not
    intended for general use. All "configuration" values were hard coded, such
    as the path to store the session logs in (they were dynamically named based
    on the date and time the session started).

    So maybe I could develop this feature. But this would clearly require more
    knowledge of SSH including how it parses the various forwarding options, and
    how it passes them over the session, and how it interprets that data at the
    remote end. And right now I have no OpenBSD machine running to do this on
    the non-portable version (it was an ancient Sun Sparc machine that had a PSU
    failure). I suppose I could set up some virtual machines to get OpenBSD back
    up on a couple of machines at home.

    --
    |WARNING: Due to extreme spam, googlegroups.com is blocked. Due to ignorance |
    | by the abuse department, bellsouth.net is blocked. If you post to |
    | Usenet from these places, find another Usenet provider ASAP. |
    | Phil Howard KA9WGN (email for humans: first name in lower case at ipal.net) |

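The forwarding syntax proposed in the post above, turned into working code as an added example for this page (it is not code from the thread or from OpenSSH): a parser for the extended -D/-L/-R grammar with the trailing [source_address|*][:[source_port|*]] fields, plus the bind-before-connect step that the remote end would perform for the outbound leg. The grammar is the proposal, not an OpenSSH option; the names ForwardSpec, parse_forward, connect_from and loopback_demo are hypothetical, and the loopback demo is a constructed check that the server really sees the chosen source port.

```python
# Added example for this page: parser for the proposed per-forwarding
# source-address syntax plus the bind-before-connect step the remote end would
# perform.  The grammar is the thread's proposal, not an OpenSSH option; the
# names ForwardSpec, parse_forward and connect_from are hypothetical.
import socket
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ForwardSpec:
    kind: str                              # "D", "L" or "R"
    bind_address: Optional[str]            # listening address; None = default
    port: int                              # listening port
    host: Optional[str] = None             # destination host (-L/-R only)
    hostport: Optional[int] = None         # destination port (-L/-R only)
    source_address: Optional[str] = None   # outbound source address; None = default
    source_port: Optional[int] = None      # outbound source port; None = ephemeral


def _default(value: str) -> Optional[str]:
    # Empty or "*" means "use the usual default", as the proposal specifies.
    return None if value in ("", "*") else value


def parse_forward(kind: str, spec: str) -> ForwardSpec:
    """Parse one -D/-L/-R argument in the proposed extended syntax.

    Both delimiter styles from the proposal are accepted.  The '/' style is
    used when the spec contains no ':' at all (IPv4 addresses and host names
    only; this simple detector does not handle bracketed IPv6 literals).
    """
    kind = kind.upper()
    if kind not in ("D", "L", "R"):
        raise ValueError(f"unknown forwarding type {kind!r}")
    parts = spec.split("/" if ":" not in spec else ":")

    # Optional leading [bind_address|*]: present when the first field is not a port.
    if parts[0].isdigit():
        bind_address, rest = None, parts
    else:
        bind_address, rest = _default(parts[0]), parts[1:]
    if not rest or not rest[0].isdigit():
        raise ValueError(f"missing listen port in {spec!r}")
    port = int(rest[0])

    if kind == "D":
        host, hostport, extra = None, None, rest[1:]
    else:
        if len(rest) < 3 or not rest[2].isdigit():
            raise ValueError(f"expected port:host:hostport in {spec!r}")
        host, hostport, extra = rest[1], int(rest[2]), rest[3:]

    # Trailing [source_address|*][:[source_port|*]] from the proposal.
    if len(extra) > 2:
        raise ValueError(f"too many fields in {spec!r}")
    source_address = _default(extra[0]) if extra else None
    source_port = None
    if len(extra) == 2 and _default(extra[1]) is not None:
        source_port = int(extra[1])
    return ForwardSpec(kind, bind_address, port, host, hostport, source_address, source_port)


def connect_from(spec: ForwardSpec, dest: Tuple[str, int], timeout: float = 5.0) -> socket.socket:
    """Open the outbound leg of a forwarding from the spec's source address/port.

    This is what the proposal asks the remote sshd (-D/-L) or the local client
    (-R) to do: bind() the outbound socket before connect().  As the post notes,
    a privileged source port still needs root, and a fixed source port allows
    only one connection at a time to the same destination host:hostport.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    if spec.source_address is not None or spec.source_port is not None:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((spec.source_address or "", spec.source_port or 0))
    s.connect(dest)
    return s


def loopback_demo() -> Tuple[Tuple[str, int], int]:
    """Constructed check on loopback: the accepting side reports the peer
    address it sees, which should be the source port chosen in the spec."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))            # pick a free port to use as source port
    source_port = probe.getsockname()[1]
    probe.close()

    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    dest_port = srv.getsockname()[1]
    spec = parse_forward("L", f"8080:127.0.0.1:{dest_port}:127.0.0.1:{source_port}")
    client = connect_from(spec, ("127.0.0.1", dest_port))
    conn, peer = srv.accept()
    conn.close()
    client.close()
    srv.close()
    return peer, source_port


if __name__ == "__main__":
    print(parse_forward("D", "*/1080/10.0.0.5"))
    peer, sp = loopback_demo()
    print(f"accepting side saw connection from {peer}; requested source port {sp}")
```

The parser treats an empty or "*" source field as "use the default", matching the rule stated in the post, and connect_from only calls bind() when a source address or port was actually requested, so a spec without the new fields behaves exactly like today's forwarding.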
  2. Re: port forwarding source address

    On Mon, 12 May 2008 08:29:23 +0000, phil-news-nospam wrote:

    > The port forwarded source bind address would be specific to each
    > forwarding.
    Could this be done with a combination of --cmd-owner and --to-source (and
    perhaps --uid-owner) in iptables?

    - Andrew

  3. Re: port forwarding source address

    On Mon, 12 May 2008 16:16:14 +0000 (UTC) Andrew Gideon wrote:
    | On Mon, 12 May 2008 08:29:23 +0000, phil-news-nospam wrote:
    |
    |> The port forwarded source bind address would be specific to each
    |> forwarding.
    |
    | Could this be done with a combination of --cmd-owner and --to-source (and
    | perhaps --uid-owner) in iptables?

    I don't see how --cmd-owner could make the distinctions. The command name in
    all cases would be "sshd". And --uid-owner would be similarly limited.

    I don't see how --to-source would even fit in this.

    One thing I want to use the feature I suggested for is to be able to make
    simultaneous connections from more than one IP address. These would be
    forwarded from different port numbers on the local machine. For example, I
    could forward one browser through one port, and another browser through
    another port, and have each of them go to web sites appearing to come from
    different IP addresses.

    So basically I'm looking for someone who understands the forwarding data
    passed by SSH, and would understand how deep I would have to get into this
    to add this new info, before I divert my time to even try it.
