Identify owner of an ssh-tunnel - SSH



Thread: Identify owner of an ssh-tunnel

  1. Identify owner of an ssh-tunnel

    I would like to use an ssh tunnel as the sole means to access an httpd
    server. User accounts are set up without a login shell and access to
    the server is done by port redirection. It is of course possible to
    authenticate again on the web server, but it would be nice to be able
    to detect the owner of a particular tunnel and use that for
    authentication on the restricted-access server.
    I don't see any /proc information that allows me to connect the
    identity to information available to the httpd daemon.

    Any ideas welcome...

    -Stefan


  2. Re: Identify owner of an ssh-tunnel

    >>>>> "stefan23" == stefan23 writes:

    stefan23> I would like to use an ssh tunnel as the sole means to
    stefan23> access an httpd server. User accounts are set up without a
    stefan23> login shell and access to the server is done by port
    stefan23> redirection. It is of course possible to authenticate again
    stefan23> on the web server, but it would be nice to be able to detect
    stefan23> the owner of a particular tunnel and use that for
    stefan23> authentication on the restricted-access server. I don't see
    stefan23> any /proc information that allows me to connect the identity
    stefan23> to information available to the httpd daemon.

    This is very much a hack, but you could do getpeername() on the TCP
    connection to the web server, then use lsof -itcp:... to find the sshd
    process -- assuming the sshd is using privilege separation so that the
    process opening the forwarded connections is running under the login
    user's uid.

    --
    Richard Silverman
    res@qoxp.net


  3. Re: Identify owner of an ssh-tunnel

    On 2006-03-01, Richard E. Silverman wrote:
    >>>>>> "stefan23" == stefan23 writes:

    > stefan23> [...] it would be nice to be able to detect
    > stefan23> the owner of a particular tunnel and use that for
    > stefan23> authentication on the restricted-access server. [...]
    >
    > This is very much a hack, but you could do getpeername() on the TCP
    > connection to the web server, then use lsof -itcp:... to find the sshd
    > process -- assuming the sshd is using privilege separation so that the
    > process opening the forwarded connections is running under the login
    > user's uid.


    Slightly less hacky variant of the same idea: run identd (maybe listening
    only on the loopback) and use the result of getpeername() to do an
    ident lookup.

    > stefan23> I don't see
    > stefan23> any /proc information that allows me to connect the identity
    > stefan23> to information available to the httpd daemon.


    On Linux (at least) you could use getpeername() to look up the uid in
    /proc/net/tcp.

    It's a shame that SO_PEERCRED doesn't work on TCP sockets (the kernel has
    enough information to do it for local-local connections but not others).

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

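A Linux implementation of the /proc/net/tcp lookup Darren describes, added here as an example that is not code from any of the posters. It assumes the httpd listens on IPv4 loopback (127.0.0.1:8080 in the constructed sample), that sshd runs with privilege separation so the forwarded connection's socket is owned by the login user's uid, and the helper names (`peer_uid`, `_decode_endpoint`) are mine.

```python
import socket
import struct

# Constructed sample of /proc/net/tcp, not captured from a real host.
# Row 0: the httpd listener on 127.0.0.1:8080 (uid 33), state 0A = LISTEN.
# Row 1: the httpd's accepted end of a connection from 127.0.0.1:40000.
# Row 2: the other end of that connection, opened by the sshd privsep
#        child running as the login user (uid 1000).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 11111 1 0 100 0 0 10 0
   1: 0100007F:1F90 0100007F:9C40 01 00000000:00000000 00:00000000 00000000    33        0 22222 1 0 20 4 30 10 -1
   2: 0100007F:9C40 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0 20 4 30 10 -1
"""

TCP_ESTABLISHED = 0x01


def _decode_endpoint(field):
    """Turn '0100007F:1F90' into ('127.0.0.1', 8080).

    The kernel prints the 32-bit address as it sits in memory, so on a
    little-endian host (as in the sample above) the octets appear reversed;
    packing with native byte order undoes that on either endianness."""
    hex_ip, hex_port = field.split(":")
    packed = struct.pack("=I", int(hex_ip, 16))
    return socket.inet_ntoa(packed), int(hex_port, 16)


def peer_uid(peer_ip, peer_port, proc_net_tcp=None):
    """Return the uid that owns the socket at (peer_ip, peer_port), i.e. the
    values the server got from getpeername() on its accepted socket, or None
    if no ESTABLISHED local socket has that endpoint as its local address.

    We match on local_address, not rem_address, because the row whose local
    end is the peer belongs to the process that opened the connection."""
    if proc_net_tcp is None:
        with open("/proc/net/tcp") as f:          # live lookup on Linux
            proc_net_tcp = f.read()
    for line in proc_net_tcp.splitlines()[1:]:    # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        local_ip, local_port = _decode_endpoint(fields[1])
        state = int(fields[3], 16)
        if (local_ip, local_port) == (peer_ip, peer_port) and state == TCP_ESTABLISHED:
            return int(fields[7])                 # the uid column
    return None


def uid_of_connection(sock):
    """Convenience wrapper: uid owning the far end of an accepted IPv4 socket."""
    ip, port = sock.getpeername()
    return peer_uid(ip, port)
```

The uid tells you only which local account owns the connecting socket; any local process can connect to loopback, so the httpd should still reject uids outside the set of tunnel-only accounts. IPv6 peers would need the same parse over /proc/net/tcp6, which this block does not handle.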