openssh-unix-dev October 2011 archive
Main Archive Page > Month Archives  > openssh-unix-dev archives
openssh-unix-dev: Detect PID of sshd processes used by one publi

Detect PID of sshd processes used by one public key; detect -R allocated port on the server

From: Alex Bligh <alex_at_nospam>
Date: Sat Oct 08 2011 - 09:01:38 GMT
To: openssh-unix-dev@mindrot.org

I have a situation where a number of potentially hostile clients ssh to
a host I control, each ssh'ing in as the same user, and each forwarding
a remote port back to them.

So, the authorized_keys file looks like:

no-agent-forwarding,command="/bin/true",no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:7"
ssh-rsa AAAAB....vnRWxcgaK9xXoU= client1234@example.com

[the permitopen stanza just disables -L forwarding by only enabling a
forwarding to a port that will always refuse connections. Ignore this.]

and the ssh line from the client looks like this:

ssh -R0:127.0.0.1:1234 -N -ldummyuser central.example.org
Allocated port 54403 for remote forward to 127.0.0.1:1234

Now, ssh -R with a 0 port option allocates a remote port, which is what I
want to do, as I have lots and lots of these clients. It tells the /client/
what port it has allocated, but I want to know on the /server/ what port
has been allocated. On the server I want to detect which port (if any)
client1234@example.com has open, and connect to that.

I can't pass this information from the client, because the potentially
hostile client could pass back a different number. I could then connect
to a port and be fooled into connecting to wrong client.

My plan was to get the PID of the sshd process, then use lsof to find
what ports it was listening on.

The lsof bit works:

$ lsof -n -p 12287 -a -i4tcp -a -sTCP:LISTEN
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 12287 testuser 10u IPv4 10196497 0t0 TCP 127.0.0.1:54403
(LISTEN)

But there seems to be no way to get the PIDs of an ssh process associated
with a particular public key, as opposed to a particular user.

Logs would be unreliable anyway (race conditions), but the log line simply
says this (no indication of what key is accepted):

Oct 8 09:30:15 test sshd[12214]: Accepted publickey for dummyuser from
10.1.3.45 port 55158 ssh2
Oct 8 09:30:15 test sshd[12214]: pam_unix(sshd:session): session opened
for user dummyuser by (uid=0)

I can't help but think that log line would be more useful if it said which
public key was accepted (am willing to provide a patch, but would prefer
to avoid a code change).

Any ideas on how to get from a public key to list of sshd processes?

-- Alex Bligh _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev