
Mailing List Archive: OpenSSH: Users
Fixing UID; port forwarding via process
 



alex at alex

May 23, 2009, 2:40 AM



Two related sshd configuration questions.

I want to implement sshd so that it allows port forwarding but in a rather
specific manner. I can't alter what the client will do for various reasons,
but it's in essence:

ssh -l user-service -L 9999:server2.example.com:1234 server1.example.com

What the sshd server needs to do is:

1. Authenticate the username passed (in the former "user-service") against
an external authentication database. I am hoping I can do this using (say)
a PAM module. Whatever the username specified, the UNIX UID required on the
server will be the same. As the username is in fact a composite of a username
and a service name, the usernames provided cannot correspond to actual UNIX
usernames. Is it possible to write a PAM module for sshd that works this
way, and if so how can I force logins to a specific UID?

2. Rather than sshd opening up a TCP connection to forward the connection (in
the above instance to server2.example.com:1234), I need sshd to launch a
process (in a similar way to inetd) and pipe the connection to that,
irrespective of what the user has specified on the ssh command line. It
needs to pass the username specified ("user-service", not the UID which
will always be the same) and preferably the "server2.example.com:1234" to
this process, either on the process's command line or in the environment.
Essentially what the process will be doing is an "nc" but dependent on the
"user-service" tuple passed and subject to some protocol translation. How
can I achieve this?

If the answer is "go hack about in openssh sources" that is a possibility
(though I'd rather not). Some indication of where to look would be useful.


--
Alex Bligh
