erlang ssh and port forwarding


erlang ssh and port forwarding

Max Lapshin-2
Hi.

I'm writing an ssh proxy in Erlang:  https://github.com/flussonic/ssh-proxy

It is required for our support team:  engineers need to log in to customers' servers, but I want to be able to revoke access.

So this is a proxy that will hide our team private key from the whole team (except me).

There is a working POC, but I've got a problem:

port forwarding does not work:

debug1: Connection to port 9080 forwarding to localhost port 80 requested.
debug1: channel 3: new [direct-tcpip]
channel 3: open failed: administratively prohibited: Not allowed
debug1: channel 3: free: direct-tcpip: listening port 9080 for localhost port 80, connect from ::1 port 54743 to ::1 port 9080, nchannels 4

Is something not ready in erlang ssh?


_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
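The revocation requirement in the post above does not depend on port forwarding at all: the OTP ssh daemon lets you replace its key lookup with a `key_cb` module implementing the `ssh_server_key_api` behaviour. The following is an added example, not code from the ssh-proxy project or from OTP. It keeps the set of engineer public keys allowed to authenticate to the proxy in an ETS table so a key can be revoked at runtime, while the team key the proxy uses toward customer servers never has to leave the proxy host. The module name, the table name and the `grant`/`revoke`/`daemon_opts` helpers are assumptions made for this example.

```erlang
%% Added example (not the ssh-proxy project's code, not OTP's): revocable
%% public-key authentication for an ssh:daemon/2 via the key_cb option.
-module(revocable_keys).
-behaviour(ssh_server_key_api).
-export([host_key/2, is_auth_key/3]).
-export([start/0, grant/2, grant_line/2, revoke/1, allowed/0, daemon_opts/1]).

%% Table name is an assumption for the example.
-define(TAB, proxy_authorized_keys).

%% Create the allow-list table; call once before ssh:daemon/2.
start() ->
    ?TAB = ets:new(?TAB, [named_table, public, set, {read_concurrency, true}]),
    ok.

%% Daemon options: host key from SystemDir, this module as key_cb, and
%% public-key authentication only, so a revoked engineer cannot fall back
%% to a password.
daemon_opts(SystemDir) ->
    [{system_dir, SystemDir},
     {key_cb, ?MODULE},
     {auth_methods, "publickey"}].

%% Grant access for User with an already-decoded public key term.
grant(User, Key) when is_list(User) ->
    true = ets:insert(?TAB, {Key, User}),
    ok.

%% Grant from one authorized_keys-style line (binary). ssh_file:decode/2 is
%% OTP 24+; on older releases use public_key:ssh_decode(Line, auth_keys).
grant_line(User, Line) when is_binary(Line) ->
    [{Key, _Attrs}] = ssh_file:decode(Line, auth_keys),
    grant(User, Key).

%% Revoke: remove the key. The next authentication attempt with it is refused;
%% sessions already established are not cut, close those with ssh:close/1.
revoke(Key) ->
    true = ets:delete(?TAB, Key),
    ok.

allowed() ->
    [{User, Key} || {Key, User} <- ets:tab2list(?TAB)].

%% ssh_server_key_api callback: host key lookup is delegated to the default
%% file-based implementation, so nothing changes for the server identity.
host_key(Algorithm, DaemonOptions) ->
    ssh_file:host_key(Algorithm, DaemonOptions).

%% ssh_server_key_api callback: the daemon calls this with the public key the
%% client has proven possession of. Accept only if that exact key is currently
%% granted to that user; no authorized_keys file is consulted at all.
is_auth_key(PublicUserKey, User, _DaemonOptions) ->
    case ets:lookup(?TAB, PublicUserKey) of
        [{PublicUserKey, GrantedUser}] -> GrantedUser =:= User;
        [] -> false
    end.
```

Start it with `revocable_keys:start()`, one `grant_line/2` per engineer, then `ssh:daemon(2222, revocable_keys:daemon_opts("/path/to/system_dir"))` (port and directory are placeholders). The point of keeping the allow-list in a table rather than in `authorized_keys` files under `user_dir` is that `revoke/1` is an atomic operation on the running daemon and needs no file editing or restart.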

Re: erlang ssh and port forwarding

Ali Sabil
Hi Max,

I did the same thing some months ago, and I did dive into the Erlang ssh implementation a bit.

I didn't have a need for port forwarding, but as far as I can remember they are not implemented by the ssh application because all `ssh global requests` are denied:
https://github.com/erlang/otp/blob/177eab3b67d9840c75d9986cd8870a84414bcacb/lib/ssh/src/ssh_connection.erl#L654

Best,
Ali


Re: erlang ssh and port forwarding

Hans Nilsson R (AL/EAB)
Hi,

there was a start of tcp port forwarding, but since it makes me feel uneasy to have unfinished code hanging around in security software, I removed it in commit 7efc9c9460baa78dba0bc63e300890df5a97812f (Thu Apr 28 16:35:23 2016 +0200).

There are currently no plans to implement port-forwarding or X11-forwarding.

/Hans

On 01/29/2018 11:43 AM, Ali Sabil wrote:

> Hi Max,
>
> I did the same thing some months ago, and I did dive into the Erlang ssh
> implementation a bit.
>
> I didn't have a need for port forwarding, but as far as I can remember they
> are not implemented by the ssh application because all `ssh global
> requests` are denied:
> https://github.com/erlang/otp/blob/177eab3b67d9840c75d9986cd8870a84414bcacb/lib/ssh/src/ssh_connection.erl#L654
>
> Best,
> Ali

Re: erlang ssh and port forwarding

Max Lapshin-2
Hi, Hans.

Yes, found this commit.

Perhaps it is possible to return it as a pluggable thing?

Port forwarding is a very important thing for such a daemon.  Would you accept a pull request that makes it possible via some behaviour in daemon options?


Re: erlang ssh and port forwarding

Max Lapshin-2

-handle_msg(#ssh_msg_channel_open{channel_type = "forwarded-tcpip" = Type,

-                                sender_channel = RemoteId,

-                                initial_window_size = RWindowSz,

-                                maximum_packet_size = RPacketSz,
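Review bot: the clause removed here matched only channel opens whose `channel_type` is `"forwarded-tcpip"` (the pattern `"forwarded-tcpip" = Type` binds `Type` to that one literal), so nothing in this fragment ever handled `direct-tcpip`. In RFC 4254 terms `forwarded-tcpip` is the channel a server opens toward the client for a remote forward, while `direct-tcpip` is the channel a client opens for a local forward, which is exactly the `[direct-tcpip]` open the client log earlier in the thread reports as `administratively prohibited`; restoring this clause on its own would therefore not change that outcome. The excerpt is also shown without its `@@` header or the clause body, so anyone reviving it should work from the full hunk in the commit rather than these four lines.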


I see in this commit forwarded-tcpip, but do not see here direct-tcpip.  Have you implemented it?


Re: erlang ssh and port forwarding

Eric des Courtis-3
I need this functionality also. Please consider having a way to plug this functionality back in.

Eric


Re: erlang ssh and port forwarding

Hans Nilsson R (AL/EAB)
I don't know any implementation of direct-tcpip.

And pull requests are always welcome!  But as usual, remember doc and test(s)...

Making it pluggable would be excellent.  I have not studied the implementation I removed with that in mind, but if it could be done as a subsystem like sftp it would be great.

/Hans


> Perhaps it is possible to return it as a pluggable thing?

> Port forwarding is a very important thing for such a daemon.  Would you
> accept a pull request that makes possible it via some behaviour in daemon
> options?





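Hans's suggestion of doing forwarding "as a subsystem like sftp" can be shown with the hook the daemon already has: the `subsystems` option maps a name the client requests (`ssh -s`) to a module implementing `ssh_server_channel` (called `ssh_daemon_channel` before OTP 21). The following is an added example, not OTP's code and not the ssh-proxy project's: a subsystem that relays the channel's byte stream to one operator-fixed TCP target. It does not implement the `direct-tcpip` channel type, so `ssh -L` still fails as in the log above; what it shows is the shape of a pluggable tunnel in which the client never names a host or port, the proxy does. The module name, the subsystem name `tunnel-web` and the target `127.0.0.1:80` are assumptions made for this example.

```erlang
%% Added example (not OTP's code, not the ssh-proxy project's): a forwarding-
%% style subsystem plugged into ssh:daemon/2 via the `subsystems` option, the
%% same hook sftp uses. Module name, subsystem name and target are assumptions.
-module(ssh_tcp_relay).
-behaviour(ssh_server_channel).   % named ssh_daemon_channel before OTP 21
-export([init/1, handle_msg/2, handle_ssh_msg/2, terminate/2]).
-export([daemon_opts/1]).

-record(st, {cm, chan, sock, target}).

%% Daemon options: the client asks for "tunnel-web" (`ssh -s`), and that name
%% maps to this module with one operator-fixed target. Unlike direct-tcpip the
%% client never names a host or port, so the proxy decides where a tunnel may go.
daemon_opts(SystemDir) ->
    [{system_dir, SystemDir},
     {subsystems, [{"tunnel-web", {?MODULE, [{"127.0.0.1", 80}]}}]}].

%% Args is the list given in the subsystem spec above.
init([{Host, Port}]) ->
    {ok, #st{target = {Host, Port}}}.

%% The channel is established: connect to the fixed target now, and close the
%% channel if the target is unreachable rather than leaving a dangling tunnel.
handle_msg({ssh_channel_up, ChannelId, ConnRef}, St = #st{target = {Host, Port}}) ->
    case gen_tcp:connect(Host, Port, [binary, {active, once}], 5000) of
        {ok, Sock} ->
            {ok, St#st{cm = ConnRef, chan = ChannelId, sock = Sock}};
        {error, _Reason} ->
            {stop, ChannelId, St}
    end;
%% Bytes from the target go back to the SSH client as channel data. Reading one
%% TCP packet at a time ({active, once}) lets the SSH window act as back-pressure.
handle_msg({tcp, Sock, Data}, St = #st{cm = CM, chan = Ch, sock = Sock}) ->
    case ssh_connection:send(CM, Ch, Data) of
        ok ->
            ok = inet:setopts(Sock, [{active, once}]),
            {ok, St};
        {error, _} ->
            {stop, Ch, St}
    end;
handle_msg({tcp_closed, Sock}, St = #st{cm = CM, chan = Ch, sock = Sock}) ->
    _ = ssh_connection:send_eof(CM, Ch),
    {stop, Ch, St};
handle_msg(_Other, St) ->
    {ok, St}.

%% Bytes from the SSH client go to the target.
handle_ssh_msg({ssh_cm, _CM, {data, _Ch, _Type, Data}}, St = #st{sock = Sock}) ->
    ok = gen_tcp:send(Sock, Data),
    {ok, St};
%% Client is done writing: half-close toward the target, keep relaying its reply.
handle_ssh_msg({ssh_cm, _CM, {eof, _Ch}}, St = #st{sock = Sock}) ->
    _ = gen_tcp:shutdown(Sock, write),
    {ok, St};
handle_ssh_msg({ssh_cm, _CM, {signal, _, _}}, St) ->
    {ok, St};
handle_ssh_msg({ssh_cm, _CM, {exit_signal, Ch, _, _, _}}, St) ->
    {stop, Ch, St};
handle_ssh_msg({ssh_cm, _CM, {exit_status, Ch, _}}, St) ->
    {stop, Ch, St}.

terminate(_Reason, #st{sock = Sock}) when Sock =/= undefined ->
    gen_tcp:close(Sock);
terminate(_Reason, _St) ->
    ok.
```

Started with `ssh:daemon(2222, ssh_tcp_relay:daemon_opts("/path/to/system_dir") ++ AuthOpts)` (port, directory and the authentication options are placeholders), a client reaches the target with `ssh -p 2222 -s user@proxy.example tunnel-web`, which gives it the relayed byte stream on stdin/stdout. Because the target is fixed in the daemon options rather than taken from the client, the proxy operator controls what each subsystem name may reach, which is the access-control property Max's proxy is built around.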

Re: erlang ssh and port forwarding

Max Lapshin-2
Ok, so our tool is working and already deployed as a very minimal MVP for us:



It allows revoking access to a server via an ssh proxying approach.

We will have to dig into the ssh implementation in Erlang and think about how to add direct-tcpip support there.
