Re: -Y that proxies over a socket, à la -J 'nc HOST PORT'

2015-08-10 Thread Steffen Nurpmeso
Hello again,

i wrote:
 [.]
 |One problem i had with plain, user mode network stack qemu(1)
 |hostfwd= VMs, however, which yet ended up as, e.g.,
 |
 |  $ dbclient -J 'nc HOST PORT' steffen@crux3

 |  $ dbclient -Y [HOST:]PORT crux3

an update for this on top of 2015.68 so that it applies without
conflicts.  I.e., i know you don't want it, but i use it and
i think some others may want it, too.
Ciao!

--steffen
diff --git a/cli-main.c b/cli-main.c
index c7c9035..e3683d9 100644
--- a/cli-main.c
+++ b/cli-main.c
@@ -73,7 +73,9 @@ int main(int argc, char ** argv) {
 	} else
 #endif
 	{
-		progress = connect_remote(cli_opts.remotehost, cli_opts.remoteport, cli_connected, &ses);
+		progress = connect_remote((cli_opts.proxy_over_localhost
+? "localhost" : cli_opts.remotehost),
+cli_opts.remoteport, cli_connected, &ses);
 		sock_in = sock_out = -1;
 	}
 
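Review bot: the continuation lines of the connect_remote() call (`? "localhost" : cli_opts.remotehost),` and `cli_opts.remoteport, cli_connected, &ses);`) are flush left while the surrounding code is tab-indented. Hoisting the choice into a local before the call, e.g. `const char *host = cli_opts.proxy_over_localhost ? "localhost" : cli_opts.remotehost;`, keeps the call in its original shape and makes the one place where the TCP destination and the host-key name diverge easy to find when auditing.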
diff --git a/cli-runopts.c b/cli-runopts.c
index 58b64ce..c7f28c1 100644
--- a/cli-runopts.c
+++ b/cli-runopts.c
@@ -56,6 +56,7 @@ static void printhelp() {
 	"Usage: %s [options] [user@]host[/port] [command]\n"
 #endif
 	"-p \n"
+	"-Y  Connect to localhost:port, authenticate as [user@]host\n"
 	"-l \n"
 	"-tAllocate a pty\n"
 	"-TDon't allocate a pty\n"
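Review bot: the new help line says "authenticate as [user@]host", but according to the dbclient.1 hunk the hostname is used for host key comparison, not for authentication; wording such as "Connect to localhost:port, check the host key under [user@]host" describes what -Y actually changes. The help text could also mention that -Y cannot be combined with host^port, since parse_hostname() exits on that combination.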
@@ -227,6 +228,9 @@ void cli_getopts(int argc, char ** argv) {
 	}
 	cli_opts.always_accept_key = 1;
 	break;
+case 'Y': /* "local-remoteport" */
+	cli_opts.proxy_over_localhost = 1;
+	/* FALLTRHU */
 case 'p': /* remoteport */
 	next = &cli_opts.remoteport;
 	break;
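Review bot: the fall-through comment is misspelled (`/* FALLTRHU */`); compilers that honour such comments (GCC's -Wimplicit-fallthrough) match a fixed set of spellings like FALLTHRU or FALLTHROUGH, so this one will not silence the warning. The `case 'Y':` label and its body are also flush left while the neighbouring cases are tab-indented. Since both 'Y' and 'p' end in `next = &cli_opts.remoteport`, a later -p silently replaces the -Y port while proxy_over_localhost stays set; consider rejecting the combination.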
@@ -650,6 +654,8 @@ static void parse_hostname(const char* orighostarg) {
 		port = strchr(cli_opts.remotehost, '/');
 	}
 	if (port) {
+		if (cli_opts.proxy_over_localhost)
+			dropbear_exit("-Y mutually exclusive with ^port");
 		*port = '\0';
 		cli_opts.remoteport = port+1;
 	}
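Review bot: the exclusivity check added at the top of the `if (port)` block only fires when -Y precedes the host argument on the command line: parse_hostname() runs when the host argument is seen, and if -Y comes afterwards proxy_over_localhost is still 0 at that point, so the later -Y just overwrites the ^port value without any error. Record that remoteport came from ^port (a flag set here) and compare it with proxy_over_localhost once after the argument loop instead.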
diff --git a/dbclient.1 b/dbclient.1
index cf9c647..0788e3b 100644
--- a/dbclient.1
+++ b/dbclient.1
@@ -4,6 +4,7 @@ dbclient \- lightweight SSH client
 .SH SYNOPSIS
 .B dbclient
 [\-Tt] [\-p
+.I port\fR] [\-Y
 .I port\fR] [\-i
 .I id\fR] [\-L
 .I l\fR:\fIh\fR:\fIr\fR] [\-R
@@ -28,6 +29,11 @@ Connect to
 on the remote host. Alternatively a port can be specified as hostname^port.
 Default is 22.
 .TP
+.B \-Y \fIport
+Connect to
+.I port
+on localhost, but use the given hostname for key comparison purposes.
+.TP
 .B \-i \fIidfile
 Identity file.
 Read the identity key from file
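Review bot: the -Y description should state that it conflicts with the hostname^port form (the parse_hostname() hunk exits on that combination) and that the given port is the port on localhost, the remote host's own port no longer being used. "for key comparison purposes" could name known_hosts explicitly so readers understand the host key is verified against the name they typed, not against localhost.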
diff --git a/runopts.h b/runopts.h
index 062cfd8..add1a42 100644
--- a/runopts.h
+++ b/runopts.h
@@ -132,6 +132,7 @@ typedef struct cli_runopts {
 	int wantpty;
 	int always_accept_key;
 	int no_hostkey_check;
+	int proxy_over_localhost;
 	int no_cmd;
 	int backgrounded;
 	int is_subsystem;
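Review bot: the new proxy_over_localhost field gets no explicit initialisation in cli_getopts() in this version of the patch, whereas the other cli_opts fields are set there one by one (the 2018 version below adds `cli_opts.proxy_over_localhost = 0;` for exactly this reason); add the same line here so the field does not rely on implicit zeroing.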
diff --git a/scp.c b/scp.c
index 5a71292..0f6a8fb 100644
--- a/scp.c
+++ b/scp.c
@@ -324,7 +324,7 @@ main(int argc, char **argv)
 	addargs(&args, "%s", ssh_program);
 
 	fflag = tflag = 0;
-	while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246S:o:F:")) != -1)
+	while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:Y:q1246S:o:F:")) != -1)
 		switch (ch) {
 		/* User-visible flags. */
 		case '1':
@@ -343,6 +343,9 @@ main(int argc, char **argv)
 		case 'P':
 			addargs(&args, "-p%s", optarg);
 			break;
+		case 'Y':
+			addargs(&args, "-Y%s", optarg);
+			break;
 		case 'B':
 			fprintf(stderr, "Note: -B option is disabled in this version of scp");
 			break;
@@ -1146,7 +1149,7 @@ usage(void)
 {
 	(void) fprintf(stderr,
 	"usage: scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
-	"   [-l limit] [-P port] [-S program]\n"
+	"   [-l limit] [-P port] [-Y port] [-S program]\n"
 	"   [[user@]host1:]file1 [...] [[user@]host2:]file2\n");
 	exit(1);
 }


Re: Dropbear 2018.76

2018-02-27 Thread Steffen Nurpmeso
Matt Johnston  wrote:
 |Dropbear 2018.76 is released. As well as the usual

Thank you!

And yes, i am still using such grumpy networks with VMs, so please
let me post the "git am" mailbox that adds support for proxy-over-
localhost.

Ciao,

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


db-diff.mbox
Description: application/mbox


Re: Dropbear 2018.76

2018-03-01 Thread Steffen Nurpmeso
Hello Matt.

Matt Johnston  wrote:
 |> On Wed 28/2/2018, at 12:59 am, Steffen Nurpmeso  wrote:
 |> And yes, i am still using such grumpy networks with VMs, so please
 |> let me post the "git am" mailbox that adds support for proxy-over-
 |> localhost.
 ...
 |Thanks for the patch, though I'm not sure it's worth adding this as
 |a special case - can't the same thing be
 |achieved with dbclient -J "nc localhost port" ?

Yes i think so, but this requires context switching or
at least quite some I/O that is useless.  Some boxes
also do not have nc(1) by default.  And all that just because of
a little name switch (that is impossible without this patch).

 |Adding proxycommand as a -o option might be worthwhile though, so it
 |can pass to scp.

ok??  Ok, so how about "-o ProxyLocalhost=PORT"?
Find that attached at your will.
Ciao,

--steffen
From b843dd88dac28007410e224d53d66b0599e0e86d Mon Sep 17 00:00:00 2001
Message-Id: 
From: Steffen Nurpmeso 
Date: Thu, 1 Mar 2018 22:11:45 +0100
Subject: [PATCH] Add -o ProxyLocalhost=PORT

---
 cli-main.c|  6 --
 cli-runopts.c | 12 
 dbclient.1|  9 -
 runopts.h |  1 +
 4 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/cli-main.c b/cli-main.c
index 713cb09..bf75fd8 100644
--- a/cli-main.c
+++ b/cli-main.c
@@ -86,8 +86,10 @@ int main(int argc, char ** argv) {
 	} else
 #endif
 	{
-		progress = connect_remote(cli_opts.remotehost, cli_opts.remoteport, 
-			cli_connected, &ses, cli_opts.bind_address, cli_opts.bind_port);
+		progress = connect_remote((cli_opts.proxy_over_localhost
+? "localhost" : cli_opts.remotehost),
+cli_opts.remoteport, cli_connected, &ses,
+cli_opts.bind_address, cli_opts.bind_port);
 		sock_in = sock_out = -1;
 	}
 
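Review bot: as in the 2015 version of this hunk, the three continuation lines are flush left against tab-indented neighbours; a local `const char *host = cli_opts.proxy_over_localhost ? "localhost" : cli_opts.remotehost;` in front of the call would leave the connect_remote() invocation untouched apart from the first argument and keep the diff minimal.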
diff --git a/cli-runopts.c b/cli-runopts.c
index abcfc9f..f5d1f37 100644
--- a/cli-runopts.c
+++ b/cli-runopts.c
@@ -138,6 +138,7 @@ void cli_getopts(int argc, char ** argv) {
 	cli_opts.progname = argv[0];
 	cli_opts.remotehost = NULL;
 	cli_opts.remoteport = NULL;
+	cli_opts.proxy_over_localhost = 0;
 	cli_opts.username = NULL;
 	cli_opts.cmd = NULL;
 	cli_opts.no_cmd = 0;
@@ -681,6 +682,9 @@ static void parse_hostname(const char* orighostarg) {
 		port = strchr(cli_opts.remotehost, '/');
 	}
 	if (port) {
+		if (cli_opts.proxy_over_localhost)
+			dropbear_exit("-o ProxyLocalhost mutually "
+"exclusive with ^port");
 		*port = '\0';
 		cli_opts.remoteport = port+1;
 	}
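Review bot: as the author himself notes further down, this check depends on argument order. -o ProxyLocalhost=PORT takes effect when add_extendedopt() runs, so `dbclient host^22 -o ProxyLocalhost=2222` passes this test (proxy_over_localhost is still 0 while the host is parsed) and the option then silently replaces remoteport. Remember that remoteport came from ^port and validate the pair once after all arguments have been processed.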
@@ -891,6 +895,7 @@ static void add_extendedopt(const char* origstr) {
 #ifndef DISABLE_SYSLOG
 			"\tUseSyslog\n"
 #endif
+			"\tProxyLocalhost\n"
 		);
 		exit(EXIT_SUCCESS);
 	}
@@ -909,5 +914,12 @@ static void add_extendedopt(const char* origstr) {
 	}
 #endif
 
+	if (match_extendedopt(&optstr, "ProxyLocalhost") == DROPBEAR_SUCCESS) {
+		/* No port validity check until use */
+		cli_opts.proxy_over_localhost = 1;
+		cli_opts.remoteport = (/* unconst */char*)optstr;
+		return;
+	}
+
 	dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
 }
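Review bot: "No port validity check until use" means `-o ProxyLocalhost=` with an empty or non-numeric value is accepted here and only fails later, at connect time, with a less specific error; a check that optstr is non-empty and numeric before assigning it would give a clear parse-time diagnostic. The `(/* unconst */char*)optstr` cast is also worth a word: either explain why remoteport has to be `char *` or keep the const and adjust the field's type.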
diff --git a/dbclient.1 b/dbclient.1
index 1516e7c..597f20f 100644
--- a/dbclient.1
+++ b/dbclient.1
@@ -149,10 +149,17 @@ The following options have currently been implemented:
 .RS
 .TP
 .B ExitOnForwardFailure
-Specifies whether dbclient should terminate the connection if it cannot set up all requested local and remote port forwardings. The argument must be “yes” or “no”.  The default is “no”.
+Specifies whether dbclient should terminate the connection if it cannot
+set up all requested local and remote port forwardings.
+The argument must be "yes" or "no".
+The default is "no".
 .TP
 .B UseSyslog
 Send dbclient log messages to syslog in addition to stderr.
+.TP
+.B ProxyLocalhost
+Connect to the given port on localhost,
+but keep on using the given hostname for key comparison purposes.
 .RE
 .TP
 .B \-s 
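Review bot: the reflow of the ExitOnForwardFailure paragraph (curly quotes replaced by straight ones, one sentence per line) is unrelated to ProxyLocalhost and belongs in a separate commit. The ProxyLocalhost entry should show its argument form (`ProxyLocalhost=port`) and state that it cannot be combined with hostname^port, since parse_hostname() rejects that combination.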
diff --git a/runopts.h b/runopts.h
index 3123383..cb00350 100644
--- a/runopts.h
+++ b/runopts.h
@@ -145,6 +145,7 @@ typedef struct cli_runopts {
 	int wantpty;
 	int always_accept_key;
 	int no_hostkey_check;
+	int proxy_over_localhost;
 	int no_cmd;
 	int backgrounded;
 	int is_subsystem;
-- 
2.16.2



Re: Dropbear 2018.76

2018-03-02 Thread Steffen Nurpmeso
Matt Johnston  wrote:
 |On 2 March 2018 6:17:42 pm AWST, Konstantin Tokarev  wrote:
 |>02.03.2018, 00:18, "Steffen Nurpmeso" :
 |>>> ok?? Ok, so how about "-o ProxyLocalhost=PORT"?
 |>
 |>There is no such option in openssh
 |
 |I'm not opposed to adding options just for dropbear. Another alternative
 |that might be more flexible would be
 |
 |-o keyhostname=example.com localhost:7766
 |
 |With example.com used for known_hosts matching. Then the proxy tcp
 |destination could be a remote host too if desired. Thoughts?

I do not like the hunk in cli-runopts.c, line 681.  The test is
now useless and depends on the order on the command line.

Regarding yours: isn't that much harder to implement?  The nice
thing about this patch is that it is so small and could be carried
along for over four years without having a look :).  I mean, today
with all those docker images and entire vde2 local networks etc.
the need as such can easily be seen as something ridiculous,
i know...

Ciao!

--steffen


Re: Dropbear 2018.76

2018-03-02 Thread Steffen Nurpmeso
I want to point out that Konstantin Tokarev was Cc:d in my
message, his name has been stripped by the ML.

--steffen


Re: restrict access

2021-05-24 Thread Steffen Nurpmeso
Walter Harms wrote in
 :
 |I did a little experiment and it worked.
 |
 | if (fnmatch("192.168.1.*",remote_host,FNM_PATHNAME) != 0)
 |   goto out;
 |
 |this will allow only connections from 192.168.1.* to the server
 |that shows the change can be very simple. I did not try with more
 |complicated situations. The limits of this approach need to be evaluated.

Since the beginning of this thread this sounds like a 100% firewall
thing to me.  Why would you like to compile this in?

I mean, i can imagine the NetBSD/FreeBSD black(now block)list
approach in which a server software that "knows" what has happened
acts via a hook instead of letting some expensive log parser
reevaluate state which is known in the moment the log happens.

But this?  I am not an administrator and thus firewall guru, but
i for example have in my net-qos.sh:fwcore_start() (heavily
vaporised this is)

   change_chain INPUT
   new_chain i_good i_alien i_sshorvpn i_tcp_new

   add_rule -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

   add_rule -j i_good
   add_rule -j i_alien

   add_rule -p tcp --syn -m conntrack --ctstate NEW -j i_tcp_new

   change_chain i_tcp_new

   fwcore_has_i ssh && add_rule -p tcp --dport ${p_ssh} -j i_sshorvpn

   change_chain i_sshorvpn

So and in here you can allow or deny ssh-specific any way you want
to, add, remove and change, use "-m recent" and hitcounts etc.,
and all without recompilation.  (Having real address and/or CIDR
tables which could be managed separately would be cool though.)

--steffen
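Added illustration, not Dropbear code and not from either poster: the fnmatch() glob quoted above placed next to an explicit IPv4 CIDR test of the kind the reply wishes for. It assumes the peer address arrives as text, like remote_host in the quoted snippet, and that a dual-stack listener may report IPv4 peers in "::ffff:a.b.c.d" form; cidr_match() is my own helper.

```c
/* Added example, not Dropbear code and not from either poster: the
 * fnmatch() glob quoted in the thread next to an explicit IPv4 CIDR
 * test. Assumption: the peer address arrives as text, like
 * remote_host in the quoted snippet. */
#include <arpa/inet.h>
#include <fnmatch.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* The glob test from the thread. Returns 1 when the peer would be denied. */
int glob_denied(const char *remote_host)
{
    return fnmatch("192.168.1.*", remote_host, FNM_PATHNAME) != 0;
}

/* Returns 1 if addr lies inside cidr ("a.b.c.d/len"), 0 otherwise.
 * Anything unparsable is treated as "no match", i.e. denied by default. */
int cidr_match(const char *addr, const char *cidr)
{
    char net[INET_ADDRSTRLEN];
    const char *slash = strchr(cidr, '/');
    struct in_addr a, n;
    char *end;
    long len;
    uint32_t mask;

    /* Assumed input form: a dual-stack (AF_INET6) listener reports IPv4
     * peers as "::ffff:a.b.c.d"; the glob above denies every such peer,
     * so strip the mapping prefix before parsing. */
    if (strncasecmp(addr, "::ffff:", 7) == 0)
        addr += 7;

    if (slash == NULL || (size_t)(slash - cidr) >= sizeof net)
        return 0;
    memcpy(net, cidr, (size_t)(slash - cidr));
    net[slash - cidr] = '\0';

    len = strtol(slash + 1, &end, 10);
    if (*end != '\0' || end == slash + 1 || len < 0 || len > 32)
        return 0;
    if (inet_pton(AF_INET, addr, &a) != 1 || inet_pton(AF_INET, net, &n) != 1)
        return 0;

    /* Netmask in network byte order; /0 gets its own case because
     * shifting a 32-bit value by 32 is undefined. */
    mask = len == 0 ? 0 : htonl(0xffffffffu << (32 - len));
    return (a.s_addr & mask) == (n.s_addr & mask);
}
```

The glob and the /24 agree on plain dotted-quad input; they part ways on mapped peers, on prefixes that are not octet-aligned such as /20, and on garbage input, which the CIDR version denies rather than matching by accident.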


Re: restrict access

2021-05-25 Thread Steffen Nurpmeso
Hans Harder wrote in
 :
 |or when you have no root access...

You will not make it through.  \o/

--steffen