Re: -Y that proxies over a socket, á la -J 'nc HOST PORT'
Hello again, i wrote: [.] |One problem i had with plain, user mode network stack qemu(1) |hostfwd= VMs, however, which yet ended up as, e.g., | | $ dbclient -J 'nc HOST PORT' steffen@crux3 | $ dbclient -Y [HOST:]PORT crux3 an update for this on top of 2015.68 so that it applies without conflicts. I.e., i know you don't want it, but i use it and i think some others may want it, too. Ciao! --steffen diff --git a/cli-main.c b/cli-main.c index c7c9035..e3683d9 100644 --- a/cli-main.c +++ b/cli-main.c @@ -73,7 +73,9 @@ int main(int argc, char ** argv) { } else #endif { - progress = connect_remote(cli_opts.remotehost, cli_opts.remoteport, cli_connected, &ses); + progress = connect_remote((cli_opts.proxy_over_localhost +? "localhost" : cli_opts.remotehost), +cli_opts.remoteport, cli_connected, &ses); sock_in = sock_out = -1; } diff --git a/cli-runopts.c b/cli-runopts.c index 58b64ce..c7f28c1 100644 --- a/cli-runopts.c +++ b/cli-runopts.c @@ -56,6 +56,7 @@ static void printhelp() { "Usage: %s [options] [user@]host[/port] [command]\n" #endif "-p \n" + "-Y Connect to localhost:port, authenticate as [user@]host\n" "-l \n" "-tAllocate a pty\n" "-TDon't allocate a pty\n" @@ -227,6 +228,9 @@ void cli_getopts(int argc, char ** argv) { } cli_opts.always_accept_key = 1; break; +case 'Y': /* "local-remoteport" */ + cli_opts.proxy_over_localhost = 1; + /* FALLTRHU */ case 'p': /* remoteport */ next = &cli_opts.remoteport; break; @@ -650,6 +654,8 @@ static void parse_hostname(const char* orighostarg) { port = strchr(cli_opts.remotehost, '/'); } if (port) { + if (cli_opts.proxy_over_localhost) + dropbear_exit("-Y mutually exclusive with ^port"); *port = '\0'; cli_opts.remoteport = port+1; } diff --git a/dbclient.1 b/dbclient.1 index cf9c647..0788e3b 100644 --- a/dbclient.1 +++ b/dbclient.1 @@ -4,6 +4,7 @@ dbclient \- lightweight SSH client .SH SYNOPSIS .B dbclient [\-Tt] [\-p +.I port\fR] [\-Y .I port\fR] [\-i .I id\fR] [\-L .I l\fR:\fIh\fR:\fIr\fR] [\-R 
@@ -28,6 +29,11 @@ Connect to on the remote host. Alternatively a port can be specified as hostname^port. Default is 22. .TP +.B \-Y \fIport +Connect to +.I port +on localhost, but use the given hostname for key comparison purposes. +.TP .B \-i \fIidfile Identity file. Read the identity key from file diff --git a/runopts.h b/runopts.h index 062cfd8..add1a42 100644 --- a/runopts.h +++ b/runopts.h @@ -132,6 +132,7 @@ typedef struct cli_runopts { int wantpty; int always_accept_key; int no_hostkey_check; + int proxy_over_localhost; int no_cmd; int backgrounded; int is_subsystem; diff --git a/scp.c b/scp.c index 5a71292..0f6a8fb 100644 --- a/scp.c +++ b/scp.c @@ -324,7 +324,7 @@ main(int argc, char **argv) addargs(&args, "%s", ssh_program); fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246S:o:F:")) != -1) + while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:Y:q1246S:o:F:")) != -1) switch (ch) { /* User-visible flags. */ case '1': @@ -343,6 +343,9 @@ main(int argc, char **argv) case 'P': addargs(&args, "-p%s", optarg); break; + case 'Y': + addargs(&args, "-Y%s", optarg); + break; case 'B': fprintf(stderr, "Note: -B option is disabled in this version of scp"); break; @@ -1146,7 +1149,7 @@ usage(void) { (void) fprintf(stderr, "usage: scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n" - " [-l limit] [-P port] [-S program]\n" + " [-l limit] [-P port] [-Y port] [-S program]\n" " [[user@]host1:]file1 [...] [[user@]host2:]file2\n"); exit(1); }
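Review bot: the usage line `-Y Connect to localhost:port, authenticate as [user@]host` in the cli-runopts.c printhelp hunk misdescribes the feature: what the patch changes is the name the server's host key is compared against, as the dbclient.1 hunk says ("use the given hostname for key comparison purposes"), not how the user authenticates. Suggest `-Y <port> Connect to localhost:port, check the host key as [user@]host`, with the argument placeholder so it lines up with the `-p` entry above it.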
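Review bot: `/* FALLTRHU */` in the new `case 'Y'` of cli_getopts() is misspelled; gcc's -Wimplicit-fallthrough only recognises the spelling `FALLTHRU` (or `FALLTHROUGH`) and will warn here. The fall-through also means `-Y` and `-p` both write `cli_opts.remoteport`, so `-Y 2222 -p 22` silently keeps whichever came last; a check that both were given, like the one added for `^port` in parse_hostname(), would make the mutual exclusion complete.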
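Review bot: the cli-main.c hunk hands connect_remote() the literal "localhost", which goes through name resolution and on a dual-stack host may yield ::1 ahead of 127.0.0.1; a qemu hostfwd port bound only on IPv4 then depends on connect_remote() trying the remaining addresses. Consider accepting an explicit address (127.0.0.1) instead of hardcoding the name, or documenting the resolution behaviour in the dbclient.1 entry.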
Re: Dropbear 2018.76
Matt Johnston wrote:
 |Dropbear 2018.76 is released. As well as the usual

Thank you! And yes, i am still using such grumpy networks with VMs, so please let me post the "git am" mailbox that adds support for proxy-over-localhost.

Ciao,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

(Attachment: db-diff.mbox, application/mbox)
Re: Dropbear 2018.76
Hello Matt. Matt Johnston wrote: |> On Wed 28/2/2018, at 12:59 am, Steffen Nurpmeso \ |> wrote: |> And yes, i am still using such grumpy networks with VMs, so please |> let me post the "git am" mailbox that adds support for proxy-over- |> localhost. ... |Thanks for the patch, though I'm not sure it's worth adding this as \ |a special case - can't the same thing be |achieved with dbclient -J "nc localhost port" ? Yes i think so, but this requires context switching or at least quite some I/O that is useless. Some boxes also do not have nc(1) by default. And all that just because of a little name switch (that is impossible without this patch). |Adding proxycommand as a -o option might be worthwhile though, so it \ |can pass to scp. ok?? Ok, so how about "-o ProxyLocalhost=PORT"? Find that attached at your will. Ciao, --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt) From b843dd88dac28007410e224d53d66b0599e0e86d Mon Sep 17 00:00:00 2001 Message-Id: From: Steffen Nurpmeso Date: Thu, 1 Mar 2018 22:11:45 +0100 Subject: [PATCH] Add -o ProxyLocalhost=PORT --- cli-main.c| 6 -- cli-runopts.c | 12 dbclient.1| 9 - runopts.h | 1 + 4 files changed, 25 insertions(+), 3 deletions(-) diff --git a/cli-main.c b/cli-main.c index 713cb09..bf75fd8 100644 --- a/cli-main.c +++ b/cli-main.c @@ -86,8 +86,10 @@ int main(int argc, char ** argv) { } else #endif { - progress = connect_remote(cli_opts.remotehost, cli_opts.remoteport, - cli_connected, &ses, cli_opts.bind_address, cli_opts.bind_port); + progress = connect_remote((cli_opts.proxy_over_localhost +? "localhost" : cli_opts.remotehost), +cli_opts.remoteport, cli_connected, &ses, +cli_opts.bind_address, cli_opts.bind_port); sock_in = sock_out = -1; } diff --git a/cli-runopts.c b/cli-runopts.c index abcfc9f..f5d1f37 100644 --- a/cli-runopts.c +++ b/cli-runopts.c 
@@ -138,6 +138,7 @@ void cli_getopts(int argc, char ** argv) { cli_opts.progname = argv[0]; cli_opts.remotehost = NULL; cli_opts.remoteport = NULL; + cli_opts.proxy_over_localhost = 0; cli_opts.username = NULL; cli_opts.cmd = NULL; cli_opts.no_cmd = 0; @@ -681,6 +682,9 @@ static void parse_hostname(const char* orighostarg) { port = strchr(cli_opts.remotehost, '/'); } if (port) { + if (cli_opts.proxy_over_localhost) + dropbear_exit("-o ProxyLocalhost mutually " +"exclusive with ^port"); *port = '\0'; cli_opts.remoteport = port+1; } @@ -891,6 +895,7 @@ static void add_extendedopt(const char* origstr) { #ifndef DISABLE_SYSLOG "\tUseSyslog\n" #endif + "\tProxyLocalhost\n" ); exit(EXIT_SUCCESS); } @@ -909,5 +914,12 @@ static void add_extendedopt(const char* origstr) { } #endif + if (match_extendedopt(&optstr, "ProxyLocalhost") == DROPBEAR_SUCCESS) { + /* No port validity check until use */ + cli_opts.proxy_over_localhost = 1; + cli_opts.remoteport = (/* unconst */char*)optstr; + return; + } + dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr); } diff --git a/dbclient.1 b/dbclient.1 index 1516e7c..597f20f 100644 --- a/dbclient.1 +++ b/dbclient.1 @@ -149,10 +149,17 @@ The following options have currently been implemented: .RS .TP .B ExitOnForwardFailure -Specifies whether dbclient should terminate the connection if it cannot set up all requested local and remote port forwardings. The argument must be “yes” or “no”. The default is “no”. +Specifies whether dbclient should terminate the connection if it cannot +set up all requested local and remote port forwardings. +The argument must be "yes" or "no". +The default is "no". .TP .B UseSyslog Send dbclient log messages to syslog in addition to stderr. +.TP +.B ProxyLocalhost +Connect to the given port on localhost, +but keep on using the given hostname for key comparison purposes. .RE .TP .B \-s diff --git a/runopts.h b/runopts.h index 3123383..cb00350 100644 --- a/runopts.h +++ b/runopts.h 
@@ -145,6 +145,7 @@ typedef struct cli_runopts { int wantpty; int always_accept_key; int no_hostkey_check; + int proxy_over_localhost; int no_cmd; int backgrounded; int is_subsystem; -- 2.16.2
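Review bot: the `ProxyLocalhost` handler in add_extendedopt() assigns `cli_opts.remoteport` directly and casts away const (`(/* unconst */char*)optstr`), so the proxy port is shared with `-p` and with `host^port`: a later `-p` overwrites it while `proxy_over_localhost` stays set, and the parse_hostname() check only sees the flag, not where the port came from. Store the proxy port in its own field (copied with m_strdup() rather than cast) and resolve `-p`, `^port` and `ProxyLocalhost` in one place after parsing, which also removes the dependence on argument order.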
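Review bot: the option is listed as `\tProxyLocalhost\n` in the `-o` help output and as `.B ProxyLocalhost` in dbclient.1, but the code expects a value (`ProxyLocalhost=PORT`, as the subject says); show the `=port` form in both places so users know an argument is required. The rewrap of the ExitOnForwardFailure paragraph in the same dbclient.1 hunk, including the change from “yes”/“no” to "yes"/"no", is unrelated to this feature and would be cleaner as a separate commit.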
Re: Dropbear 2018.76
Matt Johnston wrote:
 |On 2 March 2018 6:17:42 pm AWST, Konstantin Tokarev wrote:
 |>02.03.2018, 00:18, "Steffen Nurpmeso":
 |>>> ok?? Ok, so how about "-o ProxyLocalhost=PORT"?
 |>
 |>There is no such option in openssh
 |
 |I'm not opposed to adding options just for dropbear. Another alternative that might be more flexible would be
 |
 |  -o keyhostname=example.com localhost:7766
 |
 |With example.com used for known_hosts matching. Then the proxy tcp destination could be a remote host too if desired. Thoughts?

I do not like the hunk in cli-runopts.c, line 681. The test is now useless and depends on the order on the command line.

Regarding yours: isn't that much harder to implement? The nice thing about this patch is that it is so small and could be carried along for over four years without having a look :). I mean, today with all those docker images and entire vde2 local networks etc. the need as such can easily be seen as something ridiculous, i know...

Ciao!

--steffen
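The following is an added example, not dropbear code and not from anyone in the thread: a self-contained C model of the option handling being debated above. It keeps the TCP endpoint apart from the name used for known_hosts matching (both the -Y form and the proposed keyhostname= form fit), and it diagnoses a port given twice only after all options are parsed, so the check does not depend on command-line order; `struct target`, `resolve_target` and the exact option spellings are assumptions of the model.

```c
/* Hypothetical model (not dropbear code) of the option handling discussed
 * above: TCP endpoint and host-key identity are kept apart, and the "port
 * given twice" check runs after parsing, so argument order is irrelevant. */
#include <stdio.h>
#include <string.h>

struct target {
    char connect_host[64];   /* where the TCP connection goes */
    char connect_port[8];
    char key_host[64];       /* name the server's host key is checked against */
};
/* argv is dbclient-style: options, then [user@]host[^port], then the command.
 * Understood here: -p PORT, -Y PORT (localhost proxy), -o keyhostname=NAME.
 * Returns 0 on success, -1 on a missing, unknown or conflicting argument. */
int resolve_target(int argc, char **argv, struct target *t)
{
    const char *host = NULL, *p_port = NULL, *y_port = NULL, *key_name = NULL;
    const char *h, *caret, *port; size_t hlen; int i;
    for (i = 1; i < argc && host == NULL; i++) {
        if (argv[i][0] != '-') { host = argv[i]; break; }
        if (i + 1 >= argc) return -1;                /* option lacks its value */
        if (strcmp(argv[i], "-p") == 0) p_port = argv[++i];
        else if (strcmp(argv[i], "-Y") == 0) y_port = argv[++i];
        else if (strcmp(argv[i], "-o") == 0 &&
                 strncmp(argv[i + 1], "keyhostname=", 12) == 0)
            key_name = argv[++i] + 12;
        else return -1;                              /* not modelled here */
    }
    if (host == NULL) return -1;                     /* rest of argv = command */
    h = strchr(host, '@') ? strchr(host, '@') + 1 : host;   /* drop user@ */
    caret = strchr(h, '^');
    hlen = caret ? (size_t)(caret - h) : strlen(h);
    port = caret ? caret + 1 : NULL;
    if (hlen == 0 || hlen >= sizeof t->key_host) return -1;
    /* Order-independent conflict check: the port may come from one source only. */
    if ((port != NULL) + (p_port != NULL) + (y_port != NULL) > 1) return -1;
    if (y_port) port = y_port; else if (p_port) port = p_port;
    if (port == NULL) port = "22";
    memcpy(t->key_host, h, hlen);
    t->key_host[hlen] = '\0';
    /* -Y: connect to localhost but keep the given name for the host key check;
     * keyhostname=NAME: connect to the given host, check the key under NAME. */
    snprintf(t->connect_host, sizeof t->connect_host, "%s",
             y_port ? "localhost" : t->key_host);
    if (key_name) snprintf(t->key_host, sizeof t->key_host, "%s", key_name);
    snprintf(t->connect_port, sizeof t->connect_port, "%s", port);
    return 0;
}
```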
Re: Dropbear 2018.76
I want to point out that Konstantin Tokarev was Cc:d in my message; his name has been stripped by the ML.

--steffen
Re: restrict access
Walter Harms wrote in :
 |I did a little experiment and it worked.
 |
 |  if (fnmatch("192.168.1.*",remote_host,FNM_PATHNAME) != 0)
 |      goto out;
 |
 |this will allow only connections from 192.168.1.* to the server
 |that shows the change can be very simple. I did not try with more complicated situations. The limits of this approach need to be evaluated.

Since the beginning of this thread this sounds like a 100% firewall thing to me. Why would you like to compile this in? I mean, i can imagine the NetBSD/FreeBSD black(now block)list approach in which a server software who "knows" what has happened acts via a hook instead of letting some expensive log parser reevaluate state which is known in the moment the log happens. But this?

I am not an administrator and thus firewall guru, but i for example have in my net-qos.sh:fwcore_start() (heavily vaporised this is)

  change_chain INPUT
  new_chain i_good i_alien i_sshorvpn i_tcp_new
  add_rule -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  add_rule -j i_good
  add_rule -j i_alien
  add_rule -p tcp --syn -m conntrack --ctstate NEW -j i_tcp_new

  change_chain i_tcp_new
  fwcore_has_i ssh && add_rule -p tcp --dport ${p_ssh} -j i_sshorvpn

  change_chain i_sshorvpn

So and in here you can allow or deny ssh-specific anyway you want to, add, remove and change, use "-m recent" and hitcounts etc., and all without recompilation. (Having real address and/or CIDR tables which could be managed separately would be cool though.)

--steffen
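An added example, not from the thread and not dropbear code: a bit-level CIDR membership test of the kind the "address and/or CIDR tables" remark above asks for, in place of the fnmatch("192.168.1.*", ...) glob. The glob compares the textual address, so it cannot express prefixes that are not octet-aligned and does not recognise an IPv4 peer that a dual-stack listener reports as ::ffff:a.b.c.d; the function name and the CIDR strings in the comments are assumptions.

```c
/* Added example (not dropbear code): compare address bits against a CIDR
 * prefix instead of glob-matching the printed address. IPv4 addresses are
 * handled in their IPv4-mapped IPv6 form so both families share one path. */
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>

/* Parse a textual address into 16 bytes; IPv4 becomes ::ffff:a.b.c.d. */
static int to_v6(const char *s, unsigned char out[16])
{
    unsigned char v4[4];
    if (inet_pton(AF_INET6, s, out) == 1) return 0;
    if (inet_pton(AF_INET, s, v4) != 1) return -1;
    memset(out, 0, 10); out[10] = out[11] = 0xff; memcpy(out + 12, v4, 4);
    return 0;
}

/* 1 if addr is inside cidr ("192.168.1.0/24", "2001:db8::/32", or a bare
 * address meaning a single host), 0 if outside, -1 if either fails to parse. */
int addr_in_cidr(const char *addr, const char *cidr)
{
    unsigned char a[16], n[16], mask;
    char net[64], *end;
    const char *slash = strchr(cidr, '/');
    size_t nlen = slash ? (size_t)(slash - cidr) : strlen(cidr);
    long bits;
    int i, is_v4;
    if (nlen == 0 || nlen >= sizeof net || to_v6(addr, a) != 0) return -1;
    memcpy(net, cidr, nlen);
    net[nlen] = '\0';
    if (to_v6(net, n) != 0) return -1;
    is_v4 = strchr(net, ':') == NULL;
    bits = is_v4 ? 32 : 128;                 /* no prefix length: exact host */
    if (slash) {
        bits = strtol(slash + 1, &end, 10);
        if (*end != '\0' || end == slash + 1 || bits < 0 ||
            bits > (is_v4 ? 32 : 128)) return -1;
    }
    if (is_v4) bits += 96;                   /* count from the ::ffff: prefix */
    for (i = 0; i < 16 && bits > 0; i++, bits -= 8) {
        mask = bits >= 8 ? 0xff : (unsigned char)(0xff << (8 - bits));
        if ((a[i] & mask) != (n[i] & mask)) return 0;
    }
    return 1;
}
```

Because the IPv4 prefix is extended over the mapping bytes, a native IPv6 peer never matches an IPv4 entry, while an IPv4 peer seen through a dual-stack socket still does.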
Re: restrict access
Hans Harder wrote in :
 |or when you have no root access...

You will not make it through. \o/

--steffen