Re: dynamically configuring ssh ip address
On 4/15/07, Maxim Veksler [EMAIL PROTECTED] wrote:
> On 4/15/07, Ehud Karni [EMAIL PROTECTED] wrote:
> > On Sat, 14 Apr 2007 16:18:20 +1000, Amos Shapira wrote:
> > > That said, I'm not sure that I can trust SSH_CLIENT/SSH_CONNECTION since
> > > they are passed from the client. Maybe a getpeername(2) on stdin/stdout
> > > can be used as a more secure way to obtain the client's IP.
> >
> > You are mistaken. You can trust the SSH_CLIENT/SSH_CONNECTION, it is taken
> > from the TCP stack, not from the client (same as getpeername).

Just when did this list go crazy? There's a solution fitting your problem - dynamic DNS (with DNSSEC). Why hack something when any modern DNS server supports it through configuration?
Re: dynamically configuring ssh ip address
On 16/04/07, Ilya Konstantinov [EMAIL PROTECTED] wrote:
> Just when did this list go crazy? There's a solution fitting your problem -
> dynamic DNS (with DNSSEC). Why hack something when any modern DNS server
> supports it through configuration?

When not having access to the DNS server to enable it (or knowing whether it supports this at all - stinky MS stuff).

On the other hand - maybe I can install a local one on my desktop machine and update it with dnssec - any recommendations in that area (among the options available as Debian Etch packages)?

--Amos
Re: dynamically configuring ssh ip address
On 4/16/07, Amos Shapira [EMAIL PROTECTED] wrote:
> On 16/04/07, Ilya Konstantinov [EMAIL PROTECTED] wrote:
> > Just when did this list go crazy? There's a solution fitting your problem -
> > dynamic DNS (with DNSSEC). Why hack something when any modern DNS server
> > supports it through configuration?
>
> When not having access to the DNS server to enable it (or knowing whether it
> supports this at all - stinky MS stuff).

Microsoft's DNS server ain't particularly bad (and its management tools are certainly better than Bind's). Don't knock it if you don't know it.

> On the other hand - maybe I can install a local one on my desktop machine and
> update it with dnssec - any recommendations in that area (among the options
> available as Debian Etch packages)?

Bind (Debian bind9 package) will do just fine.
Re: dynamically configuring ssh ip address
On Fri, 13 Apr 2007 21:51:59 +1000, Amos Shapira wrote:
> Also, my question was less about how to get the data - ssh with a special
> identity and a limited command looks easier and more secure - but more on
> how to get the ip address used by the ssh client at work.

It is very VERY simple, just use the SSH_CLIENT env variable. Here is a script I use to have my HOME IP saved:

    #! /bin/sh -ex
    #
    # Saves IP of ssh caller (use env var: SSH_CLIENT) to file ip_no
    #
    # --
    # SSH_CLIENT is "client_ip client_port server_port"; keep the first field
    IP=`echo $SSH_CLIENT | cut -d" " -f1`
    if [ "$IP" != "" ] ; then
        echo $IP > ip_no
    fi
    date "+%Y-%m-%d %H:%M ip set on $SYS" >> ip_log
    ## save-ssh-ip.sh ##

Ehud.

--
Ehud Karni           Tel: +972-3-7966-561  /"\
Mivtach - Simon      Fax: +972-3-7966-667  \ /  ASCII Ribbon Campaign
Insurance agencies   (USA) voice mail and   X   Against   HTML   Mail
http://www.mvs.co.il  FAX:  1-815-5509341  / \
GnuPG: 98EA398D <http://www.keyserver.net/>    Better Safe Than Sorry

=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
Re: dynamically configuring ssh ip address
On Sat, 14 Apr 2007 16:18:20 +1000, Amos Shapira wrote:
> That said, I'm not sure that I can trust SSH_CLIENT/SSH_CONNECTION since
> they are passed from the client. Maybe a getpeername(2) on stdin/stdout
> can be used as a more secure way to obtain the client's IP.

You are mistaken. You can trust the SSH_CLIENT/SSH_CONNECTION, it is taken from the TCP stack, not from the client (same as getpeername).

Ehud.
Re: dynamically configuring ssh ip address
On 4/15/07, Ehud Karni [EMAIL PROTECTED] wrote:
> On Sat, 14 Apr 2007 16:18:20 +1000, Amos Shapira wrote:
> > That said, I'm not sure that I can trust SSH_CLIENT/SSH_CONNECTION since
> > they are passed from the client. Maybe a getpeername(2) on stdin/stdout
> > can be used as a more secure way to obtain the client's IP.
>
> You are mistaken. You can trust the SSH_CLIENT/SSH_CONNECTION, it is taken
> from the TCP stack, not from the client (same as getpeername).

Yes, I was thinking about this one. Assuming you do get SSH_CLIENT passed to you by the client that connects, the fact he is passing you anything means the client has already passed the authentication phase! I would say that if it was a rogue client you have now bigger problems than him faking his source IP address to worry about.

This is to imply that I trust the openssh folks not to leave such obvious holes in their software implementation, and I assume SSH_CLIENT is safe to rely on.

> Ehud.

Maxim.

--
Cheers,
Maxim Veksler

Free as in Freedom - Do u GNU ?
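The getpeername(2)-on-stdin idea floated in this thread, and why it cannot work under sshd, as an added example (mine, not code from any poster). sshd sets SSH_CLIENT and SSH_CONNECTION itself, from the peer address of the TCP connection it accepted; the client never transmits them. What a forced command inherits as stdin/stdout is a pipe or an AF_UNIX socketpair that sshd created, never the TCP socket, so getpeername on those descriptors yields nothing useful. The only environment a client can push is what the server's AcceptEnv pattern admits (plus ~/.ssh/environment when PermitUserEnvironment is on), so keep those narrow on a host whose forced commands read SSH_CONNECTION. The loopback connection in `demo()` is constructed for the demonstration.

```python
import os
import socket
import stat


def peer_tcp_address(fd):
    """Return (ip, port) of the remote end if fd is a connected TCP socket,
    else None.

    None is the answer for everything a forced command actually inherits
    from sshd: pipes (not sockets at all) and AF_UNIX socketpairs (sockets,
    but without an IP peer).  Only the TCP connection sshd itself holds
    would give an address, and that descriptor is not handed to the child.
    """
    try:
        if not stat.S_ISSOCK(os.fstat(fd).st_mode):
            return None                       # pipe, tty or file: ENOTSOCK territory
        s = socket.socket(fileno=os.dup(fd))  # wrap a private copy of the descriptor
    except OSError:
        return None
    try:
        if s.family not in (socket.AF_INET, socket.AF_INET6):
            return None                       # AF_UNIX socketpair: no IP peer exists
        ip, port = s.getpeername()[:2]
        return ip, port
    except OSError:                           # ENOTCONN and friends
        return None
    finally:
        s.close()


def client_ip_from_sshd(env):
    """What sshd really gives a forced command: the first field of
    SSH_CONNECTION ("client_ip client_port server_ip server_port")."""
    fields = env.get("SSH_CONNECTION", "").split()
    return fields[0] if len(fields) == 4 else None


def demo():
    """Exercise peer_tcp_address on the three kinds of descriptor."""
    results = {}

    r, w = os.pipe()                          # what a no-pty session gets from sshd
    results["pipe"] = peer_tcp_address(r)
    os.close(r)
    os.close(w)

    a, b = socket.socketpair()                # AF_UNIX pair, used by some sshd builds
    results["socketpair"] = peer_tcp_address(a.fileno())
    a.close()
    b.close()

    # Constructed loopback connection: the only case that yields an address.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    results["tcp"] = peer_tcp_address(conn.fileno())
    results["tcp_expected"] = cli.getsockname()[:2]
    for s in (conn, cli, srv):
        s.close()
    return results


if __name__ == "__main__":
    for kind, peer in demo().items():
        print(f"{kind}: {peer}")
```

Run it inside a forced command (`peer_tcp_address(0)`) and you get None every time; `client_ip_from_sshd(os.environ)` is the value to validate and use.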
Re: dynamically configuring ssh ip address
On 16/04/07, Maxim Veksler [EMAIL PROTECTED] wrote:
> Yes, I was thinking about this one. Assuming you do get SSH_CLIENT passed
> to you by the client that connects, the fact he is passing you anything
> means the client has already passed the authentication phase! I would say
> that if it was a rogue client you have now bigger problems than him faking
> his source IP address to worry about.
>
> This is to imply that I trust the openssh folks not to leave such obvious
> holes in their software implementation, and I assume SSH_CLIENT is safe to
> rely on.

So where exactly is the string of this envariable set? In the server using the output of getpeername or in the client?

Even if the client passed the authentication phase then it means they have my private key. I can still make life difficult for them by not allowing them to reconfigure my .ssh/config to just any IP address they like by forcing them to connect from that address.

Anyway, here is the script I came up with. It uses the SSH_CONNECTION envariable since a quick attempt to use getpeername on STDIN or STDOUT (and their fileno()) in perl didn't work. I also test the sanity of the IP address I get so it feels relatively safe. It gets executed whenever a particular SSH ID key is used to connect to my work desktop as described in a previous post. The script is careful not to output anything to the client in order to minimize information for potential attackers. The forwarding of the STDERR is more for testing purposes, STDERR/STDIN/STDOUT can be simply closed if you trust the script.

    #!/usr/bin/perl
    use strict;
    use warnings;

    # Debug output goes to a local log file, never back to the client.
    open STDERR, ">>/tmp/stderr" or die "stderr: $!\n";
    print STDERR (scalar localtime), "\n";
    chdir "/home/myhome/.ssh" or die "chdir: $!\n";

    # SSH_CONNECTION is "client_ip client_port server_ip server_port".
    my $ip = (split ' ', $ENV{SSH_CONNECTION})[0];
    $ip =~ /^10\.20\.76\.([0-9]{1,3})$/ or die "Bad IP: \"$ip\"\n";
    $1 > 0 && $1 < 256 or die "Bad IP host: \"$1\"\n";  # can be more restrictive with the VPN ip range
    print STDERR "DEBUG: \"$ip\" ok\n";

    # Render config.template into config.new, substituting the VPN address.
    open TEMPLATE, "<config.template" or die "template: $!\n";
    open CONFIG, ">config.new" or die "new: $!\n";
    while (<TEMPLATE>) {
        s/--VPN--/$ip/o;
        print CONFIG;
    }
    close TEMPLATE;
    close CONFIG;

    # Swap the new config into place, keeping the previous one as config.old.
    rename "config", "config.old" or die "rename: $!\n";
    rename "config.new", "config" or die "rename: $!\n";
    exit 0;

config.template is exactly the same as my normal .ssh/config file except that it has an entry with --VPN-- as the HostName in it, like this:

    Host home
        HostName --VPN--
        User

On my home machine, the ppp/ip-up.d script has a line that simply does:

    ssh -i /home/amos/.ssh/update-vpn [EMAIL PROTECTED]

Which just triggers the script above. And now I can do "ssh home" from work and get connected over the VPN.

Thanks to everyone for your suggestions, I might get around to getting a static VPN address one day.

Cheers,

--Amos
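The same forced-command script done over with the checks a practitioner would want, as an added example (mine, not Amos's script). It validates the address with the ipaddress module instead of a regex (every octet range-checked, the network and broadcast addresses rejected, an address outside the VPN pool refused), and writes the new config atomically through a temp file and rename so an interrupted run never leaves a half-written ~/.ssh/config. Assumptions: the VPN pool is 10.20.76.0/24 (a placeholder taken from the regex above), the template sits next to the config and uses the same --VPN-- marker, and refusals are logged to /tmp/update-vpn.log; the template text in the usage note is constructed.

```python
#!/usr/bin/env python3
"""Forced-command helper: rewrite ~/.ssh/config with the caller's VPN address."""
import ipaddress
import os
import sys
import tempfile

VPN_NET = ipaddress.ip_network("10.20.76.0/24")  # assumption: the VPN address pool
MARKER = "--VPN--"                               # placeholder used in config.template


def client_ip_from_env(env, allowed_net=VPN_NET):
    """Return the validated client address taken from SSH_CONNECTION.

    sshd fills SSH_CONNECTION from its own TCP socket, so the client does not
    choose the value; a forced command should still refuse anything that is
    not a host address inside the expected pool.
    """
    fields = env.get("SSH_CONNECTION", "").split()
    if len(fields) != 4:
        raise ValueError("SSH_CONNECTION missing or malformed")
    ip = ipaddress.ip_address(fields[0])      # ValueError on anything non-numeric
    if ip not in allowed_net:
        raise ValueError(f"client {ip} outside {allowed_net}")
    if ip in (allowed_net.network_address, allowed_net.broadcast_address):
        raise ValueError(f"client {ip} is not a host address")
    return str(ip)


def render_config(template_text, ip):
    """Substitute the marker; a template without it is a misconfiguration."""
    if MARKER not in template_text:
        raise ValueError(f"template has no {MARKER} marker")
    return template_text.replace(MARKER, ip)


def update_config(ssh_dir, ip):
    """Write ssh_dir/config atomically from ssh_dir/config.template."""
    template = os.path.join(ssh_dir, "config.template")
    target = os.path.join(ssh_dir, "config")
    with open(template) as f:
        new_text = render_config(f.read(), ip)
    fd, tmp = tempfile.mkstemp(dir=ssh_dir, prefix=".config.")  # created mode 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new_text)
        os.replace(tmp, target)               # atomic swap, no window with a bad config
    except BaseException:
        os.unlink(tmp)
        raise
    return new_text


def main():
    # Say nothing to the client; refusals are recorded locally only.
    try:
        ip = client_ip_from_env(os.environ)
        update_config(os.path.expanduser("~/.ssh"), ip)
    except (OSError, ValueError) as exc:
        with open("/tmp/update-vpn.log", "a") as log:  # assumption: local log path
            log.write(f"refused: {exc}\n")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

With `command="/home/amos/bin/update-vpn.py"` on the key's authorized_keys line the script runs with SSH_CONNECTION set by sshd and no arguments from the client; `ssh home` then resolves through the freshly written `HostName`.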
Re: dynamically configuring ssh ip address
On 14/04/07, Maxim Veksler [EMAIL PROTECTED] wrote:
> I assume you are aware of the way you run commands on the server with ssh.
> Example for those who don't:
>
> [EMAIL PROTECTED]:/$ ssh localhost echo "ssh-server-side: \$SSH_CLIENT"
> ssh-server-side: 127.0.0.1 45116 22
> [EMAIL PROTECTED]:/$ CLIENT_SIDE_VAR='This is simple bash interpretation'
> [EMAIL PROTECTED]:/$ ssh localhost echo "$CLIENT_SIDE_VAR"
> This is simple bash interpretation
> [EMAIL PROTECTED]:/$ echo "STDIN redirection example" | ssh localhost cat
> STDIN redirection example
>
> You can also combine them all into one ssh invocation:
>
> [EMAIL PROTECTED]:/$ echo "STDIN redirection example" | ssh localhost "echo ssh-server-side: \$SSH_CLIENT; echo $CLIENT_SIDE_VAR; cat"
> ssh-server-side: 127.0.0.1 45116 22
> This is simple bash interpretation
> STDIN redirection example

Thanks for trying to help but this is a bad example, security wise and in practical terms:

1. I want an automatic process (/etc/ppp/ip-up.d/script) to be able to connect over ssh to a remote site, that process won't have access to the passphrase so I need to provide it with an identity which isn't protected by one.

2. Since the identity used is not cryptographically protected, it is very dangerous to allow it to do just anything on the remote machine.

SSH provides a good way to overcome this:

1. Create a new specialized identity without a passphrase:

    $ ssh-keygen -b 2048 -C test -f ~/.ssh/test

2. Copy it over to the remote machine and add options to its line in authorized_keys (ssh-copy-id makes this copying easy, but it leaves the key unlimited until you edit the .ssh/authorized_keys file). Here is an example from the remote .ssh/authorized_keys:

    from="10.0.0.*",command="date",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa (key here)

Now whenever I execute "ssh -i /home/amos/.ssh/test [EMAIL PROTECTED]" I'll get the output of date and the connection will be closed:

    $ ssh -i /home/amos/.ssh/test [EMAIL PROTECTED]
    Sat Apr 14 15:46:59 EST 2007
    Connection to 10.0.0.5 closed.

Any other command passed to ssh is simply ignored (though I notice a slight difference in the output when this is attempted - it looks like newlines are translated to CRLF, maybe it's a bug with sshd?):

    $ ssh -i /home/amos/.ssh/test [EMAIL PROTECTED] cat /etc/passwd
    Sat Apr 14 15:53:35 EST 2007

Two more points:

1. The sshd manual (where authorized_keys is documented) says that the from option takes DNS host names, it doesn't mention that IP addresses work too, as demonstrated above.

2. In my particular case, I'd create a script which reads the SSH_CLIENT or SSH_CONNECTION envariables and verifies that they make sense (quad-dot, from a VPN ip range) before using it. If I go the trivial way and just trust any input passed from the client and someone manages to break into my home machine he'll be able to redefine my connection back home from work to connect to his server of choice (host key can be stolen while he's on my machine so sshd won't warn me).

That said, I'm not sure that I can trust SSH_CLIENT/SSH_CONNECTION since they are passed from the client. Maybe a getpeername(2) on stdin/stdout can be used as a more secure way to obtain the client's IP.

Cheers,

--Amos
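A parser for the authorized_keys option syntax used above, with a check for the restrictions an unattended (passphrase-less) key should carry, as an added example (mine, not code from the thread). The grammar it implements is the one sshd(8) documents: options come before the key type, are comma-separated, take double-quoted values in which `\"` is the escape, and have case-insensitive names. It also knows the `restrict` option that newer OpenSSH (7.2 and later) provides as a shorthand for all the no-* flags. The sample lines and key blobs in the test are constructed, and the `update-vpn` path in one of them is a placeholder.

```python
"""Parse authorized_keys lines and flag missing restrictions on unattended keys."""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
NO_FLAGS = ("no-pty", "no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding")


def _split_options(text):
    """Turn 'a="x,y",b,c="q\\"r"' into {'a': 'x,y', 'b': True, 'c': 'q"r'}."""
    opts, cur, in_quote, i = {}, [], False, 0

    def flush():
        if cur:
            name, sep, value = "".join(cur).partition("=")
            opts[name.lower()] = value if sep else True   # flags map to True
            cur.clear()

    while i < len(text):
        c = text[i]
        if in_quote:
            if c == "\\" and text[i + 1:i + 2] == '"':      # escaped quote inside a value
                cur.append('"')
                i += 2
                continue
            if c == '"':
                in_quote = False
            else:
                cur.append(c)
        elif c == '"':
            in_quote = True
        elif c == ",":
            flush()
        else:
            cur.append(c)
        i += 1
    if in_quote:
        raise ValueError("unterminated quote in options")
    flush()
    return opts


def parse_authorized_key(line):
    """Return (options, keytype, blob, comment) for one authorized_keys line."""
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("blank or comment line")
    # The first field ends at whitespace outside quotes (command= values may hold spaces).
    i, in_quote = 0, False
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\" and line[i + 1:i + 2] == '"':
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    first, rest = line[:i], line[i:].strip()
    if first.startswith(KEY_TYPE_PREFIXES):       # no options on this line
        options, rest = {}, line
    else:
        options = _split_options(first)
    fields = rest.split(None, 2)
    if len(fields) < 2 or not fields[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError("no key type and blob found")
    comment = fields[2] if len(fields) == 3 else ""
    return options, fields[0], fields[1], comment


def unattended_key_findings(line):
    """List what is missing for a key whose private half has no passphrase:
    it should run exactly one command, only from the expected source, and
    get no pty and no forwarding of any kind."""
    options = parse_authorized_key(line)[0]
    findings = []
    if "command" not in options:
        findings.append("no command=: the key gets whatever the client asks for")
    if "from" not in options:
        findings.append("no from=: any source address may use the key")
    if "restrict" not in options:                 # restrict implies every no-* flag
        missing = [f for f in NO_FLAGS if f not in options]
        if missing:
            findings.append("missing " + ", ".join(missing) + " (or restrict)")
    return findings
```

Run `unattended_key_findings` over each line of a host's authorized_keys files before handing out a passphrase-less identity: the line shown above passes except that it still allows agent forwarding.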
Re: dynamically configuring ssh ip address
On 4/13/07, Amos Shapira [EMAIL PROTECTED] wrote:
> Is this the only way to do this? Is there a more elegant way I'm missing?

Yes, subscribe to yet another dynamic IP name service for the work IP. If your sysadmin at work is nice enough and you have an internal DNS server, you could pretty easily update it with a DNSSEC key and 'nsupdate'.

> (We currently use MS VPN, maybe once I get around to switch to OpenVPN I'll
> have more control over this and be able to dynamically assign host names
> based on the user used to login to the VPN? Is this possible with MS VPN?)

This is probably the basic Windows RAS Service. In this case, just go to Active Directory Users and Computers, select your user, go to the Dial-in tab and fill out the "Assign a static IP" input box.
Re: dynamically configuring ssh ip address
On 13/04/07, Ilya Konstantinov [EMAIL PROTECTED] wrote:
> On 4/13/07, Amos Shapira [EMAIL PROTECTED] wrote:
> > Is this the only way to do this? Is there a more elegant way I'm missing?
>
> Yes, subscribe to yet another dynamic IP name service for the work IP. If
> your sysadmin at work is nice enough and you have an internal DNS server,
> you could pretty easily update it with a DNSSEC key and 'nsupdate'.

I am the system manager. I inherited the network a couple of months ago and going forward hope to transform it to an open network based on Linux, though there might be some parts (hopefully small islands) which I won't be able to convert (e.g. almost everyone else will want to stick to Windows desktops, and to Exchange Server).

> > (We currently use MS VPN, maybe once I get around to switch to OpenVPN
> > I'll have more control over this and be able to dynamically assign host
> > names based on the user used to login to the VPN? Is this possible with
> > MS VPN?)
>
> This is probably the basic Windows RAS Service. In this case, just go to
> Active Directory Users and Computers, select your user, go to the Dial-in
> tab and fill out the "Assign a static IP" input box.

This is one part of the system I don't have access to (only the CEO and CTO can touch the Active Directory). Is there a chance to get a DNS record dynamically updated to the right IP address instead of having to allocate a static IP address?

Thanks,

--Amos
Re: dynamically configuring ssh ip address
Amos Shapira wrote:
> On 13/04/07, Moshe Leibovitch [EMAIL PROTECTED] wrote:
> > It may sound too simplistic, but you can mail it to a shell alias which
> > will run a script.
>
> Thanks for the idea, but I can only access mail at work through Outlook.

Can't you configure your client/outlook account to automatically send a mail to another machine in the internal network?
Re: dynamically configuring ssh ip address
On 4/13/07, Amos Shapira [EMAIL PROTECTED] wrote:
> > (We currently use MS VPN, maybe once I get around to switch to OpenVPN
> > I'll have more control over this and be able to dynamically assign host
> > names based on the user used to login to the VPN? Is this possible with
> > MS VPN?)
> >
> > This is probably the basic Windows RAS Service. In this case, just go to
> > Active Directory Users and Computers, select your user, go to the Dial-in
> > tab and fill out the "Assign a static IP" input box.
>
> This is one part of the system I don't have access to (only the CEO and CTO
> can touch the Active Directory). Is there a chance to get a DNS record
> dynamically updated to the right IP address instead of having to allocate a
> static IP address?

Yep, just as I described: make your company's DNS server accept your DNSSEC key for updating your home machine's A record. Assuming you have access to your company's DNS server, of course, since according to you, you're not allowed to touch the AD...
Re: dynamically configuring ssh ip address
On 13/04/07, Yehoshua (Shay) O'Hayon Suchar [EMAIL PROTECTED] wrote:
> Amos Shapira wrote:
> > On 13/04/07, Moshe Leibovitch [EMAIL PROTECTED] wrote:
> > > It may sound too simplistic, but you can mail it to a shell alias which
> > > will run a script.
> >
> > Thanks for the idea, but I can only access mail at work through Outlook.
>
> Can't you configure your client/outlook account to automatically send a mail
> to another machine in the internal network?

I suppose I can but ssh sounds so much easier and straightforward, without dependence on having Outlook running all the time...

--Amos
Re: dynamically configuring ssh ip address
On 4/14/07, Amos Shapira [EMAIL PROTECTED] wrote:
> On 13/04/07, Yehoshua (Shay) O'Hayon Suchar [EMAIL PROTECTED] wrote:
> > Amos Shapira wrote:
> > > On 13/04/07, Moshe Leibovitch [EMAIL PROTECTED] wrote:
> > > > It may sound too simplistic, but you can mail it to a shell alias
> > > > which will run a script.
> > >
> > > Thanks for the idea, but I can only access mail at work through Outlook.
> >
> > Can't you configure your client/outlook account to automatically send a
> > mail to another machine in the internal network?
>
> I suppose I can but ssh sounds so much easier and straightforward, without
> dependence on having Outlook running all the time...

I assume you are aware of the way you run commands on the server with ssh. Example for those who don't:

    [EMAIL PROTECTED]:/$ ssh localhost echo "ssh-server-side: \$SSH_CLIENT"
    ssh-server-side: 127.0.0.1 45116 22
    [EMAIL PROTECTED]:/$ CLIENT_SIDE_VAR='This is simple bash interpretation'
    [EMAIL PROTECTED]:/$ ssh localhost echo "$CLIENT_SIDE_VAR"
    This is simple bash interpretation
    [EMAIL PROTECTED]:/$ echo "STDIN redirection example" | ssh localhost cat
    STDIN redirection example

You can also combine them all into one ssh invocation:

    [EMAIL PROTECTED]:/$ echo "STDIN redirection example" | ssh localhost "echo ssh-server-side: \$SSH_CLIENT; echo $CLIENT_SIDE_VAR; cat"
    ssh-server-side: 127.0.0.1 45116 22
    This is simple bash interpretation
    STDIN redirection example

> --Amos

Maxim.

--
Cheers,
Maxim Veksler

Free as in Freedom - Do u GNU ?