On 16/04/07, Maxim Veksler <[EMAIL PROTECTED]> wrote:
Yes, I was thinking about this one. Assuming you do get SSH_CLIENT passed to you by the client that connects, the fact he is passing you anything means the client has already passed the authentication phase! I would say that if it was a rogue client you now have bigger problems than him faking his source IP address to worry about. This is to imply that I trust the openssh folks not to leave such obvious holes in their software implementation, and I assume SSH_CLIENT is safe to rely on.
So where exactly is the string of this envariable set? In the server, using the output of getpeername, or in the client? Even if the client passed the authentication phase, it means "they" have my private key. I can still make life difficult for them by not allowing them to reconfigure my .ssh/config to just any IP address they like, by forcing them to connect from that address. Anyway, here is the script I came up with. It uses the SSH_CONNECTION envariable since a quick attempt to use getpeername on STDIN or STDOUT (and their fileno()) in perl didn't work. I also test the sanity of the IP address I get, so it feels relatively safe. It gets executed whenever a particular SSH ID key is used to connect to my work desktop, as described in a previous post. The script is careful not to output anything to the client in order to minimize information for potential attackers. The forwarding of STDERR is more for testing purposes; STDERR/STDIN/STDOUT can simply be closed if you trust the script.

#!/usr/bin/perl
use strict;
use warnings;
# Debug log only. /tmp is shared, so drop this (or just close STDERR)
# once you trust the script.
open STDERR, ">>", "/tmp/stderr" or die "stderr: $!\n";
print STDERR scalar(localtime), "\n";
chdir "/home/myhome/.ssh" or die "chdir: $!\n";
# SSH_CONNECTION is "client_ip client_port server_ip server_port",
# set by sshd from the peer address of the accepted connection.
defined $ENV{SSH_CONNECTION} or die "SSH_CONNECTION not set\n";
my $ip = (split ' ', $ENV{SSH_CONNECTION})[0];
# Only accept an address in the VPN range; can be more restrictive.
$ip =~ /^10\.20\.76\.([0-9]{1,3})$/ or die "Bad IP: \"$ip\"\n";
my $host = $1;
$host > 0 && $host < 256 or die "Bad IP host: \"$host\"\n";
print STDERR "DEBUG: \"$ip\" ok\n";
# Build the new config from the template, then swap it into place.
open my $template, "<", "config.template" or die "template: $!\n";
open my $config, ">", "config.new" or die "new: $!\n";
while (<$template>) {
    s/--VPN--/$ip/;
    print $config $_;
}
close $template;
close $config or die "close: $!\n";
rename "config", "config.old" or die "rename: $!\n";
rename "config.new", "config" or die "rename: $!\n";
exit 0;

"config.template" is exactly the same as my normal .ssh/config file except that it has an entry with --VPN-- as the HostName in it, like this:

Host home
HostName --VPN--
User ....
On my home machine, the ppp/ip-up.d script has a line that simply does:

ssh -i /home/amos/.ssh/update-vpn [EMAIL PROTECTED]

which just triggers the script above. And now I can do "ssh home" from work and get connected over the VPN. Thanks to everyone for your suggestions, I might get around to getting a static VPN address one day.

Cheers,
--Amos
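As an added illustration of the mechanism Amos describes (not code from the thread, and in Python rather than Perl), the following shows the two server-side pieces that make the scheme hold together: the authorized_keys entry for the dedicated key, and the update script that reads SSH_CONNECTION. Two facts the example relies on: sshd sets SSH_CONNECTION in the session environment from the peer address of the accepted TCP connection, and when a key's authorized_keys entry carries command="...", sshd runs that command regardless of what the client asked for. The authorized_keys line (key material is a placeholder), the 10.20.76.0/24 VPN range, the /home/myhome/.ssh paths and the sample SSH_CONNECTION value are all assumptions chosen to match the posted script. Compared with the regex in the Perl version, it uses the standard ipaddress module for validation, and it renames a temp file over the old config so there is never a moment with no config file:

```python
import ipaddress
import os
import tempfile

# Constructed sample of what sshd puts in the session environment:
# "client_ip client_port server_ip server_port".
SAMPLE_ENV = {"SSH_CONNECTION": "10.20.76.42 51234 10.20.76.1 22"}

# VPN range accepted by the update (assumed, matching the 10.20.76.x
# check in the posted Perl script).
VPN_NET = ipaddress.ip_network("10.20.76.0/24")

# Constructed authorized_keys entry for the dedicated update key:
# "from=" makes sshd refuse the key from any other source address,
# "command=" makes sshd run the update script whatever the client asked
# for, and the no-* options drop forwarding and tty allocation the
# script does not need.  The key material is a placeholder.
AUTHORIZED_KEYS_LINE = (
    'from="10.20.76.0/24",command="/home/myhome/.ssh/update-vpn",'
    'no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding '
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... update-vpn'
)


def client_ip(env, allowed_net=VPN_NET):
    """Return the client address from SSH_CONNECTION as a string, or raise
    ValueError if it is absent, malformed or not a host in allowed_net."""
    raw = env.get("SSH_CONNECTION")
    if raw is None:
        raise ValueError("SSH_CONNECTION not set (not running under sshd?)")
    fields = raw.split()
    if len(fields) != 4:
        raise ValueError("unexpected SSH_CONNECTION format")
    # ip_address() rejects anything that is not a well-formed address,
    # including octets above 255, so no hand-written regex is needed.
    ip = ipaddress.ip_address(fields[0])
    if ip not in allowed_net or ip == allowed_net.network_address:
        raise ValueError(f"client {ip} is not a host in {allowed_net}")
    return str(ip)


def render_config(template_text, ip):
    """Substitute the --VPN-- placeholder; refuse a template without one so
    a broken template cannot silently drop the entry."""
    if "--VPN--" not in template_text:
        raise ValueError("template has no --VPN-- placeholder")
    return template_text.replace("--VPN--", ip)


def update_config(ssh_dir, ip):
    """Rewrite ssh_dir/config from ssh_dir/config.template atomically:
    write a temp file in the same directory, then rename it over the old
    config, so there is never a missing or half-written config file."""
    with open(os.path.join(ssh_dir, "config.template")) as f:
        new_text = render_config(f.read(), ip)
    fd, tmp_path = tempfile.mkstemp(dir=ssh_dir, prefix=".config.")
    with os.fdopen(fd, "w") as f:
        f.write(new_text)
    os.chmod(tmp_path, 0o600)  # ssh refuses a group/world-writable config
    target = os.path.join(ssh_dir, "config")
    os.replace(tmp_path, target)
    return target


def demo():
    """Run the whole update against a throwaway directory with a
    constructed template and return the resulting config text."""
    ssh_dir = tempfile.mkdtemp()
    with open(os.path.join(ssh_dir, "config.template"), "w") as f:
        f.write("Host home\n  HostName --VPN--\n  User amos\n")
    ip = client_ip(SAMPLE_ENV)
    with open(update_config(ssh_dir, ip)) as f:
        return f.read()


if __name__ == "__main__":
    print(demo())
```

The from= option is the check the script cannot do for itself: with it in place, a connection from outside the VPN range never reaches the forced command at all, and the in-script range test becomes a second line of defence rather than the only one.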