On 16/04/07, Maxim Veksler <[EMAIL PROTECTED]> wrote:

> Yes, I was thinking about this one. Assuming you do get SSH_CLIENT
> passed to you by the client that connects, the fact he is passing you
> anything means the client has already passed the authentication phase!
> I would say that if it was a rogue client you have now bigger problems
> than him faking his source IP address to worry about. This is to imply
> that I trust the openssh folks to not leave such obvious holes in
> their software implementation and I assume SSH_CLIENT is safe to rely
> on.


So where exactly is the string of this envariable set? In the server using
the output of getpeername or in the client?
Even if the client passed the authentication phase then it means "they" have
my private key. I can still make life difficult for them by not allowing
them to reconfigure my .ssh/config to just any IP address they like by
forcing them to connect from that address.

Anyway, here is the script I came up with. It uses the SSH_CONNECTION
envariable since a quick attempt to use getpeername on STDIN or STDOUT (and
their fileno()) in perl didn't work. I also test the sanity of the IP
address I get so it feels relatively safe. It gets executed whenever a
particular SSH ID key is used to connect to my work desktop as described in
a previous post.

The script is careful not to output anything to the client in order to
minimize information for potential attackers. The forwarding of STDERR
is more for testing purposes; STDERR/STDIN/STDOUT can simply be closed if
you trust the script.

#!/usr/bin/perl
use strict;
use warnings;

# Log locally only; nothing is written back to the connecting client.
# Note: /tmp/stderr is a predictable, world-writable location; a file
# under ~/.ssh would avoid another local user pre-creating it.
open STDERR, ">>", "/tmp/stderr";
print STDERR scalar(localtime), "\n";
chdir "/home/myhome/.ssh" or die "chdir: $!\n";

# sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port"
# once the session is authenticated; the first field is the peer address.
defined $ENV{SSH_CONNECTION} or die "SSH_CONNECTION not set\n";
my $ip = (split ' ', $ENV{SSH_CONNECTION})[0];
$ip =~ /^10\.20\.76\.([0-9]{1,3})$/ or die "Bad IP: \"$ip\"\n";
$1 > 0 && $1 < 256 or die "Bad IP host: \"$1\"\n";
# can be more restrictive with the VPN ip range
print STDERR "DEBUG: \"$ip\" ok\n";

# Build the new config from the template, substituting the placeholder.
open TEMPLATE, "<", "config.template" or die "template: $!\n";
open CONFIG, ">", "config.new" or die "new: $!\n";
while (<TEMPLATE>)
{
 s/--VPN--/$ip/;
 print CONFIG;
}
close TEMPLATE;
close CONFIG or die "close: $!\n";

# Keep the previous config around, then move the new one into place.
rename "config", "config.old" or die "rename: $!\n";
rename "config.new", "config" or die "rename: $!\n";
exit 0;

"config.template" is exactly the same as my normal .ssh/config file except
that it has an entry with --VPN-- as the HostName in it, like this:

Host home
       HostName --VPN--
       User ....

On my home machine, the ppp/ip-up.d script has a line that simply does:
ssh -i /home/amos/.ssh/update-vpn [EMAIL PROTECTED]

Which just triggers the script above.

And now I can do "ssh home" from work and get connected over the VPN.

Thanks to everyone for your suggestions, I might get around to getting a
static VPN address one day.

Cheers,

--Amos
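A Python rendering of the same forced-command update, added here as an illustration and not part of the thread or of Amos's script. It assumes the layout described in the post (a config.template containing --VPN--, the 10.20.76.0/24 VPN range, the script living under ~/.ssh) and goes slightly beyond it on two points the discussion raises: the peer address is validated with the ipaddress module rather than a regex, and the new config is written to a temporary file and moved over the old one with os.replace, so there is never a moment without a config file. The authorized_keys line in the docstring uses standard OpenSSH key options (from=, command=, no-pty and friends) to pin the key to the VPN range and to this one command; the key type and path in it are placeholders.

```python
"""Forced-command helper that rewrites ~/.ssh/config with the caller's address.

Added example, not the script from the mailing-list post. Assumed setup,
mirroring the thread: ~/.ssh/config.template holds the placeholder --VPN--,
and the key that triggers this script is restricted in authorized_keys to
the VPN range and to this command only, e.g. (placeholder key material):

  from="10.20.76.0/24",command="/home/myhome/.ssh/update-vpn.py",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... home-vpn
"""
import ipaddress
import os
import sys
import tempfile
from pathlib import Path

ALLOWED_NET = ipaddress.ip_network("10.20.76.0/24")   # VPN range named in the post
PLACEHOLDER = "--VPN--"


def client_ip(env, allowed=ALLOWED_NET):
    """Return the validated peer address from SSH_CONNECTION or raise ValueError.

    sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port"
    after authentication. The value comes from the server's own socket, but the
    range check still matters: a stolen key must not be able to point 'home'
    at an arbitrary address.
    """
    raw = env.get("SSH_CONNECTION")
    if not raw:
        raise ValueError("SSH_CONNECTION not set; not running under sshd?")
    fields = raw.split()
    if len(fields) != 4:
        raise ValueError("unexpected SSH_CONNECTION: %r" % raw)
    addr = ipaddress.ip_address(fields[0])   # rejects e.g. "10.20.76.999"
    # Same rule as the Perl script: inside the range, but not .0 or .255.
    if (addr not in allowed or addr == allowed.network_address
            or addr == allowed.broadcast_address):
        raise ValueError("client %s outside %s" % (addr, allowed))
    return str(addr)


def render(template_text, ip):
    """Substitute the placeholder; refuse a template that does not contain it."""
    if PLACEHOLDER not in template_text:
        raise ValueError("template has no %s placeholder" % PLACEHOLDER)
    return template_text.replace(PLACEHOLDER, ip)


def update_config(ssh_dir, ip):
    """Rewrite <ssh_dir>/config from config.template atomically; return new text.

    The file is built in the same directory and swapped in with os.replace,
    so a concurrent 'ssh home' never sees a missing or half-written config.
    """
    ssh_dir = Path(ssh_dir)
    template = (ssh_dir / "config.template").read_text()
    new_text = render(template, ip)
    fd, tmp = tempfile.mkstemp(dir=str(ssh_dir), prefix="config.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(new_text)
        os.chmod(tmp, 0o600)      # ssh refuses a config that others can write
        os.replace(tmp, ssh_dir / "config")
    except BaseException:
        os.unlink(tmp)
        raise
    return new_text


def main():
    """Entry point when run as the forced command: log failures locally only."""
    try:
        ip = client_ip(os.environ)
        update_config(Path.home() / ".ssh", ip)
    except (OSError, ValueError) as exc:
        # Nothing is echoed to the client; the log stays inside ~/.ssh.
        with open(Path.home() / ".ssh" / "update-vpn.log", "a") as log:
            log.write("%s\n" % exc)
        sys.exit(1)


if __name__ == "__main__":
    main()
```

Installed as the command= target of a dedicated key, the script behaves like the Perl one: the home machine's ip-up hook runs `ssh -i <key> work`, the forced command rewrites config, and the client receives no output either way. The from= option on the key is a second, sshd-enforced copy of the range check, so the key is useless from outside the VPN even if the script itself is bypassed.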
