Re: dynamically configuring ssh ip address

2007-04-16 Thread Ilya Konstantinov

On 4/16/07, Amos Shapira <[EMAIL PROTECTED]> wrote:


On 16/04/07, Ilya Konstantinov <[EMAIL PROTECTED]> wrote:
>
> Just when did this list go crazy? There's a solution fitting your
> problem - dynamic DNS (with DNSSEC). Why hack something when any modern DNS
> server supports it through configuration?
>

When not having access to the DNS server to enable it (or knowing whether
it supports this at all - stinky MS stuff).



Microsoft's DNS server ain't particularly bad (and its management tools are
certainly better than Bind's). Don't knock it if you don't know it.

On the other hand - maybe I can install a local one on my desktop machine

and update it with dnssec - any recommendations in that area (among the
options available as Debian Etch packages)?



Bind (Debian "bind9" package) will do just fine.


Re: dynamically configuring ssh ip address

2007-04-16 Thread Amos Shapira

On 16/04/07, Ilya Konstantinov <[EMAIL PROTECTED]> wrote:


Just when did this list go crazy? There's a solution fitting your problem
- dynamic DNS (with DNSSEC). Why hack something when any modern DNS server
supports it through configuration?



When not having access to the DNS server to enable it (or knowing whether it
supports this at all - stinky MS stuff).

On the other hand - maybe I can install a local one on my desktop machine
and update it with dnssec - any recommendations in that area (among the
options available as Debian Etch packages)?

--Amos


Re: dynamically configuring ssh ip address

2007-04-16 Thread Ilya Konstantinov

On 4/15/07, Maxim Veksler <[EMAIL PROTECTED]> wrote:


On 4/15/07, Ehud Karni <[EMAIL PROTECTED]> wrote:
> On Sat, 14 Apr 2007 16:18:20 +1000, Amos Shapira wrote:
> >
> > That said, I'm not sure that I can trust SSH_CLIENT/SSH_CONNECTION
since
> > they are passed from the client. Maybe a getpeername(2) on
stdin/stdout can
> > be used as a more secure way to obtain the client's IP.
>
> You are mistaken. You can trust the SSH_CLIENT/SSH_CONNECTION, it is
> taken from the TCP stack, not from the client (same as getpeername).



Just when did this list go crazy? There's a solution fitting your problem -
dynamic DNS (with DNSSEC). Why hack something when any modern DNS server
supports it through configuration?


Re: dynamically configuring ssh ip address

2007-04-15 Thread Amos Shapira

On 16/04/07, Maxim Veksler <[EMAIL PROTECTED]> wrote:


Yes, I was thinking about this one. Assuming you do get SSH_CLIENT
passed to you by the client that connects, the fact he is passing your
anything means the client has already passed the authentication phase!
I would say that if it was a rogue client you have now bigger problems
than him faking his source IP address to worry about. This is to imply
that I trust the openssh folks to not leave such obvious holes in
their software implementation and I assume SSH_CLIENT is safe to rely
on.



So where exactly is the string of this envariable set? In the server using
the output of getpeername or in the client?
Even if the client passed the authentication phase then it means "they" have
my private key. I can still make life difficult for them by not allowing
them to reconfigure my .ssh/config to just any IP address they like by
forcing them to connect from that address.

Anyway, here is the script I came up with. It uses the SSH_CONNECTION
envariable since a quick attempt to use getpeername on STDIN or STDOUT (and
their fileno()) in perl didn't work. I also test the sanity of the IP
address I get so it feels relatively safe. It gets executed whenever a
particular SSH ID key is used to connect to my work desktop as described in
a previous post.

The script is careful not to output anything to the client in order to
minimize information for potential attackers. The forwarding of the STDERR
is more for testing purposes, STDERR/STDIN/STDOUT can be simply closed if
you trust the script.

#!/usr/bin/perl
use strict;
use warnings;

# Log to a file only; nothing is printed back to the client.
open STDERR, ">>/tmp/stderr";
print STDERR (scalar localtime), "\n";
chdir "/home/myhome/.ssh" or die "chdir: $!\n";
# SSH_CONNECTION is "client_ip client_port server_ip server_port"; keep the client IP.
my $ip = (split ' ', $ENV{SSH_CONNECTION})[0];
$ip =~ /^10\.20\.76\.([0-9]{1,3})$/ or die "Bad IP: \"$ip\"\n";
$1 > 0 && $1 < 256 or die "Bad IP host: \"$1\"\n";
# can be more restrictive with the VPN ip range
print STDERR "DEBUG: \"$ip\" ok\n";

# Copy the template into a new config, substituting the client IP for --VPN--.
open TEMPLATE, "config.template" or die "template: $!\n";
open CONFIG, ">config.new" or die "new: $!\n";
while (<TEMPLATE>)
{
 s/--VPN--/$ip/o;
 print CONFIG;
}
close TEMPLATE;
close CONFIG;

# Swap the new config into place, keeping the previous one as config.old.
rename "config", "config.old" or die "rename: $!\n";
rename "config.new", "config" or die "rename: $!\n";
exit 0;

"config.template" is exactly the same as my normal .ssh/config file except
that it has an entry with --VPN-- as the HostName in it, like this:

Host home
   HostName --VPN--
   User 

On my home machine, the ppp/ip-up.d script has a line that simply does:
ssh -i /home/amos/.ssh/update-vpn [EMAIL PROTECTED]

Which just triggers the script above.

And now I can do "ssh home" from work and get connected over the VPN.

Thanks to everyone for your suggestions, I might get around to getting a
static VPN address one day.

Cheers,

--Amos


Re: dynamically configuring ssh ip address

2007-04-15 Thread Maxim Veksler

On 4/15/07, Ehud Karni <[EMAIL PROTECTED]> wrote:

On Sat, 14 Apr 2007 16:18:20 +1000, Amos Shapira wrote:
>
> That said, I'm not sure that I can trust SSH_CLIENT/SSH_CONNECTION since
> they are passed from the client. Maybe a getpeername(2) on stdin/stdout can
> be used as a more secure way to obtain the client's IP.

You are mistaken. You can trust the SSH_CLIENT/SSH_CONNECTION, it is
taken from the TCP stack, not from the client (same as getpeername).



Yes, I was thinking about this one. Assuming you do get SSH_CLIENT
passed to you by the client that connects, the fact he is passing your
anything means the client has already passed the authentication phase!
I would say that if it was a rogue client you have now bigger problems
than him faking his source IP address to worry about. This is to imply
that I trust the openssh folks to not leave such obvious holes in
their software implementation and I assume SSH_CLIENT is safe to rely
on.


Ehud.



Maxim.



--
 Ehud Karni   Tel: +972-3-7966-561  /"\
 Mivtach - Simon  Fax: +972-3-7966-667  \ /  ASCII Ribbon Campaign
 Insurance agencies   (USA) voice mail and   X   Against   HTML   Mail
 http://www.mvs.co.il  FAX:  1-815-5509341  / \
 GnuPG: 98EA398D Better Safe Than Sorry





--
Cheers,
Maxim Veksler

"Free as in Freedom" - Do u GNU ?

=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]



Re: dynamically configuring ssh ip address

2007-04-15 Thread Ehud Karni
On Sat, 14 Apr 2007 16:18:20 +1000, Amos Shapira wrote:
>
> That said, I'm not sure that I can trust SSH_CLIENT/SSH_CONNECTION since
> they are passed from the client. Maybe a getpeername(2) on stdin/stdout can
> be used as a more secure way to obtain the client's IP.

You are mistaken. You can trust the SSH_CLIENT/SSH_CONNECTION, it is
taken from the TCP stack, not from the client (same as getpeername).

Ehud.


--
 Ehud Karni   Tel: +972-3-7966-561  /"\
 Mivtach - Simon  Fax: +972-3-7966-667  \ /  ASCII Ribbon Campaign
 Insurance agencies   (USA) voice mail and   X   Against   HTML   Mail
 http://www.mvs.co.il  FAX:  1-815-5509341  / \
 GnuPG: 98EA398D Better Safe Than Sorry




Re: dynamically configuring ssh ip address

2007-04-15 Thread Ehud Karni
On Fri, 13 Apr 2007 21:51:59 +1000, Amos Shapira wrote:
>
> Also, my question was less about how to get the data - ssh with a special
> identity and a limited command looks easier and more secure - but more on how
> to get the ip address used by the ssh client at work.

It is very VERY simple, just use the SSH_CLIENT env variable.
Here is a script I use to have my HOME IP saved:


#! /bin/sh -ex
#
# Saves IP of ssh caller (use env var: SSH_CLIENT) to file ip_no
#
# --

# SSH_CLIENT is "client_ip client_port server_port"; keep the first field.
IP=`echo "$SSH_CLIENT" | cut "-d " -f1`
if [ "$IP" != "" ] ; then
echo "$IP" > ip_no
fi

# $SYS is assumed to be set in the environment (the calling system's name).
date "+%Y-%m-%d %H:%M ip set on $SYS" >> ip_log

## save-ssh-ip.sh ##

Ehud.


--
 Ehud Karni   Tel: +972-3-7966-561  /"\
 Mivtach - Simon  Fax: +972-3-7966-667  \ /  ASCII Ribbon Campaign
 Insurance agencies   (USA) voice mail and   X   Against   HTML   Mail
 http://www.mvs.co.il  FAX:  1-815-5509341  / \
 GnuPG: 98EA398D Better Safe Than Sorry

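Both Ehud's shell script above and Amos's Perl script earlier in the thread read the client address that sshd exports in the environment and act on it. The following is an added example (not code from either poster) that does the same job in Python: it takes the first field of SSH_CONNECTION (or SSH_CLIENT), checks that it parses as an address inside an allowed VPN range, and rewrites an ssh_config from a template atomically. The --VPN-- marker and the 10.20.76.0/24 range are taken from Amos's post; the sample environments and the template text are constructed for the example.

```python
"""Added example: validate the sshd-supplied client address and render an
ssh_config from a template.  Not code from the thread; the sample
environments below are constructed, not captured from a real session."""
import ipaddress
import os
import tempfile

# Constructed sample environments (not captured from a real session).
SAMPLE_OK = {"SSH_CONNECTION": "10.20.76.17 51234 10.20.76.1 22"}
SAMPLE_CLIENT_ONLY = {"SSH_CLIENT": "10.20.76.200 40000 22"}
SAMPLE_OUTSIDE = {"SSH_CONNECTION": "10.20.77.17 51234 10.20.76.1 22"}
SAMPLE_MALFORMED = {"SSH_CONNECTION": "10.20.76 51234 10.20.76.1 22"}
SAMPLE_NETWORK_ADDR = {"SSH_CONNECTION": "10.20.76.0 51234 10.20.76.1 22"}


def client_ip_from_env(env, allowed_net):
    """Return the client IP as a string if it parses and lies inside
    allowed_net, otherwise None.  sshd sets SSH_CONNECTION to
    'client_ip client_port server_ip server_port' and SSH_CLIENT to
    'client_ip client_port server_port'; the first field is the client."""
    value = env.get("SSH_CONNECTION") or env.get("SSH_CLIENT") or ""
    fields = value.split()
    if not fields:
        return None
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return None  # not an address at all; never let it reach the config
    net = ipaddress.ip_network(allowed_net)
    if ip.version != net.version or ip not in net:
        return None  # outside the VPN range
    if ip in (net.network_address, net.broadcast_address):
        return None  # no host legitimately connects from these
    return str(ip)


def render_config(template_text, ip, marker="--VPN--"):
    """Substitute the marker in the ssh_config template."""
    return template_text.replace(marker, ip)


def write_atomically(path, text):
    """Write to a temp file in the target directory, then rename it over the
    target, so a concurrent 'ssh home' never reads a half-written config."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".config.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
        os.chmod(tmp, 0o600)  # ssh_config can hold sensitive host details
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def update_ssh_config(env, template_path, config_path,
                      allowed_net="10.20.76.0/24"):
    """Return the IP written into config_path, or None if the client address
    was rejected (in which case nothing is written)."""
    ip = client_ip_from_env(env, allowed_net)
    if ip is None:
        return None
    with open(template_path) as f:
        template_text = f.read()
    write_atomically(config_path, render_config(template_text, ip))
    return ip


def demo_round_trip(env=SAMPLE_OK):
    """Run the whole flow in a scratch directory with a constructed template
    and return the config text that was written (None if rejected)."""
    with tempfile.TemporaryDirectory() as scratch:
        template = os.path.join(scratch, "config.template")
        config = os.path.join(scratch, "config")
        with open(template, "w") as f:
            f.write("Host home\n   HostName --VPN--\n   User amos\n")
        if update_ssh_config(env, template, config) is None:
            return None
        with open(config) as f:
            return f.read()


if __name__ == "__main__":
    # Real use: run as the forced command of the update key, reading sshd's
    # environment; say nothing on failure and just exit non-zero.
    ok = update_ssh_config(os.environ,
                           os.path.expanduser("~/.ssh/config.template"),
                           os.path.expanduser("~/.ssh/config"))
    raise SystemExit(0 if ok else 1)
```

The range check is the part that matters: the address is taken from the TCP connection by sshd, but the script still refuses anything outside the VPN range, so a compromised update key cannot point "ssh home" at an arbitrary host. The rename-over-target write replaces the Perl script's rename pair with a single step that cannot leave the config missing.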



Re: dynamically configuring ssh ip address

2007-04-13 Thread Amos Shapira

On 14/04/07, Maxim Veksler <[EMAIL PROTECTED]> wrote:


I assume you are aware of the way you run commands on the server with ssh.

Example for those who don't:

[EMAIL PROTECTED]:/$ ssh localhost "echo ssh-server-side: \$SSH_CLIENT"
ssh-server-side: 127.0.0.1 45116 22

[EMAIL PROTECTED]:/$ CLIENT_SIDE_VAR='This is simple bash interpretation'
[EMAIL PROTECTED]:/$ ssh localhost "echo $CLIENT_SIDE_VAR"
This is simple bash interpretation

[EMAIL PROTECTED]:/$ echo "STDIN redirection example" | ssh localhost "cat"
STDIN redirection example

You can also combine them all into one ssh invocation:

[EMAIL PROTECTED]:/$ echo "STDIN redirection example" | ssh localhost
"echo ssh-server-side: \$SSH_CLIENT; echo $CLIENT_SIDE_VAR; cat"
ssh-server-side: 127.0.0.1 45116 22
This is simple bash interpretation
STDIN redirection example



Thanks for trying to help but this is a bad example, security wise and in
practical terms:

1. I want an automatic process (/etc/ppp/ip-up.d/script) to be able to
connect over ssh to a remote site, that process won't have access to the
passphrase so I need to provide it with an identity which isn't protected by
one.
2. Since the identity used is not cryptographically protected, it is very
dangerous to allow it to do just anything on the remote machine.

SSH provides a good way to overcome this:

1. Create a new specialized identity without a passphrase:

$ ssh-keygen -b 2048 -C test -f ~/.ssh/test

2. Copy it over to the remote machine and add options to its line in
authorized_keys (ssh-copy-id makes this copying easy, but it leaves the key
unlimited until you edit the .ssh/authorized_keys file). Here is an example
from the remote .ssh/authorized_keys:

from="10.0.0.*",command="date",no-port-forwarding,no-X11-forwarding,no-pty
ssh-rsa  (key here)

Now whenever I execute "ssh -i /home/amos/.ssh/test [EMAIL PROTECTED]"
I'll get the output of date and the connection will be closed:
$ ssh -i /home/amos/.ssh/test [EMAIL PROTECTED]
Sat Apr 14 15:46:59 EST 2007
   Connection to 10.0.0.5 closed.

Any other command passed to ssh is simply ignored (though I notice a slight
difference in the output when this is attempted - it looks like newlines are
translated to "CRLF", maybe it's a bug with sshd?):

$ ssh -i /home/amos/.ssh/test [EMAIL PROTECTED] cat /etc/passwd
Sat Apr 14 15:53:35 EST 2007

Two more points:

1. The sshd manual (where authorized_keys is documented) says that the "from"
option takes DNS host names, it doesn't mention that IP addresses work too,
as demonstrated above.

2. In my particular case, I'd create a script which reads the SSH_CLIENT or
SSH_CONNECTION envariables and verifies that they make sense (quad-dot,
from a VPN ip range) before using it. If I go the trivial way and just trust
any input passed from the client and someone manages to break into my home
machine he'll be able to redefine my connection back home from work to
connect to his server of choice (host key can be stolen while he's on my
machine so sshd won't warn me).

That said, I'm not sure that I can trust SSH_CLIENT/SSH_CONNECTION since
they are passed from the client. Maybe a getpeername(2) on stdin/stdout can
be used as a more secure way to obtain the client's IP.

Cheers,

--Amos
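The authorized_keys line Amos shows (from=, command=, no-port-forwarding, no-X11-forwarding, no-pty) is the full set of restrictions a passphrase-less automation key should carry. The following is an added example, not code from the thread, that parses an authorized_keys file and reports every key missing one of those restrictions; the sample file is constructed and its key blobs are placeholders, not real keys.

```python
"""Added example: audit authorized_keys for keys that lack the restrictions
Amos applies to his automation key.  Not code from the thread; the sample
file below is constructed and the key blobs are placeholders."""

# Restriction flags a forced-command automation key is expected to carry.
REQUIRED_FLAGS = ("no-X11-forwarding", "no-port-forwarding", "no-pty")
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample; key blobs are placeholders, not real keys
from="10.0.0.*",command="date",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3PLACEHOLDER1 update-vpn
ssh-rsa AAAAB3PLACEHOLDER2 amos@laptop
command="/home/amos/bin/update-config",from="10.0.0.1,10.0.0.2" ssh-ed25519 AAAAC3PLACEHOLDER3 automation
"""


def split_options(text):
    """Split the option field on commas while honouring double quotes, so
    from="10.0.0.1,10.0.0.2" stays one option."""
    options, current, quoted, escaped = [], [], False, False
    for ch in text:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\" and quoted:
            current.append(ch)
            escaped = True
        elif ch == '"':
            current.append(ch)
            quoted = not quoted
        elif ch == "," and not quoted:
            options.append("".join(current))
            current = []
        else:
            current.append(ch)
    if current:
        options.append("".join(current))
    return options


def parse_line(line):
    """Parse one authorized_keys line into options, key type, key and comment;
    return None for blank lines, comments and malformed entries."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        option_text, rest = "", line
    else:
        # The option field ends at the first space outside double quotes.
        quoted, i = False, 0
        while i < len(line):
            ch = line[i]
            if ch == "\\" and quoted:
                i += 2
                continue
            if ch == '"':
                quoted = not quoted
            elif ch == " " and not quoted:
                break
            i += 1
        option_text, rest = line[:i], line[i:].lstrip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    return {"options": split_options(option_text), "type": parts[0],
            "key": parts[1], "comment": parts[2] if len(parts) > 2 else ""}


def audit_entry(entry):
    """Return the list of restrictions missing from one parsed entry."""
    names = {opt.split("=", 1)[0] for opt in entry["options"]}
    findings = []
    if "command" not in names:
        findings.append("no command= restriction")
    if "from" not in names:
        findings.append("no from= restriction")
    # 'restrict' (OpenSSH 7.2 and later) implies all the no-* flags at once.
    if "restrict" not in names:
        findings.extend("missing " + flag for flag in REQUIRED_FLAGS
                        if flag not in names)
    return findings


def audit_file(text):
    """Return (comment, findings) for every key that is not fully restricted."""
    report = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        findings = audit_entry(entry)
        if findings:
            report.append((entry["comment"], findings))
    return report


if __name__ == "__main__":
    for comment, findings in audit_file(SAMPLE_AUTHORIZED_KEYS):
        print(comment or "<no comment>", "->", "; ".join(findings))
```

Run against a real ~/.ssh/authorized_keys it lists the keys that would let a caller run arbitrary commands or open forwards; an interactive key for a person will legitimately show up, so the report is a starting point for review rather than a pass/fail gate.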


Re: dynamically configuring ssh ip address

2007-04-13 Thread Maxim Veksler

On 4/14/07, Amos Shapira <[EMAIL PROTECTED]> wrote:

On 13/04/07, Yehoshua (Shay) O'Hayon Suchar <[EMAIL PROTECTED]> wrote:
> Amos Shapira wrote:
>
> > On 13/04/07, *Moshe Leibovitch* <[EMAIL PROTECTED]
> > > wrote:
> >
> > It may sound too simplistic, but you can mail it to a shell alias
> > which will run a script.
> >
> >
> > Thanks for the idea, but I can only access mail at work through Outlook.
> >
> Can't you configure your client/outlook account to automatically send a
> mail to another machine in the internal network?

I suppose I can but ssh sounds so much easier and straightforward, without
dependence on having Outlook running all the time...



I assume you are aware of the way you run commands on the server with ssh.

Example for those who don't:

[EMAIL PROTECTED]:/$ ssh localhost "echo ssh-server-side: \$SSH_CLIENT"
ssh-server-side: 127.0.0.1 45116 22

[EMAIL PROTECTED]:/$ CLIENT_SIDE_VAR='This is simple bash interpretation'
[EMAIL PROTECTED]:/$ ssh localhost "echo $CLIENT_SIDE_VAR"
This is simple bash interpretation

[EMAIL PROTECTED]:/$ echo "STDIN redirection example" | ssh localhost "cat"
STDIN redirection example

You can also combine them all into one ssh invocation:

[EMAIL PROTECTED]:/$ echo "STDIN redirection example" | ssh localhost
"echo ssh-server-side: \$SSH_CLIENT; echo $CLIENT_SIDE_VAR; cat"
ssh-server-side: 127.0.0.1 45116 22
This is simple bash interpretation
STDIN redirection example



--Amos



Maxim.

--
Cheers,
Maxim Veksler

"Free as in Freedom" - Do u GNU ?




Re: dynamically configuring ssh ip address

2007-04-13 Thread Amos Shapira

On 13/04/07, Yehoshua (Shay) O'Hayon Suchar <[EMAIL PROTECTED]> wrote:


Amos Shapira wrote:

> On 13/04/07, *Moshe Leibovitch* <[EMAIL PROTECTED]
> > wrote:
>
> It may sound too simplistic, but you can mail it to a shell alias
> which will run a script.
>
>
> Thanks for the idea, but I can only access mail at work through Outlook.
>
Can't you configure your client/outlook account to automatically send a
mail to another machine in the internal network?



I suppose I can but ssh sounds so much easier and straightforward, without
dependence on having Outlook running all the time...

--Amos


Re: dynamically configuring ssh ip address

2007-04-13 Thread Ilya Konstantinov

On 4/13/07, Amos Shapira <[EMAIL PROTECTED]> wrote:


(We currently use MS VPN, maybe once I get around to switch to OpenVPN
> > I'll have more control over this and be able to dynamically assign host
> > names based on the user used to login to the VPN? Is this possible with MS
> > VPN?)
>
>
> This is probably the basic Windows RAS Service. In this case, just go to
> Active Directory Users and Computers, select your user, go to the Dial-in
> tab and fill out the "Assign a static IP" input box.
>

This is one part of the system I don't have access to (only the CEO and
CTO can touch the Active Directory).
Is there a chance to get a DNS record dynamically updated to the right IP
address instead of having to allocate a static IP address?



Yep, just as I described: make your company's DNS server accept your DNSSEC
key for updating your home machine's A record. Assuming you have access to
your company's DNS server, of course, since according to you, you're not
allowed to touch the AD...


Re: dynamically configuring ssh ip address

2007-04-13 Thread Yehoshua (Shay) O'Hayon Suchar
Amos Shapira wrote:

> On 13/04/07, *Moshe Leibovitch* <[EMAIL PROTECTED]
> > wrote:
>
> It may sound too simplistic, but you can mail it to a shell alias
> which will run a script.
>
>
> Thanks for the idea, but I can only access mail at work through Outlook.
>
Can't you configure your client/outlook account to automatically send a
mail to another machine in the internal network?





Re: dynamically configuring ssh ip address

2007-04-13 Thread Amos Shapira

On 13/04/07, Ilya Konstantinov <[EMAIL PROTECTED]> wrote:


On 4/13/07, Amos Shapira <[EMAIL PROTECTED]> wrote:
>
> Is this the only way to do this? Is there a more elegant way I'm
> missing?


Yes, subscribe to yet another "dynamic IP name" service for the work IP.
If your sysadmin at work is nice enough and you have an internal DNS server,
you could pretty easily update it with a DNSSEC key and 'nsupdate'.



I am the system manager. I inherited the network a couple of months ago and
going forward hope to transform it to an open network based on Linux, though
there might be some parts (hopefully small island) which I won't be able to
convert (e.g. almost everyone else will want to stick to Windows desktops,
and to Exchange Server).

(We currently use MS VPN, maybe once I get around to switch to OpenVPN I'll

> have more control over this and be able to dynamically assign host names
> based on the user used to login to the VPN? Is this possible with MS VPN?)


This is probably the basic Windows RAS Service. In this case, just go to
Active Directory Users and Computers, select your user, go to the Dial-in
tab and fill out the "Assign a static IP" input box.



This is one part of the system I don't have access to (only the CEO and CTO
can touch the Active Directory).
Is there a chance to get a DNS record dynamically updated to the right IP
address instead of having to allocate a static IP address?

Thanks,

--Amos


Re: dynamically configuring ssh ip address

2007-04-13 Thread Amos Shapira

On 13/04/07, Moshe Leibovitch <[EMAIL PROTECTED]> wrote:


It may sound too simplistic, but you can mail it to a shell alias
which will run a script.



Thanks for the idea, but I can only access mail at work through Outlook.

Also, my question was less about how to get the data - ssh with a special
identity and a limited command looks easier and more secure - but more on how
to get the ip address used by the ssh client at work.

Cheers,

--Amos


Re: dynamically configuring ssh ip address

2007-04-13 Thread Ilya Konstantinov

On 4/13/07, Amos Shapira <[EMAIL PROTECTED]> wrote:


Is this the only way to do this? Is there a more elegant way I'm missing?



Yes, subscribe to yet another "dynamic IP name" service for the work IP. If
your sysadmin at work is nice enough and you have an internal DNS server,
you could pretty easily update it with a DNSSEC key and 'nsupdate'.

(We currently use MS VPN, maybe once I get around to switch to OpenVPN I'll

have more control over this and be able to dynamically assign host names
based on the user used to login to the VPN? Is this possible with MS VPN?)



This is probably the basic Windows RAS Service. In this case, just go to
Active Directory Users and Computers, select your user, go to the Dial-in
tab and fill out the "Assign a static IP" input box.