[erlang-questions] erlang ssh and port forwarding


Max Lapshin

Jan 28, 2018, 3:35:14 AM
to Erlang-Questions Questions
Hi.

I'm writing an ssh proxy in Erlang: https://github.com/flussonic/ssh-proxy

It is required for our support team: engineers need to log in to customers' servers, but I want to make a revocation of access.

So this is a proxy that will hide our team's private key from the whole team (except me).

There is a working POC, but I've got a problem:

port forwarding does not work:

debug1: Connection to port 9080 forwarding to localhost port 80 requested.

debug1: channel 3: new [direct-tcpip]

channel 3: open failed: administratively prohibited: Not allowed

debug1: channel 3: free: direct-tcpip: listening port 9080 for localhost port 80, connect from ::1 port 54743 to ::1 port 9080, nchannels 4


Is something not ready in erlang ssh?

Ali Sabil

Jan 29, 2018, 5:44:09 AM
to Max Lapshin, Erlang-Questions Questions
Hi Max,

I did the same thing some months ago, and I did dive into the Erlang ssh implementation a bit.

I didn't have a need for port forwarding, but as far as I can remember they are not implemented by the ssh application because all `ssh global requests` are denied:

Best,
Ali



Hans Nilsson R

Jan 29, 2018, 7:43:44 AM
to Ali Sabil, Max Lapshin, Erlang-Questions Questions
Hi,

there was a start of tcp port forwarding, but since it makes me feel uneasy to have unfinished code hanging around in security software I removed it in commit 7efc9c9460baa78dba0bc63e300890df5a97812f
Thu Apr 28 16:35:23 2016 +0200

There are currently no plans to implement port-forwarding or X11-forwarding.

/Hans

Max Lapshin

Jan 29, 2018, 9:55:55 AM
to Hans Nilsson R, Erlang-Questions Questions
Hi, Hans.

Yes, found this commit.

Perhaps it is possible to return it as a pluggable thing?

Port forwarding is a very important thing for such a daemon. Would you accept a pull request that makes it possible via some behaviour in daemon options?

Max Lapshin

Jan 29, 2018, 10:02:18 AM
to Hans Nilsson R, Erlang-Questions Questions

-handle_msg(#ssh_msg_channel_open{channel_type = "forwarded-tcpip" = Type,

-                                sender_channel = RemoteId,

-                                initial_window_size = RWindowSz,

-                                maximum_packet_size = RPacketSz,
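
Review bot: the removed handle_msg clause shown here matches only channel_type = "forwarded-tcpip", while the client log at the top of the thread shows the failing request opening a [direct-tcpip] channel. If forwarding is brought back as a pluggable handler, it needs its own clause for "direct-tcpip" rather than a restore of this one, and any channel type the handler does not claim should still be refused.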


I see in this commit forwarded-tcpip, but do not see here direct-tcpip.  Have you implemented it?

Eric des Courtis

Jan 29, 2018, 3:15:27 PM
to Max Lapshin, Erlang-Questions Questions
I need this functionality also. Please consider having a way to plug this functionality back in.

Eric

Hans Nilsson R

Jan 30, 2018, 5:44:04 AM
to Erlang-Questions Questions
I don't know any implementation of direct-tcpip.

And pull requests are always welcome! But as usual, remember doc and test(s)...

Making it pluggable would be excellent. I have not studied the implementation
I removed with that in mind, but if it could be done as a subsystem like sftp
it would be great.

/Hans


> Perhaps it is possible to return it as a pluggable thing?

> Port forwarding is a very important thing for such a daemon. Would you
> accept a pull request that makes it possible via some behaviour in daemon
> options?




Max Lapshin

Feb 20, 2018, 8:38:29 AM
to Hans Nilsson R, Erlang-Questions Questions
Ok, so our tool is working and already deployed as a very MVP for us:



It allows revoking access to a server via an ssh proxying approach.

We will have to dig into the ssh implementation in Erlang and think about how to add direct-tcpip support there.
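
The channel-open exchange discussed in this thread, as an added example that is not code from OTP ssh, ssh-proxy or any participant: it decodes the RFC 4254 `direct-tcpip` / `forwarded-tcpip` open messages, applies a default-deny allow-list, and builds the "administratively prohibited" failure the client log shows. The module name, function names, allow-list shape and window sizes are assumptions made for illustration.

```erlang
%% Added example; not code from OTP ssh or ssh-proxy. Names are hypothetical.
-module(tcpip_open_demo).
-export([decode/1, decide/2, failure/2, demo/0]).

-define(CHANNEL_OPEN, 90).          % SSH_MSG_CHANNEL_OPEN
-define(CHANNEL_OPEN_FAILURE, 92).  % SSH_MSG_CHANNEL_OPEN_FAILURE
-define(ADMIN_PROHIBITED, 1).       % SSH_OPEN_ADMINISTRATIVELY_PROHIBITED

%% RFC 4254 "string": uint32 length followed by that many bytes.
str(B) -> <<(byte_size(B)):32, B/binary>>.

%% Both TCP/IP channel types carry host, port, originator address and port
%% after the common header; only the meaning of host/port differs.
decode(<<?CHANNEL_OPEN, TLen:32, Type:TLen/binary,
         Sender:32, _Window:32, _MaxPacket:32, Rest/binary>>)
  when Type =:= <<"direct-tcpip">>; Type =:= <<"forwarded-tcpip">> ->
    case Rest of
        <<HLen:32, Host:HLen/binary, Port:32,
          OLen:32, Orig:OLen/binary, OPort:32>> ->
            {ok, #{type => Type, sender => Sender, host => Host,
                   port => Port, originator => {Orig, OPort}}};
        _ ->
            {error, malformed}
    end;
decode(_) ->
    {error, not_tcpip_open}.

%% Default deny: a daemon accepts direct-tcpip only for allow-listed targets.
%% forwarded-tcpip is opened by the forwarding side, so a daemon that never
%% requested a remote forward rejects it (RFC 4254, section 7.2).
decide(#{type := <<"direct-tcpip">>, host := H, port := P}, Allow) ->
    case lists:member({H, P}, Allow) of true -> allow; false -> deny end;
decide(#{type := <<"forwarded-tcpip">>}, _Allow) ->
    deny.

failure(Sender, Text) ->
    <<?CHANNEL_OPEN_FAILURE, Sender:32, ?ADMIN_PROHIBITED:32,
      (str(Text))/binary, (str(<<>>))/binary>>.   % empty language tag

%% Constructed message mirroring the client log: localhost:80 from ::1.
demo() ->
    Msg = <<?CHANNEL_OPEN, (str(<<"direct-tcpip">>))/binary,
            3:32, 2097152:32, 32768:32,
            (str(<<"localhost">>))/binary, 80:32,
            (str(<<"::1">>))/binary, 54743:32>>,
    {ok, Open} = decode(Msg),
    {decide(Open, [{<<"localhost">>, 8080}]),
     failure(maps:get(sender, Open), <<"Not allowed">>)}.
```

Calling `tcpip_open_demo:demo().` after compiling the module returns `deny` together with the encoded failure message, because `localhost:80` is not in the constructed allow-list.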