SSH forwarding according to user

thalesmaia · September 20, 2019, 7:26pm

Maybe my question is a bit silly, however here is my problem. I'm building a IoT network with different devices. Each device can be accessed through SSH. However, they are all behind my OpenWRT router.

Is there a way to SSH into the public IP. When OpenWRT check the request with a specific user it redirects to the internal IP? In other words, is it possible to port forward 22 according to the user?

ssh john at openwrt_public_ip -> John at 192.168.1.100
ssh michael at openwrt_public_ip -> michael at 192.168.1.101
ssh jessy at openwrt_public_ip -> jessy at 192.168.1.102

My problem is that I have multiple users accessing their devices and I'm having lot of trouble creating port variations for each device.

John at 192.168.1.100 -p 2221
michael at 192.168.1.101 -p 2222
jessy at 192.168.1.102 -p 2223

jeff · September 20, 2019, 7:48pm

One challenge is that the user name is not revealed to intermediate hosts, only to the target host, so "strictly speaking", you can't switch at a router based on the user name.

You potentially could do something with OpenSSH (man ssh_config and look at host matching and things like ProxyJump) and/or binding commands instead of a shell (the user "logs in" to the OpenWrt ssh server, which then runs an ssh command, instead of a shell).

slh · September 20, 2019, 8:22pm

I have used ssh extensively to tunnel and proxy connections in the past, these days I'd just install a VPN server (strongswan, wireguard, openvpn) and use that instead.

thalesmaia · September 20, 2019, 8:34pm

Hello @jeff, do you have any reference about it where I can read more?

Hi @slh, I've implemented openvpn before, however once they are inside, they can mesh up and discover other devices. Any suggestion to avoid that?

jeff · September 20, 2019, 8:41pm

Not too many closely related references (and none that I know of that address this directly), as it seems far too fragile and complex a solution to a use case that isn't clear to me.

Any of a number of references on key-based SSH authentication. One I quickly found is:

https://research.kudelskisecurity.com/2013/05/14/restrict-ssh-logins-to-a-single-command/

The challenge is that user names are intended for authentication at the destination host, not for routing along the way. It seems a lot easier to tell john that he should use ssh -p 100 john@example.com to get to "his" device, than it would be to implement some seemingly crazy hack to create two SSH sessions automatically, just to extract a user name.

vgaetera · September 21, 2019, 3:35am

Use a separate zone with restrictive policy and no forwarding.
Add individual forwarding rules for each client.

However, note that it can't help if the destination host is not isolated enough.

jeff · September 21, 2019, 4:40pm

Putting each destination device on its own VLAN would be an approach (with appropriate firewalling). Even limiting ssh access from the outside doesn’t prevent Target 1 from being used as a jump point to Target 2 without something between the two that restricts access.

system · October 3, 2019, 2:07am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.