Saturday, 2 February 2019

sshd - transfer information about the connection from ssh client to ssh server


suppose I have the following ssh session:


userA@boxA -> userB@boxB -> userC@boxC

now, from boxC, as userC, I would like to have the information that the ssh connection came from userB@boxB which in turn came from userA@boxA.


now I have the following ssh session along with the first ssh session:


userD@boxD -> userB@boxB

from boxB, as userB, I would like to have the information that the connection came from userD@boxD and that there is a second ssh session coming from userA@boxA.


is this information available and accessible as user? is it even available at all?


if not, is there any "easy" way to make this information available? with easy I mean without hacking and recompiling sshd, and without having to have root access on the machines.



Answer



The official way to send environment variables from client to server is through SendEnv and AcceptEnv. The problem is that you need root access on the server to configure AcceptEnv. Most servers are configured to accept no or only a few predetermined variables.


I found two tricks to send environment variables from client to server, both work without needing root access on the server.



ssh -t server SSH_ORIGIN=$USERNAME@$HOSTNAME bash

this will connect to server and then execute the command SSH_ORIGIN=$USERNAME@$HOSTNAME bash, with $USERNAME and $HOSTNAME already replaced on the client side. then, on the server side, you can further process the information contained in the variable SSH_ORIGIN.


the -t is needed otherwise bash will be started on the server without a tty (try it, you will see).


a slight modification will allow to pass the information transitively down a longer ssh chain.


ssh -t server SSH_ORIGIN=$USERNAME@$HOSTNAME:$SSH_ORIGIN bash

discussion:



  • bash is started as an interactive non-login shell (.profile is not read).

  • bash is run twice (.bashrc is read twice). once by sshd and once by the user command.

  • it will always start bash, ignoring your default shell on the server.



first you must generate a ssh key and transfer that to ~/.ssh/authorized_keys on the server. then prepend the line with command="$SHELL". see the sshd manpage for more information on this.


connect to ssh server using the command:


ssh -t server SSH_ORIGIN=$USERNAME@$HOSTNAME

this will connect to the server but this time the variable assignment is not executed. instead, the string is stored in the environment variable $SSH_ORIGINAL_COMMAND. then the command provided in ~/.ssh/authorized_keys is executed. once you are in the shell you can process the information contained in $SSH_ORIGINAL_COMMAND.


as above, you can make this transitive:


ssh -t server SSH_ORIGIN=$USERNAME@$HOSTNAME:$SSH_ORIGIN

discussion:



  • it will start the default shell on the server.

  • it will always start the default shell on the server. any command you give to the ssh command will be ignored and stored in $SSH_ORIGINAL_COMMAND. if you want to execute a command over ssh you can use a different ssh key or have your shell init file to detect and execute $SSH_ORIGINAL_COMMAND.


No comments:

Post a Comment

Where does Skype save my contact's avatars in Linux?

I'm using Skype on Linux. Where can I find images cached by skype of my contact's avatars? Answer I wanted to get those Skype avat...