
I have created a jumphost/bastion that will act just as that: a jumphost to certain hosts:ports.

I am aware that I can limit users/groups with the following:

Match User Alice
   PermitOpen some.host.tld:80 another.host.tld:22 third.host.tld:443

And due to some requirements, I need to be able to utilize SOCKS proxies. This is enabled by the following:

   PermitTTY yes
   PermitTunnel yes
   AllowTcpForwarding yes

This works as expected.

However, how do I ensure that only the application the client specifically allowed (such as Firefox) is using the SOCKS proxy, and not some random other application on the client? Can I limit the sessions/applications using the connection on the SSH server?

I did try with "MaxSessions 1", but sadly it does not seem to apply to SOCKS proxies.

Orphans
  • https://serverfault.com/a/336091/164840 – Marcel Oct 21 '22 at 11:54
  • https://github.com/TooTallNate/node-socks-proxy-agent – Marcel Oct 21 '22 at 11:54
  • duplicate of https://serverfault.com/questions/336067/how-can-i-setup-a-socks-proxy-over-ssh-with-password-based-authentication-on-cen/ – Marcel Oct 21 '22 at 11:55
  • https://stackoverflow.com/questions/6054092/how-to-add-authentication-to-a-socks5-proxy-server – Marcel Oct 21 '22 at 11:55
  • I would not argue that this is a duplicate, since the question is more broad. However, I should narrow it down be more clear about what I mean. – Orphans Oct 22 '22 at 14:00
  • There's a solution here: https://serverfault.com/questions/914808/how-to-forbid-connecting-to-localhost-for-ssh-socks5-proxy - maybe it fits your needs? – Marcel Oct 25 '22 at 08:38
  • @Marcel can you add that into your answer below, so I can mark that as a solution? This seems indeed like the best way to do it for now. – Orphans Oct 27 '22 at 12:48
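An added example, not code from the question or the answer: a small model of how sshd evaluates `PermitOpen` for a user, so a jumphost policy like the one above can be checked before it is deployed. The sshd_config text inside it is constructed (deny everything globally, allow per user) and reuses the question's placeholder host names; the comparison rules come from sshd_config(5): `any` lifts all limits, `none` forbids every forward, `*` wildcards a host or a port, host names are compared literally (no DNS lookup), and the first matching `Match` block wins per keyword. It goes a little beyond the question in two ways: it handles `any`/`none`/wildcards/IPv6 entries, and it uses `AllowTcpForwarding local`, which is all that `-L` and `-D` need (both reach sshd as direct-tcpip channel requests, which is also why `PermitOpen` governs SOCKS destinations); `PermitTunnel` and `PermitTTY` are not involved in the proxy. Only `Match User` criteria without negated patterns are modelled, which is an assumption of this example.

```python
"""Evaluate an sshd_config PermitOpen policy for a jumphost user.

Added example, not code from the question or the answer. The config text is
constructed; the host names are the placeholders used in the question.
Only `Match User <patterns>` criteria are modelled (no negation), and the
first matching Match block wins for each keyword, as in sshd.
"""
from fnmatch import fnmatchcase

SAMPLE_SSHD_CONFIG = """\
# constructed jumphost policy: deny everything globally, allow per user
AllowTcpForwarding no
PermitOpen none
PermitTunnel no
PermitTTY no

Match User Alice
   # `local` is enough for -L and -D (direct-tcpip); -R stays blocked
   AllowTcpForwarding local
   PermitOpen some.host.tld:80 another.host.tld:22 third.host.tld:443

Match User Bob
   AllowTcpForwarding local
   PermitOpen 10.0.0.5:*
"""


def parse_sshd_config(text):
    """Return (global_options, [(user_patterns, options), ...]).

    Within a block the first occurrence of a keyword wins (sshd ignores
    later duplicates), hence setdefault() instead of assignment.
    """
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            crit = value.split()
            if len(crit) != 2 or crit[0].lower() != "user":
                raise ValueError("only 'Match User <patterns>' is modelled")
            current = {}
            blocks.append((crit[1].split(","), current))
            continue
        target = current if current is not None else global_opts
        target.setdefault(keyword, value)
    return global_opts, blocks


def effective_options(parsed, user):
    """Merge options for `user`: matching Match blocks first, then globals."""
    global_opts, blocks = parsed
    result = {}
    for patterns, opts in blocks:
        if any(fnmatchcase(user, p) for p in patterns):
            for k, v in opts.items():
                result.setdefault(k, v)
    for k, v in global_opts.items():
        result.setdefault(k, v)
    return result


def _split_host_port(entry):
    """'host:port' or '[ipv6]:port' -> (host, port) as strings."""
    if entry.startswith("["):
        host, _, port = entry[1:].partition("]:")
        return host, port
    host, _, port = entry.rpartition(":")
    return host, port


def permit_open_allows(permit_open, host, port):
    """Does a PermitOpen value allow a direct-tcpip request to host:port?"""
    entries = permit_open.split()
    if entries == ["any"]:
        return True
    if entries == ["none"]:
        return False
    for entry in entries:
        ahost, aport = _split_host_port(entry)
        # host names are compared literally; '*' matches any host or port
        if ahost in ("*", host) and aport in ("*", str(port)):
            return True
    return False


def forwarding_allowed(config_text, user, host, port):
    """True if `user` may open host:port through -L or -D on this sshd."""
    opts = effective_options(parse_sshd_config(config_text), user)
    # AllowTcpForwarding defaults to yes; `remote` and `no` block -L/-D.
    mode = opts.get("allowtcpforwarding", "yes").lower()
    if mode not in ("yes", "all", "local"):
        return False
    # PermitOpen defaults to any when it is not set at all.
    return permit_open_allows(opts.get("permitopen", "any"), host, port)


if __name__ == "__main__":
    for user, host, port in [("Alice", "some.host.tld", 80),
                             ("Alice", "some.host.tld", 443),
                             ("Bob", "10.0.0.5", 8443),
                             ("Carol", "some.host.tld", 80)]:
        ok = forwarding_allowed(SAMPLE_SSHD_CONFIG, user, host, port)
        print(f"{user:6} {host}:{port} -> {'allowed' if ok else 'denied'}")
```

Running it shows Alice reaching some.host.tld:80 but not some.host.tld:443, Bob reaching any port on 10.0.0.5, and a user with no Match block (Carol) getting nothing because the global `AllowTcpForwarding no` applies. What the model cannot express is the question's actual concern: once the SOCKS listener exists on the client, sshd only ever sees direct-tcpip requests, with no indication of which client process produced them.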

1 Answer


One way of authenticating the usage of the socks5 is to have a reverse proxy with basic auth forwarding traffic to it, but you won't be able to protect it against usage by other users that can see the port on the loopback device locally. The Dynamic Port Forwarding from SSH will trust anyone with access to the machine it's listening on. But maybe, if you manage to have -D listen on a unix domain socket, you might be able to set user+group permissions on the named pipe and have some form of security against non-root users. But ssh's user manual doesn't mention any unix domain socket forwarding for dynamic port forwarding (-D) for socks4/5 usage. I think it's a long shot. You should trust people logged into the machine.

There's a solution here: how to forbid connecting to localhost for ssh socks5 proxy (https://serverfault.com/questions/914808/how-to-forbid-connecting-to-localhost-for-ssh-socks5-proxy)

Marcel
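An added example (not Marcel's code) for the point the answer makes: the `-D` listener on the client's loopback accepts connections from any local process, so the only place to see who is using it is the client itself. The script reads the Linux `/proc/net/tcp` table and lists every established connection whose peer is the SOCKS listener, with the owning uid and, when permissions allow, the pid; the listener address (127.0.0.1:1080) and the `/proc/net/tcp` snapshot embedded in it are constructed for the example, and the snapshot deliberately includes a connection from a second local user (uid 1001) to show what the answer warns about.

```python
"""Audit which local sockets are connected to the client-side SOCKS listener.

Added example, not code from the answer. It parses the Linux /proc/net/tcp
table (the sample below is constructed) and lists every established
connection whose peer is the listener that `ssh -D` opened, assumed here to
be 127.0.0.1:1080.
"""
import os
import socket
import struct

SOCKS_ADDR = ("127.0.0.1", 1080)  # assumed -D listener address
ESTABLISHED = "01"                # tcp state code used by /proc/net/tcp

# Constructed snapshot: row 0 is the listener, rows 1 and 3 are loopback
# clients of it (row 2 is the accept side held by ssh), row 4 is unrelated.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0438 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41211 1 0000000000000000 100 0 0 10 0
   1: 0100007F:A3F2 0100007F:0438 01 00000000:00000000 00:00000000 00000000  1000        0 41305 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:0438 0100007F:A3F2 01 00000000:00000000 00:00000000 00000000  1000        0 41306 1 0000000000000000 20 4 30 10 -1
   3: 0100007F:B1C0 0100007F:0438 01 00000000:00000000 00:00000000 00000000  1001        0 41420 1 0000000000000000 20 4 30 10 -1
   4: 0A00020F:E1A4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 39988 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(field):
    """'0100007F:0438' -> ('127.0.0.1', 1080); the IPv4 part is little-endian."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per row: local/remote endpoints, state, uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": f[3],
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def socks_clients(rows, listener=SOCKS_ADDR):
    """Established sockets whose peer is the SOCKS listener (the client sides)."""
    return [r for r in rows
            if r["state"] == ESTABLISHED and r["remote"] == listener]


def inode_to_pids(inodes):
    """Map socket inodes to pids by scanning /proc/<pid>/fd.

    Depends on the live system and on being allowed to read other users'
    fd tables, so it is only called from the __main__ block below.
    """
    wanted = {f"socket:[{i}]" for i in inodes}
    found = {}
    try:
        pids = [p for p in os.listdir("/proc") if p.isdigit()]
    except OSError:
        return found  # not a Linux procfs
    for pid in pids:
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target in wanted:
                    found.setdefault(int(target[8:-1]), []).append(int(pid))
        except OSError:
            continue  # another user's process, or it already exited
    return found


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            rows = parse_proc_net_tcp(fh.read())
    except OSError:
        rows = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    clients = socks_clients(rows)
    pids = inode_to_pids(r["inode"] for r in clients)
    for r in clients:
        print(f"uid={r['uid']} local={r['local'][0]}:{r['local'][1]} "
              f"inode={r['inode']} pids={pids.get(r['inode'], [])}")
```

On the constructed snapshot this reports two clients of the listener, one owned by uid 1000 and one by uid 1001; on a real machine the pid column tells you whether it is the browser you expected. This is an audit, not a control: the only way to keep other local users off the listener is to not share the machine, which is what the answer concludes.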