Re: Fully transparent SSH proxy
- Subject: Re: Fully transparent SSH proxy
- From: Aris Adamantiadis <aris@xxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Tue, 22 Jun 2010 11:43:54 +0200
- To: libssh@xxxxxxxxxx
Hi Andrea,

What you suggest will be possible with the next API (in git master). Currently, there is no public API to hook the parsing of packets. Which libssh version are you using? Did you modify something?

There are several layers on which you can do that. You could for instance use the channel layer (using ssh_messages) to proxy the messages; this has the advantage of permitting more fine-grained selection of the authorized functionalities.

Of course there is something that cannot work at all: public key authentication. Are you using it? Using password authentication in my opinion is a big step backward in the security of the systems you're trying to protect. I can see workarounds, let me know if you wish to discuss it.

Aris

Andrea Moretto wrote:
> Hi there!
>
> I would like to implement a FULLY TRANSPARENT SSH proxy using libssh.
> I am aware that an SSH proxy is a breach in an SSH secured system (MITM),
> but in my environment the security (and the identification) is granted
> by an underlying VPN.
>
> By "proxy" I mean an application that has both SSH server and SSH client
> parts. As soon as a new connection is accepted from the server, a new "forwarded"
> SSH session is opened towards the destination.
>
> I have actually done most of the code, but I am not sure I am forwarding all
> the packets to the destination. Is there a way to forward "blindly" all the
> payload to the forwarded SSH session?
>
> Thanks in advance!
>
> Andrea Moretto
> moretto.andrea@xxxxxxxxx
> -------------------------------------------------------
> CONFIDENTIALITY NOTICE
> This message and its attachments are addressed solely to the persons
> above and may contain confidential information. If you have received
> the message in error, be informed that any use of the content hereof
> is prohibited. Please return it immediately to the sender and delete
> the message.
> -------------------------------------------------------
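Added example, not part of the original message or of libssh: one reason public key authentication does not survive a proxy that terminates SSH on both sides is that the client's signature covers the session identifier (RFC 4252, section 7), and the proxy's two key exchanges yield two different identifiers. The sketch builds that signed data for both legs and checks one signature against each; a Lamport one-time signature stands in for a real SSH key algorithm, and the user name, algorithm name, key blob and session IDs are constructed.

```python
import hashlib
import os
import struct

def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def signed_data(session_id: bytes, user: bytes, algo: bytes, pub_blob: bytes) -> bytes:
    """Bytes covered by the publickey signature (RFC 4252, section 7)."""
    return (ssh_string(session_id) + bytes([50])    # 50 = SSH_MSG_USERAUTH_REQUEST
            + ssh_string(user) + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey") + b"\x01"    # TRUE: a signature follows
            + ssh_string(algo) + ssh_string(pub_blob))

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def msg_bits(msg: bytes) -> list:
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Lamport one-time signature: stand-in for the real SSH key algorithm.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes) -> list:
    return [sk[i][bit] for i, bit in enumerate(msg_bits(msg))]

def verify(pk, msg: bytes, sig: list) -> bool:
    return all(H(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, msg_bits(msg))))

def demo():
    sk, pk = keygen()
    pub_blob = H(b"".join(a + b for a, b in pk))    # constructed key blob
    user, algo = b"alice", b"lamport-demo"          # constructed names
    sid_client_proxy = os.urandom(32)   # exchange hash, client <-> proxy
    sid_proxy_server = os.urandom(32)   # exchange hash, proxy <-> server
    sig = sign(sk, signed_data(sid_client_proxy, user, algo, pub_blob))
    ok_at_proxy = verify(pk, signed_data(sid_client_proxy, user, algo, pub_blob), sig)
    ok_at_server = verify(pk, signed_data(sid_proxy_server, user, algo, pub_blob), sig)
    return ok_at_proxy, ok_at_server

if __name__ == "__main__":
    print(demo())
```

The signature verifies only against the session it was made for, so the proxy cannot replay it on the second leg and has to authenticate to the destination some other way.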