0

This is my use case:

I have a bunch of hosts behind load-balancers and clients SSH through the load-balancer. The LB internally creates a new connection, so the connection with the end-host has the LB's IP address. In order to know who started the request, the load-balancer is set up to forward the client IP address in a header. I'm not entirely familiar with how the forwarding works, but based on my understanding a magic number is added to the header, followed by the length of the field and then the field itself containing the ClientIP.

Is there a way to tell the SSHD to retrieve the forwarded client IP? I'm sorry if the details are a little confusing; I'm not familiar with the networking part, but my team has this use case and would like to know how to have the SSHD retrieve the CIP (client IP) from the TCP packet.

broun
  • 187
  • 2
  • 2
  • 8

1 Answer

0

If the load balancing was operating in DSR mode, the sshd process would see only the client IP and never the IP of the load balancer. I assume there is something in your networking setup preventing the use of DSR, so you have to use other methods.

There are different protocol layers at which the client IP could be inserted in a header.

  • IP layer: not a good idea as this is totally different between IPv4 and IPv6.
  • TCP layer: could work, but I see no such option on the official list of TCP options.
  • HTTP layer: X-Forwarded-For is widely used for this, but being HTTP specific, you cannot use that with ssh.

Using tools such as tcpdump or wireshark, you can inspect traffic to find out which header is used to communicate the client IP. A suitable tcpdump command to run on the server could look like this: tcpdump -pni eth0 -s0 -Uw /tmp/ssh-traffic.pcap 'port 22'

The output file can then be analyzed using either tcpdump or wireshark.

kasperd
  • 29,894
  • 16
  • 72
  • 122
  • Looks like the IP is embedded in the TCP layer. Maybe this could help: I was asked for a magic number (some random number), and the CIP presence is determined based on the presence of the magic number in the header. – broun Apr 25 '14 at 07:05
  • The only way that could be embedded in the TCP layer is through a TCP option. None of the options on the official list, which I linked to, appear to be appropriate for that. The IP could be communicated through one of the unauthorized usages mentioned. Using wireshark it is possible to tell if that is the case. – kasperd Apr 25 '14 at 08:05
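To run the check kasperd suggests (whether some non-standard TCP option is what carries the client IP) over the file written by the tcpdump command above, without opening Wireshark, here is an added example that is not part of the original thread. It parses a classic pcap of Ethernet/IPv4/TCP frames and lists every option kind outside the IANA-assigned set; the capture it ships with is constructed inline, and the kind-253 experimental option carrying an IPv4 address is a hypothetical stand-in for the load balancer's header, not a documented format.

```python
import struct
# TCP option kinds a stock stack emits (IANA registry); anything else may carry out-of-band data.
KNOWN_KINDS = {0, 1, 2, 3, 4, 5, 8, 19, 28, 29, 30, 34}

def tcp_options(segment):
    """Yield (kind, payload) for each option in a raw TCP segment."""
    end = (segment[12] >> 4) * 4 if len(segment) >= 20 else 0  # data offset
    opts, i = segment[20:end], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # EOL
            break
        if kind == 1:                       # NOP has no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                           # truncated/malformed: never over-read
        yield kind, bytes(opts[i + 2:i + opts[i + 1]])
        i += opts[i + 1]

def unknown_tcp_options(pcap):
    """Return (src, dst, kind, payload) per non-standard option in a classic pcap."""
    e = "<" if struct.unpack_from("<I", pcap)[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    if struct.unpack_from(e + "I", pcap, 20)[0] != 1:        # linktype 1 = Ethernet
        raise ValueError("only Ethernet captures are supported")
    hits, off = [], 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(e + "IIII", pcap, off)[2]  # captured length
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                         # IPv4 + TCP only
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack_from(">H", frame, 16)[0]
        src, dst = (".".join(str(b) for b in frame[a:a + 4]) for a in (26, 30))
        for kind, payload in tcp_options(frame[14 + ihl:14 + total]):
            if kind not in KNOWN_KINDS:
                hits.append((src, dst, kind, payload))
    return hits

def sample_pcap():
    """Constructed SYN to port 22: MSS plus a hypothetical kind-253 option holding 192.0.2.77."""
    opts = b"\x02\x04\x05\xb4\x01\x01\xfd\x06" + bytes([192, 0, 2, 77])
    tcp = struct.pack(">HHIIBBHHH", 40000, 22, 1, 0, (5 + len(opts) // 4) << 4,
                      0x02, 65535, 0, 0) + opts
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([198, 51, 100, 20]), bytes([203, 0, 113, 5]))
    frame = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip + tcp
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
```

Feed the bytes of /tmp/ssh-traffic.pcap to unknown_tcp_options; an empty result means the client IP is not travelling in a TCP option and the stream payload is the next place to look. Whatever header turns out to carry it, the server should honour it only on connections arriving from the load balancer's own address, since any other peer could set the same bytes.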