Redirecting SSH on login, however SFTP does not work


I'm trying to set up an SSH proxy for our users using an automated jumpbox. The user logs in and gets automatically SSHed off to his container/vm, which works great. Regretfully, SFTP which tunnels over it does not. I'm sure this has to do with how I've set it up as it's basically just piping term back and not doing the tunneling properly.

/etc/passwd

redtest:x:1002:1002::/home/redtest:/usr/bin/redtest

/usr/bin/redtest

#!/bin/bash
/usr/bin/ssh redtest -t -F ~/.ssh/config

/home/redtest/.ssh/config

Host redtest
        HostName redtest1
        User root
        IdentityFile ~/.ssh/id_rsa

What's the correct way to set something like this up, or is this even possible? The logins are one to one with the containers. Appreciate a nudge in the right direction!

sashman13

Posted 2015-06-16T20:43:33.777

Reputation: 33

http://superuser.com/questions/96489/ssh-tunnel-via-multiple-hops, does the answer suggesting a proxycommand help you here? – Paul – 2015-06-16T20:51:46.430

Appreciate the reply. My first attempt was with tunneling and that worked pretty well when I ran it command line. Since the tunnel needs to be user specific, I don't think I can put it into the main ssh config. Hence the SSH -> SSH on login -> End system. The second SSH is breaking the tunnel. This may just be not possible. – sashman13 – 2015-06-16T21:42:12.593

Answers


When a remote ssh client requests to run a command on the server, the OpenSSH server launches the local user's shell with the "-c" option to run the command. It runs the equivalent of this:

$SHELL -c 'the requested command'

Eg, if the remote user ran:

ssh user@somehost 'rm -rf /'

and "user@somehost" had /bin/bash as his shell, then the server would run the equivalent of:

/bin/bash -c 'rm -rf /'

SFTP is a little more complicated, but you end up in the same place. The remote client requests the server to run the "sftp" subsystem. In the server's sshd_config file, you probably have a line like this:

Subsystem sftp /path/to/sftp-server

That line says "When a client requests the 'sftp' subsystem, run /path/to/sftp-server". sftp-server is a program included with OpenSSH which implements the server part of the SFTP protocol. So when an ssh client connects and requests the sftp subsystem, the server ends up running:

$SHELL -c /path/to/sftp-server

(There is a special case called "internal-sftp" which I won't go into here.)

Now, you've written a script named /usr/bin/redtest and set it to be the user's shell. So when a remote user tries to run sftp, the server will end up running:

/usr/bin/redtest -c /path/to/sftp-server

Your redtest script ignores its command line and just starts a plain ssh session to the target server. It never runs the sftp-server program on the target server.

To make this work, you need to make redtest start sftp-server on the target host when redtest is run in this fashion. If you're not too picky about what the user runs on the target host, then something like this ought to work:

#!/bin/bash
if [ "$1" = "-c" ]
then
    /usr/bin/ssh redtest -F ~/.ssh/config "$2"
else
    /usr/bin/ssh redtest -t -F ~/.ssh/config
fi

This will pass through any command requested by the client, not just sftp. This shouldn't be a problem, since users apparently have root command-line access to the target servers anyway.

You may run into a problem here if the jump host and the target host don't have the sftp-server program in the same place. The ssh server on the jump host will try to run sftp-server using the path from the jump host's config, which may not be correct for the target host. You'll have to make sure sftp-server can be invoked on the target host, using the path in the jump host's sshd_config.

If you want to make the redtest script more sophisticated, you could arrange for it to run something like this when the remote user tries to run sftp:

/usr/bin/ssh redtest -F ~/.ssh/config -s sftp

The -s and sftp arguments specifically request to run the sftp subsystem on the target host.

Kenster

Posted 2015-06-16T20:43:33.777

Reputation: 5 474

What a great answer, and both the passing of the command and requesting the subsystem worked perfectly. Was just reading about this and am glad to hear your explanation on how it's called. Relieved it's such a simple solution. I was just testing with a root user and not all have root priv, but I'm hoping that doesn't matter as the target box is using their account on the ssh. – sashman13 – 2015-06-16T22:53:20.167
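Putting the answer's two suggestions together, here is an added example of a forwarding login shell (not the answer's or the question's own script) that handles all three ways sshd invokes it: no arguments for an interactive login, `-c command`, and `-c <sftp-server path>` for the sftp subsystem, which it turns into an `-s sftp` request so the sftp-server path mismatch described above cannot bite. The Host alias `redtest` and the install path `/usr/bin/redtest` come from the question; the sftp-server path is an assumed value to be copied from the jump host's sshd_config.

```shell
#!/bin/sh
# Added example (not the answer's own script): a login shell for the jump
# host that forwards the three ways sshd can invoke it: no args (interactive
# login), "-c <command>", and "-c <sftp-server path>" for the sftp subsystem.
# The Host alias "redtest" comes from the question; the sftp-server path and
# install path below are assumptions for the example.

SSH_TARGET="redtest"                  # Host stanza in the user's ~/.ssh/config
SSH_CONFIG="$HOME/.ssh/config"
INSTALL_PATH="/usr/bin/redtest"       # path used as the shell in /etc/passwd
# What the jump host's sshd passes after "-c" for sftp: copy it from the
# "Subsystem sftp ..." line in that host's sshd_config (assumed value here).
JUMP_SFTP_SERVER="/usr/lib/openssh/sftp-server"

# Print one argument per line; lets the decision be checked without running ssh.
print_argv() { printf '%s\n' "$@"; }

# forward_session LAUNCHER [args sshd gave the shell]
# LAUNCHER is "exec" for real use or "print_argv" to only show the plan.
forward_session() {
    run=$1
    shift
    if [ $# -eq 0 ]; then
        # Interactive login: allocate a tty on the target.
        "$run" ssh -t -F "$SSH_CONFIG" "$SSH_TARGET"
    elif [ $# -eq 2 ] && [ "$1" = "-c" ]; then
        case "$2" in
            "$JUMP_SFTP_SERVER")
                # sftp request: ask the target for its own sftp subsystem, so
                # sftp-server need not live at the same path on both hosts.
                "$run" ssh -F "$SSH_CONFIG" -s "$SSH_TARGET" sftp ;;
            *)
                # Plain "ssh user@jump 'cmd'": hand the command string on.
                "$run" ssh -F "$SSH_CONFIG" "$SSH_TARGET" "$2" ;;
        esac
    else
        # Not a form sshd uses for a login shell; refuse rather than guess.
        return 1
    fi
}

plan_session() { forward_session print_argv "$@"; }

# Take over the session only when sshd ran this file from its installed path;
# run from anywhere else (e.g. for testing) it only defines the functions.
if [ "$0" = "$INSTALL_PATH" ]; then
    forward_session exec "$@" || exit 1
fi
```

Running the file from any other path and calling `plan_session -c /usr/lib/openssh/sftp-server` shows the ssh command line that would be executed, which is a convenient way to check the sftp mapping before pointing /etc/passwd at it.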