gliderlabs / ssh

Easy SSH servers in Golang
https://godoc.org/github.com/gliderlabs/ssh
BSD 3-Clause "New" or "Revised" License

Intercept remote port forwarding connections and filter out by IP #233

Open willdot opened 3 weeks ago

willdot commented 3 weeks ago

When using a ForwardedTCPHandler as a request handler for remote port forwarding, it would be nice to be able to reject connections unless their IP is "allowed".

This can be done with an intercept handler which can be set on the ForwardedTCPHandler type and then used within HandleSSHRequest().

It could accept a net.Addr() and return a true/false result. If true, the incoming connection can be continued as normal but if false, the connection can be closed and thus be rejected.

The use case for this is that I'm creating a tool (like Ngrok) that will allow a command such as ssh -R some-domain:5000:localhost:3000 some-domain -p 2222 to be run locally, which will allow people to make requests to http://some-domain:5000 and it will forward the request to an app running locally. However, by doing so, anyone could get hold of that URL and send requests to me. By allowing an intercept functionality this can be limited by IP address.

mohammed90 commented 3 weeks ago

Kadeessh, a Caddy plugin built atop this amazing lib, can do that by implementing a custom module that implements a specific interface. The filter by remote IP isn't implemented yet, but it can be easily done in a few lines.

If you nerdsnipe me enough, I might just do it soon 😄 The development on Kadeessh is slow due to poverty in time and feedback. I've been trying to revive it.

smlx commented 3 weeks ago

Isn't this already possible by inspecting the Context passed to the RequestHandler?

willdot commented 3 weeks ago

> Kadeessh, a Caddy plugin built atop this amazing lib, can do that by implementing a custom module that implements a specific interface. The filter by remote IP isn't implemented yet, but it can be easily done in a few lines.
>
> If you nerdsnipe me enough, I might just do it soon 😄 The development on Kadeessh is slow due to poverty in time and feedback. I've been trying to revive it.

I thought there may have been a Caddy implementation of what I'm trying to do, but I'm attempting to write a service myself 😝

willdot commented 3 weeks ago

> Isn't this already possible by inspecting the Context passed to the RequestHandler?

If you mean the Forwarded Request Handler, that only fires when the SSH tunnel is created, and inside that is a constant for loop that fires when someone visits the "tunnelled" address. So the IP for that will be the person that is setting up the remote port forward, not the person that is calling the tunnel address.
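Added example, not code from gliderlabs/ssh or from anyone in this thread: a Go sketch of the intercept the issue asks for. `IPAllowList` is the proposed net.Addr-in, true/false-out filter, and `FilteredListener` shows where it has to run, namely per accepted connection on the listener opened for the -R port, because (as the last comment notes) that is the only point where the visitor's address rather than the SSH client's is known. All names are hypothetical.

```go
package main

import (
	"net"
	"sync/atomic"
)

// IPAllowList is a hypothetical intercept filter with the shape proposed in
// the issue: given a net.Addr it returns true (continue) or false (reject).
type IPAllowList []*net.IPNet

// Allow fails closed: nil or non-TCP addresses are rejected. The forwarded
// listener is TCP, so RemoteAddr() of an accepted connection is a *net.TCPAddr.
func (l IPAllowList) Allow(addr net.Addr) bool {
	tcp, _ := addr.(*net.TCPAddr) // nil when addr is nil or not TCP
	if tcp == nil {
		return false
	}
	for _, n := range l {
		if n.Contains(tcp.IP) {
			return true
		}
	}
	return false
}

// FilteredListener wraps the listener the handler opens for the -R port. The
// check runs per accepted connection, the only point where the visitor's
// address (rather than the SSH client's) is known.
type FilteredListener struct {
	net.Listener
	Filter   func(net.Addr) bool
	rejected int64 // how many peers were dropped; export it to logs or metrics
}

// Accept returns the next allowed connection and closes rejected ones before
// any forwarded-tcpip channel would be opened back to the SSH client.
func (f *FilteredListener) Accept() (net.Conn, error) {
	for {
		c, err := f.Listener.Accept()
		if err != nil {
			return nil, err
		}
		if f.Filter(c.RemoteAddr()) {
			return c, nil
		}
		atomic.AddInt64(&f.rejected, 1)
		c.Close()
	}
}

func (f *FilteredListener) Rejected() int64 { return atomic.LoadInt64(&f.rejected) }
```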