[Solved] PF forwarding

Wondering if anyone had any ideas on how to forward traffic to certain internal machines based on user account?

I'm going to have 2 machines running behind my firewall, each with about 80 user accounts and I would like the firewall (PF) to forward the traffic to port 22 on their machine based on which user they are...

Any Ideas?
 
SSH traffic is encrypted, including the user credentials, so that information is not available on the firewall. Even if it were available, PF does not look into the data payload of the traffic it filters, so it wouldn't be possible even in that scenario.
 
It is a fairly advanced config for pf, but you could look at authpf(8) to load per-user rules dynamically, based on them first authenticating to the firewall. That does more or less provide a solution, but it is moderately complex (for both you and the users). Alternatively, a solution could possibly be found by having them ssh into the firewall, followed by clever use of ForceCommand in /etc/ssh/sshd_config to automagically ssh into the appropriate user server (possibly using HostbasedAuthentication between the firewall and user server).
 
Is it possible to use ForceCommand on a per user basis? All my users will have basic sh shells. Where would I enter that?
 
> Is it possible to use ForceCommand on a per user basis? All my users will have basic sh shells. Where would I enter that?
Have a look at Match in sshd_config(5) for one way of implementing different ForceCommand options. Alternatively, point it at a script where you can implement whatever logic / lookups you want. Yet another alternative springs to mind, you could implement a special user shell (i.e. change /bin/sh (or whatever) to /usr/local/bin/ssh-proxy-shell (you need to create this yourself, implementing whatever logic you require) in passwd(5) on the firewall box which does the onward ssh).

If you need these sessions to support scp(1) or sftp(1), rather than simple interactive shells, it might get more challenging / interesting to implement.
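As an added illustration of the "point ForceCommand at a script" approach (this is example code, not something from the thread or from OpenSSH), the script below looks up the login name in a constructed user-to-backend map, validates the result, and re-execs ssh to the matching server. The map contents, the host names, the install path /usr/local/bin/ssh-proxy-shell and the `run` argument used as a guard are all assumptions.

```shell
#!/bin/sh
# Install as /usr/local/bin/ssh-proxy-shell (assumed path) and wire it up in
# sshd_config on the firewall, e.g. for everyone in an assumed "proxied" group:
#   Match Group proxied
#       ForceCommand /usr/local/bin/ssh-proxy-shell run
# The onward hop relies on HostbasedAuthentication or per-host keys; no
# passwords are handled here.
set -eu

# Constructed user-to-backend map. In production read this from a root-owned
# file instead (e.g. /etc/ssh/user-backends, an assumed path).
USER_BACKENDS='alice server-a.internal
bob server-b.internal
carol server-a.internal'

# Accept only plain host names, so a malformed or tampered map entry can never
# be interpreted by ssh as an option.
valid_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the backend host for a login name; fail if unmapped or invalid.
lookup_target() {
    host="$(printf '%s\n' "$USER_BACKENDS" | awk -v u="$1" '$1 == u { print $2; exit }')"
    valid_host "$host" || return 1
    printf '%s\n' "$host"
}

main() {
    user="${LOGNAME:-$(id -un)}"
    target="$(lookup_target "$user")" || { echo "no backend mapped for $user" >&2; exit 1; }
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        # Remote command supplied by the client (this also covers scp's
        # remote side). The sftp subsystem is not forwarded by this script.
        exec ssh -o BatchMode=yes -- "$target" "$SSH_ORIGINAL_COMMAND"
    else
        # Interactive session: request a pty on the backend.
        exec ssh -t -o BatchMode=yes -- "$target"
    fi
}

# Only act when invoked as the forced command; sourcing the file does nothing.
case "${1:-}" in
    run) main ;;
esac
```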
 