On 9/16/20 6:10 AM, Chris Green wrote:
> If I have opened an ssh connection to a remote server is there any
> way to check if the session includes remote port forwarding?

I'm not aware of anything reliable.

You might be able to tell after the fact if there are established
connections from loopback (as the user that ran the outbound ssh
connection) to loopback.

> It would be easy if the port forwarding had been done from the command
> line, e.g. if the command was 'ssh -R 12345:localhost:54321 server' one
> could simply use ps or psgrep to see if there's a "-R 12345" in there.

That relies on being able to see the command in ps's output. There are
a number of ways that make this unreliable, many of which, admittedly,
are darker grey in color.

> However I can't see any way to do it if the remote forward has been
> done by "RemoteForward 12345 localhost:54321" in the ssh config file.

There is also the fact that you can dynamically alter the port
forwarding mid-session. So yet another way, thus another thing you would
need to check.

> Is there anything one can check to see the internal configuration of
> a running ssh process?

I think that you would have to enumerate the process space of the other
running client ssh processes. Something that I expect is non-trivial
and that OpenSSH is probably going to be hostile and try to protect against.

--
Grant. . . .
unix || die
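
The two static checks discussed in this thread, as an added example that is not part of the original post: it parses an ssh command line as ps would show it (including bundled flags and `-o RemoteForward=...`) and the effective configuration printed by `ssh -G host`. It cannot see forwards added mid-session; the function names and all sample input are constructed for illustration.

```python
import shlex

# OpenSSH client options that take an argument (ssh(1) synopsis; adjust per version).
TAKES_ARG = set("BbcDEeFIiJLlmOopQRSWw")

def forwards_from_argv(cmdline):
    """Remote-forward specs visible in one ssh command line, as shown by ps."""
    args = shlex.split(cmdline)[1:]
    found, host_seen, i = [], False, 0
    while i < len(args):
        arg = args[i]
        i += 1
        if not arg.startswith("-") or arg == "-":
            if host_seen:      # second bare word starts the remote command
                break
            host_seen = True   # assumption: options may also follow the host
            continue
        for j, opt in enumerate(arg[1:], start=2):
            if opt not in TAKES_ARG:
                continue       # plain flag, possibly bundled as in -Nf
            value = arg[j:]    # argument attached to the option, e.g. -R12345:...
            if not value and i < len(args):
                value = args[i]
                i += 1
            if opt == "R":
                found.append(value)
            elif opt == "o":
                key, _, val = value.replace("=", " ", 1).partition(" ")
                if key.lower() == "remoteforward":
                    found.append(val.strip())
            break
    return found

def forwards_from_config(ssh_g_output):
    """RemoteForward entries in the output of `ssh -G host` (effective config)."""
    pairs = (line.strip().partition(" ") for line in ssh_g_output.splitlines())
    return [val.strip() for key, _, val in pairs if key.lower() == "remoteforward"]

# Constructed sample input, not taken from a real system.
SAMPLE_PS = [
    "ssh -R 12345:localhost:54321 server",
    "ssh -NfR12345:localhost:54321 server",
    "ssh -p 2222 -o 'RemoteForward=12345 localhost:54321' server",
    "ssh -L 8080:localhost:80 server",
]
SAMPLE_SSH_G = "hostname server\nport 22\nremoteforward 12345 localhost:54321\n"

print({c: forwards_from_argv(c) for c in SAMPLE_PS}, forwards_from_config(SAMPLE_SSH_G))
```

An empty result from both functions only means no forward was requested on the command line or in the configuration at startup.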