Score:1

How do I ensure that a SOCKS5 proxy is not used by malicious applications?

I have created a jumphost/bastion that will act just as that - a jumphost to certain hosts:ports.

I am aware that I can limit users/groups with the following:

Match User Alice
   PermitOpen some.host.tld:80 another.host.tld:22 third.host.tld:443

And due to some requirements, I need to be able to utilize SOCKS proxies. This is enabled by the following:

   PermitTTY yes
   PermitTunnel yes
   AllowTcpForwarding yes

This works as expected.

However... How do I ensure that only the application that the client specifically allowed (such as Firefox) is using the SOCKS proxy, and not some random other application on the client? Can I limit the sessions/applications using the connection on the SSH server?

I did try with "MaxSessions 1", but sadly it does not seem to apply to SOCKS proxies.

Marcel: https://serverfault.com/a/336091/164840

Marcel: https://github.com/TooTallNate/node-socks-proxy-agent

Marcel: duplicate of https://serverfault.com/questions/336067/how-can-i-setup-a-socks-proxy-over-ssh-with-password-based-authentication-on-cen/

Marcel: https://stackoverflow.com/questions/6054092/how-to-add-authentication-to-a-socks5-proxy-server
Orphans: I would not argue that this is a duplicate, since the question is more broad. However, I should narrow it down to be more clear about what I mean.
Marcel: There's a solution here: https://serverfault.com/questions/914808/how-to-forbid-connecting-to-localhost-for-ssh-socks5-proxy - maybe it fits your needs?

Orphans: @Marcel can you add that into your answer below, so I can mark that as a solution? This seems indeed like the best way to do it for now.
Score:1

One way of authenticating the usage of the SOCKS5 proxy is to have a reverse proxy with basic auth forwarding traffic to it, but you won't be able to protect it against usage by other users that can see the port in the loopback device locally. The Dynamic Port Forwarding from SSH will trust anyone with access to the machine it's listening on. But maybe, if you manage to have -D listen on a unix domain socket, you might be able to set user+group permissions on the named pipe and have some form of security against non-root users. But ssh's user manual doesn't mention any unix domain socket forwarding for dynamic port forwarding (-D) for socks4/5 usage. I think it's a long shot. You should trust people logged into the machine.

There's a solution here: how to forbid connecting to localhost for ssh socks5 proxy
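The question's PermitOpen/Match configuration and the answer's point about where the server can and cannot help both come down to one thing the bastion operator can check: which users may open client-originated forwards (ssh -L and the SOCKS listener from ssh -D both arrive at sshd as direct-tcpip channel opens, which is what PermitOpen governs) without a destination restriction. The audit script below is an added example, not code from the thread or from OpenSSH; the function names and the sample config are constructed, and it approximates sshd's first-value-wins precedence rather than reproducing it, so `sshd -T -C user=alice` remains the authoritative way to read the effective configuration. It reports, per Match block, whether SOCKS egress is disabled, restricted to listed host:port destinations, or unrestricted. It says nothing about which process on the client side used the local SOCKS port, which, as the answer states, the server cannot distinguish.

```python
# Added example (not from the original thread): audit an sshd_config for Match
# blocks whose users may open client-originated TCP forwards (ssh -L / ssh -D,
# i.e. SOCKS) without a PermitOpen restriction. Function names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Block:
    criteria: str                       # "" for the global section, else the Match criteria
    directives: dict = field(default_factory=dict)


def parse_sshd_config(text: str) -> list:
    """Split sshd_config text into the global block followed by each Match block.
    sshd honours the first obtained value of a keyword within a block, so later
    repeats are ignored (setdefault)."""
    blocks = [Block("")]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comment and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            blocks.append(Block(value))
            continue
        blocks[-1].directives.setdefault(key, value)
    return blocks


def effective(blocks: list, block: Block, key: str, default: str) -> str:
    """A Match block inherits any keyword it does not set from the global section."""
    if key in block.directives:
        return block.directives[key]
    return blocks[0].directives.get(key, default)


def audit(text: str) -> dict:
    """Return {block label: (status, destinations)} for every block.
    status: 'disabled'     - no local/dynamic forwards at all
            'unrestricted' - any destination reachable through the SOCKS proxy
            'restricted'   - only the listed host:port destinations"""
    blocks = parse_sshd_config(text)
    report = {}
    for block in blocks:
        label = block.criteria or "(global)"
        # AllowTcpForwarding default is yes; 'remote' alone blocks -L/-D forwards
        fwd = effective(blocks, block, "allowtcpforwarding", "yes").lower()
        # PermitOpen default is any; 'none' forbids every direct-tcpip open
        permit = effective(blocks, block, "permitopen", "any").split()
        lowered = [d.lower() for d in permit]
        if fwd in ("no", "remote") or lowered == ["none"]:
            report[label] = ("disabled", [])
        elif "any" in lowered:
            report[label] = ("unrestricted", [])
        else:
            report[label] = ("restricted", permit)
    return report


# Constructed sample config for demonstration (not a real server's file).
SAMPLE_SSHD_CONFIG = """
AllowTcpForwarding yes
PermitOpen any

Match User alice
   PermitOpen some.host.tld:80 another.host.tld:22 third.host.tld:443
   AllowTcpForwarding yes

# bob sets no PermitOpen, so he inherits 'any': unrestricted SOCKS egress
Match User bob
   AllowTcpForwarding yes

Match Group contractors
   AllowTcpForwarding no
"""

if __name__ == "__main__":
    for label, (status, dests) in audit(SAMPLE_SSHD_CONFIG).items():
        print(f"{label:24} {status:12} {' '.join(dests)}")
```

Run against the sample, the global section and `User bob` come out unrestricted, `User alice` restricted to three destinations, and `Group contractors` disabled; on a real bastion, every block other than the intended jump users should come out disabled or restricted.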
