SSH Port Tunneling With Authorization

Is it possible to only allow a Port to be used via SSH Port Tunneling if the user is in a specific Active Directory Group?

I have a client machine, a Windows Web Server and a Linux Server with a database. I would like the client to be able to connect to the Database using SSH, but only if they are in a specific AD group.

Is there any way of achieving this?

Robben_Ford_Fan_boy asked Oct 14 '16 11:10


1 Answer

Basically: no. Any user with shell access can use his own forwarder and gain access to the port anyway. So if you have users root, bob and dbtunnel on the Linux machine, all three can "export" access to the database.

But what is it that you really want to do? Because it seems to me that you want to encrypt (possibly compress) the database connection between Web server and database. You can do that without SSH at all.

  • What you can do, with SSH, is disable port forwarding and shell altogether except for that one group. sshd_config allowgroups supports LDAP. You will be severely limiting all (or most) users on the Linux machine.

  • Some databases such as MySQL offer native encryption, possibly not so performant if compared to "born" solutions. MySQL also has compressed client/server protocol (which is best left disabled whenever using a third party encrypted connection).

  • You can set up a VPN and only allow access to port 3306 from the VPN interface.

  • Also, you can restrict connections (both SSH and VPN) to those coming from the web server to reduce the database machine's attack surface.

  • A fancy solution, even if it does little for security, is to not have SSHd on the Linux machine at all, and rather have it on the Windows machine. Then the Linux machine can connect with an autossh client and forward its local 3306 port to the remote. Anyone on the Windows machine can still connect to the database. And the tunnel user needn't even exist on the Linux machine. You can then disable SSH access to all users except bob for management purposes. To open the tunnel with auto-SSH from Linux to Windows, you'll need some SSH server or other for Windows.

The reason why VPN, iptables and reverse-tunnel make little difference is, how would an attacker get "into" the Windows machine? He would probably exploit the Web server. But at that point, whatever connection there is between the Web server and the database, the attacker would have full access no matter what. He would just piggyback on the existing connection.

So the firewall IP restriction and reverse-tunneling solutions do nothing for user identification, as it would be moot anyway, but rather remove the vulnerability of having the Linux machine accessible from outside the Web server by a non-admin user.

Fancy solution (in this example MySQL and port 3306; could be PostgreSQL and port 5432 just as well)

  • install an SSHd server on the Windows machine on some nonstandard port.
  • configure Windows firewall to allow connections to that port only if coming from the Linux machine's IP.
  • create a (limited) user on the Windows machine to allow Linux to connect.
  • install autossh script (above) on the Linux machine and configure it to connect to the Windows server, forwarding local 3306 port to a newly created listening remote 3306 port bound to localhost (no -g option).
  • tell the Web server there's a MySQL server at address 127.0.0.1 port 3306.

...and you're done.

Who can connect to the database now?

  • any user on that one Windows machine. This should mean only the Web server user (*).
  • any admin user with SSH access on the Linux machine (provided there is SSH access to the Linux machine. You could have turned it off).
  • an attacker successfully exploiting the Windows Web server: but he could have done it anyway, since the Web server needs access to the database.

(*) and any other user could have done this also if port forwarding was LDAP limited -- they would have just needed to wait until the connection was performed by the LDAP enabled user, then they could have piggybacked on it.

LSerni answered Sep 20 '22 07:09
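The "fancy solution" above, as an added example that is not part of the original answer: the autossh invocation the Linux side would run, plus a check of the sshd_config on the Windows (tunnel-receiving) side that keeps the forwarded 3306 bound to localhost. The tunnel user dbtunnel, host winweb.example, port 2222 and the key path are assumed names.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds the autossh command for
# the reverse tunnel in the "fancy solution" and checks the sshd_config on the
# Windows (tunnel-receiving) side so the forwarded 3306 stays on localhost.
# Assumed names: tunnel user dbtunnel, host winweb.example, sshd port 2222,
# key /etc/db-tunnel/id_ed25519. PermitListen needs OpenSSH 7.8 or newer.

# Settings the tunnel user's Match block must carry: forwarding only in the
# remote direction, listener forced onto loopback, only port 3306, no TTY.
REQUIRED='AllowTcpForwarding remote
GatewayPorts no
PermitListen 127.0.0.1:3306
PermitTTY no'

# tunnel_cmd HOST PORT USER KEY: print the autossh invocation. -N: no shell;
# -M 0: keepalives instead of a monitor port; ExitOnForwardFailure makes ssh
# exit (and autossh retry) if the remote 3306 listener cannot be created.
tunnel_cmd() {
  case $2 in ''|*[!0-9]*) echo "bad port: $2" >&2; return 1;; esac
  printf 'autossh -M 0 -N -p %s -i %s -o ExitOnForwardFailure=yes' "$2" "$4"
  printf ' -o ServerAliveInterval=30 -o ServerAliveCountMax=3'
  printf ' -R 127.0.0.1:3306:127.0.0.1:3306 %s@%s\n' "$3" "$1"
}

# match_block FILE USER: print the body of the "Match User USER" block,
# i.e. everything up to the next Match line.
match_block() {
  awk -v u="$2" '
    /^[[:space:]]*Match([[:space:]]|$)/ {
      inblk = ($0 ~ ("User[[:space:]]+" u "([[:space:]]|$)")); next }
    inblk { print }' "$1"
}

# check_tunnel_cfg FILE USER: 0 when every REQUIRED line is present in the
# user's Match block (keywords are case-insensitive), 1 otherwise.
check_tunnel_cfg() {
  blk=$(match_block "$1" "$2")
  printf '%s\n' "$REQUIRED" | while IFS= read -r want; do
    printf '%s\n' "$blk" | grep -qiE "^[[:space:]]*$want[[:space:]]*$" ||
      { echo "missing in Match User $2: $want" >&2; exit 1; }
  done
}
```

Run check_tunnel_cfg against the Windows sshd_config (%ProgramData%\ssh\sshd_config for Win32-OpenSSH) before starting the tunnel; a missing GatewayPorts no is what would let the forwarded 3306 be reachable from hosts other than the web server itself.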