4.25.2.8. Manipulating the keys of public-key authentication

The Zorp SSH proxy can use different keys in the server-side connection and the client-side connection. To use this feature, you have to derive a custom proxy class from the SshProxy class, and override the mapUserKey function. In the mapUserKey function, you can check the public key of the client, and return the private key that will be used in the server-side connection. Using this function you can set every connection to use a single key on the server side, change the type of the key from RSA to DSA, or restrict access of certain channels only to the selected users.

The mapUserKey function receives the blob_type and blob parameters, which contain the type of the key (ssh-dss for DSA keys, ssh-rsa for RSA keys) and the public key presented by the client. The function returns either None, which rejects the connection, or a tuple of a key type and a private key (in PEM format) that the proxy will use to authenticate to the target server.
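The following is an added example, not code from the Zorp documentation or product, showing a mapUserKey policy that keeps an allowlist of client public keys (identified by their OpenSSH-style SHA256 fingerprint) and maps each to a server-side private key stored on disk, so that no key material is embedded in the policy file and unknown keys are rejected. The module name Zorp.Ssh, the stand-in SshProxy class used when the file is loaded outside Zorp, the key paths, and the sample key blob are all assumptions or constructed values; whether Zorp passes the bare base64 blob or a full "ssh-dss AAAA..." line is also an assumption, which is why both forms are accepted.

```python
import base64
import hashlib
import hmac

# Added example: allowlist-based key mapping for SshProxy.mapUserKey.
# The Zorp import is only resolvable inside Zorp; outside it a minimal
# stand-in base class is defined so the mapping logic can be tested offline.
try:
    from Zorp.Ssh import SshProxy          # assumed module name for the SSH proxy
except ImportError:
    class SshProxy(object):                # stand-in, only for running outside Zorp
        def config(self):
            pass


def normalize_blob(blob):
    """Return the decoded key bytes.

    Accepts either the bare base64 blob or a full OpenSSH public-key line
    ('ssh-dss AAAA... comment'); which form Zorp passes is an assumption.
    """
    fields = blob.split()
    if len(fields) > 1 and fields[0].startswith('ssh-'):
        blob = fields[1]
    return base64.b64decode(blob)


def fingerprint(blob):
    """OpenSSH-style 'SHA256:<unpadded base64>' fingerprint of a key blob."""
    digest = hashlib.sha256(normalize_blob(blob)).digest()
    return 'SHA256:' + base64.b64encode(digest).decode('ascii').rstrip('=')


# Constructed sample client key: NOT a real key, just bytes for the example.
SAMPLE_CLIENT_BLOB = base64.b64encode(b'constructed-not-a-real-dsa-key').decode('ascii')

# Hypothetical path of the server-side key file (constructed for the example).
SERVER_KEY_PATH = '/etc/zorp/ssh-keys/alice_server.key'

# Allowlist: (client key type, client key fingerprint) -> (server key type, key file).
# In a real policy the fingerprint would be pasted from `ssh-keygen -lf`.
KEY_MAP = {
    ('ssh-dss', fingerprint(SAMPLE_CLIENT_BLOB)): ('ssh-rsa', SERVER_KEY_PATH),
}


def select_server_key(blob_type, blob, key_map=KEY_MAP):
    """Return (server_key_type, key_path) for an allowlisted client key, else None.

    Unknown key types, undecodable blobs and unlisted fingerprints are all
    treated as 'reject' so the proxy fails closed.
    """
    if blob_type not in ('ssh-dss', 'ssh-rsa'):
        return None
    try:
        fp = fingerprint(blob)
    except (ValueError, TypeError):        # not valid base64: unknown key
        return None
    for (allowed_type, allowed_fp), target in key_map.items():
        # compare_digest keeps the fingerprint comparison constant-time
        if allowed_type == blob_type and hmac.compare_digest(allowed_fp, fp):
            return target
    return None


class AllowlistSshProxy(SshProxy):
    """Hypothetical proxy class: per-client-key server-side keys from an allowlist."""

    def config(self):
        SshProxy.config(self)

    def mapUserKey(self, blob_type, blob):
        choice = select_server_key(blob_type, blob)
        if choice is None:
            return None                    # unknown client key: reject the connection
        srv_type, key_path = choice
        with open(key_path) as f:          # private key stays on disk, read per connection
            return (srv_type, f.read())
```

The proxy class itself only runs inside Zorp; select_server_key and fingerprint are plain Python and carry the policy decision, so they can be unit-tested before the policy is deployed.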

Example 4.48. Modifying the keypair used in public-key authentication

The following proxy class accepts only connections in which the client presents one specific DSA public key, and authenticates to the target server with a different RSA key-pair.

from Zorp.Ssh import *

# Public key the client must present (the base64 part is truncated in this example).
ACCEPTED_CLIENT_KEY = "ssh-dss AAAAB3NzaC1kc3MAAACBANhSxBWzv4kLvnBEV9sJX4rQkNtTxARJUP4l0u71Nu..."

# Private key used to authenticate on the server side (truncated in this example).
SERVER_RSA_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAz/U9WbGjeQfEj4nUoqSImQpKIPoNPIPQG2IPGTRC/ROc+VeQ
D/ax8n7wB3PF/1DB0WpHK5j075yJ6TPCPqFDYLOWOM41sBhyHsGCiGyDuNCOaRal
....
-----END RSA PRIVATE KEY-----"""

class KeymappingSshProxy(SshProxy):
    def config(self):
        SshProxy.config(self)

    def mapUserKey(self, blob_type, blob):
        # Accept only the one DSA key; any other key rejects the connection.
        if blob_type != 'ssh-dss' or blob != ACCEPTED_CLIENT_KEY:
            return None
        # Use the RSA key-pair towards the target server instead of the client's key.
        return ('ssh-rsa', SERVER_RSA_KEY)