The SSH proxy can use different keys in the server-side connection and the client-side connection. To use this feature, you have to derive a custom proxy class from the SshProxy class, and override the mapUserKey function. In the mapUserKey function, you can check the public key of the client, and return the private key that will be used in the server-side connection. Using this function you can set every connection to use a single key on the server side, change the type of the key from DSA to RSA or the other way around, or restrict access to certain channels to selected users only.

The mapUserKey function receives the blob_type and blob parameters, which contain the type of the key (ssh-dss for DSA keys, ssh-rsa for RSA keys) and the public key of the client. The function can return None to reject the connection, or a key type and a private key that will be used to authenticate on the target server.

Example 4.38. Modifying the keypair used in public-key authentication

The following proxy class accepts only connections that use a specific DSA public key, and uses a different RSA key-pair on the server side.

```python
class KeymappingSshProxy(SshProxy):
    def config(self):
        SshProxy.config(self)

    def mapUserKey(self, blob_type, blob):
        # Reject every client key except the one expected DSA public key.
        if blob_type != 'ssh-dss' or blob != """ssh-dss AAAAB3NzaC1kc3MAAACBANhSxBWzv4kLvnBEV9sJX4rQkNtTxARJUP4l0u71Nu...""":
            return None
        # Authenticate on the target server with this RSA private key.
        return ('ssh-rsa', """-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAz/U9WbGjeQfEj4nUoqSImQpKIPoNPIPQG2IPGTRC/ROc+VeQ
D/ax8n7wB3PF/1DB0WpHK5j075yJ6TPCPqFDYLOWOM41sBhyHsGCiGyDuNCOaRal
....
-----END RSA PRIVATE KEY-----""")
```
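
The same mapping extended to several client keys with a default-deny lookup, as an added example that is not part of the original documentation or the product's own code. It assumes that blob arrives in the "type base64" text form used in the example above; the helper names fingerprint and map_user_key, the KEYMAP table and the sample key are hypothetical and constructed for illustration.

```python
import base64
import binascii
import hashlib
import struct


def fingerprint(blob_type, blob):
    """OpenSSH-style SHA256 fingerprint of a public key, or None if malformed."""
    parts = blob.split()
    if len(parts) < 2 or parts[0] != blob_type:
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 4:
        return None
    # The decoded key starts with a length-prefixed algorithm name; it must
    # agree with the type the client declared.
    (name_len,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + name_len] != blob_type.encode():
        return None
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def map_user_key(blob_type, blob, keymap):
    """Return (server_key_type, private_key) for a known client key, else None."""
    fp = fingerprint(blob_type, blob)
    if fp is None:
        return None  # malformed or inconsistent key: reject
    return keymap.get(fp)  # unknown key yields None, so the connection is rejected


# Constructed sample data, not a real key.
SAMPLE_RAW = struct.pack(">I", 7) + b"ssh-dss" + b"\x00" * 16
SAMPLE_BLOB = "ssh-dss " + base64.b64encode(SAMPLE_RAW).decode("ascii")
# Assumed layout: client key fingerprint -> (server-side key type, private key).
KEYMAP = {
    fingerprint("ssh-dss", SAMPLE_BLOB): ("ssh-rsa", "<server-side RSA private key in PEM>"),
}

# Inside a proxy class derived from SshProxy this would be called as:
#   def mapUserKey(self, blob_type, blob):
#       return map_user_key(blob_type, blob, KEYMAP)
```

Keying the table on fingerprints keeps the policy file readable and lets the allowed clients be compared against the output of standard key-listing tools.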
© 2021 BalaSys IT Security.