The SSH proxy can use different keys in the server-side connection and the client-side connection. To use this feature, you have to derive a custom proxy class from the SshProxy class and override the mapUserKey function. In the mapUserKey function, you can check the public key of the client and return the private key that will be used in the server-side connection. Using this function you can make every connection use a single key on the server side, change the type of the key from RSA to DSA, or restrict access to certain channels to selected users only.

The mapUserKey function receives the blob_type and blob parameters, which contain the type of the key (ssh-dss for DSA keys, ssh-rsa for RSA keys) and the public key of the client. The function can return None to reject the connection, or a key type and a private key that will be used to authenticate on the target server.
Example 4.38. Modifying the keypair used in public-key authentication

The following proxy class accepts only connections that use a specific DSA public key, and uses a different RSA key-pair on the server side.

```python
# Import path for SshProxy assumed; adjust it to your Zorp installation.
from Zorp.Ssh import SshProxy

class KeymappingSshProxy(SshProxy):
    def config(self):
        SshProxy.config(self)

    def mapUserKey(self, blob_type, blob):
        # Accept exactly one DSA client key; reject every other client.
        if blob_type != 'ssh-dss' or blob != """ssh-dss AAAAB3NzaC1kc3MAAACBANhSxBWzv4kLvnBEV9sJX4rQkNtTxARJUP4l0u71Nu...""":
            return None
        # Authenticate towards the target server with this RSA private key instead.
        return ('ssh-rsa', """-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAz/U9WbGjeQfEj4nUoqSImQpKIPoNPIPQG2IPGTRC/ROc+VeQ
D/ax8n7wB3PF/1DB0WpHK5j075yJ6TPCPqFDYLOWOM41sBhyHsGCiGyDuNCOaRal
....
-----END RSA PRIVATE KEY-----""")
```
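Comparing whole key blobs as string literals, as in Example 4.38, does not scale past one or two clients. The added example below (not part of the Zorp documentation or code base) generalises the mapUserKey idea: it matches client keys by their SHA256 fingerprint and gives each allowed client its own server-side key, rejecting unknown or malformed keys. It assumes the blob is passed as the textual key shown in Example 4.38, and uses a minimal stand-in for the SshProxy base class so it runs outside Zorp; all keys and fingerprints are constructed placeholders.

```python
import base64
import hashlib

# Minimal stand-in for Zorp's SshProxy so the example runs outside Zorp (assumption).
class SshProxy:
    def config(self):
        pass

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a public key.

    Accepts the bare base64 key data or a full authorized_keys line
    ("ssh-dss AAAA... comment"); the type and comment fields are ignored.
    Raises ValueError/IndexError on an empty or undecodable blob.
    """
    fields = blob.split()
    data = fields[1] if len(fields) > 1 and fields[0].startswith('ssh-') else fields[0]
    digest = hashlib.sha256(base64.b64decode(data)).digest()
    return 'SHA256:' + base64.b64encode(digest).decode().rstrip('=')

# Constructed sample data: not real keys, just distinct byte strings.
CLIENT_KEY_A = 'ssh-dss ' + base64.b64encode(b'constructed client key A').decode() + ' alice@example'
CLIENT_KEY_B = base64.b64encode(b'constructed client key B').decode()
SERVER_KEY_ADMIN = '-----BEGIN RSA PRIVATE KEY-----\n<admin key placeholder>\n-----END RSA PRIVATE KEY-----'
SERVER_KEY_USER = '-----BEGIN RSA PRIVATE KEY-----\n<user key placeholder>\n-----END RSA PRIVATE KEY-----'

# Client fingerprint -> (key type, private key) used towards the target server.
KEY_MAP = {
    fingerprint(CLIENT_KEY_A): ('ssh-rsa', SERVER_KEY_ADMIN),
    fingerprint(CLIENT_KEY_B): ('ssh-rsa', SERVER_KEY_USER),
}

class FingerprintMappingSshProxy(SshProxy):
    """Gives each allowed client key its own server-side key; rejects all others."""
    def config(self):
        SshProxy.config(self)

    def mapUserKey(self, blob_type, blob):
        # Only DSA client keys are accepted here; any other type is rejected.
        if blob_type != 'ssh-dss':
            return None
        try:
            fp = fingerprint(blob)
        except (ValueError, IndexError):
            return None          # malformed blob: reject instead of raising inside the proxy
        return KEY_MAP.get(fp)   # None (reject) when the client key is not in the map
```

Keeping the map keyed by fingerprint also lets you log which client key was accepted without writing the full key material to the log.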
Copyright: © 2021 Balasys IT Security