Can AsyncSSH capture data during port forwarding?

[zgxkbtl]

First of all, many thanks to all the contributors of asyncssh.
I have successfully experienced the port forwarding feature by override this part of the code:

def server_requested(self, listen_host: str, listen_port: int) -> _NewListener:
    return True

And using:

ssh -p 8022 -R 0:localhost:8000 guest@localhost

However, I would like to know which IPs have accessed which resources on localhost:8000, in order to implement monitoring or capture logs. Can this feature be directly implemented using asyncssh?

[ronf]

It doesn't look like this is possible in AsyncSSH right now using only public APIs. You'd need to be able to provide an alternate coroutine which runs when a connection is received on the listening port. The closest I think you can come right now is:

class MySSHServer(asyncssh.SSHServer):
    async def forward_local_port(self, listen_host, listen_port):
        async def tunnel_connection(session_factory, orig_host, orig_port):
            print(f'New connection from {orig_host}:{orig_port}')

            return await self._conn.create_connection(
                session_factory, listen_host, listen_port, orig_host, orig_port)

        loop = asyncio.get_event_loop()

        return await create_tcp_forward_listener(
            self._conn, loop, tunnel_connection, listen_host, listen_port)

    def connection_made(self, conn):
        self._conn = conn

    def server_requested(self, listen_host, listen_port):
        return self.forward_local_port(listen_host, listen_port)

async def start_server():
    await asyncssh.create_server(MySSHServer, '', 8022,
                                 server_host_keys=['ssh_host_key'],
                                 authorized_client_keys='ssh_user_ca')

loop = asyncio.get_event_loop()

try:
    loop.run_until_complete(start_server())
except (OSError, asyncssh.Error) as exc:
    sys.exit('SSH server failed: ' + str(exc))

loop.run_forever()

In particular, see how the server_requested() call now returns an SSHListener instead of True. The code which does this in the forward_local_port() function here is taken from SSHConnection's forward_local_port() method, but replacing the tunnel_connection function with one that can log the orig_host and orig_port.

Unfortunately, the function create_tcp_forward_listener() is not currently part of the AsyncSSH public API, so it's possible the details of this or the implementation of the forward_local_port() function in SSHConnection could change in the future.

Since server_requested() is a callback, I'm not seeing a very clean way to provide something to run when new connections arrive. The intent of the current callback was to just look at the listening host/port requested by the client and return if that was acceptable or not. Once an SSHListener was returned, though, it is expected to handle everything under the covers.

[zgxkbtl]

Thank you for your response. I would like to know if there are any plans to incorporate this feature.

[ronf]

I think it could be a useful feature, but I'll need a bit of time to figure out if there's a clean way to fit it into the current code.

My current thinking is that I could add an extra optional accept_handler argument to forward_local_port() of a callable/coroutine which took arguments of orig_host and orig_port and returned a bool about whether to accept the connection or not. This would be a place where you'd also be able to do logging of what connections were attempted, and whether they were accepted or not.

On the server side, I'm thinking that the server_requested() function could be extended to support returning this same callable/coroutine. It's already the case today that returning True in server_requested() actually ends up calling forward_local_port(), so returning a callable/coroutine could just pass that function on to forward_local_port().

A full solution would probably also need to make similar changes to the UNIX domain socket forwarding, and the cross-over functions where you forward between TCP and UNIX domain sockets.

If I get something working, I'll let you know.

[ronf]

Ok - here's a first cut at the solution described above:

--- a/asyncssh/connection.py
+++ b/asyncssh/connection.py
@@ -225,6 +225,9 @@ _ListenerArg = Union[bool, SSHListener]
 _ProxyCommand = Optional[Sequence[str]]
 _RequestPTY = Union[bool, str]

+_TCPAcceptHandler = Callable[[str, int], MaybeAwait[bool]]
+_UNIXAcceptHandler = Callable[[], MaybeAwait[bool]]
+
 _TCPServerHandlerFactory = Callable[[str, int], SSHSocketSessionFactory]
 _UNIXServerHandlerFactory = Callable[[], SSHSocketSessionFactory]

@@ -2886,10 +2889,10 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
         return SSHForwarder(cast(SSHForwarder, peer))

     @async_context_manager
-    async def forward_local_port(self, listen_host: str,
-                                 listen_port: int,
-                                 dest_host: str,
-                                 dest_port: int) -> SSHListener:
+    async def forward_local_port(
+            self, listen_host: str, listen_port: int,
+            dest_host: str, dest_port: int,
+            accept_handler: Optional[_TCPAcceptHandler] = None) -> SSHListener:
         """Set up local port forwarding

            This method is a coroutine which attempts to set up port
@@ -2906,10 +2909,17 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
                The hostname or address to forward the connections to
            :param dest_port:
                The port number to forward the connections to
+           :param accept_handler:
+               A `callable` or coroutine which takes arguments of the
+               original host and port of the client and decides whether
+               or not to allow connection forwarding, returning `True` to
+               accept the connection and begin forwarding or `False` to
+               reject and close it.
            :type listen_host: `str`
            :type listen_port: `int`
            :type dest_host: `str`
            :type dest_port: `int`
+           :type accept_handler: `callable` or coroutine

            :returns: :class:`SSHListener`

@@ -2923,6 +2933,21 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
                     Tuple[SSHTCPChannel[bytes], SSHTCPSession[bytes]]:
             """Forward a local connection over SSH"""

+            if accept_handler:
+                result = accept_handler(orig_host, orig_port)
+
+                if inspect.isawaitable(result):
+                    result = await cast(Awaitable[bool], result)
+
+                if not result:
+                    self.logger.info('Request for TCP forwarding from '
+                                     '%s to %s denied by application',
+                                     (orig_host, orig_port),
+                                     (dest_host, dest_port))
+
+                    raise ChannelOpenError(OPEN_ADMINISTRATIVELY_PROHIBITED,
+                                           'Connection forwarding denied')
+
             return (await self.create_connection(session_factory,
                                                  dest_host, dest_port,
                                                  orig_host, orig_port))
@@ -5737,6 +5762,10 @@ class SSHServerConnection(SSHConnection):
             if listener is True:
                 listener = await self.forward_local_port(
                     listen_host, listen_port, listen_host, listen_port)
+            elif callable(listener):
+                listener = await self.forward_local_port(
+                    listen_host, listen_port,
+                    listen_host, listen_port, listener)
         except OSError:
             self.logger.debug1('Failed to create TCP listener')
             self._report_global_response(False)

Here's an example of using this not he client side, where the handler only accepts connections from 127.0.0.1:

import asyncio, asyncssh, sys

async def accept_handler(orig_host: str, orig_port: int) -> bool:
    return orig_host == '127.0.0.1'

async def run_client():
    async with asyncssh.connect('localhost') as conn:
        listener = await conn.forward_local_port('', 8080, 'www.google.com', 80,
                                                 accept_handler)
        await listener.wait_closed()

try:
    asyncio.get_event_loop().run_until_complete(run_client())
except (OSError, asyncssh.Error) as exc:
    sys.exit('SSH connection failed: ' + str(exc))

Here's an example of using it on the server side:

import asyncio, asyncssh, sys

async def accept_handler(orig_host: str, orig_port: int) -> bool:
    return orig_host == '127.0.0.1'

class MySSHServer(asyncssh.SSHServer):
    def server_requested(self, listen_host: str, listen_port: int) -> bool:
        return accept_handler

async def start_server() -> None:
    await asyncssh.create_server(MySSHServer, '', 8022,
                                 server_host_keys=['ssh_host_key'],
                                 authorized_client_keys='ssh_user_ca')

loop = asyncio.get_event_loop()

try:
    loop.run_until_complete(start_server())
except (OSError, asyncssh.Error) as exc:
    sys.exit('SSH server failed: ' + str(exc))

loop.run_forever()

I still need to fill in the UNIX domain socket equivalent of the code above, and some of the crossover cases, but you can give this a try if you want to experiment with it.

[ronf]

This feature is now checked into the "develop" branch as commit 70f65eb. For now, this new accept_handler is available in forward_local_port() and forward_local_port_to_path(), as well as being available as a return value in server_requested(). I didn't implement this for forward_local_path(), forward_local_path_to_port(), or unix_server_requested(), as there's no additional client information to check or log when accepting UNIX domain socket connections.

[ronf]

This feature is included in the just-released AsyncSSH 2.14.0. Let me know if you have any problems with it.