国产av日韩一区二区三区精品,成人性爱视频在线观看,国产,欧美,日韩,一区,www.成色av久久成人,2222eeee成人天堂

Home System Tutorial LINUX SFTP Port Forwarding: Enabling Suppressed Functionality

SFTP Port Forwarding: Enabling Suppressed Functionality

Mar 17, 2025 am 09:43 AM

SFTP Port Forwarding: Enabling Suppressed Functionality

introduction

The SSH protocol supports three major categories of remote server activities: a) command execution (including login shell), b) network forwarding and operation, and c) file transfer.

OpenSSH maintainers have determined that sftp and scp have no legal purpose for port forwarding (via the -L and -R options). During file transfer using these utilities, a flag that explicitly disables these features is passed unconditionally to the child SSH executable.

Some users may indeed need these features. An obvious subset is the penetration testers whose task is to verify that this feature is explicitly disabled on a public SFTP server.

Here are two techniques to enable these suppressed features by modifying the string of the sftp binary itself, or redirecting through a shell that can easily edit the command line. Depending on the platform's functionality, either technology may be required to achieve this goal.

Suppress details

First, it is important to find the running process of interest. The shell function below will display the PID that matches the shell pattern (note that this is not a regular expression). This runs under Debian dash (and most other common shells) and relies on the ps option of BSD:

 <code>pps () { local a= b= c= IFS=$'\r'; ps ax | while read -ra do [ "$b" ] || c=1; for b; do case "$a" in *"$b"*) c=1;; esac; done; [ "$c" ] && printf '%s\n' "$a" && c=; done; }</code>

Start a traditional SFTP session to check the processes associated with it:

 <code>$ id uid=1001(aturing) gid=1001(aturing) groups=1001(aturing)... $ sftp aturing@sftp.victimandum.com aturing@sftp.victimandum.com's password: Connected to sftp.victimandum.com. sftp></code>

We assume that the local UNIX user above has the same username account on the remote SFTP server.

After the session is run, a local process search for the user name will display the child SSH process generated by SFTP:

 <code>$ pps aturing PID TTY STAT TIME COMMAND 9666 pts/0 S 0:00 sftp aturing@sftp.victimandum.com 9667 pts/0 S 0:00 /usr/bin/ssh -oForwardX11 no -oPermitLocalCommand no -oClearAllForwardings yes -oForwardAgent no -l aturing -s -- sftp.victimandum.com sftp</code>

The ClearAllForwardings yes parameter above will suppress any forwarding attempt without taking any action to break it.

The -L and -R port forwarding flags do not exist as valid options for the SFTP command line, but we can use the -S option to explicitly trigger them to specify a custom SSH handler, in this case the mail server:

 <code>$ cat portssh #!/bin/sh exec ssh -L2525:smtp.victimandum.com:25 "$@"</code>

If forwarding suppression is not in place, this SFTP call is sufficient to establish a forwarding connection:

 <code>$ sftp -S ./portssh -oClearAllForwardings\ no aturing@sftp.victimandum.com aturing@sftp.victimandum.com's password: Connected to sftp.victimandum.com. sftp></code>

Now you can see forwarding attempts in the child SSH process:

 <code>$ pps aturing PID TTY STAT TIME COMMAND 9897 pts/0 S 0:00 sftp -S ./portssh -oClearAllForwardings no aturing@sftp.victimandum.com 9898 pts/0 S 0:00 ssh -L2525:smtp.victimandum.com:25 -oForwardX11 no -oPermitLocalCommand no -oClearAllForwardings yes -o ClearAllForwardings no -oForwardAgent no -l aturing -s -- sftp.victimandum.com sftp</code>

However, attempting to contact the remote mail server through the local forwarding port is unsuccessful due to explicit override:

 <code>$ nc localhost 2525 $</code>

This unconditional suppression is visible in the source code:

 <code>$ sed -n /X11/,/Forwardings/p openssh-8.7p1/sftp.c addargs(&args, "-oForwardX11 no"); addargs(&args, "-oPermitLocalCommand no"); addargs(&args, "-oClearAllForwardings yes");</code>

These static strings are also visible in compiled binary files:

 <code>$ strings /usr/bin/sftp | grep [-]o[CFP] -oForwardX11 no -oPermitLocalCommand no -oClearAllForwardings yes -oForwardAgent no -oPort %d</code>

Finally, the documentation clearly states that this suppression is intentional and gives reasonable reasons:

 <code>$ man ssh_config | sed -n /ClearAllForwardings/,/default/p ClearAllForwardings Specifies that all local, remote, and dynamic port forwardings specified in the configuration files or on the command line be cleared. This option is primarily useful when used from the ssh(1) command line to clear port forwardings set in configura‐ tion files, and is automatically set by scp(1) and sftp(1). The argument must be yes or no (the default).</code>

Change compiled strings

For those who want to disable the default ClearAllForwardings yes configuration, one option is to use sed to edit the strings in the SFTP binary directly (assuming the platform's sed is binary-safe):

 <code>$ sed 's/AllForwardings yes/AllForwardings no /' sftp.noclearforward</code>

This direct modification is much easier than compiling new binary files.

We can confirm that the string has been modified successfully:

 <code>$ strings ./sftp.noclearforward | grep [-]o[CFP] -oForwardX11 no -oPermitLocalCommand no -oClearAllForwardings no -oForwardAgent no -oPort %d</code>

Although the content and checksum of the modified SFTP will be different, any existing Linux BuildID sha1 will remain the same (but do not submit support tickets when using edited SFTP):

 <code>$ file /usr/bin/sftp ./sftp.noclearforward /usr/bin/sftp: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=d7e77e24d5fac0fdc89e62a4c9c656091f2c4a33, for GNU/Linux 3.2.0, stripped ./sftp.noclearforward: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=d7e77e24d5fac0fdc89e62a4c9c656091f2c4a33, for GNU/Linux 3.2.0, stripped $ sha1sum /usr/bin/sftp ./sftp.noclearforward d8bdaf0b4642b9c324f9c2e0aeee2d9578fbe383 /usr/bin/sftp b12dda8ecfd7bd2847919b5531aea7c03364c123 ./sftp.noclearforward $ sha256sum /usr/bin/sftp ./sftp.noclearforward 986eecdfc654c9b3ff3fd0dce59690d47cf56be96a4b98a04a3682aef95d3f52 /usr/bin/sftp c8f99ce33fc129250c11dc6dbb8a01112e01124e470a92d0acefb955fd17d670 ./sftp.noclearforward</code>

You can call the modified SFTP binary to enable port forwarding:

 <code>$ chmod 755 sftp.noclearforward $ ./sftp.noclearforward -S ./portssh aturing@sftp.victimandum.com aturing@sftp.victimandum.com's password: Connected to sftp.victimandum.com. sftp></code>

Now you can see the modified settings in the child process:

 <code>$ pps aturing PID TTY STAT TIME COMMAND 9991 pts/0 S 0:00 ./sftp.noclearforward -S ./portssh aturing@sftp.victimandum.com 9992 pts/0 S 0:00 ssh -L2525:smtp.victimandum.com:25 -oForwardX11 no -oPermitLocalCommand no -oClearAllForwardings no -oForwardAgent no -l aturing -s -- sftp.victimandum.com sftp</code>

This feature is enabled and run on a remote server and can verify connections in a separate shell:

 <code>$ nc localhost 2525 220 smtp.victimandum.com Microsoft ESMTP MAIL Service, Version: 1.2.3456.78901 ready at Sun, 1 Jan 2023 01:23:45 -0100 ^C</code>

When forwarding is disabled on the server, the client will receive a notification indicating this status when the connection attempts:

 <code>channel 3: open failed: administratively prohibited: open failed</code>

The SFTP administrator assigned an untrusted account should be likely to verify that the server configuration explicitly disables forwarding and command execution.

Beyond POSIX Shell

While the dash and POSIX standards provide set -- as a way to reset command line parameters, more advanced features are provided in bash and ksh93:

 <code>$ cat ynargs #!/bin/bash echo "${@//yes/no}"</code>

Quick test confirms successful editing:

 <code>$ ./ynargs -oForwardX11 no -oPermitLocalCommand yes -oClearAllForwardings yes -oForwardAgent no -oForwardX11 no -oPermitLocalCommand no -oClearAllForwardings no -oForwardAgent no</code>

Note that the above ${@//.../...} is not a valid POSIX and cannot run in dash or any shell (mksh, oksh) derived from pdksh. Many platforms do not bundle shells with this feature (such as Android and OpenBSD, although there are ways to add them); for restricted platforms, binary editing techniques may be more direct than installing alternative shells.

To take advantage of this feature with a powerful shell, we create a directory and then create an SSH wrapper in it to clear the problem settings:

 <code>$ cat ~/switcharoo/ssh #!/bin/bash exec /usr/bin/ssh "${@//yes/no}"</code>

Then set the directory before system SSH in $PATH:

 <code>$ export PATH=~/switcharoo:$PATH $ which ssh ~/switcharoo/ssh</code>

Then, we call system SFTP in this modified environment:

 <code>$ /usr/bin/sftp -S ./portssh aturing@sftp.victimandum.com aturing@sftp.victimandum.com's password: Connected to sftp.victimandum.com. sftp></code>

We observed that the shell resets the problem parameters:

 <code>$ pps aturing PID TTY STAT TIME COMMAND 10058 pts/0 S 0:00 /usr/bin/sftp -S ./portssh aturing@sftp.victimandum.com 10059 pts/0 S 0:00 /usr/bin/ssh -L2525:smtp.victimandum.com:25 -oForwardX11 no -oPermitLocalCommand no -oClearAllForwardings no -oForwardAgent no -l aturing -s -- sftp.victimandum.com sftp</code>

Reconfirmed the local connection to the forwarding port:

 <code>$ nc localhost 2525 220 smtp.victimandum.com Microsoft ESMTP MAIL Service, Version: 1.2.3456.78901 ready at Sun, 1 Jan 2023 01:23:45 -0100 ^C</code>

As a final demonstration, a complete SMTP exchange can be performed using the following script:

 <code>$ cat awkmail #!/bin/gawk -f BEGIN { smtp="/inet/tcp/0/localhost/2525"; ORS="\r\n"; r=ARGV[1]; s=ARGV[2]; sbj=ARGV[3]; # /bin/awkmail to from subj 0) print |& smtp print "." |& smtp; smtp |& getline j; print j print "quit" |& smtp; smtp |& getline j; print j close(smtp) } # /inet/protocol/local-port/remote-host/remote-port</code>

We can use this script to send our own mail to a remote recipient that the target SMTP server can access:

 <code>$ ./awkmail jatanasoff@victimandum.com aturning@localhost awkmail Queued mail for delivery</code>

In highly controlled environments, the presence of these functions is not optimal.

Server Restrictions

It is understandable that SFTP administrators do not want to allow their users to make arbitrary TCP connections with the help of the server, which can put sensitive networks at risk. Limiting this activity is a cautious security setting.

A common restrictive configuration is to add untrusted SFTP users to a group and then constrain the activity of this group in sshd_config:

 <code>Match Group sftponly ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no</code>

This recommended configuration is usually sufficient to prevent all forwarding attempts.

It is recommended to add DisableForwarding yes:

 <code>$ man sshd_config | sed -n /DisableForwarding/,/configurations/p DisableForwarding Disables all forwarding features, including X11, ssh-agent(1), TCP and StreamLocal. This option overrides all other forwarding- related options and may simplify restricted configurations.</code>

This is left to the administrator for practice.

in conclusion

Too strict SFTP client settings can lead to some degree of server management blindness. SFTP client restrictions are easily circumvented through a variety of methods.

For SFTP server administrators, it is important to know where they are restricted and where they are restricted, and do not rely on clients to protect the server from arbitrary TCP control. The client is controlled by the user, and if the configuration is wrong, it is difficult to implement TCP commands to the server. Any test should be done without extensive forwarding in user ssh_config, pay attention to the warnings in the document.

While this feature may have a conceivable legal purpose, abuse will be rare.

These issues are not new, as variants of site exec have been present in plaintext FTP for decades. SFTP is not a simple alternative to plaintext file transfer, it also has many easy-to-use features.

Hopefully administrators can use these methods to verify the security of their servers so as not to be caught off guard.

The above is the detailed content of SFTP Port Forwarding: Enabling Suppressed Functionality. For more information, please follow other related articles on the PHP Chinese website!

Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undress AI Tool

Undress AI Tool

Undress images for free

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Clothoff.io

Clothoff.io

AI clothes remover

Video Face Swap

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Tools

Notepad++7.3.1

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Install LXC (Linux Containers) in RHEL, Rocky & AlmaLinux Install LXC (Linux Containers) in RHEL, Rocky & AlmaLinux Jul 05, 2025 am 09:25 AM

LXD is described as the next-generation container and virtual machine manager that offers an immersive for Linux systems running inside containers or as virtual machines. It provides images for an inordinate number of Linux distributions with support

Clear Linux Distro - Optimized for Performance and Security Clear Linux Distro - Optimized for Performance and Security Jul 02, 2025 am 09:49 AM

Clear Linux OS is the ideal operating system for people – ahem system admins – who want to have a minimal, secure, and reliable Linux distribution. It is optimized for the Intel architecture, which means that running Clear Linux OS on AMD sys

7 Ways to Speed Up Firefox Browser in Linux Desktop 7 Ways to Speed Up Firefox Browser in Linux Desktop Jul 04, 2025 am 09:18 AM

Firefox browser is the default browser for most modern Linux distributions such as Ubuntu, Mint, and Fedora. Initially, its performance might be impressive, however, with the passage of time, you might notice that your browser is not as fast and resp

How to Hide Files and Directories in Linux How to Hide Files and Directories in Linux Jun 26, 2025 am 09:13 AM

Do you sometimes share your Linux desktop with family, friends, or coworkers? If so, you may want to hide some personal files and folders. The challenge is figuring out how to conceal these files on a Linux system.In this guide, we will walk through

How to create a self-signed SSL certificate using OpenSSL? How to create a self-signed SSL certificate using OpenSSL? Jul 03, 2025 am 12:30 AM

The key steps for creating a self-signed SSL certificate are as follows: 1. Generate the private key, use the command opensslgenrsa-outselfsigned.key2048 to generate a 2048-bit RSA private key file, optional parameter -aes256 to achieve password protection; 2. Create a certificate request (CSR), run opensslreq-new-keyselfsigned.key-outselfsigned.csr and fill in the relevant information, especially the "CommonName" field; 3. Generate the certificate by self-signed, and use opensslx509-req-days365-inselfsigned.csr-signk

How to extract a .tar.gz or .zip file? How to extract a .tar.gz or .zip file? Jul 02, 2025 am 12:52 AM

Decompress the .zip file on Windows, you can right-click to select "Extract All", while the .tar.gz file needs to use tools such as 7-Zip or WinRAR; on macOS and Linux, the .zip file can be double-clicked or unzip commanded, and the .tar.gz file can be decompressed by tar command or double-clicked directly. The specific steps are: 1. Windows processing.zip file: right-click → "Extract All"; 2. Windows processing.tar.gz file: Install third-party tools → right-click to decompress; 3. macOS/Linux processing.zip file: double-click or run unzipfilename.zip; 4. macOS/Linux processing.tar

Where are system logs located in Linux? Where are system logs located in Linux? Jun 24, 2025 am 12:15 AM

Logs in Linux systems are usually stored in the /var/log directory, which contains a variety of key log files, such as syslog or messages (record system logs), auth.log (record authentication events), kern.log (record kernel messages), dpkg.log or yum.log (record package operations), boot.log (record startup information); log content can be viewed through cat, tail-f or journalctl commands; application logs are often located in subdirectories under /var/log, such as Apache's apache2 or httpd directory, MySQL log files, etc.; at the same time, it is necessary to note that log permissions usually require s

How to Burn CD/DVD in Linux Using Brasero How to Burn CD/DVD in Linux Using Brasero Jul 05, 2025 am 09:26 AM

Frankly speaking, I cannot recall the last time I used a PC with a CD/DVD drive. This is thanks to the ever-evolving tech industry which has seen optical disks replaced by USB drives and other smaller and compact storage media that offer more storage

See all articles