I have many hosts with dynamic IP addresses that need to be able to access content on a certain local web site at different times that I determine. The times for allowed access are always different. I manage all the hosts that will connect.

When I want a host to be able to access the private web site, I will initiate an SSH tunnel from each host to an account on the web host. Now, the user would be able to access the contents of the web site through http://localhost. When that machine should no longer be able to access the web site, the tunnel will be closed.

On the private web site, I can run PHP scripts/Python/CGI/etc. I need to be able to identify the host that connected because the information that I provide will be different based on the host that connected. If I do a hostname lookup in, say, PHP, I of course get the hostname of the web server. That will happen for every client connection. I want to be able to access the client hostname. Even worse, the client will have a dynamic hostname. I don't really care about that name. I have a fixed name for each host that is in a file on the system, e.g. /etc/fixedhostname.

What information could I store when I create the SSH connection so that from PHP/CGI/Python/etc. I could query the hostname of the connected host?

UPDATE:
Just so there's less mystery to my question... The clients are student machines (run by me) in different computer labs. The web server gives test questions for in-lab tests. Different labs may be handling different tests at the same time. I want to come up with a way to figure out the "real" source host (without asking the student). I could pass it in: http://localhost?host=myhost, but then a student in a different test could see the question from another test by just changing the URL. I could encode the hostname, then decode it, but the student could still share the URL. Only hosts in test mode would be able to access the web server. Initially, I wanted to do this with OpenVPN, but I figured that creating a CA and managing all the different keys just for the sole purpose of managing access to a web site seemed like overkill, but maybe it's not. I figured SSH might be easier. I initially figured I might be able to just pass some information in that PHP might be able to access to determine the real identity of the host machine.

  • Just let the client tell you its host name and IP? You're likely running a script anyway to do the request. Collect that information and include it in the request.
    – Seth
    Commented Jun 23, 2017 at 9:26
  • I would consider modifying the way DHCP works and dynamically assigning static IPs, and assign these IPs into subnets which map to rooms. (You can then run the software without fancy hacks and limit per room.) This is good for network management generally, but, of course, can be defeated by faking a MAC address. (Using vlans/room would solve that but be cumbersome).
    – davidgo
    Commented Jun 23, 2017 at 19:42
  • Unfortunately, I don't control the DHCP server. The students get an IP from the university DHCP server. They do get a private IP, but when they communicate with the web server, NAT is used, so the web server can't see who they are.
    – Jason
    Commented Jun 25, 2017 at 17:06

3 Answers


If your students connect from Linux based machines you can use this connection script:

    #!/bin/bash
    # Reverse tunnel: port 5000 on the webserver reaches this machine's sshd.
    # The remote command (run on the webserver) logs this machine's hostname
    # through that tunnel (-p 5000) and the webserver's timestamp into hostnames.txt.
    ssh student@webserver -R 5000:localhost:22 \
        'ssh -p 5000 user@localhost hostname >> hostnames.txt; date >> hostnames.txt'
    # Main tunnel: http://localhost/ on this machine reaches the webserver's port 80
    # (binding local port 80 requires root; use a high port otherwise).
    ssh student@webserver -L 80:localhost:80

Here are two ssh commands.

The first is used to write the student machine's hostname and the timestamp of the connection into the hostnames.txt file on the webserver machine. student@webserver is the ssh address for your students to log in to your webserver via ssh, and user@localhost is the address used to log in to the student's machine from the webserver via the reverse tunnel. This reverse connection should be done using ssh keys in order to get rid of the password prompt (just use the ssh-keygen -t rsa and ssh-copy-id -p 5000 user@localhost commands from the webserver to create key-based authentication).

The second ssh command is used for building the main tunnel so that the student can connect to the webserver's port 80 using localhost:80, i.e. http://localhost/ on his local machine.

You can combine the remote commands (hostname and date) into a remote script to prevent possible alteration by students. Also, you can add some IP-related information to the hostnames.txt file using a grepped ifconfig command or the like.

In case your students connect from Windows-based machines, you can install the lightweight freeSSHd server on Windows in service mode with key-based authentication for the reverse tunnel connections.


Assuming it's OK to use https, you could create a CA and use client-side certificates, where each client has a unique certificate with properties that can be logged (e.g. common_name).

That said, I wonder if a better strategy might be to forgo SSH tunnels and use OpenVPN instead. In that way you can give each device its own (private) static IP and you can control the times of access using iptables rules. It also means you can use standard PHP directives like $_SERVER["REMOTE_ADDR"], making programming easier. You can also then stick with http (while still benefiting from encryption) and it's much easier to work with programmatically on the client side.

  • I was thinking of using OpenVPN for the project, but since it's only web traffic to one site, I thought it might be overkill. However, I essentially need to connect 100 clients to one site, and no matter what resources I give the virtual machine, it probably won't be enough. It might turn out to be the best solution. I figured it couldn't hurt to ask :) Thanks.
    – Jason
    Commented Jun 23, 2017 at 13:27
  • Based on your update, why not create 1-time codes to be mapped to tests, and hand these out at the start of class? This would identify a potential cheater if used more than once, and could be limited to 1-time use.
    – davidgo
    Commented Jun 23, 2017 at 19:45
  • This might work, but it would be more ideal if I could solve the problem without requiring any codes. :)
    – Jason
    Commented Jun 25, 2017 at 17:07
the user would be able to access the contents of the web site through http://localhost.

You could use a domain name like lvh.me (short for "local virtual host", I think) instead of localhost. Someone registered this as a global DNS mapping to 127.0.0.1 (so, no need for any hacking in the hosts file) and it supports subdomains, like http://user1.lvh.me. Or, if you don't trust the user to try other subdomains, then use some random hard-to-guess subdomain. Finally, in your server-side code, use the Host header to see who's connecting.
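As an added example (not from any answer here), this is what the server side of that Host-header approach could look like in Python, which the question lists as an option: each lab machine gets its own random lvh.me subdomain and a time window in which it is allowed to take its test, and a request is mapped back to the machine's fixed name only if the subdomain matches and the window is open. The host names, tokens and times are constructed for illustration.

```python
"""Resolve which lab machine is behind a tunnelled request from its Host header."""
import hmac
import re
import secrets
from datetime import datetime

BASE_DOMAIN = "lvh.me"  # resolves to 127.0.0.1 and accepts any subdomain
LABEL_RE = re.compile(r"^[a-z0-9]{16}$")  # the random per-host label

# Constructed registry: fixed name of each lab machine (the value of its
# /etc/fixedhostname) -> (per-host random subdomain token, test window).
# Tokens are generated once with new_token() and baked into that machine's
# tunnel/launch script so the student never types them.
HOSTS = {
    "lab1-pc07": ("9f3a1c77e2b04d58", "2017-06-23T09:00", "2017-06-23T11:00"),
    "lab2-pc12": ("4b6e0d21a9c3f7e5", "2017-06-23T13:00", "2017-06-23T15:00"),
}


def new_token() -> str:
    """Generate a fresh hard-to-guess 16-character subdomain label for a host."""
    return secrets.token_hex(8)


def identify_host(host_header: str, now: datetime):
    """Return the fixed host name for this request, or None if it is unknown.

    `now` is the server's clock; the client never supplies the time.
    """
    # Drop an optional :port, normalise case, and require <label>.BASE_DOMAIN.
    name = host_header.split(":", 1)[0].lower().rstrip(".")
    suffix = "." + BASE_DOMAIN
    if not name.endswith(suffix):
        return None
    label = name[: -len(suffix)]
    if not LABEL_RE.match(label):  # rejects nested labels like a.<token>.lvh.me
        return None
    for fixed_name, (token, open_at, close_at) in HOSTS.items():
        # compare_digest avoids an early-exit string comparison on the secret.
        if hmac.compare_digest(label, token):
            start = datetime.fromisoformat(open_at)
            end = datetime.fromisoformat(close_at)
            return fixed_name if start <= now <= end else None
    return None
```

In PHP the same lookup would key off $_SERVER["HTTP_HOST"]; the tunnel still decides who can reach the server at all, and the label only tells the application which machine it is talking to.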
