Recently I’ve been looking into the OTP ssh package, and I’ve noticed there is support for port forwarding built into ssh:daemon/3. I know there is a way to implement a custom ssh shell. I’m wondering if there is a similar customization option for TCP/IP tunnelling? Has anyone maybe tried to do it and could point me to the correct place?
I know that one can set up a functioning port forwarding over ssh; that’s built in and works just fine.
What I’m looking for is a way to provide a customized behaviour, for example:
A user wants to open a tunnel from a server like ssh -R foobar:80:localhost:4444 and I’d like to capture that request and, for example, modify the host/port part from foobar:80 to foobar.my.local.net:1234.
Thanks for your response. Auditing functionality is one aspect. The idea is to build an ssh reverse tunneling reverse proxy. My servers are not accessible from the outside, so they should open a tunnel to the Erlang server forwarding their port 22 locally, which can be securely accessed by the admins via an ssh reverse proxy, so as not to be required to share private keys or have many public keys per server. For this reason the ssh reverse proxy needs to know which tunnel/local port belongs to whom.
To implement the desired behaviour, I’m redefining the module ssh_tcpip_forward_acceptor to accept opening a tunnel only under valid conditions. Is redefining modules a good approach?