For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Shaheryar's avatar
Shaheryar
Icon for Nimbostratus rankNimbostratus
Aug 07, 2018

iRule to pass original client IP in SSH proxy

We have planned to perform SSH load balancing on our F5 ADC. In our scenario it is mandatory for us to perform SNAT and hence original IP cannot be recorded on the servers. We need an iRule to forwar...
application delivery
BIG-IP
iRules
Niels_van_Sluis's avatar
Niels_van_Sluis
Icon for MVP rankMVP
Aug 07, 2018

The solutions provided in the other post don't seem to work. I've tried to change the client identification string by using the iRule below, but it will prevent the client from connecting. The following error shows:

ssh_dispatch_run_fatal: Connection to 10.23.98.218: incorrect signature

It seems the client identification string is used during the key exchange, to prevent MITM attacks.

when CLIENT_ACCEPTED {
    TCP::collect
}

when CLIENT_DATA {
    set payload [TCP::payload]
    
    if { [scan [TCP::payload] {%[^-]-%[^-]-%s} protocol protocolVersion softwareVersion ] == 3 } {
       log local0. "DEBUG: protocol = $protocol"
       log local0. "DEBUG: protocolVersion = $protocolVersion"
       log local0. "DEBUG: softwareVersion = $softwareVersion"
       
       set clientIP [IP::client_addr]
       
        use format: SSH-2.0-softwareversion SP comments CR LF
       set newPayload "$protocol-$protocolVersion-$softwareVersion $clientIP\r\n"
       
       TCP::payload replace 0 [TCP::payload length] $newPayload
    }
    
    TCP::release
}

I think it's impossible to forward the originating client IP-address when using SNAT.