Using opkssh behind a foreward proxy.

[NeilDavisNPS]

Hello.

opkssh: 0.8.0
Linux: Oracle Linux 9

I have a working installation of opkssh using a non public entraID authenticator. All good.
I have then deployed to a single server that sits behind a forward proxy, and whilst I have set /etc/opk/config.yml as per the doc/config.md, I seem unable to see traffic hitting the forward proxy initiated on behalf of opkssh.

I set the config.yml to use http://localhost:3128
I created a reverse tunnel -R3128:localhost:3128 to local container running nginx as a forward proxy. When I tail the container logs, I see nothing. I know this works as when I explicitly set "https_proxy=http://localhost:3128 curl -v https://www.bbc.co.uk" I see a response.

Is there some setting I have missed to make opkssh use a forward proxy when attempting to verify the certificate?

Thanks

[NeilDavisNPS]

Hello.

opkssh: 0.8.0 Linux: Oracle Linux 9

I have a working installation of opkssh using a non public entraID authenticator. All good. I have then deployed to a single server that sits behind a forward proxy, and whilst I have set /etc/opk/config.yml as per the doc/config.md, I seem unable to see traffic hitting the forward proxy initiated on behalf of opkssh.

I set the config.yml to use http://localhost:3128 I created a reverse tunnel -R3128:localhost:3128 to local container running nginx as a forward proxy. When I tail the container logs, I see nothing. I know this works as when I explicitly set "https_proxy=http://localhost:3128 curl -v https://www.bbc.co.uk" I see a response.

Is there some setting I have missed to make opkssh use a forward proxy when attempting to verify the certificate?

Thanks

Updated.

On a new server, provisioned in OCI by myself, tunnelling the proxy via a reverse tunnel works fine.

Running on a company server with a proliferation of various http(s)_proxy settings, it does not. Something is interfering , but as yet, I have not been able to figure that out.

[NeilDavisNPS]

This has been solved. The simple answer is to check selinux and specifically the audit log.
Running ausearch -m avc -ts recent when it failed reveals the following entry:

time->Mon Aug 25 15:57:57 2025
type=PROCTITLE msg=audit(1756137477.082:1788): proctitle=2F7573722F6C6F63616C2F62696E2F6F706B73736800766572696679006F706300414141414B47566A5A484E684C584E6F59544974626D6C7A644841794E54597459325679644331324D4446416233426C626E4E7A6143356A6232304141414167576C496E47744B714832374A6645764C35344A69336558474F643757584733
type=SYSCALL msg=audit(1756137477.082:1788): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=c0000ca72c a2=10 a3=0 items=0 ppid=14525 pid=14539 auid=4294967295 uid=983 gid=985 euid=983 suid=983 fsuid=983 egid=985 sgid=985 fsgid=985 tty=(none) ses=4294967295 comm="opkssh" exe="/usr/local/bin/opkssh" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1756137477.082:1788): avc:  denied  { name_connect } for  pid=14539 comm="opkssh" dest=3128 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket permissive=0

A quick test by setting selinux to permissive mode allowed the plugin to verify the user via the forward proxy.

The following will provide a more permanent solution.

# Create a file called opkssh_connect_squid.te
cat << 'EOF' > opkssh_connect_squid.te
module opkssh_connect_squid 1.0;

require {
    type sshd_t;
    type squid_port_t;
    class tcp_socket name_connect;
}

# Allow opkssh (running in sshd_t) to connect to squid_port_t
allow sshd_t squid_port_t:tcp_socket name_connect;
EOF
-------------------------------------------------------------------------------------------------------------------------------------------------------
# Compile the module
checkmodule -M -m -o opkssh_connect_squid.mod opkssh_connect_squid.te

# Package it as a SELinux module
semodule_package -o opkssh_connect_squid.pp -m opkssh_connect_squid.mod

# Install the module
semodule -i opkssh_connect_squid.pp

-----------------------------------------------------------------------------------------------------------------------------------------------------
Or, all at once....

# Generate a policy module from the audit log
ausearch -m avc -ts today | audit2allow -M opkssh_connect_squid

[SweBarre]

Hi @NeilDavisNPS

I've created a draft PR to make a more permanent solution for this use case, it's discussed here #328 and the PR is here #332
It would be great if you could test that on your solution to see if it works.
Get the SELinux Type Enforcement

curl -Lo /tmp/opkssh.te https://raw.githubusercontent.com/SweBarre/opkssh/refs/heads/dynamic_selinux_module/opkssh.te

remove old installed opkssh SELinux modules

for mod in "$(semodule -l | grep opkssh)"; do semodule -r "$mod"; done

Compile SELinux module

checkmodule -M -m -o /tmp/opkssh.mod /tmp/opkssh.te

Compile SELinux module

semodule_package -o /tmp/opkssh.pp -m /tmp/opkssh.mod

Install the SELinux module

semodule -i /tmp/opkssh.pp

list options available for the opkssh SELinux module

getsebool -a | grep opkssh
opkssh_enable_home --> off
opkssh_enable_proxy --> off
opkssh_enable_squid --> off

Enable the squid rule (also enable the home policy if you are using that)

setsebool -P opkssh_enable_squid on

And test if that works.
Would really appreciate it

[NeilDavisNPS]

Hello Jonas, I have followed your instructions, and I am still able to authenticate via the forward proxy when using opkssh; your changes work in this environment. I hope you do not mind the email response rather then directly via github. Here is the complete output, together with the one warning message. # curl -Lo /tmp/opkssh.te https://raw.githubusercontent.com/SweBarre/opkssh/refs/heads/dynamic_selinux_module/opkssh.te % Total % Received % Xferd Average Speed Time Time Time Current ⦙ ⦙ ⦙ ⦙Dload Upload Total Spent Left Speed 100 1007 100 1007 0 0 4397 0 --:--:-- --:--:-- --:--:-- 4416 # for mod in "$(semodule -l | grep opkssh)"; do semodule -r "$mod"; done libsemanage.semanage_module_key_set_name: Name is invalid. semodule: Failed on ! # semodule -l | grep opkssh # checkmodule -M -m -o /tmp/opkssh.mod /tmp/opkssh.te # semodule_package -o /tmp/opkssh.pp -m /tmp/opkssh.mod # semodule -i /tmp/opkssh.pp # getsebool -a | grep opkssh opkssh_enable_home --> off opkssh_enable_proxy --> off opkssh_enable_squid --> off # setsebool -P opkssh_enable_squid on # getsebool -a | grep opkssh opkssh_enable_home --> off opkssh_enable_proxy --> off opkssh_enable_squid --> on Regards Neil Davis NEC Software Solutions Please consider the environment before printing this email [cid:15528965-5f28-4e5a-a0ef-19c7c7e901c9]

…

________________________________ From: Jonas Forsberg ***@***.***> Sent: 06 September 2025 6:09 PM To: openpubkey/opkssh ***@***.***> Cc: Neil Davis ***@***.***>; Mention ***@***.***> Subject: Re: [openpubkey/opkssh] Using opkssh behind a foreward proxy. (Discussion #313) CAUTION: This email is from an external source, which means the sender is not from NECSWS. DO NOT click links or open attachments if you were not expecting the email. Only open these if you are sure the sender is genuine, and the content is safe. If you are not sure DO NOT open any links or attachments. If you think it is suspicious, click 'Report Phishing' in Outlook. Hi @NeilDavisNPS<https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fgithub.com%2fNeilDavisNPS&umid=dce91e3e-f239-415c-9b81-af712b2718fe&rct=1757178569&auth=c97f949d29e159b451e869bc0bd61c52842ec07c-279733466a1afd36b89375c0482342808541e636> I've created a draft PR to make a more permanent solution for this use case, it's discussed here #328<https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fgithub.com%2fopenpubkey%2fopkssh%2fissues%2f328&umid=dce91e3e-f239-415c-9b81-af712b2718fe&rct=1757178569&auth=c97f949d29e159b451e869bc0bd61c52842ec07c-ef0ef5a1482e0814ca57f63620b672a386eeb002> and the PR is here #332<https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fgithub.com%2fopenpubkey%2fopkssh%2fpull%2f332&umid=dce91e3e-f239-415c-9b81-af712b2718fe&rct=1757178569&auth=c97f949d29e159b451e869bc0bd61c52842ec07c-fae465a437099e085054208872763d4ecdc06f6f> It would be great if you could test that on your solution to see if it works. Get the SELinux Type Enforcement curl -Lo /tmp/opkssh.te https://raw.githubusercontent.com/SweBarre/opkssh/refs/heads/dynamic_selinux_module/opkssh.te remove old installed opkssh SELinux modules for mod in "$(semodule -l | grep opkssh)"; do semodule -r "$mod"; done Compile SELinux module checkmodule -M -m -o /tmp/opkssh.mod /tmp/opkssh.te Compile SELinux module semodule_package -o /tmp/opkssh.pp -m /tmp/opkssh.mod Install the SELinux module semodule -i /tmp/opkssh.pp list options available for the opkssh SELinux module getsebool -a | grep opkssh opkssh_enable_home --> off opkssh_enable_proxy --> off opkssh_enable_squid --> off Enable the squid rule (also enable the home policy if you are using that) setsebool -P opkssh_enable_squid on And test if that works. Would really appreciate it — Reply to this email directly, view it on GitHub<https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fgithub.com%2fopenpubkey%2fopkssh%2fdiscussions%2f313%23discussioncomment%2d14328003&umid=dce91e3e-f239-415c-9b81-af712b2718fe&rct=1757178569&auth=c97f949d29e159b451e869bc0bd61c52842ec07c-4aafcab985e3c5a9afc7b59d596fd16d9faeff00>, or unsubscribe<https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fgithub.com%2fnotifications%2funsubscribe%2dauth%2fAPZ4BEE2KTHB7WE3SYIWCNT3RMIMJAVCNFSM6AAAAACD5C322WVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTIMZSHAYDAMY&umid=dce91e3e-f239-415c-9b81-af712b2718fe&rct=1757178569&auth=c97f949d29e159b451e869bc0bd61c52842ec07c-b20538862eb30e6a698430c177dab5b4c47d196e>. You are receiving this because you were mentioned.Message ID: ***@***.***> This email is sent on behalf of NEC Software Solutions UK Limited and its associated companies (together "NEC Software Solutions") and is strictly confidential and intended solely for the addressee(s). Full details of those companies can be found at https://www.necsws.com/group-company-details/ If you are not the intended recipient of this email you must: (i) not disclose, copy or distribute its contents to any other person nor use its contents in any way or you may be acting unlawfully; (ii) contact NEC Software Solutions immediately on +44(0)1442 768445 quoting the name of the sender and the addressee then delete it from your system. NEC Software Solutions has taken reasonable precautions to ensure that no viruses are contained in this email, but does not accept any responsibility once this email has been transmitted. You should scan attachments (if any) for viruses.

[SweBarre]

Thanks

semodule: Failed on !

Don't know why that error appeared, it works on my machine (tm) :)

Again, thanks for checking that the controlling at runtime with SELinux booleans works.
Cheers,
//Jonas

[NeilDavisNPS]

Hi, It may have been an artefact of the selinux change I made, prior to your more complete module. I ran the same commands on an install where only those made by the install script had been run, and the warning was absent. And if I subsequently run the command to remove the module after following your installations steps, the warning is absent too. So I'd conclude it was something I had done. Regards Neil Davis NEC Software Solutions Please consider the environment before printing this email [cid:6438a5f5-f782-4d53-bdc5-8b38c2d53dd7]

…

________________________________ From: Jonas Forsberg ***@***.***> Sent: 08 September 2025 11:44 AM To: openpubkey/opkssh ***@***.***> Cc: Neil Davis ***@***.***>; Mention ***@***.***> Subject: Re: [openpubkey/opkssh] Using opkssh behind a foreward proxy. (Discussion #313) CAUTION: This email is from an external source, which means the sender is not from NECSWS. DO NOT click links or open attachments if you were not expecting the email. Only open these if you are sure the sender is genuine, and the content is safe. If you are not sure DO NOT open any links or attachments. If you think it is suspicious, click 'Report Phishing' in Outlook. Thanks semodule: Failed on ! Don't know why that error appeared, it works on my machine (tm) :) Again, thanks for checking that the controlling at runtime with SELinux booleans works. Cheers, //Jonas — Reply to this email directly, view it on GitHub<https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fgithub.com%2fopenpubkey%2fopkssh%2fdiscussions%2f313%23discussioncomment%2d14339001&umid=529e5709-0624-4ca2-b072-93a8a68f3733&rct=1757328287&auth=c97f949d29e159b451e869bc0bd61c52842ec07c-b045a0590a200994c7bbe60343bd7dd908a1c514>, or unsubscribe<https://cas5-0-urlprotect.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fgithub.com%2fnotifications%2funsubscribe%2dauth%2fAPZ4BEFA6KT73GD7Q4EVP233RVMZNAVCNFSM6AAAAACD5C322WVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTIMZTHEYDAMI&umid=529e5709-0624-4ca2-b072-93a8a68f3733&rct=1757328287&auth=c97f949d29e159b451e869bc0bd61c52842ec07c-37b1719005d202f5c46db59da5415294402dc1dd>. You are receiving this because you were mentioned.Message ID: ***@***.***> This email is sent on behalf of NEC Software Solutions UK Limited and its associated companies (together "NEC Software Solutions") and is strictly confidential and intended solely for the addressee(s). Full details of those companies can be found at https://www.necsws.com/group-company-details/ If you are not the intended recipient of this email you must: (i) not disclose, copy or distribute its contents to any other person nor use its contents in any way or you may be acting unlawfully; (ii) contact NEC Software Solutions immediately on +44(0)1442 768445 quoting the name of the sender and the addressee then delete it from your system. NEC Software Solutions has taken reasonable precautions to ensure that no viruses are contained in this email, but does not accept any responsibility once this email has been transmitted. You should scan attachments (if any) for viruses.