On Sun, Jan 3, 2016 at 11:03 AM, Esben Nielsen <nielsen.esben@xxxxxxxxx> wrote:
> Can a TCP server (running on the same host as the OpenSSH server) know
> the user id/name of a user forwarding a TCP port?
>
> I.e. if someone on some client machine does
> ssh -L9999:localhost:9999 someuser@somehost
> nc localhost 9999
> and a service accepts the connection on port localhost:9999 on
> somehost, can it somehow safely read out the user name "someuser"?

If sshd is running with PrivilegeSeparation (which it does by default) then the sshd for that connection will be running as "someuser".

On Linux, your application can figure out what that user is by calling getsockopt with SO_PEERCRED on the socket (there's example code in https://anongit.mindrot.org/openssh.git/tree/openbsd-compat/bsd-getpeereid.c)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev