Unfortunately, SO_PEERCRED only works on UNIX domain sockets. For local TCP connections the UID is returned as -1.

A solution could be to make a mapping option in sshd_config along with OpenPermit, such that forwarding to, say, localhost:4000 can be remapped to the UNIX socket /var/forwards/4000.

Esben

On Sunday, 3 January 2016, Darren Tucker <dtucker@xxxxxxxxxx> wrote:

> On Sun, Jan 3, 2016 at 11:03 AM, Esben Nielsen <nielsen.esben@xxxxxxxxx> wrote:
> > Can a TCP server (running on the same host as the OpenSSH server) know
> > the user id/name of a user forwarding a TCP port?
> >
> > I.e. if someone on some client machine does
> >   ssh -L9999:localhost:9999 someuser@somehost
> >   nc localhost 9999
> > and a service accepts the connection on port localhost:9999 on
> > somehost, can it somehow safely read out the user name "someuser"?
>
> If sshd is running with PrivilegeSeparation (which it does by default)
> then the sshd for that connection will be running as "someuser". On
> Linux, your application can figure out what that user is by calling
> getsockopt with SO_PEERCRED on the socket (there's example code in
> https://anongit.mindrot.org/openssh.git/tree/openbsd-compat/bsd-getpeereid.c
> )
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

--
Sent from Gmail Mobile
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
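The two observations in this thread (getsockopt(SO_PEERCRED) identifies the peer on an AF_UNIX socket; on a loopback TCP connection the same call succeeds but reports uid -1) can be checked with a small Linux program. The code below is an added example written for this page, not code from OpenSSH or from either poster; it uses a socketpair(2) as a stand-in for a client connecting to a listening UNIX socket, and a connect/accept pair on 127.0.0.1 as the TCP case. peer_is_uid() is the check a local service would apply before trusting the peer: it treats an unmapped uid of (uid_t)-1 as "no credentials", so a TCP peer is never mistaken for an authenticated user.

```c
#define _GNU_SOURCE            /* struct ucred in <sys/socket.h> on glibc */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Ask the kernel for the peer's credentials. On Linux this is meaningful
 * for AF_UNIX sockets only; for a TCP socket the call still returns 0 but
 * the kernel fills pid 0 and uid/gid (uid_t)-1 because no credentials are
 * attached to the socket. Returns 0 on success, -1 on getsockopt failure. */
int peer_creds(int fd, struct ucred *out)
{
    socklen_t len = sizeof(*out);
    memset(out, 0, sizeof(*out));
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len) == -1)
        return -1;
    return 0;
}

/* The authorization check a local service should make: 1 only when the
 * peer carries real credentials AND its uid is `expected`; 0 otherwise. */
int peer_is_uid(int fd, uid_t expected)
{
    struct ucred uc;
    if (peer_creds(fd, &uc) != 0)
        return 0;
    if (uc.uid == (uid_t)-1)   /* unmapped: e.g. a TCP peer, not a UNIX one */
        return 0;
    return uc.uid == expected;
}

/* AF_UNIX case. A socketpair stands in for a UNIX-socket client; both ends
 * are stamped with the creating process's uid. Returns 0 and sets *out. */
int unix_peer_uid(uid_t *out)
{
    int sv[2];
    struct ucred uc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    int rc = peer_creds(sv[0], &uc);
    close(sv[0]);
    close(sv[1]);
    if (rc != 0)
        return -1;
    *out = uc.uid;
    return 0;
}

/* Same as above but exercising peer_is_uid() on the socketpair. */
int unix_socketpair_check(uid_t expected)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return 0;
    int ok = peer_is_uid(sv[0], expected);
    close(sv[0]);
    close(sv[1]);
    return ok;
}

/* TCP case: connect to our own loopback listener and query the accepted
 * socket. Returns 0 and sets *out ((uid_t)-1 on Linux); -1 if loopback
 * setup itself failed, e.g. in a sandbox without networking. */
int tcp_peer_uid(uid_t *out)
{
    int lfd = -1, cfd = -1, afd = -1, rc = -1;
    struct sockaddr_in sa;
    socklen_t salen = sizeof(sa);
    struct ucred uc;

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                         /* kernel picks a free port */

    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) goto out;
    if (bind(lfd, (struct sockaddr *)&sa, sizeof(sa)) == -1) goto out;
    if (getsockname(lfd, (struct sockaddr *)&sa, &salen) == -1) goto out;
    if (listen(lfd, 1) == -1) goto out;
    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) goto out;
    if (connect(cfd, (struct sockaddr *)&sa, sizeof(sa)) == -1) goto out;
    if ((afd = accept(lfd, NULL, NULL)) == -1) goto out;
    if (peer_creds(afd, &uc) != 0) goto out;
    *out = uc.uid;
    rc = 0;
out:
    if (afd != -1) close(afd);
    if (cfd != -1) close(cfd);
    if (lfd != -1) close(lfd);
    return rc;
}

int main(void)
{
    uid_t u;
    if (unix_peer_uid(&u) == 0)
        printf("AF_UNIX peer uid: %u (our uid: %u)\n", (unsigned)u, (unsigned)getuid());
    if (tcp_peer_uid(&u) == 0)
        printf("loopback TCP peer uid: %d\n", (int)u);
    return 0;
}
```

In the forwarding scenario from the thread, the listening side of a real service would be a UNIX socket (for example the /var/forwards/4000 path Esben proposes) and the accepted fd, not a socketpair, is what peer_is_uid() would be called on; the resulting uid is that of the per-connection sshd running as "someuser". The loopback TCP result is the -1 Esben observed, which is why the check above refuses it rather than comparing it to anything.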