Re: User id for the forwarder ports

On Sun, 3 Jan 2016, Esben Nielsen wrote:

> Hi,
> 
> Question:
> 
> Can a TCP server (running on the same host as the OpenSSH server) know
> the user id/name of a user forwarding a TCP port?

No; there are a number of impediments to implementing it.

The SSH protocol doesn't support sending this information. It could
conceivably be added as an extension though. We'd need to be careful
in designing this - many users would be surprised if ssh started "leaking"
user identifiers across forwarding channels.

If the lack of protocol support was solved, another problem would be
how the information is relayed to the next application. I'm not aware of
a kernel mechanism to allow an application to fake a user identity
across a local socket.

Next problem: if one existed, it would almost certainly require root
privileges and sshd takes great care to get rid of root privileges
wherever possible. They certainly aren't used for port forwarding.

TLDR: doing this is hard (I haven't even gone into user/uid mapping
problems) and not likely to happen soon, sorry.

-d


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
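
Added example, not part of the original message and not OpenSSH code: on Linux, a loopback TCP accept gives a server only an address and port, while SO_PEERCRED on a Unix socket returns credentials the kernel recorded for the connecting process, and naming a different uid through SCM_CREDENTIALS is refused without privilege. The function names are hypothetical and the code assumes Linux.

```python
# Added illustration (Linux only); function names are hypothetical.
import os
import socket
import struct

UCRED = struct.Struct("3i")  # Linux struct ucred: pid, uid, gid


def tcp_peer_view():
    """What a loopback TCP server learns about its client: an (ip, port) pair."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        with socket.create_connection(srv.getsockname()) as cli:
            conn, peer = srv.accept()
            conn.close()
            # The server-side view of the peer is just the client's address.
            return peer, cli.getsockname()


def unix_peer_view():
    """Credentials the kernel recorded for the process behind a Unix socket."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with a, b:
        raw = b.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
        return UCRED.unpack(raw)  # (pid, uid, gid), not chosen by the peer


def claim_other_uid():
    """Try to send SCM_CREDENTIALS naming a uid this process does not hold.

    Returns None if the kernel accepted the claim, else the errno of the refusal.
    """
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with a, b:
        fake = UCRED.pack(os.getpid(), os.geteuid() + 1, os.getegid())
        try:
            a.sendmsg([b"x"], [(socket.SOL_SOCKET, socket.SCM_CREDENTIALS, fake)])
        except OSError as exc:
            return exc.errno
        return None


if __name__ == "__main__":
    print("TCP peer:", tcp_peer_view()[0])
    print("Unix peer (pid, uid, gid):", unix_peer_view())
    print("claiming another uid ->", claim_other_uid())
```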


