Re: User id for the forwarder ports


I propose adding options to sshd_config to set up a mapping for each port:
if the user tries to forward localhost:4000, you can specify in sshd_config
that it is instead a UNIX socket connection to, say, /var/sshforward/4000.sock.

Now the service can listen on /var/sshforward/4000.sock and use SO_PEERCRED
(which is not working on local TCP sockets on my system, at least).

Esben

On Monday, 4 January 2016, Damien Miller <djm@xxxxxxxxxxx> wrote:

> On Sun, 3 Jan 2016, Esben Nielsen wrote:
>
> > Hi,
> >
> > Question:
> >
> > Can a TCP server (running on the same host as the OpenSSH server) know
> > the user id/name of a user forwarding a TCP port?
>
> No; there are a number of impediments to implementing it.
>
> The SSH protocol doesn't support sending this information. It could
> conceivably be added as an extension though. We'd need to be careful
> in designing this - many users would be surprised if ssh started "leaking"
> user identifiers across forwarding channels.
>
> If the lack of protocol support was solved, another problem would be
> how the information is relayed to the next application. I'm not aware of
> a kernel mechanism to allow an application to fake a user identity
> across a local socket.
>
> Next problem: if one existed, it would almost certainly require root
> privileges, and sshd takes great care to get rid of root privileges
> wherever possible. They certainly aren't used for port forwarding.
>
> TLDR: doing this is hard (I haven't even gone into user/uid mapping
> problems) and not likely to happen soon, sorry.
>
> -d
>
>
>

-- 
Sent from Gmail Mobile
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
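The receiving side of the mapping Esben proposes, as an added example that is not code from the thread or from OpenSSH: a local service listens on a UNIX stream socket and, for every accepted connection, asks the kernel who is on the other end with SO_PEERCRED (Linux-specific; the returned struct ucred carries pid, uid and gid of the connecting process, which the peer cannot forge). The socket path /tmp/sshforward-4000.sock and the one-entry allow-list are assumptions for the demonstration; demo_peer_uid() uses a socketpair so the credential lookup can be exercised offline without a second process.

```c
/* Added example, not from the thread or OpenSSH: identify local clients of a
 * UNIX-domain socket with SO_PEERCRED (Linux). Build: cc -o peercred peercred.c */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Fill *cred with pid/uid/gid of the process at the other end of fd.
 * Returns 0 on success, -1 with errno set on failure. */
int peer_creds(int fd, struct ucred *cred)
{
    socklen_t len = sizeof(*cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, cred, &len) < 0)
        return -1;
    if (len != sizeof(*cred)) { errno = EINVAL; return -1; }
    return 0;
}

/* Create a listening UNIX stream socket at path, replacing a stale one. */
int listen_unix(const char *path)
{
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof(sa.sun_path)) { close(fd); errno = ENAMETOOLONG; return -1; }
    strcpy(sa.sun_path, path);
    unlink(path);
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 16) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return fd;
}

/* Policy hook: is uid in the allow-list? (The list itself is constructed.) */
int uid_allowed(uid_t uid, const uid_t *allow, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (allow[i] == uid) return 1;
    return 0;
}

/* Offline self-check: a socketpair has the same SO_PEERCRED semantics as an
 * accept()ed connection, so the uid seen must be our own. Returns -1 on error. */
long demo_peer_uid(void)
{
    int sv[2];
    struct ucred cred;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int rc = peer_creds(sv[0], &cred);
    close(sv[0]); close(sv[1]);
    return rc == 0 ? (long)cred.uid : -1;
}

int main(int argc, char **argv)
{
    /* Assumed path; the thread's example was /var/sshforward/4000.sock. */
    const char *path = argc > 1 ? argv[1] : "/tmp/sshforward-4000.sock";
    uid_t allow[] = { getuid() };       /* constructed allow-list: only ourselves */
    int lfd = listen_unix(path);
    if (lfd < 0) { perror("listen_unix"); return 1; }
    printf("listening on %s (try: socat - UNIX-CONNECT:%s)\n", path, path);
    for (;;) {
        int cfd = accept(lfd, NULL, NULL);
        if (cfd < 0) { if (errno == EINTR) continue; perror("accept"); break; }
        struct ucred cred;
        if (peer_creds(cfd, &cred) == 0) {
            const char *verdict = uid_allowed(cred.uid, allow, 1) ? "allowed" : "denied";
            printf("peer pid=%ld uid=%ld gid=%ld: %s\n",
                   (long)cred.pid, (long)cred.uid, (long)cred.gid, verdict);
            dprintf(cfd, "you are uid %ld (%s)\n", (long)cred.uid, verdict);
        } else {
            perror("SO_PEERCRED");
        }
        close(cfd);
    }
    unlink(path);
    return 0;
}
```

The credentials reported are those of the process that called connect(), so with this scheme the service learns the identity of whatever process sshd uses to open the forwarded connection, not something sshd asserts in-band; that is what makes it attractive compared with extending the SSH protocol, and also why the answer depends on which uid sshd's forwarding code actually runs under on a given server.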