I propose making options in sshd_config to set up a mapping for each port: if the user tries to forward localhost:4000 you can specify in sshd_config that it is a UNIX socket connect to, say, /var/sshforward/4000.sock. Now the service can listen on /var/sshforward/4000.sock and use SO_PEERCRED (which is not working on local TCP sockets on my system at least).

Esben

On Monday, 4 January 2016, Damien Miller <djm@xxxxxxxxxxx> wrote:
> On Sun, 3 Jan 2016, Esben Nielsen wrote:
>
> > Hi,
> >
> > Question:
> >
> > Can a TCP server (running on the same host as the OpenSSH server) know
> > the user id/name of a user forwarding a TCP port?
>
> No; there are a number of impediments to implementing it.
>
> The SSH protocol doesn't support sending this information. It could
> conceivably be added as an extension though. We'd need to be careful
> in designing this - many users would be surprised if ssh started "leaking"
> user identifiers across forwarding channels.
>
> If the lack of protocol support was solved, another problem would be
> how the information is relayed to the next application. I'm not aware of
> a kernel mechanism to allow an application to fake a user identity
> across a local socket.
>
> Next problem: if one existed, it would almost certainly require root
> privileges and sshd takes great care to get rid of root privileges
> wherever possible. They certainly aren't used for port forwarding.
>
> TLDR: doing this is hard (I haven't even gone into user/uid mapping
> problems) and not likely to happen soon, sorry.
>
> -d
>

--
Sent from Gmail Mobile

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
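The following is an added illustration of the mechanism Esben's proposal relies on; it is not code from the thread or from OpenSSH. It shows what a local service can learn about its peer through SO_PEERCRED on an AF_UNIX socket, versus the same query on a loopback TCP connection. It assumes a Linux host (SO_PEERCRED and the three-int `struct ucred` layout are Linux-specific) and uses a throwaway socket path in a temporary directory as a stand-in for the hypothetical /var/sshforward/4000.sock; the client connecting from a thread in the same process plays the role of sshd's forwarding side.

```python
import os
import socket
import struct
import tempfile
import threading

# Linux `struct ucred`: pid_t pid; uid_t uid; gid_t gid; three native 32-bit ints.
UCRED_FMT = "3i"


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of `conn`.

    Linux-only. For AF_UNIX stream sockets the kernel records the peer's
    credentials at connect() time; the uid/gid are authoritative, the pid
    may be stale if the peer has since exited.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(UCRED_FMT))
    return struct.unpack(UCRED_FMT, raw)


def unix_socket_probe(allowed_uids=None):
    """Serve one connection on a temporary AF_UNIX socket (stand-in for the
    hypothetical /var/sshforward/4000.sock), connect to it from a thread,
    and return what the server side learned and decided."""
    if allowed_uids is None:
        allowed_uids = {os.getuid()}
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "4000.sock")

    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(path)
    os.chmod(path, 0o660)  # filesystem permissions gate connect() itself
    server.listen(1)

    def client():
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
            c.connect(path)
            c.recv(16)  # wait for the server's verdict

    t = threading.Thread(target=client)
    t.start()
    conn, _ = server.accept()
    pid, uid, gid = peer_credentials(conn)
    # The service's own authorization decision, keyed on the kernel-supplied uid.
    verdict = "ok" if uid in allowed_uids else "denied"
    conn.sendall(verdict.encode())
    conn.close()
    t.join()
    server.close()
    os.unlink(path)
    os.rmdir(tmpdir)
    return {
        "pid": pid, "uid": uid, "gid": gid, "verdict": verdict,
        # True when the kernel reported the connecting process correctly.
        "matches_self": uid == os.getuid() and gid == os.getgid() and pid == os.getpid(),
    }


def tcp_loopback_probe():
    """Same query over a 127.0.0.1 TCP connection. A TCP socket carries no
    peer credentials: on Linux the kernel reports pid 0 and uid/gid -1,
    and other systems may reject the option outright."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]

    def client():
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as c:
            c.connect(("127.0.0.1", port))
            c.recv(16)

    t = threading.Thread(target=client)
    t.start()
    conn, _ = server.accept()
    try:
        creds = peer_credentials(conn)
    except OSError:
        creds = None
    conn.sendall(b"done")
    conn.close()
    t.join()
    server.close()
    return {
        "creds": creds,
        "identifies_peer": creds is not None and creds[1] == os.getuid(),
    }


if __name__ == "__main__":
    print("AF_UNIX:", unix_socket_probe())
    print("TCP loopback:", tcp_loopback_probe())
```

The point of the mapping Esben describes is that the uid in the first result is supplied by the kernel, not by anything sshd or the remote user sent, so the service needs no protocol extension and no privileged sshd to trust it. Note that the socket file's mode and its parent directory's permissions are a second, independent gate: they decide who can connect at all, while SO_PEERCRED decides what the service does with a connection it has accepted.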