[Bug 3704] Implement an interface to capture port number of random remote port forwarding -R 0:localhost:22

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sun Jul 7 06:36:06 AEST 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3704

Nikola <root at nixsum.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |root at nixsum.net

--- Comment #1 from Nikola <root at nixsum.net> ---
As a third observer I'd like to suggest you try something else.

You can use a unix socket instead as it will be easier to track.

The below example assumes your "controller" uses pam_systemd for user
sessions.

I also assume you are using a separate user and ssh key for each IOT
client.

On the IOT client:

$ export remote_uid=$(ssh iot_user_1@controller 'id -u')
$ ssh iot_user_1@controller -R /run/user/$remote_uid/sshd.sock:localhost:22

On the controller to connect to the IOT device you can use:

# ssh -o "ProxyCommand socat - UNIX-CLIENT:/run/user/$(id -u iot_user_1)/sshd.sock" iot_user_1@iot_device_1

This way you can always correlate a user to their forwarded socket and
they can only create a unix socket with their limited permissions.
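The following is an added example, not part of the bug report or the commenter's post. It shows, in Python, the correlation and confinement check that the per-user Unix socket scheme above makes possible: a controller-side audit that a forwarded `sshd.sock` really is a socket, sits under that user's own `/run/user/<uid>` directory, and that both the socket and the directory are owned by the user and closed to everyone else. The function names (`socket_path_for`, `proxy_command`, `verify_forward_socket`, `demo`) are assumptions of this example; the simulated runtime directory in `demo` is a constructed stand-in for `/run/user`, created with `tempfile` so the code runs without an SSH session.

```python
"""Audit forwarded per-user Unix sockets of the form /run/user/<uid>/sshd.sock.

Example code added to illustrate the scheme described in the comment; the
function names and the simulated runtime directory are assumptions.
"""
import os
import pwd
import shutil
import socket
import stat
import tempfile


def uid_of(username):
    """Controller-side equivalent of `id -u <username>`."""
    return pwd.getpwnam(username).pw_uid


def socket_path_for(uid, runtime_root="/run/user", name="sshd.sock"):
    """Path the IoT client is expected to bind its -R forward to."""
    return f"{runtime_root}/{uid}/{name}"


def proxy_command(uid, runtime_root="/run/user", name="sshd.sock"):
    """ProxyCommand string for `ssh -o`, matching the comment's socat form."""
    return f"socat - UNIX-CLIENT:{socket_path_for(uid, runtime_root, name)}"


def verify_forward_socket(path, expected_uid):
    """Return a list of problems; an empty list means the socket is confined
    to the expected user exactly as the scheme intends."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["socket does not exist"]
    if not stat.S_ISSOCK(st.st_mode):
        problems.append("path is not a Unix socket")
    if st.st_uid != expected_uid:
        problems.append(f"socket owned by uid {st.st_uid}, expected {expected_uid}")
    parent = os.path.dirname(path)
    pst = os.stat(parent)
    if pst.st_uid != expected_uid:
        problems.append(f"runtime dir owned by uid {pst.st_uid}, expected {expected_uid}")
    if stat.S_IMODE(pst.st_mode) & 0o077:
        # pam_systemd creates /run/user/<uid> as 0700; anything looser lets
        # other local users reach the forwarded sshd.
        problems.append("runtime dir is accessible to group/other")
    if os.path.basename(parent) != str(expected_uid):
        problems.append("socket is not under the user's own /run/user/<uid> directory")
    return problems


def demo():
    """Simulate a runtime directory (constructed, not the real /run/user) with
    one correctly placed socket and one stray socket in a shared 0755 dir.
    Returns (problems_for_good_socket, problems_for_stray_socket)."""
    root = tempfile.mkdtemp(prefix="runuser-")
    uid = os.getuid()
    good_srv = stray_srv = None
    try:
        user_dir = os.path.join(root, str(uid))
        os.mkdir(user_dir, 0o700)
        good_path = socket_path_for(uid, runtime_root=root)
        good_srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        good_srv.bind(good_path)  # what sshd does for the -R forward
        good_srv.listen(1)

        shared_dir = os.path.join(root, "shared")
        os.mkdir(shared_dir, 0o755)
        stray_path = os.path.join(shared_dir, "sshd.sock")
        stray_srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        stray_srv.bind(stray_path)
        stray_srv.listen(1)

        return (verify_forward_socket(good_path, uid),
                verify_forward_socket(stray_path, uid))
    finally:
        for s in (good_srv, stray_srv):
            if s is not None:
                s.close()
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    good, stray = demo()
    print("confined socket problems:", good)
    print("stray socket problems:", stray)
    print("ProxyCommand:", proxy_command(os.getuid()))
```

Run on the controller with the real path (`verify_forward_socket(socket_path_for(uid_of("iot_user_1")), uid_of("iot_user_1"))`) before handing the ProxyCommand to an operator; a non-empty result means the socket cannot be trusted to belong to that IoT user.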
