[Bug 3802] Secure IP forwarding, check connecting user
bugzilla-daemon at mindrot.org
Thu Mar 20 14:30:24 AEDT 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3802
Darren Tucker <dtucker at dtucker.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
The uid lookups are platform-specific, and would only be useful for locally
originated connections. Assuming that's tractable, the next question
is what the control surfaces would look like.
Assuming this would be a subset of "GatewayPorts no" that allows only
the same user, it could be something like this on the server side in
decreasing levels of permissiveness:
GatewayPorts yes -> clientspecified -> no -> same-user
On the client side there's also GatewayPorts, but DynamicForward and
LocalForward can individually specify listen addresses. "GatewayPorts
sameuser" could restrict them all to localhost binds only.
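To illustrate the platform-specific uid lookup the comment refers to, here is an added example that is not code from the bug report or from OpenSSH: on Linux, the owner of a locally originated TCP connection can be found by matching the peer's address and port against the local end of a socket in /proc/net/tcp, whose uid column names the owning user. The sample table, the function names and the "same-user" policy helper are all constructed for this illustration.

```python
"""Look up the uid owning a locally originated TCP connection (Linux only).

Added example, not OpenSSH code. A server that accepted a loopback
connection searches /proc/net/tcp for the peer's (address, port) as the
*local* end of a socket; the 'uid' column is the socket owner.
"""
import socket
import struct
from typing import Optional, Tuple


def _parse_addr(field: str) -> Tuple[str, int]:
    """Decode a /proc/net/tcp address field such as '0100007F:D8A2'."""
    hex_ip, hex_port = field.split(":")
    # IPv4 addresses are stored as a 32-bit host-order (little-endian on x86) word.
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def peer_uid(proc_net_tcp: str, peer_ip: str, peer_port: int) -> Optional[int]:
    """Return the uid owning the socket bound to (peer_ip, peer_port), else None.

    Only meaningful when the peer is a local process: a remote peer has no
    entry in this table, which is why the check cannot be made generic.
    """
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        local_ip, local_port = _parse_addr(fields[1])
        if (local_ip, local_port) == (peer_ip, peer_port):
            return int(fields[7])  # 8th whitespace-separated column is the uid
    return None


def same_user(proc_net_tcp: str, peer_ip: str, peer_port: int, session_uid: int) -> bool:
    """Hypothetical 'same-user' policy: allow only a connecting process with the session's uid."""
    uid = peer_uid(proc_net_tcp, peer_ip, peer_port)
    return uid is not None and uid == session_uid


# Constructed sample table (not captured from a real host): two loopback sockets,
# one owned by uid 1000 and one by root, both connected to 127.0.0.1:8080.
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:D8A2 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 20 4 30 10 -1
   1: 0100007F:D8A3 0100007F:1F90 01 00000000:00000000 00:00000000 00000000     0        0 123457 1 0000000000000000 20 4 30 10 -1
"""
```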