User id for the forwarder ports

Darren Tucker dtucker at zip.com.au
Sun Jan 3 13:18:43 AEDT 2016


On Sun, Jan 3, 2016 at 11:03 AM, Esben Nielsen <nielsen.esben at gmail.com> wrote:
> Can a TCP server (running on the same host as the OpenSSH server) know
> the user id/name of a user forwarding a TCP port?
>
> I.e. if someone on some client machine does
>   ssh -L9999:localhost:9999 someuser at somehost
>   nc localhost 9999
> and a service accepts the connection on port localhost:9999 on
> somehost, can it somehow safely read out the user name "someuser"?

If sshd is running with PrivilegeSeparation (which it does by default)
then the sshd for that connection will be running as "someuser".  On
Linux, your application can figure out what that user is by calling
getsockopt with SO_PEERCRED on the socket (there's example code in
https://anongit.mindrot.org/openssh.git/tree/openbsd-compat/bsd-getpeereid.c)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
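The check Darren describes, as an added example that is not part of this thread and not code from the OpenSSH repository (the bsd-getpeereid.c he links is OpenSSH's portability wrapper around the same call). It assumes Linux: SO_PEERCRED is Linux-specific and only carries a credential for AF_UNIX sockets, so the helper first reads SO_DOMAIN and refuses anything else rather than returning a meaningless answer. A plain `ssh -L 9999:localhost:9999` delivers the forwarded connection over TCP, where no peer credential exists; the check applies when the forward target is a Unix domain socket path (which `ssh -L` has supported since OpenSSH 6.7). The socketpair and the unconnected TCP socket are constructed in-process purely so the example runs offline.

```c
#define _GNU_SOURCE          /* struct ucred, SO_PEERCRED, SO_DOMAIN (glibc) */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Credentials of the process on the far end of an AF_UNIX stream socket,
 * as recorded by the kernel at connect()/socketpair() time. */
struct peer_id {
    pid_t pid;
    uid_t uid;
    gid_t gid;
};

/* Fill *out with the peer's credentials for fd.
 * Returns 0 on success, -1 with errno set on failure.
 * Non-AF_UNIX sockets are rejected with EOPNOTSUPP: a TCP peer has no
 * kernel-attested credential, so trusting SO_PEERCRED there would be a bug. */
int peer_credentials(int fd, struct peer_id *out)
{
    int domain = 0;
    socklen_t len = sizeof(domain);
    if (getsockopt(fd, SOL_SOCKET, SO_DOMAIN, &domain, &len) < 0)
        return -1;
    if (domain != AF_UNIX) {
        errno = EOPNOTSUPP;
        return -1;
    }

    struct ucred cred;
    len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;

    out->pid = cred.pid;
    out->uid = cred.uid;
    out->gid = cred.gid;
    return 0;
}

/* Demo helper (hypothetical): connect a socketpair inside this process and
 * read the peer uid from one end. Both ends belong to us, so the result
 * must equal getuid(). Returns the uid, or -1 on error. */
int demo_peer_uid(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    struct peer_id id;
    int rc = peer_credentials(sv[0], &id);
    close(sv[0]);
    close(sv[1]);
    return rc < 0 ? -1 : (int)id.uid;
}

/* Demo helper (hypothetical): an AF_INET socket must be refused.
 * Returns 1 if it was refused with EOPNOTSUPP, 0 otherwise, -1 on error. */
int demo_tcp_rejected(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct peer_id id;
    int rc = peer_credentials(fd, &id);
    int err = errno;
    close(fd);
    return (rc < 0 && err == EOPNOTSUPP) ? 1 : 0;
}

int main(void)
{
    int uid = demo_peer_uid();
    if (uid < 0) {
        perror("peer_credentials");
        return 1;
    }
    struct passwd *pw = getpwuid((uid_t)uid);
    printf("peer uid %d (%s), tcp rejected: %d\n",
           uid, pw ? pw->pw_name : "?", demo_tcp_rejected());
    return 0;
}
```

In a real service the fd passed to `peer_credentials()` is the one returned by `accept()` on the listening Unix socket; the uid it yields is what the kernel recorded for the connecting process, so under privilege separation that is the sshd child running as the forwarding user, not anything the client chose to send.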

