User id for the forwarder ports

Esben Nielsen nielsen.esben at gmail.com
Mon Jan 4 17:26:22 AEDT 2016


Unfortunately, SO_PEERCRED only works on UNIX domain sockets. For local TCP
connections the UID is returned as -1.

A solution could be to make a mapping option in sshd_config along with
OpenPermit, such that forwarding to, say, localhost:4000 can be remapped to the
UNIX socket /var/forwards/4000.

Esben

On Sunday, 3 January 2016, Darren Tucker <dtucker at zip.com.au> wrote:

> On Sun, Jan 3, 2016 at 11:03 AM, Esben Nielsen <nielsen.esben at gmail.com> wrote:
> > Can a TCP server (running on the same host as the OpenSSH server) know
> > the user id/name of a user forwarding a TCP port ?
> >
> > I.e. if someone on some client machine does
> >   ssh -L9999:localhost:9999 someuser at somehost
> >   nc localhost 9999
> > and a service accepts the connection on port localhost:9999 on
> > somehost, can it somehow safely read out the user name "someuser"?
>
> If sshd is running with PrivilegeSeparation (which it does by default)
> then the sshd for that connection will be running as "someuser".  On
> Linux, your application can figure out what that user is by calling
> getsockopt with SO_PEERCRED on the socket (there's example code in
> https://anongit.mindrot.org/openssh.git/tree/openbsd-compat/bsd-getpeereid.c )
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>


-- 
Sent from Gmail Mobile

