User id for the forwarder ports
Damien Miller
djm at mindrot.org
Mon Jan 4 18:36:43 AEDT 2016
On Sun, 3 Jan 2016, Esben Nielsen wrote:
> Hi,
>
> Question:
>
> Can a TCP server (running on the same host as the OpenSSH server) know
> the user id/name of a user forwarding an TCP port ?
No; there are a number of impediments to implementing it.
The SSH protocol doesn't support sending this information. It could
conceivably be added as an extension though. We'd need to be careful
in designing this - many users would be surprised if ssh started "leaking"
user identifiers across forwarding channels.
If the lack of protocol support was solved, another problem would be
how the information is relayed to the next application. I'm not aware of
a kernel mechanism to allow an application to fake a user identity
across a local socket.
Next problem: if one existed, it would almost certainly require root
privileges and sshd takes great care to get rid off root privileges
wherever possible. They certainly aren't used for port forwarding.
TLDR: doing this is hard (I haven't even gone into user/uid mapping
problems) and not likely to happen soon, sorry.
-d
More information about the openssh-unix-dev
mailing list