User id for the forwarder ports

Esben Nielsen nielsen.esben at gmail.com
Mon Jan 4 19:50:33 AEDT 2016


I propose making options in sshd_config to set up a mapping for each port:
if the user tries to forward localhost:4000, you can specify in sshd_config
that it is instead a UNIX socket connection to, say, /var/sshforward/4000.sock.

Now the service can listen on /var/sshforward/4000.sock and use SO_PEERCRED
(which is not working on local TCP sockets on my system at least).

Esben

On Monday, 4 January 2016, Damien Miller <djm at mindrot.org> wrote:

> On Sun, 3 Jan 2016, Esben Nielsen wrote:
>
> > Hi,
> >
> > Question:
> >
> > Can a TCP server (running on the same host as the OpenSSH server) know
> > the user id/name of a user forwarding a TCP port?
>
> No; there are a number of impediments to implementing it.
>
> The SSH protocol doesn't support sending this information. It could
> conceivably be added as an extension though. We'd need to be careful
> in designing this - many users would be surprised if ssh started "leaking"
> user identifiers across forwarding channels.
>
> If the lack of protocol support was solved, another problem would be
> how the information is relayed to the next application. I'm not aware of
> a kernel mechanism to allow an application to fake a user identity
> across a local socket.
>
> Next problem: if one existed, it would almost certainly require root
> privileges and sshd takes great care to get rid of root privileges
> wherever possible. They certainly aren't used for port forwarding.
>
> TLDR: doing this is hard (I haven't even gone into user/uid mapping
> problems) and not likely to happen soon, sorry.
>
> -d
>
>
>

-- 
Sent from Gmail Mobile
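The mechanism Esben proposes relies on SO_PEERCRED, which the kernel only fills in for AF_UNIX sockets. The following is an added example (editor's code, not from this thread or from OpenSSH) that shows the check a local service would run on an accepted connection: it trusts SO_PEERCRED only after confirming via SO_DOMAIN that the socket is AF_UNIX, and it contrasts an AF_UNIX socketpair (credentials present) with a TCP connection over 127.0.0.1 (no credentials; on Linux the getsockopt call succeeds but returns pid 0 and uid/gid -1). It is Linux-specific and creates its own sockets in-process instead of a real sshd forward, so the /var/sshforward/*.sock path and any sshd_config option from the proposal are not used here.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* struct ucred */
#endif
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* Fetch the peer's credentials, but only trust them on an AF_UNIX socket.
 * Returns 0 and fills *out on success, -1 otherwise (errno is set). */
int get_peer_creds(int fd, struct ucred *out)
{
    int domain = 0;
    socklen_t len = sizeof(domain);

    if (getsockopt(fd, SOL_SOCKET, SO_DOMAIN, &domain, &len) == -1)
        return -1;
    if (domain != AF_UNIX) {
        /* On Linux SO_PEERCRED "succeeds" on a TCP socket but yields
         * pid 0 and uid/gid -1, so refuse to look at it at all. */
        errno = EOPNOTSUPP;
        return -1;
    }
    len = sizeof(*out);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len) == -1)
        return -1;
    if (out->pid == 0 || out->uid == (uid_t)-1) {
        errno = ENOENT;      /* kernel recorded no peer identity */
        return -1;
    }
    return 0;
}

/* AF_UNIX socketpair inside this process: the kernel records the creating
 * process's uid/gid/pid on both ends, so the "server" end sees our own uid.
 * Returns that uid, or (uid_t)-1 on failure. */
uid_t demo_unix_peer_uid(void)
{
    int sv[2];
    struct ucred cr;
    uid_t result = (uid_t)-1;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return result;
    if (get_peer_creds(sv[0], &cr) == 0)
        result = cr.uid;
    close(sv[0]);
    close(sv[1]);
    return result;
}

/* Same check over a TCP connection on 127.0.0.1, which is what a forwarded
 * port looks like to the service. Returns 1 if no usable credentials were
 * available, 0 if the kernel did supply some, -1 if loopback setup failed. */
int demo_tcp_loopback_has_creds(void)
{
    int lfd = -1, cfd = -1, afd = -1, rc = -1;
    struct sockaddr_in addr;
    socklen_t alen = sizeof(addr);
    struct ucred cr;

    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
        goto out;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                       /* kernel picks a free port */
    if (bind(lfd, (struct sockaddr *)&addr, sizeof(addr)) == -1 ||
        listen(lfd, 1) == -1 ||
        getsockname(lfd, (struct sockaddr *)&addr, &alen) == -1)
        goto out;
    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
        goto out;
    if (connect(cfd, (struct sockaddr *)&addr, sizeof(addr)) == -1)
        goto out;
    if ((afd = accept(lfd, NULL, NULL)) == -1)
        goto out;

    rc = (get_peer_creds(afd, &cr) == 0) ? 0 : 1;
out:
    if (afd != -1) close(afd);
    if (cfd != -1) close(cfd);
    if (lfd != -1) close(lfd);
    return rc;
}

int main(void)
{
    uid_t u = demo_unix_peer_uid();
    printf("AF_UNIX peer uid: %ld (our uid is %ld)\n", (long)u, (long)getuid());
    printf("TCP loopback peer credentials usable: %s\n",
           demo_tcp_loopback_has_creds() == 0 ? "yes" : "no");
    return 0;
}
```

The SO_DOMAIN guard is the important part for a service that might be reached both ways: a TCP connection arriving through an SSH forward carries no kernel-level identity, and a server that reads SO_PEERCRED unconditionally would see uid -1 rather than an error.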