[Bug 3802] Secure IP forwarding, check connecting user

bugzilla-daemon Wed, 19 Mar 2025 20:31:27 -0700

https://bugzilla.mindrot.org/show_bug.cgi?id=3802


Darren Tucker <dtuc...@dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtuc...@dtucker.net

--- Comment #1 from Darren Tucker <dtuc...@dtucker.net> ---
The uid lookups are platform-specific, and only be useful for locally
originated connections.  Assuming that's tractable, the next question
is what the control surfaces would look like?

Assuming this would be a subset of "GatewayPorts no" that allows only
the same user, it could be something like this on the server side in
decreasing levels of permissiveness:

   GatewayPorts yes -> clientspecified -> no -> same-user

On the client side there's also GatewayPorts, but DynamicForward and
LocalForward can individually specify listen addresses.  "GatewayPorts
sameuser" could restrict them all to localhost binds only.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 3802] Secure IP forwarding, check connecting user

Reply via email to