bugzilla-daemon at mindrot.org
2025-Mar-20 00:12 UTC
[Bug 3802] New: Secure forwardings, check connecting user
https://bugzilla.mindrot.org/show_bug.cgi?id=3802
Bug ID: 3802
Summary: Secure forwardings, check connecting user
Product: Portable OpenSSH
Version: 9.9p2
Hardware: Other
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at mindrot.org
Reporter: psz at maths.usyd.edu.au
OpenSSH tries to keep port forwardings secure e.g. via the GatewayPorts
setting; -X may be secured with xauth, and forwarding UNIX sockets may
be safe. Still, IP forwarding is unsafe on multi-user machines: anyone
can connect to -L and -D forwardings when the ssh client machine is
multi-user, or to -R forwardings when the sshd server machine is
multi-user.
Please secure IP forwardings by checking the connecting user, ensuring
same user as that of the ssh client, or the one logged in to sshd.
These checks would be similar to, say, identd:
https://en.wikipedia.org/wiki/Ident_protocol
easy on Linux (via netlink calls or looking in /proc/net/tcp), and
probably possible on Windows and MacOS. (I do not know about others.)
If it would help, I may try to provide patches for Linux.
Thanks, Paul
--
Paul Szabo psz at maths.usyd.edu.au
www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics University of Sydney
Australia
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-Mar-20 00:16 UTC
[Bug 3802] Secure IP forwarding, check connecting user
https://bugzilla.mindrot.org/show_bug.cgi?id=3802
Paul Szabo <psz at maths.usyd.edu.au> changed:
What          |Removed                    |Added
----------------------------------------------------------------------------
Summary       |Secure forwardings, check  |Secure IP forwarding, check
              |connecting user            |connecting user
bugzilla-daemon at mindrot.org
2025-Mar-20 02:21 UTC
[Bug 3802] Secure IP forwarding, check connecting user
https://bugzilla.mindrot.org/show_bug.cgi?id=3802
Paul Szabo <psz at maths.usyd.edu.au> changed:
What          |Removed                    |Added
----------------------------------------------------------------------------
CC            |                           |psz at maths.usyd.edu.au
bugzilla-daemon at mindrot.org
2025-Mar-20 03:30 UTC
[Bug 3802] Secure IP forwarding, check connecting user
https://bugzilla.mindrot.org/show_bug.cgi?id=3802
Darren Tucker <dtucker at dtucker.net> changed:
What          |Removed                    |Added
----------------------------------------------------------------------------
CC            |                           |dtucker at dtucker.net
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
The uid lookups are platform-specific, and would only be useful for locally
originated connections. Assuming that's tractable, the next question
is what the control surfaces would look like?
Assuming this would be a subset of "GatewayPorts no" that allows only
the same user, it could be something like this on the server side in
decreasing levels of permissiveness:
GatewayPorts yes -> clientspecified -> no -> same-user
On the client side there's also GatewayPorts, but DynamicForward and
LocalForward can individually specify listen addresses. "GatewayPorts
sameuser" could restrict them all to localhost binds only.
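The Linux lookup Paul proposes (the connecting socket's uid read from /proc/net/tcp) combined with the "sameuser" policy Darren sketches, as an added example that is not code from this thread or from OpenSSH. It assumes the caller has the accepted socket's own (ip, port) and peer (ip, port), e.g. from getsockname()/getpeername(), and a little-endian Linux host; the table passed in is constructed sample data.

```python
"""Same-user check for a locally originated TCP connection via /proc/net/tcp.

Added example, not OpenSSH code.  Assumes a little-endian Linux host (the
kernel prints IPv4 addresses byte-reversed) and an IPv4 listener.
"""
import ipaddress
import socket
import struct

def _parse_addr(field):
    """Decode '0100007F:1F90' into ('127.0.0.1', 8080)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Yield (local, remote, state, uid) per row; the first line is the header."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 8:
            yield _parse_addr(parts[1]), _parse_addr(parts[2]), parts[3], int(parts[7])

def connecting_uid(table_text, local, remote):
    """uid owning the peer socket of an accepted connection, or None.
    The peer's row is the mirror image of ours (its local is our remote and
    vice versa) and exists only if the peer is on this host; a non-loopback or
    already-closed peer gives None, which callers must treat as a mismatch."""
    if not ipaddress.ip_address(remote[0]).is_loopback:
        return None
    for p_local, p_remote, state, uid in parse_proc_net_tcp(table_text):
        # state "01" is TCP_ESTABLISHED in the st column
        if state == "01" and p_local == remote and p_remote == local:
            return uid
    return None

def same_user(table_text, local, remote, owner_uid):
    """The proposed policy: admit only a connection made by owner_uid."""
    return connecting_uid(table_text, local, remote) == owner_uid

# Constructed sample: uid 1000 listens on 127.0.0.1:8080 and has a connection
# from port 41954 (A3E2); uid 1001 connects from port 45764 (B2C4).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40001 1
   1: 0100007F:1F90 0100007F:A3E2 01 00000000:00000000 00:00000000 00000000  1000        0 40002 1
   2: 0100007F:A3E2 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 40003 1
   3: 0100007F:1F90 0100007F:B2C4 01 00000000:00000000 00:00000000 00000000  1000        0 40004 1
   4: 0100007F:B2C4 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1001        0 40005 1
"""
```

On a live system read /proc/net/tcp (or /proc/net/tcp6) at accept() time and pass the accepted socket's addresses; the peer row can disappear between accept and the read, so a None result must deny rather than fall through. Netlink sock_diag returns the same uid without text parsing and is the more robust route.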
bugzilla-daemon at mindrot.org
2025-Mar-20 03:58 UTC
[Bug 3802] Secure IP forwarding, check connecting user
https://bugzilla.mindrot.org/show_bug.cgi?id=3802
--- Comment #2 from Paul Szabo <psz at maths.usyd.edu.au> ---
Yes, both to GatewayPorts=sameuser, and to "assuming that's tractable".
bugzilla-daemon at mindrot.org
2025-Mar-25 22:42 UTC
[Bug 3802] Secure IP forwarding, check connecting user
https://bugzilla.mindrot.org/show_bug.cgi?id=3802
--- Comment #3 from Paul Szabo <psz at maths.usyd.edu.au> ---
Is this likely to be implemented? Would it help if I (tried to) provide
patches for Linux?