Using auth.json file with target verification

Open efi-valkyrie opened this issue 1 year ago • 2 comments

Hi

I'm using a reversed chisel server with an auth.json file, for example:

{
      "user1:123": ["R:0.0.0.0:5555"]
}

On some remote machine I'm running chisel client with the following command: .\chisel client --auth "user1:123" <my-server-ip> R:0.0.0.0:5555:<remote-server-ip>

Everything works fine with this setup and the chisel client is authenticated and is limited to 0.0.0.0:5555 only. However, I would also like to limit the remote server (<remote-server-ip>) so that the chisel server will only allow port forwarding to a closed set of remotes per user. Is there a way to do it as well?

Thanks

efi-valkyrie avatar Dec 25 '24 10:12 efi-valkyrie

I believe the remotes list is a list of regular expressions

jpillora avatar Dec 25 '24 10:12 jpillora

@jpillora Thanks for the quick reply. Yeah, I saw that it's a regex, but my question is whether it can be used to match against the remote host (and port) when working in reverse port forwarding mode (i.e., using the R:<local>:<remote> syntax).

According to the documentation:

...
Addresses will always come in the form "<remote-host>:<remote-port>" 
for normal remotes and "R:<local-interface>:<local-port>" for reverse port 
forwarding remotes. This file will be automatically reloaded on change.

So to clarify, looking at the definition of a remote port forward in reverse mode: R:<local-interface>:<local-port>:<remote-host>:<remote-port>/<protocol>. Will it be possible to match against the <remote-host>:<remote-port> part using the auth file?

Thanks again

efi-valkyrie avatar Dec 26 '24 06:12 efi-valkyrie
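
Added example (not part of the thread and not chisel's own code): a Go sketch of the matching that the quoted documentation describes, assuming each auth.json pattern is applied as an unanchored regular expression to that address string. `userAddr` and `allowed` are hypothetical helpers, the remote IPs are constructed, and IPv6 or shorthand remotes are not handled.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// userAddr (hypothetical) builds the string the quoted documentation says is
// matched: "<remote-host>:<remote-port>", or "R:<local-interface>:<local-port>".
func userAddr(remote string) (string, error) {
	spec, _, _ := strings.Cut(remote, "/") // drop optional "/<protocol>"
	parts := strings.Split(strings.TrimPrefix(spec, "R:"), ":")
	if strings.HasPrefix(spec, "R:") {
		if len(parts) != 4 {
			return "", fmt.Errorf("want R:<if>:<port>:<host>:<port>, got %q", remote)
		}
		return "R:" + parts[0] + ":" + parts[1], nil // remote host/port not included
	}
	if len(parts) < 2 {
		return "", fmt.Errorf("want [<port>:]<host>:<port>, got %q", remote)
	}
	return strings.Join(parts[len(parts)-2:], ":"), nil
}

// allowed reports whether any pattern matches the address. Assumption: the
// match is unanchored, which is how regexp.MatchString behaves.
func allowed(patterns []string, remote string) (bool, error) {
	addr, err := userAddr(remote)
	if err != nil {
		return false, err
	}
	for _, p := range patterns {
		if ok, err := regexp.MatchString(p, addr); err != nil || ok {
			return ok, err
		}
	}
	return false, nil
}

func main() {
	loose := []string{"R:0.0.0.0:5555"}        // pattern from the issue
	strict := []string{`^R:0\.0\.0\.0:5555$`} // anchored, dots escaped
	for _, r := range []string{"R:0.0.0.0:5555:10.0.0.5:22", "R:0.0.0.0:5555:10.9.9.9:3389", "R:0.0.0.0:55555:10.0.0.5:22"} { // constructed
		l, _ := allowed(loose, r)
		s, _ := allowed(strict, r)
		fmt.Printf("%-30s loose=%v strict=%v\n", r, l, s)
	}
}
```

Under these assumptions both remote hosts produce the same address string, so neither pattern can tell them apart, and only the anchored pattern rejects port 55555.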