Using auth.json file with target verification

[efi-valkyrie]

Hi

I'm using a reversed chisel server with an auth.json file, for example:

{
      "user1:123": ["R:0.0.0.0:5555"]
}

On some remote machine I'm running chisel client with the following command:
.\chisel client --auth "user1:123" <my-server-ip> R:0.0.0.0:5555:<remote-server-ip>

Everything works fine with this setup and the chisel client is authenticated and is limited to 0.0.0.0:5555 only, however I would also like to limit the remote server (<remote-server-ip>) so that the chisel server will only allow port forwarding to closed set of remotes per user, is there a way to do it as well?

Thanks

[jpillora]

I believe the remotes list is a list of regular expressions

…

On Wed, 25 Dec 2024 at 9:19 pm, efiwaissman ***@***.***> wrote: Hi I'm using a reversed chisel server with an auth.json file, for example: { "user1:123": ["R:0.0.0.0:5555"] } On some remote machine I'm running chisel client with the following command: .\chisel client --auth "user1:123" <my-server-ip> R:0.0.0.0:5555 :<remote-server-ip> Everything works fine with this setup and the chisel client is authenticated and is limited to 0.0.0.0:5555 only, however I would also like to limit the remote server (<remote-server-ip>) so that the chisel server will only allow port forwarding to closed set of remotes per user, is there a way to do it as well? Thanks — Reply to this email directly, view it on GitHub <#543>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAE2X4YPKBCO4H5LHUPL6WT2HKBDPAVCNFSM6AAAAABUF2NT2GVHI2DSMVQWIX3LMV43ASLTON2WKOZSG42TQNZQG4ZDEMA> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[efi-valkyrie]

@jpillora Thanks for the quick replay.
Yeah I saw that its a regex, but my question is whether it can be used to match against the remote host (and port) when working in reverse port forwarding mode (i.e., using the R:<local>:<remote> syntax).

According to the documentation:

...
Addresses will always come in the form "<remote-host>:<remote-port>" 
for normal remotes and "R:<local-interface>:<local-port>" for reverse port 
forwarding remotes. This file will be automatically reloaded on change.

So to clarify, looking at the definition of a remote port forward in reverse mode:
R:<local-interface>:<local-port>:<remote-host>:<remote-port>/<protocol>
Will it be possible to match against the <remote-host>:<remote-port> part using the auth file?

Thanks again