[client] Add port forwarding to ssh proxy

client/cmd/ssh.go

@@ -634,7 +634,11 @@ func parseAndStartLocalForward(ctx context.Context, c *sshclient.Client, forward
 		return err
 	}
 
-	cmd.Printf("Local port forwarding: %s -> %s\n", localAddr, remoteAddr)
+	if err := validateDestinationPort(remoteAddr); err != nil {
+		return fmt.Errorf("invalid remote address: %w", err)
+	}
+
+	log.Debugf("Local port forwarding: %s -> %s", localAddr, remoteAddr)
 
 	go func() {
 		if err := c.LocalPortForward(ctx, localAddr, remoteAddr); err != nil && !errors.Is(err, context.Canceled) {
@@ -652,7 +656,11 @@ func parseAndStartRemoteForward(ctx context.Context, c *sshclient.Client, forwar
 		return err
 	}
 
-	cmd.Printf("Remote port forwarding: %s -> %s\n", remoteAddr, localAddr)
+	if err := validateDestinationPort(localAddr); err != nil {
+		return fmt.Errorf("invalid local address: %w", err)
+	}
+
+	log.Debugf("Remote port forwarding: %s -> %s", remoteAddr, localAddr)
 
 	go func() {
 		if err := c.RemotePortForward(ctx, remoteAddr, localAddr); err != nil && !errors.Is(err, context.Canceled) {
@@ -663,6 +671,35 @@ func parseAndStartRemoteForward(ctx context.Context, c *sshclient.Client, forwar
 	return nil
 }
 
+// validateDestinationPort checks that the destination address has a valid port.
+// Port 0 is only valid for bind addresses (where the OS picks an available port),
+// not for destination addresses where we need to connect.
+func validateDestinationPort(addr string) error {
+	if strings.HasPrefix(addr, "/") || strings.HasPrefix(addr, "./") {
+		return nil
+	}
+
+	_, portStr, err := net.SplitHostPort(addr)
+	if err != nil {
+		return fmt.Errorf("parse address %s: %w", addr, err)
+	}
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		return fmt.Errorf("invalid port %s: %w", portStr, err)
+	}
+
+	if port == 0 {
+		return fmt.Errorf("port 0 is not valid for destination address")
+	}
+
+	if port < 0 || port > 65535 {
+		return fmt.Errorf("port %d out of range (1-65535)", port)
+	}
+
+	return nil
+}
+
 // parsePortForwardSpec parses port forward specifications like "8080:localhost:80" or "[::1]:8080:localhost:80".
 // Also supports Unix sockets like "8080:/tmp/socket" or "127.0.0.1:8080:/tmp/socket".
 func parsePortForwardSpec(spec string) (string, string, error) {

client/proto/daemon.proto

@@ -372,6 +372,7 @@ message SSHSessionInfo {
   string remoteAddress = 2;
   string command = 3;
   string jwtUsername = 4;
+  repeated string portForwards = 5;
 }
 
 // SSHServerState contains the latest state of the SSH server

client/server/server.go

@@ -1128,6 +1128,7 @@ func (s *Server) getSSHServerState() *proto.SSHServerState {
 			RemoteAddress: session.RemoteAddress,
 			Command:       session.Command,
 			JwtUsername:   session.JWTUsername,
+			PortForwards:  session.PortForwards,
 		})
 	}
 

client/ssh/auth/auth.go

@@ -98,19 +98,17 @@ func (a *Authorizer) Update(config *Config) {
 		len(config.AuthorizedUsers), len(machineUsers))
 }
 
-// Authorize validates if a user is authorized to login as the specified OS user
-// Returns nil if authorized, or an error describing why authorization failed
-func (a *Authorizer) Authorize(jwtUserID, osUsername string) error {
+// Authorize validates if a user is authorized to login as the specified OS user.
+// Returns a success message describing how authorization was granted, or an error.
+func (a *Authorizer) Authorize(jwtUserID, osUsername string) (string, error) {
 	if jwtUserID == "" {
-		log.Warnf("SSH auth denied: JWT user ID is empty for OS user '%s'", osUsername)
-		return ErrEmptyUserID
+		return "", fmt.Errorf("JWT user ID is empty for OS user %q: %w", osUsername, ErrEmptyUserID)
 	}
 
 	// Hash the JWT user ID for comparison
 	hashedUserID, err := sshuserhash.HashUserID(jwtUserID)
 	if err != nil {
-		log.Errorf("SSH auth denied: failed to hash user ID '%s' for OS user '%s': %v", jwtUserID, osUsername, err)
-		return fmt.Errorf("failed to hash user ID: %w", err)
+		return "", fmt.Errorf("hash user ID %q for OS user %q: %w", jwtUserID, osUsername, err)
 	}
 
 	a.mu.RLock()
@@ -119,40 +117,35 @@ func (a *Authorizer) Authorize(jwtUserID, osUsername string) error {
 	// Find the index of this user in the authorized list
 	userIndex, found := a.findUserIndex(hashedUserID)
 	if !found {
-		log.Warnf("SSH auth denied: user '%s' (hash: %s) not in authorized list for OS user '%s'", jwtUserID, hashedUserID, osUsername)
-		return ErrUserNotAuthorized
+		return "", fmt.Errorf("user %q (hash: %s) not in authorized list for OS user %q: %w", jwtUserID, hashedUserID, osUsername, ErrUserNotAuthorized)
 	}
 
 	return a.checkMachineUserMapping(jwtUserID, osUsername, userIndex)
 }
 
 // checkMachineUserMapping validates if a user's index is authorized for the specified OS user
 // Checks wildcard mapping first, then specific OS user mappings
-func (a *Authorizer) checkMachineUserMapping(jwtUserID, osUsername string, userIndex int) error {
+func (a *Authorizer) checkMachineUserMapping(jwtUserID, osUsername string, userIndex int) (string, error) {
 	// If wildcard exists and user's index is in the wildcard list, allow access to any OS user
 	if wildcardIndexes, hasWildcard := a.machineUsers[Wildcard]; hasWildcard {
 		if a.isIndexInList(uint32(userIndex), wildcardIndexes) {
-			log.Infof("SSH auth granted: user '%s' authorized for OS user '%s' via wildcard (index: %d)", jwtUserID, osUsername, userIndex)
-			return nil
+			return fmt.Sprintf("granted via wildcard (index: %d)", userIndex), nil
 		}
 	}
 
 	// Check for specific OS username mapping
 	allowedIndexes, hasMachineUserMapping := a.machineUsers[osUsername]
 	if !hasMachineUserMapping {
 		// No mapping for this OS user - deny by default (fail closed)
-		log.Warnf("SSH auth denied: no machine user mapping for OS user '%s' (JWT user: %s)", osUsername, jwtUserID)
-		return ErrNoMachineUserMapping
+		return "", fmt.Errorf("no machine user mapping for OS user %q (JWT user: %s): %w", osUsername, jwtUserID, ErrNoMachineUserMapping)
 	}
 
 	// Check if user's index is in the allowed indexes for this specific OS user
 	if !a.isIndexInList(uint32(userIndex), allowedIndexes) {
-		log.Warnf("SSH auth denied: user '%s' not mapped to OS user '%s' (user index: %d)", jwtUserID, osUsername, userIndex)
-		return ErrUserNotMappedToOSUser
+		return "", fmt.Errorf("user %q not mapped to OS user %q (index: %d): %w", jwtUserID, osUsername, userIndex, ErrUserNotMappedToOSUser)
 	}
 
-	log.Infof("SSH auth granted: user '%s' authorized for OS user '%s' (index: %d)", jwtUserID, osUsername, userIndex)
-	return nil
+	return fmt.Sprintf("granted (index: %d)", userIndex), nil
 }
 
 // GetUserIDClaim returns the JWT claim name used to extract user IDs