ssh: only export the port to localhost

matttbe · matttbe · commit 0d26e0e76dc3 · 2025-01-04T19:50:41.000+01:00
It doesn't seem safe to expose the socket to everybody around.

Restrict it to localhost only.

Please note that it also means other users on the same machine can still
connect to it. But they will need credentials / keys.

Signed-off-by: Matthieu Baerts (NGI0) &lt;matttbe@kernel.org&gt;
diff --git a/virtme/commands/run.py b/virtme/commands/run.py
@@ -1002,7 +1002,7 @@ def ssh_server(args, arch, qemuargs, kernelargs):
 
     # Setup a port forward network interface for the guest.
     qemuargs.extend(["-device", "%s,netdev=ssh" % (arch.virtio_dev_type("net"))])
-    qemuargs.extend(["-netdev", "user,id=ssh,hostfwd=tcp::%d-:22" % args.port])
+    qemuargs.extend(["-netdev", "user,id=ssh,hostfwd=tcp:127.0.0.1:%d-:22" % args.port])
 
 
 # Allowed characters in mount paths.  We can extend this over time if needed.
