Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: OpenSSH: Dev

[PATCH] accept SOCKS request over the mux socket

  

 
OpenSSH dev RSS feed   Index | Next | Previous | View Threaded


sfandino at yahoo

Mar 4, 2009, 5:13 AM

Post #1 of 15 (1653 views)
Permalink
[PATCH] accept SOCKS request over the mux socket
Hi,

The attached patch extends the mux listener to accept SOCKS requests in
addition to the native mux commands.

The rationale behind is that creating tunnels attached to TCP ports is a
security hazard in multi-user machines where there is no way to control
who connects through the tunnels. On the other hand, The mux UNIX domain
socket binds to the file system and regular permissions can be used for
access control.

I have also created a small Perl script "snc", similar to netcat, that
uses this new feature. In the end, if this patch gets accepted, my idea
is to extend my Perl module Net::OpenSSH to use it.

Under the hood, the code I have added just looks at the first byte
coming from the mux connection. When it is a mux command, it corresponds
to the first byte for the packet length encoded as a 32bits integer in
network order and so, it is 0 (packet length is limited to 256KB). When
it is a SOCKS connection the first byte is 4 or 5 so we can easyly
distinguish both protocols.

I know it is somewhat hacky, but the alternatives I see are:

1) to use a dedicated socket for the SOCKS proxy

2) to extend the mux "protocol" with new commands offering equivalent
functionality.

I don't like (1) because, IMO, it would unnecessarily complicate ssh
usage. I don't like (2) because adapting a SOCKS client to use a UNIX
socket instead of a TCP one, should be much easier than implementing a
new protocol.

Cheers,

- Salva
Attachments: openssh-muxsocks-1.patch (3.58 KB)
  snc (3.06 KB)


sfandino at yahoo

Mar 10, 2009, 8:47 AM

Post #2 of 15 (1584 views)
Permalink
Re: [PATCH] accept SOCKS request over the mux socket [In reply to]
Hi

Salvador Fandino wrote:
> The attached patch extends the mux listener to accept SOCKS requests in
> addition to the native mux commands.

Attached to this mail you will find:

- an updated version of the patch that applies against the CVS version
of OpenSSH.

- a patch for dsocks-1.6 (http://www.monkey.org/~dugsong/dsocks/) that
adds support for connecting to the SOCKS server through an UNIX domain
socket.


For instance, with these patches applied, I can run:

$ ssh -M -S /tmp/mux 172.20.3.12 -N -f
$ LD_PRELOAD=/root/my-dsocks-1.6/libdsocks.so.1.0 \
DSOCKS_PROXY=/tmp/mux \
DSOCKS_NAMESERVER=172.20.4.17 \
lynx www.openbsd.org

And browse the web without opening a local listening port on my computer.

Cheers,

- Salva
Attachments: dsocks-unixsocket-0.patch (3.75 KB)
  openssh-muxsocks-3.patch (5.56 KB)


djm at mindrot

Mar 10, 2009, 5:24 PM

Post #3 of 15 (1596 views)
Permalink
Re: [PATCH] accept SOCKS request over the mux socket [In reply to]
On Tue, 10 Mar 2009, Salvador Fandino wrote:

> Hi
>
> Salvador Fandino wrote:
> > The attached patch extends the mux listener to accept SOCKS requests in
> > addition to the native mux commands.
>
> Attached to this mail you will find:
>
> - an updated version of the patch that applies against the CVS version of
> OpenSSH.
>
> - a patch for dsocks-1.6 (http://www.monkey.org/~dugsong/dsocks/) that adds
> support for connecting to the SOCKS server through an UNIX domain socket.

Please create a bug on https://bugzilla.mindrot.org/ and attach
your patches there so they can be tracked.

Thanks,
Damien
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


mouring at eviladmin

Mar 10, 2009, 10:02 PM

Post #4 of 15 (1592 views)
Permalink
Re: [PATCH] accept SOCKS request over the mux socket [In reply to]
On Mar 10, 2009, at 10:47 AM, Salvador Fandino wrote:

> Hi
>
> Salvador Fandino wrote:
>> The attached patch extends the mux listener to accept SOCKS
>> requests in addition to the native mux commands.
>
> Attached to this mail you will find:
>
> - an updated version of the patch that applies against the CVS
> version of OpenSSH.
>
> - a patch for dsocks-1.6 (http://www.monkey.org/~dugsong/dsocks/)
> that adds support for connecting to the SOCKS server through an UNIX
> domain socket.
>
>
> For instance, with these patches applied, I can run:
>
> $ ssh -M -S /tmp/mux 172.20.3.12 -N -f
> $ LD_PRELOAD=/root/my-dsocks-1.6/libdsocks.so.1.0 \
> DSOCKS_PROXY=/tmp/mux \
> DSOCKS_NAMESERVER=172.20.4.17 \
> lynx www.openbsd.org
>
> And browse the web without opening a local listening port on my
> computer.
>


How does this differ from "ssh -D" ?? Which already makes SSH into a
SOCK4/5 server?

Seems like we're duplicating functionality unless there is something
else I'm missing.

- Ben

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


sfandino at yahoo

Mar 11, 2009, 1:48 AM

Post #5 of 15 (1587 views)
Permalink
Re: [PATCH] accept SOCKS request over the mux socket [In reply to]
hi

> How does this differ from "ssh -D" ?? Which already makes SSH into a SOCK4/5
> server?
>
> Seems like we're duplicating functionality unless there is something else I'm
> missing.

Actually, I am reusing the SOCKS4/5 code. The difference is that now request are also accepted over the multiplexing UNIX socket created when ssh is run in master mode.

The problem with INET sockets is that there is no way* to control who access then. Even if they are only bound to localhost, in multiuser machines, any local user can connect to them.

On the other hand, access to an UNIX socket can be controlled using just file permissions, so that, for instance, only the user running ssh could connect to it.

- Salva


* well, unless you add authentication support to the SOCKS4/5 code, but IMO, that would be something really complex to manage and to use.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


mouring at eviladmin

Mar 11, 2009, 8:27 AM

Post #6 of 15 (1594 views)
Permalink
Re: [PATCH] accept SOCKS request over the mux socket [In reply to]
On Mar 11, 2009, at 3:48 AM, Salvador Fandino wrote:

>
> hi
>
>> How does this differ from "ssh -D" ?? Which already makes SSH into
>> a SOCK4/5
>> server?
>>
>> Seems like we're duplicating functionality unless there is
>> something else I'm
>> missing.
>
> Actually, I am reusing the SOCKS4/5 code. The difference is that now
> request are also accepted over the multiplexing UNIX socket created
> when ssh is run in master mode.
>
> The problem with INET sockets is that there is no way* to control
> who access then. Even if they are only bound to localhost, in
> multiuser machines, any local user can connect to them.
>
> On the other hand, access to an UNIX socket can be controlled using
> just file permissions, so that, for instance, only the user running
> ssh could connect to it.

I'm concerned that people will become confused since -M -S combo has
been resevered for multiple ssh terminal sessions over a single
tunnel. I'd rather see it more clear like:

ssh -D -M -S /tmp/mux 172.20.3.12 -N -f if you want multiple tunnels
+ SOCK support
ssh -D -S /tmp/mux .. if you just want SOCKS support instead of a PORT

Which means an error needs to be throw on

ssh -Dxxx -S xxxx

- Ben
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


sfandino at yahoo

Mar 11, 2009, 10:41 AM

Post #7 of 15 (1586 views)
Permalink
Re: [PATCH] accept SOCKS request over the mux socket [In reply to]
Hi



----- Original Message ----
> From: Ben Lindstrom <mouring [at] eviladmin>
> To: Salvador Fandino <sfandino [at] yahoo>
> Cc: openssh-unix-dev [at] mindrot
> Sent: Wednesday, March 11, 2009 4:27:14 PM
> Subject: Re: [PATCH] accept SOCKS request over the mux socket
>
> I'm concerned that people will become confused since -M -S combo has been
> resevered for multiple ssh terminal sessions over a single tunnel. I'd rather
> see it more clear like:
>
> ssh -D -M -S /tmp/mux 172.20.3.12 -N -f if you want multiple tunnels + SOCK
> support
> ssh -D -S /tmp/mux .. if you just want SOCKS support instead of a PORT

It makes sense to me, but I think that for the same reason, it would be better to use a different flag instead of -D, say -E

Cheers,

- Salva
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


jmknoble at pobox

Mar 11, 2009, 11:21 AM

Post #8 of 15 (1577 views)
Permalink
Re: [PATCH] accept SOCKS request over the mux socket [In reply to]
Circa 2009-03-11 10:27 dixit Ben Lindstrom:

: I'm concerned that people will become confused since -M -S combo has
: been resevered for multiple ssh terminal sessions over a single
: tunnel. I'd rather see it more clear like:
:
: ssh -D -M -S /tmp/mux 172.20.3.12 -N -f if you want multiple tunnels
: + SOCK support
: ssh -D -S /tmp/mux .. if you just want SOCKS support instead of a PORT
:
: Which means an error needs to be throw on
:
: ssh -Dxxx -S xxxx

The above means that you can't separate permissions for the mux socket
and the SOCKS socket.

Better to create a dedicated SOCKS socket, no?

ssh -D /tmp/ssh-socks-socket ...

That is, '-D' may accept either an IP address or a filesystem path.
Reserve '-S' for use with multiplexing sockets. This way, one can:

ssh -D /tmp/ssh-socks-socket -M -S /tmp/ssh-mux-socket ...

and allow more than one user to use the SOCKS connection while keeping
the mux socket more private.

This also makes the '-D' syntax consistent and sensible.

--jim

--
jim knoble | jmknoble [at] pobox | http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


mouring at eviladmin

Mar 11, 2009, 11:58 AM

Post #9 of 15 (1577 views)
Permalink
Re: [PATCH] accept SOCKS request over the mux socket [In reply to]
On Mar 11, 2009, at 1:21 PM, Jim Knoble wrote:

> Circa 2009-03-11 10:27 dixit Ben Lindstrom:
>
> : I'm concerned that people will become confused since -M -S combo has
> : been resevered for multiple ssh terminal sessions over a single
> : tunnel. I'd rather see it more clear like:
> :
> : ssh -D -M -S /tmp/mux 172.20.3.12 -N -f if you want multiple
> tunnels
> : + SOCK support
> : ssh -D -S /tmp/mux .. if you just want SOCKS support instead of a
> PORT
> :
> : Which means an error needs to be throw on
> :
> : ssh -Dxxx -S xxxx
>
> The above means that you can't separate permissions for the mux socket
> and the SOCKS socket.
>
> Better to create a dedicated SOCKS socket, no?
>
> ssh -D /tmp/ssh-socks-socket ...
>
> That is, '-D' may accept either an IP address or a filesystem path.
> Reserve '-S' for use with multiplexing sockets. This way, one can:
>
> ssh -D /tmp/ssh-socks-socket -M -S /tmp/ssh-mux-socket ...
>
> and allow more than one user to use the SOCKS connection while keeping
> the mux socket more private.
>
> This also makes the '-D' syntax consistent and sensible.
>

That works for me. I just found the mutation and corruption of -M -S
to be a bit dodgy when we already have a -D that is clearly tagged as
being a socks4/5 server functionality flag.

- Ben
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


sfandino at yahoo

Mar 12, 2009, 9:22 AM

Post #10 of 15 (1555 views)
Permalink
Re: [PATCH] accept SOCKS request over the mux socket [In reply to]
----- Original Message ----
> From: Jim Knoble <jmknoble [at] pobox>
> To: Ben Lindstrom <mouring [at] eviladmin>
> Cc: Salvador Fandino <sfandino [at] yahoo>; openssh-unix-dev [at] mindrot
> Sent: Wednesday, March 11, 2009 7:21:54 PM
> Subject: Re: [PATCH] accept SOCKS request over the mux socket
>
> Circa 2009-03-11 10:27 dixit Ben Lindstrom:
>
> : I'm concerned that people will become confused since -M -S combo has
> : been resevered for multiple ssh terminal sessions over a single
> : tunnel. I'd rather see it more clear like:
> :
> : ssh -D -M -S /tmp/mux 172.20.3.12 -N -f if you want multiple tunnels
> : + SOCK support
> : ssh -D -S /tmp/mux .. if you just want SOCKS support instead of a PORT
> :
> : Which means an error needs to be throw on
> :
> : ssh -Dxxx -S xxxx
>
> The above means that you can't separate permissions for the mux socket
> and the SOCKS socket.
>
> Better to create a dedicated SOCKS socket, no?
>
> ssh -D /tmp/ssh-socks-socket ...
>
> That is, '-D' may accept either an IP address or a filesystem path.
> Reserve '-S' for use with multiplexing sockets. This way, one can:
>
> ssh -D /tmp/ssh-socks-socket -M -S /tmp/ssh-mux-socket ...
>
> and allow more than one user to use the SOCKS connection while keeping
> the mux socket more private.
>
> This also makes the '-D' syntax consistent and sensible.

I have attached a new patch to the request at...

https://bugzilla.mindrot.org/show_bug.cgi?id=1572

doing just that.

There is a problem with it and is that slashes already have an special meaning on tunnel specifications , they are used with IPv6 addresses.

My proposal (not implemented on the patch yet) would be to use {} to demarcate unix paths as in

$ ssh -D{/tmp/bar} ...

and

$ ssh -L{/tmp/foo}:host:22 ...

It will fail for -L{/tmp/name,with,commas}, but hey, this is not very common!

Cheers,

- Salva

>
> --jim
>
> --
> jim knoble | jmknoble [at] pobox | http://www.pobox.com/~jmknoble/
> (GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
> (GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


rob at nofocus

Mar 12, 2009, 12:06 PM

Post #11 of 15 (1558 views)
Permalink
Re: [PATCH] accept SOCKS request over the mux socket [In reply to]
>
> There is a problem with it and is that slashes already have an
> special meaning on tunnel specifications , they are used with IPv6
> addresses.
>
> My proposal (not implemented on the patch yet) would be to use {} to
> demarcate unix paths as in
>
> $ ssh -D{/tmp/bar} ...
>
> and
>
> $ ssh -L{/tmp/foo}:host:22 ...
>
> It will fail for -L{/tmp/name,with,commas}, but hey, this is not
> very common!
>
> Cheers,

Why not do something a little more flexible, and do something like

ssh -Lsocket=/tmp/foo:host:22

It certainly would never be confused with a standard port, and you'd
have a framework to expand to forwarding other sorts of things in the
future. Not to mention { } causes magic to happen in certain shells,
which may have unwanted side effects.

-rob
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


william at 25thandClement

Mar 12, 2009, 12:25 PM

Post #12 of 15 (1565 views)
Permalink
Re: [PATCH] accept SOCKS request over the mux socket [In reply to]
On Thu, Mar 12, 2009 at 12:06:48PM -0700, Robert Banz wrote:
> >
> > There is a problem with it and is that slashes already have an
> > special meaning on tunnel specifications , they are used with IPv6
> > addresses.
> >
> > My proposal (not implemented on the patch yet) would be to use {} to
> > demarcate unix paths as in
> >
> > $ ssh -D{/tmp/bar} ...
> >
> > and
> >
> > $ ssh -L{/tmp/foo}:host:22 ...
> >

Many moons ago I wrote a patch to do exactly this:

http://www.25thandclement.com/~william/projects/streamlocal.html

I think that was before mux sockets were even available. At the time,
patching OpenSSH to grok domain sockets in all the right places was a
gigantic PITA. Nobody showed interest in the patch, perhaps because it was
quite large. The patch works, though; running 24/7 on tens of thousands of
boxes as we speak.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


jmknoble at pobox

Mar 12, 2009, 3:31 PM

Post #13 of 15 (1559 views)
Permalink
Re: [PATCH] accept SOCKS request over the mux socket [In reply to]
Circa 2009-03-12 11:22 dixit Salvador Fandino:

: > From: Jim Knoble <jmknoble [at] pobox>
: > Sent: Wednesday, March 11, 2009 7:21:54 PM
: >
: > ssh -D /tmp/ssh-socks-socket ...
:
: I have attached a new patch to the request at...
:
: https://bugzilla.mindrot.org/show_bug.cgi?id=1572
:
: doing just that.
:
: There is a problem with it and is that slashes already have an special
: meaning on tunnel specifications , they are used with IPv6 addresses.

The syntax you're speaking of is (from ssh(1)):

IPv6 addresses can be specified with an alternative syntax:
[bind_address/]port/host/hostport
or by enclosing the address in square brackets.

There's a key difference between that syntax and the Unix-domain socket
path: The leading slash of an absolute path. That is:

# Listen on IPv6 address ::1 on port 2222, forward across the
# ssh link to address ::1, port 22

ssh -L ::1/2222/::1/22

# Listen on a Unix domain socket at /tmp/my-ssh-forward-sock, and
# forward across the ssh link to address 127.0.0.1, port 22

ssh -L /tmp/my-ssh-forward-sock:127.0.0.1:22

# Listen on a Unix domain socket at /tmp/my-ssh-forward-sock, and
# forward across the ssh link to address ::1, port 22
# TODO: Does this work: -L [::1]:2222:[::1]:22

ssh -L /tmp/my-ssh-forward-sock:[::1]:22

# Syntax error (too many ':')

ssh -L /::1/2222/::1/22

In words: If the first character of the argument to -L is '/', it's a
filesystem path, and ':' is required to be the sub-argument separator.
Remote IPv6 addresses must be enclosed in square brackets. Otherwise,
the syntax is the same as before.

Are there plans to implement domain sockets for '-R'? If so:

# Listen on the remote address ::1 on port 2222, forward back across
# the ssh link to address ::1, port 22

ssh -R ::1/2222/::1/22

# Listen on the remote address 127.0.0.1 on port 2222, forward back
# across the ssh link to the socket at /tmp/my-service-sock on the
# host ssh is running on

ssh -R 127.0.0.1:2222:/tmp/my-service-sock

# Listen on the remote address ::1 on port 2222, forward back across
# the ssh link to the socket at /tmp/my-service-sock on the host ssh
# is running on

ssh -R [::1]:2222:/tmp/my-service-sock

# Syntax error (probably produces either "tmp: host not found" or
# "my-service-sock: unknown port")

ssh -R ::1/2222/tmp/my-service-sock

In words, if '/' is used as the subargument separator, then Unix domain
sockets cannot be specified. If ':' is used, remote IPv6 addresses
must be specified in square brackets, and if the first character of the
"local" host specification is '/', then it's a Unix domain socket.

If you want Unix domain sockets to be used with -L or -R on the remote
end as well, that works the same as above, only with -L and -R reversed.
To forward between Unix domain sockets on both ends, you get:

ssh -L /tmp/ssh-forward-sock:/tmp/my-service-sock

(I.e., only 2 subarguments, separated by ':'). Same for -R. Obviously,
sshd would have to be patched to support that.

Anything i missed, for -L or -R?

--
jim knoble | jmknoble [at] pobox | http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


william at 25thandClement

Mar 12, 2009, 5:51 PM

Post #14 of 15 (1544 views)
Permalink
Re: [PATCH] accept SOCKS request over the mux socket [In reply to]
On Thu, Mar 12, 2009 at 05:31:35PM -0500, Jim Knoble wrote:
<snip>
> Are there plans to implement domain sockets for '-R'? If so:
>
> # Listen on the remote address ::1 on port 2222, forward back across
> # the ssh link to address ::1, port 22
>
> ssh -R ::1/2222/::1/22
>
> # Listen on the remote address 127.0.0.1 on port 2222, forward back
> # across the ssh link to the socket at /tmp/my-service-sock on the
> # host ssh is running on
>
> ssh -R 127.0.0.1:2222:/tmp/my-service-sock

First of all, you have to modify the wire protocol to request remote domain
socket forwarding. When I did it, it was relatively simple. But...

Second of all, there are security issues with domain sockets. One of the
pains of domain sockets in general is you can't simply set SO_REUSEADDR. To
make them practical, you have to (at least provide the option to) unlink()
the path. Otherwise broken connections and other regular happenstances will
make live miserable to make use of the capability. And for all but the most
convoluted solutions, there are still races and other uncertainties.

<snip>
> In words, if '/' is used as the subargument separator, then Unix domain
> sockets cannot be specified. If ':' is used, remote IPv6 addresses
> must be specified in square brackets, and if the first character of the
> "local" host specification is '/', then it's a Unix domain socket.
>
> If you want Unix domain sockets to be used with -L or -R on the remote
> end as well, that works the same as above, only with -L and -R reversed.
> To forward between Unix domain sockets on both ends, you get:
>
> ssh -L /tmp/ssh-forward-sock:/tmp/my-service-sock
>
> (I.e., only 2 subarguments, separated by ':'). Same for -R. Obviously,
> sshd would have to be patched to support that.
>

The way I implemented it was I re-wrote the the -L and -R parser to be more
generic, using a small state machine rather than ad-hoc string parsing. The
most straight-forward syntax would be to require domain paths to be between
braces; then there's no conflict (unless your path contains brances, but you
can escape those), and you don't even necessarily need to require absolute
paths, because the brace syntax can bootstrap you into a new syntax domain.
For instance:

-R[/tmp/remote-foo]:[/tmp/local-bar]

Or perhaps:

-R[unix://some/relative/path/remote-foo]:[unix:///tmp/local-bar]

(I'm unfamiliar with the sftp spec, but I bet there's a useful syntax there,
too.)

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


jmknoble at pobox

Mar 12, 2009, 11:00 PM

Post #15 of 15 (1547 views)
Permalink
Re: [PATCH] accept SOCKS request over the mux socket [In reply to]
On 2009-03-12 19:51, William Ahern wrote:

: The way I implemented it was I re-wrote the the -L and -R parser to be
: more generic, using a small state machine rather than ad-hoc string
: parsing. The most straight-forward syntax would be to require domain
: paths to be between braces; then there's no conflict (unless your path
: contains brances, but you can escape those), and you don't even
: necessarily need to require absolute paths, because the brace syntax
: can bootstrap you into a new syntax domain. For instance:
:
: -R[/tmp/remote-foo]:[/tmp/local-bar]

This is interesting. Salvo had proposed using curly braces '{' and '}'
for this, which may be necessary, as IPv6 addresses are curently allowed
to be inside square brackets '[' and ']'. Haven't looked at the code,
though.

: Or perhaps:
:
: -R[unix://some/relative/path/remote-foo]:[unix:///tmp/local-bar]

Aha. Thanks, William, for pointing out what I missed: the possibility
of relative paths for the remote end.

This is very interesting, and obviously URI-style specifiers are
relatively commonplace these days. I would get rid of the '//' after
the ':', as it is supposed to denote a host, but with Unix domain
sockets, the host is implied to be one of the hosts at either end of the
SSH connection. Thus:

-R[unix:some/relative/path/remote-foo]:[unix:/tmp/local-bar]

should be sufficient. I don't mind the extra typing associated with the
square brackets and the URI-style specifier, as i suspect this usage
wouldn't be terribly commonplace anyway. It also allows square brackets
to be used without conflicting with the optional square brackets around
IPv6 addresses. I'm in favor of this.

--
jim knoble | jmknoble [at] pobox | http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

OpenSSH dev RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.