Mailing List Archive: OpenSSH: Dev

Unix socket forwarding



tanguy+openssh at ortolo

Mar 5, 2012, 1:21 AM

Post #1 of 13 (3630 views)
Unix socket forwarding

Hello,

There is one option I would love to see with OpenSSH: generic Unix
socket forwarding. Something like that:
$ ssh -L /tmp/pulse-2L9K88eMlGn7/native:/tmp/pulse-42 remotehost
(and the same with -R)

The code should already be here, since OpenSSH already implements two
specific cases of Unix socket forwarding: X11 and SSH agent forwarding.
Having an option for generic Unix socket forwarding would allow for any
number of other cases, including audio server, PGP agent, keyring server
or whatever.

Regards,

--
Tanguy Ortolo


dkg at fifthhorseman

Mar 5, 2012, 9:43 AM

Post #2 of 13 (3576 views)
Re: Unix socket forwarding [In reply to]

Hi Tanguy--

On 03/05/2012 04:21 AM, Tanguy Ortolo wrote:
> There is one option I would love to see with OpenSSH: generic Unix
> socket forwarding.

I agree this would be useful.

It's probably best to follow up on this request at its upstream bugzilla
entry [0].

If someone interested could make a revision of the patch at [1] that
applies (and builds and tests) cleanly against the current version of
OpenSSH, that would be great.

--dkg

[0] https://bugzilla.mindrot.org/show_bug.cgi?id=1256
[1] http://www.25thandclement.com/~william/projects/streamlocal.html
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


william at 25thandClement

Mar 5, 2012, 11:44 AM

Post #3 of 13 (3580 views)
Re: Unix socket forwarding [In reply to]

On Mon, Mar 05, 2012 at 12:43:11PM -0500, Daniel Kahn Gillmor wrote:
> Hi Tanguy--
>
> On 03/05/2012 04:21 AM, Tanguy Ortolo wrote:
> > There is one option I would love to see with OpenSSH: generic Unix
> > socket forwarding.
>
> I agree this would be useful.
>
> It's probably best to follow up on this request at its upstream bugzilla
> entry [0].
>
> If someone interested could make a revision of the patch at [1] that
> applies (and builds and tests) cleanly against the current version of
> OpenSSH, that would be great.
>
> --dkg
>
> [0] https://bugzilla.mindrot.org/show_bug.cgi?id=1256
> [1] http://www.25thandclement.com/~william/projects/streamlocal.html

If there's real interest by the team to accept the feature, I'd be happy to
update my patch and work out any integration issues and misgivings. But for
years there's been nothing but stone cold silence concerning this feature.



dkg at fifthhorseman

Mar 5, 2012, 12:08 PM

Post #4 of 13 (3578 views)
Re: Unix socket forwarding [In reply to]

On 03/05/2012 02:44 PM, William Ahern wrote:

> If there's real interest by the team to accept the feature, I'd be happy to
> update my patch and work out any integration issues and misgivings. But for
> years there's been nothing but stone cold silence concerning this feature.

While i understand your frustration, i think the way to demonstrate that
a feature is actively desired is to keep the patch up-to-date, and try
to encourage people to try it out and give feedback.

I'm not on the OpenSSH dev team, so i can't guarantee their responses,
but certainly having an active group of people using such a feature (and
having a well-written, up-to-date patch that simplifies things and
minimizes configuration complexity) would be a good thing.

Some devil-is-in-the-details questions:

0) Have you thought about how you'd expect the patch to interact with
the "no-port-forwarding" argument in authorized_keys files (see
sshd(8))? Do you want to introduce a new authorized_keys argument to
deal strictly with unix-domain sockets?

1) What about AllowTcpForwarding in sshd_config(5)? Will this patch
introduce a new configuration option for sshd_config?

2) Are all forwarded unix-domain sockets going to be of type
SOCK_STREAM, or is it possible to forward a SOCK_DGRAM (or
SOCK_SEQPACKET or SOCK_RAW) socket?

3) Should ssh be able to connect a local unix domain socket to a remote
TCP port? or vice versa? If so, how does that decision affect the
configuration option decisions you've made in (0) and (1)?

4) Given that the process is currently doable (albeit with some
command-line complexity) without implementing it directly in ssh (e.g.,
http://www.debian-administration.org/users/dkg/weblog/68), are the
additional configuration complexities introduced into ssh worth the gain
for those of us who want to use the feature?

I don't mean these questions as discouragement; on the contrary, i think
having a clear and well-justified answer to these questions should make
a stronger argument for adoption of a patch that implements the feature.

--dkg


william at 25thandClement

Mar 5, 2012, 1:11 PM

Post #5 of 13 (3578 views)
Re: Unix socket forwarding [In reply to]

On Mon, Mar 05, 2012 at 03:08:16PM -0500, Daniel Kahn Gillmor wrote:
> On 03/05/2012 02:44 PM, William Ahern wrote:
>
> > If there's real interest by the team to accept the feature, I'd be happy to
> > update my patch and work out any integration issues and misgivings. But for
> > years there's been nothing but stone cold silence concerning this feature.
>
> While i understand your frustration, i think the way to demonstrate that
> a feature is actively desired is to keep the patch up-to-date, and try
> to encourage people to try it out and give feedback.

I'm not frustrated. The patch has been used on tens of thousands of machines
across the globe for going on half a decade now without a single known
issue. It's always nicer, of course, to have a feature committed upstream,
but what can you do?

It's always more frustrating as a maintainer of a large project because
everybody and their cousin submits patches. You're often reticent to accept
even the good patches because it just adds to the overall cognitive burden.
I get that.

It just seems to me like the developers just aren't that interested in the
feature, period, and for whatever reasons they've silently kept that opinion
to themselves. That's a perfectly reasonable judgment call.

Whenever the subject comes up I renew my offer to revamp, but unless and
until there's some interest from the core developers I'm not going to spend
time on it. It's very time consuming integrating a large patch into an
upstream project; impossible, in fact, without feedback from the developers.

> I'm not on the OpenSSH dev team, so i can't guarantee their responses,
> but certainly having an active group of people using such a feature (and
> having a well-written, up-to-date patch that simplifies things and
> minimizes configuration complexity) would be a good thing.
>
> Some devil-is-in-the-details questions:

I'm intimately aware of the details. Outside of the core developers and a
small cadre of hackers I probably became more familiar with the OpenSSH
codebase than anyone else. It's an intrusive patch and required additions to
the underlying protocol, fixes to options parsing code, and a refactoring of
several data structures and related code. The fact that X11 forwarding
already exists--as pointed out by the OP--turns out to not matter one iota
because of the SSH protocol spec and the architecture of OpenSSH in
particular.

As for having an active group, that's hard to quantify. How would you define
the active group for port forwarding? You really can't. It's used by a
large, disparate group of people for all manner of random purposes. Domain
socket forwarding may in fact be a poor feature for inclusion given the
alternatives. The fact that everybody but the core developers think it's a
good idea, and yet I've been the only one to cook up a patch, tends to
suggest a lack of substantive demand. Or perhaps my patch sufficed for
those who really needed the feature, which lessened pressure for inclusion or
addition upstream. Who knows?


dkg at fifthhorseman

Mar 5, 2012, 1:40 PM

Post #6 of 13 (3569 views)
Re: Unix socket forwarding [In reply to]

On 03/05/2012 04:11 PM, William Ahern wrote:
> I'm intimately aware of the details. Outside of the core developers and a
> small cadre of hackers I probably became more familiar with the OpenSSH
> codebase than anyone else. It's an intrusive patch and required additions to
> the underlying protocol, fixes to options parsing code, and a refactoring of
> several data structures and related code. The fact that X11 forwarding
> already exists--as pointed out by the OP--turns out to not matter one iota
> because of the SSH protocol spec and the architecture of OpenSSH in
> particular.

yikes! I can see why something this hairy would make upstream shy. Are
the extensions to the protocol documented someplace? I couldn't find
them at http://www.25thandclement.com/~william/projects/streamlocal.html

> The fact that everybody but the core developers think it's a
> good idea, and yet I've been the only one to cook up a patch, tends to
> suggest a lack of substantive demand. Or perhaps my patch sufficed for
> those who really needed the feature, which lessened pressure for inclusion or
> addition upstream. Who knows?

It's also possible that the feasibility of hooking ssh into a common
utility like socat satisfies the majority of users who want the
functionality but can't vet such a complex/complicated patch.

--dkg


william at 25thandClement

Mar 5, 2012, 3:36 PM

Post #7 of 13 (3565 views)
Re: Unix socket forwarding [In reply to]

On Mon, Mar 05, 2012 at 04:40:22PM -0500, Daniel Kahn Gillmor wrote:
> On 03/05/2012 04:11 PM, William Ahern wrote:
> > I'm intimately aware of the details. Outside of the core developers and a
> > small cadre of hackers I probably became more familiar with the OpenSSH
> > codebase than anyone else. It's an intrusive patch and required additions to
> > the underlying protocol, fixes to options parsing code, and a refactoring of
> > several data structures and related code. The fact that X11 forwarding
> > already exists--as pointed out by the OP--turns out to not matter one iota
> > because of the SSH protocol spec and the architecture of OpenSSH in
> > particular.
>
> yikes! I can see why something this hairy would make upstream shy. Are
> the extensions to the protocol documented someplace? I couldn't find
> them at http://www.25thandclement.com/~william/projects/streamlocal.html
>

http://lists.mindrot.org/pipermail/openssh-unix-dev/2006-April/024201.html


peter at stuge

Mar 5, 2012, 4:04 PM

Post #8 of 13 (3564 views)
Re: Unix socket forwarding [In reply to]

William Ahern wrote:
> I'm intimately aware of the details. Outside of the core developers
> and a small cadre of hackers I probably became more familiar with
> the OpenSSH codebase than anyone else. It's an intrusive patch and
> required additions to the underlying protocol, fixes to options
> parsing code, and a refactoring of several data structures and
> related code.

Each of these properties is enough motivation to reject the patch.


> The fact that X11 forwarding already exists--as pointed out by the
> OP--turns out to not matter one iota because of the SSH protocol
> spec and the architecture of OpenSSH in particular.

The spec is the bigger problem. Nobody likes private extensions.


> The fact that everybody but the core developers think it's a good idea,

Don't put words in my mouth please. I think it's a terrible idea
because of all the required changes.


> and yet I've been the only one to cook up a patch, tends to
> suggest a lack of substantive demand.

I think this is spot on. If I needed to do this I would indeed
use socat, possibly as an ssh subsystem.


//Peter


william at 25thandClement

Mar 5, 2012, 5:09 PM

Post #9 of 13 (3564 views)
Re: Unix socket forwarding [In reply to]

On Tue, Mar 06, 2012 at 01:04:41AM +0100, Peter Stuge wrote:
> William Ahern wrote:
> > I'm intimately aware of the details. Outside of the core developers
> > and a small cadre of hackers I probably became more familiar with
> > the OpenSSH codebase than anyone else. It's an intrusive patch and
> > required additions to the underlying protocol, fixes to options
> > parsing code, and a refactoring of several data structures and
> > related code.
>
> Each of these properties is enough motivation to reject the patch.
>
>
> > The fact that X11 forwarding already exists--as pointed out by the
> > OP--turns out to not matter one iota because of the SSH protocol
> > spec and the architecture of OpenSSH in particular.
>
> The spec is the bigger problem. Nobody likes private extensions.
>
>
> > The fact that everybody but the core developers think it's a good idea,
>
> Don't put words in my mouth please.

Please excuse my hyperbole.

> I think it's a terrible idea because of all the required changes.

All things being equal, I'd agree with you. But all things aren't equal.
Forwarding support is more central to the function of SSH than any old
feature. It's an open-ended capability that increases the utility of ssh
manyfold.

And a ton of junk has gone into OpenSSH over the years, and continues to be
added. And many of my changes actually improved the quality of the code
base, IMNSHO. The patch reduced obfuscation of socket handling in many
cases, and would have eased some of the changes in the intervening years.

Adding domain socket support is a sane generalization of the existing
system. Certainly saner than, say, adding tun/tap support ;)

I mean, how much more useful on a day-to-day basis is it to be able to
easily forward a MySQL or PostgreSQL domain socket (especially when, for
security reasons--e.g. socket credential authentication or minimal
dependency on a firewall to protect your data--you disable TCP access) than
it is to use SSH for an esoteric and ad hoc (albeit, sometimes very cool and
useful) VPN?

socat is _not_ convenient. It's not even portable. There's socat, nc,
netcat, and perhaps more often than not, nothing.

I think the _idea_ of adding domain socket support--even given the hairiness
of OpenSSH's code base--is quite defensible.



dan at doxpara

Mar 5, 2012, 5:21 PM

Post #10 of 13 (3566 views)
Re: Unix socket forwarding [In reply to]

> I think the _idea_ of adding domain socket support--even given the
> hairiness of OpenSSH's code base--is quite defensible.

For what it's worth, I'm now inclined to agree (specifically, the
mysql/postgresql domain sockets push me well over the edge).


peter at stuge

Mar 5, 2012, 6:01 PM

Post #11 of 13 (3567 views)
Re: Unix socket forwarding [In reply to]

William Ahern wrote:
> > I think it's a terrible idea because of all the required changes.
>
> All things being equal, I'd agree with you. But all things aren't equal.
> Forwarding support is more central to the function of SSH than any old
> feature. It's an open-ended capability that increases the utility of ssh
> manyfold.

Mh. TCP isn't rocket science. I agree that it's handy sometimes, but
generally when you would want to use it, it's for users who need so
much handholding that you might as well write them a special purpose
SSH client instead.


> many of my changes actually improved the quality of the code base,
> IMNSHO. The patch reduced obfuscation of socket handling in many
> cases, and would have eased some of the changes in the intervening
> years.

So maybe a good way to get the feature included is to submit these
preparatory improvements one by one, as opposed to everything in one
unhandlable monolith change.


> Adding domain socket support is a sane generalization of the existing
> system. Certainly saner than, say, adding tun/tap support ;)

Just because tun is foreign to you doesn't mean that it is so for
others. I used (programmed) tun for the first time some 15 years ago.


> I mean, how much more useful on a day-to-day basis is it to be able to
> easily forward a MySQL or PostgreSQL domain socket (especially when, for
> security reasons--e.g. socket credential authentication or minimal
> dependency on a firewall to protect your data--you disable TCP access)

Sure, peercred authentication is a neat trick and AF_UNIX forwarding
could simplify it remotely, but I still think that if you have this
need then adding socat to the system and configuring a subsystem is
really quite trivial for any systems administrator worth their title.


> than it is to use SSH for an esoteric and ad hoc (albeit, sometimes
> very cool and useful) VPN?

I don't know if I agree about esoteric and ad-hoc. tun is not new to
me, and any VPN can be connected or disconnected.


> socat is _not_ convenient. It's not even portable. There's socat,
> nc, netcat, and perhaps more often than not, nothing.

I disagree strongly. If AF_UNIX forwarding were in the SSH protocol then
it would be easy to argue for supporting it. But since SSH is
specifically not only for UNIX and -like systems I'm happy that it
isn't in the protocol. socat is the needed abstraction and is
portable across "AIX, BSD, HP-UX, Linux, Solaris e.a. (UNIX)"
according to http://www.dest-unreach.org/socat/


> I think the _idea_ of adding domain socket support--even given the
> hairiness of OpenSSH's code base--is quite defensible.

Like tun channels I think AF_UNIX channels are a neat hack. But there
is obviously zero chance of inclusion unless the final patch to add
the feature is clean.

The obvious way is to break it down into a set of patches with clear
one-by-one improvements. I guess you know this already.


//Peter


Paul-Ebermann at gmx

Mar 6, 2012, 2:42 PM

Post #12 of 13 (3564 views)
Re: Unix socket forwarding [In reply to]

Peter Stuge wrote:

>> and yet I've been the only one to cook up a patch, tends to
>> suggest a lack of substantive demand.
>
> I think this is spot on. If I needed to do this I would indeed
> use socat, possibly as an ssh subsystem.

Would this be something like the sftp subsystem? Would we need special
client support then, or just some server configuration?


Paŭlo
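The subsystem approach Peter describes has two halves: a `Subsystem` line in the server's sshd_config that hands the session's stdin/stdout to socat, and something on the client that turns each connection to a local socket into an `ssh -s` session. The following is an added example, not code from the thread or from OpenSSH, implementing that client half in Python for the case William raises where socat is not installed locally. It assumes a constructed server line such as `Subsystem pgsock /usr/bin/socat STDIO UNIX-CONNECT:/var/run/postgresql/.s.PGSQL.5432`, so that a real deployment would call `serve("/run/user/1000/pg.sock", ["ssh", "-T", "-o", "BatchMode=yes", "-s", "remotehost", "pgsock"])`; `demo_roundtrip` substitutes `cat` for ssh so the relay can be exercised offline.

```python
import os
import socket
import subprocess
import tempfile
import threading
from contextlib import suppress

def pump(conn, proc):
    """Copy bytes both ways between one accepted connection and the child's stdin/stdout."""
    def sock_to_child():
        with suppress(OSError):
            while data := conn.recv(65536):
                proc.stdin.write(data)
                proc.stdin.flush()
        with suppress(OSError):
            proc.stdin.close()            # EOF to the child when the local client hangs up
    t = threading.Thread(target=sock_to_child, daemon=True)
    t.start()
    with suppress(OSError):
        while data := os.read(proc.stdout.fileno(), 65536):
            conn.sendall(data)
    with suppress(OSError):
        conn.shutdown(socket.SHUT_RDWR)   # unblocks sock_to_child if it is still in recv()
    t.join()
    conn.close()
    proc.wait()

def serve(local_path, command, max_conns=None, ready=None):
    """Listen on local_path; each client gets its own child process (socat's fork option)."""
    with suppress(FileNotFoundError):
        os.unlink(local_path)             # stale socket left by a previous run
    old_umask = os.umask(0o077)           # socket file is created 0600: only this user may connect
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(local_path)
    os.umask(old_umask)
    srv.listen(8)
    if ready is not None:
        ready.set()                       # tells the caller the socket is accepting
    handled = 0
    try:
        while max_conns is None or handled < max_conns:
            conn, _ = srv.accept()
            proc = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
            threading.Thread(target=pump, args=(conn, proc), daemon=True).start()
            handled += 1
    finally:
        srv.close()
        os.unlink(local_path)
    return handled                        # number of connections relayed

def demo_roundtrip(payload, command=("cat",)):
    """Offline check: relay one client through 'cat' instead of ssh; returns (echo, count)."""
    path = os.path.join(tempfile.mkdtemp(), "pg.sock")
    ready, count = threading.Event(), []
    t = threading.Thread(target=lambda: count.append(serve(path, list(command), 1, ready)))
    t.start()
    ready.wait(5)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.connect(path)
        client.sendall(payload)
        got = b""
        while len(got) < len(payload) and (chunk := client.recv(65536)):
            got += chunk
    t.join(10)
    return got, count[0]
```

The 0600 socket mode is the client-side counterpart of the peercred argument made earlier in the thread: only the local user who started the relay can reach the remote socket through it.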


djm at mindrot

Nov 4, 2012, 5:28 PM

Post #13 of 13 (3166 views)
Re: Unix socket forwarding [In reply to]

thread, rise from your grave!

On Mon, 5 Mar 2012, William Ahern wrote:

> If there's real interest by the team to accept the feature, I'd be happy to
> update my patch and work out any integration issues and misgivings. But for
> years there's been nothing but stone cold silence concerning this feature.

Hi,

I've finally found some time to work through long-standing feature requests
(so far: authorized_keys from a command, multiple required authentication),
and I'd like to take a proper look at Unix domain socket forwarding.

Is there a more current patch than the one on your website available? I'd
like to see if I can get it in for 6.2 if possible.

-d
