[Bug 3686] New: Remote-forwarding of Unix socket not possible with `AllowStreamLocalForwarding remote` but `AllowTcpForwarding no`
bugzilla-daemon at mindrot.org
Wed May 1 14:06:34 AEST 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3686
Bug ID: 3686
Summary: Remote-forwarding of Unix socket not possible with `AllowStreamLocalForwarding remote` but `AllowTcpForwarding no`
Product: Portable OpenSSH
Version: 8.4p1
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: macdjord at gmail.com
As a user, my expectation is that the SSHD options
AllowStreamLocalForwarding and AllowTcpForwarding are independent, with
AllowStreamLocalForwarding controlling whether incoming connections are
allowed to forward to or from Unix sockets and AllowTcpForwarding
controlling whether incoming connections are allowed to forward to or
from TCP ports. However, I discovered, while attempting to configure a
system, that it is not possible to allow remote forwarding of Unix
sockets while prohibiting forwarding of TCP sockets.
The following tests were all conducted with the commands `ssh -v -R '/var/REDACTED/REDACTED.sock:localhost:8010' -N my-server` and `/usr/sbin/sshd -Ded`.
With `AllowStreamLocalForwarding no` and `AllowTcpForwarding remote` or
`no`, the behaviour was as expected: the forwarding failed with a
message that streamlocal forwarding had been disabled.
Relevant SSH output:
debug1: Remote: Server has disabled streamlocal forwarding.
debug1: remote forward failure for: listen /var/REDACTED/REDACTED.sock:-2, connect localhost:8010
Error: remote port forwarding failed for listen path /var/REDACTED/REDACTED.sock
Relevant SSHD output:
debug1: server_input_global_request: rtype streamlocal-forward@openssh.com want_reply 1
debug1: server_input_global_request: streamlocal-forward listen path /var/REDACTED/REDACTED.sock
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
Connection closed by 172.23.0.2 port 50362
With `AllowStreamLocalForwarding remote` and `AllowTcpForwarding
remote`, the behaviour was also as expected: the forwarding was
successful and the connection continued until terminated manually.
Relevant SSH output:
debug1: Remote connections from /var/REDACTED/REDACTED.sock:-2 forwarded to local address localhost:8010
debug1: ssh_init_forwarding: expecting replies for 1 forwards
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /etc/sentinel_ssh/ssh_in-authorized_keys:1: key options: command port-forwarding
debug1: Remote: /etc/sentinel_ssh/ssh_in-authorized_keys:1: key options: command port-forwarding
debug1: remote forward success for: listen /var/REDACTED/REDACTED.sock:-2, connect localhost:8010
debug1: forwarding_success: all expected forwarding replies received
Relevant SSHD output:
debug1: server_input_global_request: rtype streamlocal-forward@openssh.com want_reply 1
debug1: server_input_global_request: streamlocal-forward listen path /var/REDACTED/REDACTED.sock
debug1: Local forwarding listening on path /var/REDACTED/REDACTED.sock.
debug1: channel 0: new [unix listener]
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
But with `AllowStreamLocalForwarding remote` and `AllowTcpForwarding no`, the behaviour was not as expected: the forwarding failed, with the message 'port forwarding refused'.
Relevant SSH output:
debug1: Remote: port forwarding refused
debug1: remote forward failure for: listen /var/REDACTED/REDACTED.sock:-2, connect localhost:8010
Error: remote port forwarding failed for listen path /var/REDACTED/REDACTED.sock
Relevant SSHD output:
debug1: server_input_global_request: rtype streamlocal-forward@openssh.com want_reply 1
debug1: server_input_global_request: streamlocal-forward listen path /var/REDACTED/REDACTED.sock
Received request from 172.23.0.2 port 53220 to remote forward to path "/var/REDACTED/REDACTED.sock", but the request was denied.
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
Connection closed by 172.23.0.2 port 53220
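An added configuration check, not part of this bug report or of OpenSSH, that flags the setting combination the report describes: it reads the effective server configuration in the key/value layout printed by `sshd -T` and reports whether a remote Unix-socket forward would be refused. The sample configurations are constructed; treating `AllowTcpForwarding local` like `no` is an assumption beyond the report's own tests, which only cover `no` and `remote`.

```shell
#!/bin/sh
# Added example (not from the bug report): detect the sshd setting
# combination reported above, in which a remote Unix-socket forward is
# refused even though AllowStreamLocalForwarding permits it.
# Input: effective config in `sshd -T` form (lowercase keyword, value).

# Prints one word for the config text passed as $1:
#   refused  AllowStreamLocalForwarding permits remote forwards, but
#            AllowTcpForwarding does not (the combination in the report)
#   ok       both options permit remote forwards
#   n/a      AllowStreamLocalForwarding itself denies remote forwards
# Assumption: "local" for AllowTcpForwarding is treated like "no";
# the report only tested "no" and "remote".
classify_remote_unix_forwarding() {
    printf '%s\n' "$1" | awk '
        $1 == "allowstreamlocalforwarding" { sl = $2 }
        $1 == "allowtcpforwarding"         { tcp = $2 }
        END {
            # yes/all/remote all include the remote direction
            sl_remote  = (sl  == "yes" || sl  == "all" || sl  == "remote")
            tcp_remote = (tcp == "yes" || tcp == "all" || tcp == "remote")
            if (!sl_remote)      print "n/a"
            else if (tcp_remote) print "ok"
            else                 print "refused"
        }'
}

# Constructed samples in `sshd -T` layout: the three cases from the report.
# Real use: classify_remote_unix_forwarding "$(sshd -T)"
CASE_A='allowstreamlocalforwarding no
allowtcpforwarding remote'
CASE_B='allowstreamlocalforwarding remote
allowtcpforwarding remote'
CASE_C='allowstreamlocalforwarding remote
allowtcpforwarding no'

for cfg in "$CASE_A" "$CASE_B" "$CASE_C"; do
    printf '%s -> %s\n' "$(printf '%s' "$cfg" | tr '\n' ' ')" \
        "$(classify_remote_unix_forwarding "$cfg")"
done
```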