[Bug 3686] Remote-forwarding of Unix socket not possible with `AllowStreamLocalForwarding remote` but `AllowTcpForwarding no`
    bugzilla-daemon at mindrot.org
    Wed Oct  1 00:18:10 AEST 2025

https://bugzilla.mindrot.org/show_bug.cgi?id=3686
bugs-openssh at antipoul.fr changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugs-openssh at antipoul.fr
--- Comment #1 from bugs-openssh at antipoul.fr ---
It's still happening in 9.6p1 at least.
I don't understand the permission logic, but it seems bogus.
In
https://github.com/openssh/openssh-portable/blob/master/channels.c#L4933
the function channel_connect_to_path checks permissions to match if
(path, PORT_STREAMLOCAL) is allowed, using open_match()
But open_match
(https://github.com/openssh/openssh-portable/blob/master/channels.c#L4413)
checks against port_to_connect, which is always -2 for a unix socket
(https://github.com/openssh/openssh-portable/blob/master/misc.h#L155).
Of course it's not possible to specify a negative port number in the
PermitOpen directive (see
https://github.com/openssh/openssh-portable/blob/2c504a74ed81d13c8198a89ed1040d0fc5f73129/misc.c#L2053),
nor a path as a hostname.
I didn't dig into every detail, but it seems that without
AllowTcpForwarding, AllowStreamLocalForwarding is useless. This could
be fixed by either:
- Mentioning in the documentation that AllowTcpForwarding is required
- Adding parsing for sockets in PermitListen and PermitOpen (which
would be the best ;) )
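The mismatch the comment describes, as a simplified model added here (this is not OpenSSH's code; the struct, parser and function names below are hypothetical stand-ins for the real channels.c logic, and only the PORT_STREAMLOCAL value of -2 comes from the comment): an allow-list whose parser accepts only `host:port` entries with a port in 0..65535 can never store an entry that a Unix-socket request, which carries the negative sentinel port, would match. The second parser shows the second fix the comment proposes, accepting a socket path as an entry.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sentinel port OpenSSH uses for Unix-socket forwards (misc.h, cited in the comment). */
#define PORT_STREAMLOCAL (-2)
#define MAX_PERMITS 16
#define NAME_LEN 128

/* One allow-list entry: a host (or, in the extended form, a socket path) plus a port.
 * Hypothetical stand-in for the real per-channel permission records. */
struct permission {
    char host_or_path[NAME_LEN];
    int port;
};

static struct permission permits[MAX_PERMITS];
static int npermits = 0;

void clear_permits(void) { npermits = 0; }

static int store_permit(const char *name, int port) {
    if (npermits >= MAX_PERMITS || strlen(name) >= NAME_LEN)
        return -1;
    strcpy(permits[npermits].host_or_path, name);
    permits[npermits].port = port;
    npermits++;
    return 0;
}

/* Parse a "host:port" entry the way a TCP-only PermitOpen-style parser would:
 * the port must be a number in 0..65535, so a socket path (no ':' at all) and
 * the negative PORT_STREAMLOCAL sentinel are both unrepresentable.
 * Returns 0 on success, -1 if the entry is rejected. */
int add_permit_tcp_only(const char *spec) {
    const char *colon = strrchr(spec, ':');
    if (colon == NULL || colon == spec || colon[1] == '\0')
        return -1;
    char *end;
    long port = strtol(colon + 1, &end, 10);
    if (*end != '\0' || port < 0 || port > 65535)
        return -1;
    size_t hlen = (size_t)(colon - spec);
    if (hlen >= NAME_LEN)
        return -1;
    char host[NAME_LEN];
    memcpy(host, spec, hlen);
    host[hlen] = '\0';
    return store_permit(host, (int)port);
}

/* Hypothetical extended parser for the fix proposed in the comment: an entry
 * starting with '/' is a socket path, stored with port PORT_STREAMLOCAL so that
 * a Unix-socket request can match it. */
int add_permit_with_paths(const char *spec) {
    if (spec[0] == '/')
        return store_permit(spec, PORT_STREAMLOCAL);
    return add_permit_tcp_only(spec);
}

/* open_match-style check: a request is allowed only when BOTH the name and the
 * port equal a stored entry. Returns 1 if permitted, 0 otherwise. */
int open_match(const char *host_or_path, int port) {
    for (int i = 0; i < npermits; i++) {
        if (permits[i].port == port &&
            strcmp(permits[i].host_or_path, host_or_path) == 0)
            return 1;
    }
    return 0;
}

int main(void) {
    clear_permits();
    add_permit_tcp_only("localhost:8080");
    printf("tcp-only: localhost:8080 permitted -> %d\n", open_match("localhost", 8080));
    printf("tcp-only: parse '/tmp/app.sock' -> %d (rejected)\n",
           add_permit_tcp_only("/tmp/app.sock"));
    printf("tcp-only: socket request for /tmp/app.sock -> %d\n",
           open_match("/tmp/app.sock", PORT_STREAMLOCAL));
    clear_permits();
    add_permit_with_paths("/tmp/app.sock");
    printf("with paths: socket request for /tmp/app.sock -> %d\n",
           open_match("/tmp/app.sock", PORT_STREAMLOCAL));
    return 0;
}
```

The point the model makes visible: with the TCP-only parser, a socket path entry is rejected at configuration time and a `host:-2` entry is rejected as an out-of-range port, so `open_match` has nothing it could ever match a (path, PORT_STREAMLOCAL) request against; only a parser that stores paths with the sentinel port gives the check something to compare.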
More information about the openssh-bugs mailing list