[Bug 3686] Remote-forwarding of Unix socket not possible with `AllowStreamLocalForwarding remote` but `AllowTcpForwarding no`

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Oct 1 00:18:10 AEST 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3686

bugs-openssh at antipoul.fr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugs-openssh at antipoul.fr

--- Comment #1 from bugs-openssh at antipoul.fr ---
It's still happening in 9.6p1 at least.

I don't understand the permission logic, but it seems bogus.

In
https://github.com/openssh/openssh-portable/blob/master/channels.c#L4933
the function channel_connect_to_path checks permissions to see whether
(path, PORT_STREAMLOCAL) is allowed, using open_match().

But open_match
(https://github.com/openssh/openssh-portable/blob/master/channels.c#L4413)
checks against port_to_connect, which is always -2 for a Unix socket
(https://github.com/openssh/openssh-portable/blob/master/misc.h#L155).

Of course it's not possible to specify a negative port number in the
PermitOpen directive (see
https://github.com/openssh/openssh-portable/blob/2c504a74ed81d13c8198a89ed1040d0fc5f73129/misc.c#L2053),
nor a path as a hostname.


I didn't dig into every detail, but it seems that without
AllowTcpForwarding, AllowStreamLocalForwarding is useless. This could
be fixed by either:
- Mentioning in the documentation that AllowTcpForwarding is required
- Adding parsing for sockets in PermitListen and PermitOpen (which
would be the best ;) )

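The two server configurations the report contrasts, as an added example that is not part of the bug report or of OpenSSH's own files. The user names, socket paths and the Match-block layout are assumptions; so is the choice of `AllowTcpForwarding yes` for the workaround, since the report only says the directive must be enabled and does not say whether `remote` alone would do.

```sshd_config
# Added example: sshd_config fragments for the situation in this bug report.
# Not from the report or from OpenSSH; user names and socket paths are made up.

# Combination the report says does NOT work. The intent is least privilege:
# the user may create remote Unix-socket forwards but no TCP forwards at all.
# Reproduce from the client with (paths are placeholders):
#     ssh -v -R /tmp/remote.sock:/tmp/local.sock sockonly@server
# On the report's reading, the server runs the same open_match()/PermitOpen
# check as for TCP with port_to_connect = PORT_STREAMLOCAL (-2), a value no
# PermitOpen entry can express, so the forward is denied.
Match User sockonly
    AllowTcpForwarding no
    AllowStreamLocalForwarding remote
    # Unrelated to the bug: lets a repeated -R reuse a stale socket path.
    StreamLocalBindUnlink yes

# Workaround implied by the report: AllowTcpForwarding has to be enabled for
# the Unix-socket forward to be permitted (assumption: "yes"; the report does
# not say whether "remote" suffices). Caveat: this also grants TCP forwarding,
# and narrowing it again with PermitOpen would, by the report's own reasoning,
# deny the socket connect as well, because its pseudo-port never matches.
Match User sockonly-workaround
    AllowTcpForwarding yes
    AllowStreamLocalForwarding remote
    StreamLocalBindUnlink yes
```

Run `sshd -t -f <file>` after editing to syntax-check the fragment, then test the `-R` command above with `-v` to see whether the remote forward is accepted or refused for each user.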