[PATCH] accept SOCKS request over the mux socket

Salvador Fandino sfandino at yahoo.com
Fri Mar 13 03:22:40 EST 2009

----- Original Message ----
> From: Jim Knoble <jmknoble at pobox.com>
> To: Ben Lindstrom <mouring at eviladmin.org>
> Cc: Salvador Fandino <sfandino at yahoo.com>; openssh-unix-dev at mindrot.org
> Sent: Wednesday, March 11, 2009 7:21:54 PM
> Subject: Re: [PATCH] accept SOCKS request over the mux socket
> 
> Circa 2009-03-11 10:27 dixit Ben Lindstrom:
> 
> : I'm concerned that people will become confused since the -M -S combo has
> : been reserved for multiple ssh terminal sessions over a single
> : tunnel.  I'd rather see it more clear like:
> : 
> : ssh -D -M -S /tmp/mux 172.20.3.12 -N -f   if you want multiple tunnels
> : + SOCKS support
> : ssh -D -S /tmp/mux  .. if you just want SOCKS support instead of a PORT
> : 
> : Which means an error needs to be thrown on
> : 
> : ssh -Dxxx  -S xxxx
> 
> The above means that you can't separate permissions for the mux socket
> and the SOCKS socket.
> 
> Better to create a dedicated SOCKS socket, no?
> 
>   ssh -D /tmp/ssh-socks-socket ...
> 
> That is, '-D' may accept either an IP address or a filesystem path.
> Reserve '-S' for use with multiplexing sockets.  This way, one can:
> 
>   ssh -D /tmp/ssh-socks-socket -M -S /tmp/ssh-mux-socket ...
> 
> and allow more than one user to use the SOCKS connection while keeping
> the mux socket more private.
> 
> This also makes the '-D' syntax consistent and sensible.

I have attached a new patch to the request at...

  https://bugzilla.mindrot.org/show_bug.cgi?id=1572

doing just that.

There is a problem with it, though: slashes already have a special meaning in tunnel specifications, where they are used with IPv6 addresses.

My proposal (not implemented in the patch yet) would be to use {} to demarcate unix paths, as in

  $ ssh -D{/tmp/bar} ...

and

  $ ssh -L{/tmp/foo}:host:22 ...

It will fail for -L{/tmp/name,with,commas}, but hey, this is not very common!

Cheers,

  - Salva

> 
> --jim
> 
> -- 
> jim knoble  |  jmknoble at pobox.com  |  http://www.pobox.com/~jmknoble/
> (GnuPG key ID: C6F31FFA  >>>>>>  http://www.pobox.com/~jmknoble/keys/ )
> (GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)
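As an added illustration (not code from the bugzilla patch or from OpenSSH itself), here is a hypothetical parser for the -D listen side under the proposed {path} syntax; the names parse_fwd_listen and fwd_listen are assumptions. It shows how the braces, together with the existing [ipv6]:port form, keep unix paths, IPv6 addresses and port numbers apart without overloading the slash:

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical parser for a -D listen spec using the "{unix path}" syntax
 * proposed above; not OpenSSH's own code. Accepts "{/abs/path}",
 * "[ipv6]:port", "host:port" and "port". */
struct fwd_listen {
	int is_unix;      /* 1: unix socket, 0: TCP */
	char host[256];   /* unix path, or listen address ("" = default) */
	int port;         /* TCP port, -1 for unix sockets */
};

/* Returns 0 and fills *out on success, -1 on malformed input. */
int parse_fwd_listen(const char *spec, struct fwd_listen *out)
{
	const char *start = spec, *end, *portstr = spec;
	char *junk; long v;
	size_t n = 0;

	memset(out, 0, sizeof(*out));
	out->port = -1;
	if (spec[0] == '{') {                 /* {unix path}; nothing may follow '}' */
		start = spec + 1;
		if ((end = strchr(start, '}')) == NULL || end[1] != '\0' || *start != '/')
			return -1;
		n = (size_t)(end - start);
		out->is_unix = 1;
	} else if (spec[0] == '[') {          /* [ipv6]:port; brackets resolve the ':' ambiguity */
		start = spec + 1;
		if ((end = strchr(start, ']')) == NULL || end[1] != ':')
			return -1;
		n = (size_t)(end - start);
		portstr = end + 2;
	} else if ((end = strrchr(spec, ':')) != NULL) {  /* host:port */
		n = (size_t)(end - spec);
		portstr = end + 1;
	}                                     /* otherwise: bare port */
	if (n >= sizeof(out->host))
		return -1;
	memcpy(out->host, start, n);          /* host[] is zeroed, so it stays NUL-terminated */
	if (out->is_unix)
		return 0;
	v = strtol(portstr, &junk, 10);       /* port must be all digits in 1..65535 */
	if (*portstr == '\0' || *junk != '\0' || v < 1 || v > 65535)
		return -1;
	out->port = (int)v;
	return 0;
}
```

A -L spec such as {/tmp/foo}:host:22 would carry a ":host:port" remainder after the closing brace; this parser deliberately rejects anything after '}' and covers only the -D form.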
