[PATCH] accept SOCKS request over the mux socket
Jim Knoble
jmknoble at pobox.com
Fri Mar 13 09:31:35 EST 2009
Circa 2009-03-12 11:22 dixit Salvador Fandino:
: > From: Jim Knoble <jmknoble at pobox.com>
: > Sent: Wednesday, March 11, 2009 7:21:54 PM
: >
: > ssh -D /tmp/ssh-socks-socket ...
:
: I have attached a new patch to the request at...
:
: https://bugzilla.mindrot.org/show_bug.cgi?id=1572
:
: doing just that.
:
: There is a problem with it, which is that slashes already have a special
: meaning in tunnel specifications: they are used with IPv6 addresses.

The syntax you're speaking of is (from ssh(1)):

    IPv6 addresses can be specified with an alternative syntax:
    [bind_address/]port/host/hostport
    or by enclosing the address in square brackets.

There's a key difference between that syntax and the Unix-domain socket
path: The leading slash of an absolute path. That is:

    # Listen on IPv6 address ::1 on port 2222, forward across the
    # ssh link to address ::1, port 22
    ssh -L ::1/2222/::1/22

    # Listen on a Unix domain socket at /tmp/my-ssh-forward-sock, and
    # forward across the ssh link to address 127.0.0.1, port 22
    ssh -L /tmp/my-ssh-forward-sock:127.0.0.1:22

    # Listen on a Unix domain socket at /tmp/my-ssh-forward-sock, and
    # forward across the ssh link to address ::1, port 22
    # TODO: Does this work: -L [::1]:2222:[::1]:22
    ssh -L /tmp/my-ssh-forward-sock:[::1]:22

    # Syntax error (too many ':')
    ssh -L /::1/2222/::1/22

In words: If the first character of the argument to -L is '/', it's a
filesystem path, and ':' is required to be the sub-argument separator.
Remote IPv6 addresses must be enclosed in square brackets. Otherwise,
the syntax is the same as before.

Are there plans to implement domain sockets for '-R'? If so:

    # Listen on the remote address ::1 on port 2222, forward back across
    # the ssh link to address ::1, port 22
    ssh -R ::1/2222/::1/22

    # Listen on the remote address 127.0.0.1 on port 2222, forward back
    # across the ssh link to the socket at /tmp/my-service-sock on the
    # host ssh is running on
    ssh -R 127.0.0.1:2222:/tmp/my-service-sock

    # Listen on the remote address ::1 on port 2222, forward back across
    # the ssh link to the socket at /tmp/my-service-sock on the host ssh
    # is running on
    ssh -R [::1]:2222:/tmp/my-service-sock

    # Syntax error (probably produces either "tmp: host not found" or
    # "my-service-sock: unknown port")
    ssh -R ::1/2222/tmp/my-service-sock

In words, if '/' is used as the subargument separator, then Unix domain
sockets cannot be specified. If ':' is used, remote IPv6 addresses
must be specified in square brackets, and if the first character of the
"local" host specification is '/', then it's a Unix domain socket.

If you want Unix domain sockets to be used with -L or -R on the remote
end as well, that works the same as above, only with -L and -R reversed.

To forward between Unix domain sockets on both ends, you get:

    ssh -L /tmp/ssh-forward-sock:/tmp/my-service-sock

(I.e., only 2 subarguments, separated by ':'). Same for -R. Obviously,
sshd would have to be patched to support that.

Anything i missed, for -L or -R?

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)
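
The separator rule proposed in the message above, as an added sketch that is not part of the original post and is not OpenSSH code. `parse_forward` and its helpers are hypothetical names, and trying ':' first and then falling back to '/' is an assumption about how the two separators would be told apart.

```python
import re

def _port(text):
    # Ports are decimal 1..65535; anything else is a syntax error.
    if not text.isdigit() or not 0 < int(text) < 65536:
        raise ValueError(f"{text!r}: unknown port")
    return int(text)

def _fields(tokens):
    """Map separator-split subarguments to (listen, target) endpoints."""
    if tokens[-1].startswith("/"):
        # A trailing subargument starting with '/' is a socket path.
        target, rest = ("unix", tokens[-1]), tokens[:-1]
    elif len(tokens) >= 2 and tokens[-2]:
        # Otherwise the target is host followed by hostport.
        target, rest = ("tcp", tokens[-2], _port(tokens[-1])), tokens[:-2]
    else:
        raise ValueError("missing or empty target host")
    if len(rest) == 1 and rest[0].startswith("/"):
        return ("unix", rest[0]), target           # listen on a socket path
    if len(rest) == 1:
        return ("tcp", "", _port(rest[0])), target  # port only, no bind address
    if len(rest) == 2:
        return ("tcp", rest[0], _port(rest[1])), target
    raise ValueError("wrong number of subarguments")

def parse_forward(spec):
    """Parse a -L/-R style argument under the rule proposed in the message."""
    # Split on ':' except inside [...], then drop the brackets.
    colon = [t[1:-1] if t[:1] == "[" and t[-1:] == "]" else t
             for t in re.split(r":(?![^\[]*\])", spec)]
    try:
        return _fields(colon)
    except ValueError:
        if spec.startswith("/"):
            raise  # leading '/' is a path, so ':' is the only separator
    # Existing alternative syntax: '/' separator, no socket paths possible.
    return _fields(spec.split("/"))

if __name__ == "__main__":
    # Constructed inputs: the example arguments from the message.
    for arg in ("::1/2222/::1/22", "/tmp/my-ssh-forward-sock:[::1]:22",
                "/tmp/ssh-forward-sock:/tmp/my-service-sock",
                "/::1/2222/::1/22", "::1/2222/tmp/my-service-sock"):
        try:
            print(arg, "->", parse_forward(arg))
        except ValueError as err:
            print(arg, "-> syntax error:", err)
```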