Unix socket forwarding

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Mar 6 07:08:16 EST 2012


On 03/05/2012 02:44 PM, William Ahern wrote:

> If there's real interest by the team to accept the feature, I'd be happy to
> update my patch and work out any integration issues and misgivings. But for
> years there's been nothing but stone cold silence concerning this feature.

While i understand your frustration, i think the way to demonstrate that
a feature is actively desired is to keep the patch up-to-date, and try
to encourage people to try it out and give feedback.

I'm not on the OpenSSH dev team, so i can't guarantee their responses,
but certainly having an active group of people using such a feature (and
having a well-written, up-to-date patch that simplifies things and
minimizes configuration complexity) would be a good thing.

Some devil-is-in-the-details questions:

 0) Have you thought about how you'd expect the patch to interact with
the "no-port-forwarding" argument in authorized_keys files (see
sshd(8))?  Do you want to introduce a new authorized_keys argument to
deal strictly with unix-domain sockets?

 1) What about AllowTcpForwarding in sshd_config(5)?  Will this patch
introduce a new configuration option for sshd_config?

 2) Are all forwarded unix-domain sockets going to be of type
SOCK_STREAM, or is it possible to forward a SOCK_DGRAM (or
SOCK_SEQPACKET or SOCK_RAW) socket?

 3) Should ssh be able to connect a local unix domain socket to a remote
TCP port?  Or vice versa?  If so, how does that decision affect the
configuration option decisions you've made in (0) and (1)?

 4) Given that the process is currently doable (albeit with some
command-line complexity) without implementing it directly in ssh (e.g.,
http://www.debian-administration.org/users/dkg/weblog/68), are the
additional configuration complexities introduced into ssh worth the gain
for those of us who want to use the feature?

I don't mean these questions as discouragement; on the contrary, i think
having a clear and well-justified answer to these questions should make
a stronger argument for adoption of a patch that implements the feature.

	--dkg
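Questions (2) and (3) above both come down to what a forwarder actually carries. The following is an added example, not code from this thread, from William Ahern's patch, or from OpenSSH: a user-space relay that listens on a local unix-domain SOCK_STREAM socket and hands each client's bytes to a TCP port (the shape of the "unix socket to remote TCP port" case in question 3), followed by a check of why a SOCK_DGRAM socket does not fit such a byte relay without extra framing (question 2). The function names, the uppercasing echo service used as a stand-in for the remote TCP service, and the sample message are all constructed for this example.

```python
import os
import socket
import tempfile
import threading

def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination so EOF propagates."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def relay(a, b):
    """Bidirectional byte relay between two connected stream sockets; returns at EOF on both."""
    t = threading.Thread(target=_pump, args=(b, a), daemon=True)
    t.start()
    _pump(a, b)  # the other direction runs in the calling thread
    t.join()
    a.close()
    b.close()

def unix_to_tcp_forwarder(sock_path, tcp_host, tcp_port):
    """Listen on a unix SOCK_STREAM socket; for each client, dial the TCP target and relay bytes."""
    lsock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    lsock.bind(sock_path)
    lsock.listen(5)

    def serve():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:
                return  # listening socket closed by the owner
            remote = socket.create_connection((tcp_host, tcp_port))
            threading.Thread(target=relay, args=(client, remote), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return lsock  # close this to stop accepting new forwards

def echo_tcp_server():
    """Constructed stand-in for the remote TCP service: echoes input uppercased. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while data := conn.recv(4096):
                    conn.sendall(data.upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def demo_stream_forward():
    """Client -> unix socket -> forwarder -> TCP echo service -> back; returns what the client read."""
    srv, port = echo_tcp_server()
    sock_path = os.path.join(tempfile.mkdtemp(), "fwd.sock")
    lsock = unix_to_tcp_forwarder(sock_path, "127.0.0.1", port)
    try:
        c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        c.connect(sock_path)
        c.sendall(b"hello over unix socket")
        c.shutdown(socket.SHUT_WR)  # the client's EOF travels through the relay as a half-close
        out = b""
        while chunk := c.recv(4096):
            out += chunk
        c.close()
        return out
    finally:
        lsock.close()
        srv.close()
        os.unlink(sock_path)

def datagram_boundaries_demo():
    """Question 2's caveat: SOCK_DGRAM delivers whole messages, a stream delivers only bytes."""
    dg_a, dg_b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    dg_a.send(b"one")
    dg_a.send(b"two")
    datagrams = [dg_b.recv(4096), dg_b.recv(4096)]  # two distinct messages, boundaries intact
    st_a, st_b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    st_a.sendall(b"one")
    st_a.sendall(b"two")
    st_a.close()
    stream = b""
    while chunk := st_b.recv(4096):
        stream += chunk  # the "one"/"two" boundary is gone; a relay would need its own framing
    for s in (dg_a, dg_b, st_b):
        s.close()
    return datagrams, stream
```

Calling demo_stream_forward() returns the uppercased message, showing a stream-to-stream forward needs nothing beyond a byte relay and EOF propagation; datagram_boundaries_demo() returns the two intact datagrams next to the merged b"onetwo" from the stream side, which is why forwarding SOCK_DGRAM over an ssh channel would need the forwarder to add message framing rather than simply copy bytes.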

