Unix socket forwarding

William Ahern william at 25thandClement.com
Tue Mar 6 12:09:56 EST 2012


On Tue, Mar 06, 2012 at 01:04:41AM +0100, Peter Stuge wrote:
> William Ahern wrote:
> > I'm intimately aware of the details. Outside of the core developers
> > and a small cadre of hackers I probably became more familiar with
> > the OpenSSH codebase than anyone else. It's an intrusive patch and
> > required additions to the underlying protocol, fixes to options
> > parsing code, and a refactoring of several data structures and
> > related code.
> 
> Each of these properties is enough motivation to reject the patch.
> 
> 
> > The fact that X11 forwarding already exists--as pointed out by the
> > OP--turns out to not matter one iota because of the SSH protocol
> > spec and the architecture of OpenSSH in particular.
> 
> The spec is the bigger problem. Nobody likes private extensions..
> 
> 
> > The fact that everybody but the core developers think it's a good idea,
> 
> Don't put words in my mouth please.

Please excuse my hyperbole.

> I think it's a terrible idea because of all the required changes.

All things being equal, I'd agree with you. But all things aren't equal.
Forwarding support is more central to the function of SSH than any old
feature. It's an open-ended capability that increases the utility of ssh
manyfold.

And a ton of junk has gone into OpenSSH over the years, and continues to be
added. And many of my changes actually improved the quality of the code
base, IMNSHO. The patch reduced obfuscation of socket handling in many
cases, and would have eased some of the changes in the intervening years.

Adding domain socket support is a sane generalization of the existing
system. Certainly saner than, say, adding tun/tap support ;)

I mean, how much more useful on a day-to-day basis is it to be able to
easily forward a MySQL or PostgreSQL domain socket (especially when, for
security reasons--e.g. socket credential authentication or minimal
dependency on a firewall to protect your data--you disable TCP access) than
it is to use SSH for an esoteric and ad hoc (albeit, sometimes very cool and
useful) VPN?

socat is _not_ convenient. It's not even portable. There's socat, nc,
netcat, and perhaps more often than not, nothing.

I think the _idea_ of adding domain socket support--even given the hairiness
of OpenSSH's code base--is quite defensible.
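The mechanics of what a domain-socket forward does, as an added example that is not part of the original mail nor of the patch it discusses: a backend that listens only on a Unix socket and authenticates peers by socket credentials (the "socket credential authentication" case above), a forwarder that accepts on one Unix socket and splices each connection to another, and a client that talks to the backend both directly and through the forwarder. Everything is constructed for the example and runs in one process in a temporary directory, so no ssh, socat or database is needed; the socket names `db.sock` and `fwd.sock` and the `select 1` payload are invented.

```python
"""Minimal Unix-domain-socket forwarder: what an ssh -L style forward (or the
socat one-liner the mail calls inconvenient) does on the wire, next to a
backend that authenticates peers by SO_PEERCRED.

Constructed example: backend, forwarder and client all live in this process.
"""
import os
import shutil
import socket
import struct
import tempfile
import threading


def peer_uid(conn):
    """uid of the process at the other end of a connected AF_UNIX socket.

    Uses SO_PEERCRED (Linux). Returns None where the option does not exist, so
    the example still runs elsewhere, just without the credential check.
    """
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    # struct ucred { pid_t pid; uid_t uid; gid_t gid; }
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def _read_line(conn):
    """Read up to and including the first newline (or EOF)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def backend(path, allowed_uids, ready):
    """Stand-in for a database with TCP disabled: Unix socket only, peer-uid allow-list.

    Caveat this demonstrates: behind a forwarder the backend sees the uid of the
    forwarding process (on a real ssh -L forward, sshd's), not the original
    client's. Credential-based access control then only says who may reach the
    forwarded socket, not who is on the far side of it.
    """
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(8)
    ready.set()
    while True:
        conn, _ = srv.accept()
        with conn:
            uid = peer_uid(conn)
            if uid is not None and uid not in allowed_uids:
                conn.sendall(b"denied uid=%d\n" % uid)
                continue
            line = _read_line(conn)
            conn.sendall(b"uid=%s echo=%s" % (str(uid).encode(), line))


def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _splice(a, b):
    """Bidirectional relay; close both ends once both directions hit EOF."""
    t1 = threading.Thread(target=_pump, args=(a, b))
    t2 = threading.Thread(target=_pump, args=(b, a))
    t1.start(); t2.start(); t1.join(); t2.join()
    a.close(); b.close()


def forwarder(listen_path, target_path, ready):
    """Accept on listen_path and splice each connection to target_path.

    In a real ssh forward the accept() happens in the ssh client and the
    connect() in sshd on the remote host, with an SSH channel in between.
    """
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(listen_path)
    os.chmod(listen_path, 0o600)   # owner-only, so the forward is not a public door to the backend
    srv.listen(8)
    ready.set()
    while True:
        client, _ = srv.accept()
        upstream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        upstream.connect(target_path)
        threading.Thread(target=_splice, args=(client, upstream), daemon=True).start()


def query(path, payload):
    """Send one line to a Unix socket and return everything it replies."""
    c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    c.connect(path)
    c.sendall(payload + b"\n")
    c.shutdown(socket.SHUT_WR)
    chunks = []
    while True:
        d = c.recv(4096)
        if not d:
            break
        chunks.append(d)
    c.close()
    return b"".join(chunks)


def demo():
    """Constructed scenario: one backend, one forwarder, one client, all local."""
    tmp = tempfile.mkdtemp()
    db_sock, fwd_sock = os.path.join(tmp, "db.sock"), os.path.join(tmp, "fwd.sock")
    ready_db, ready_fwd = threading.Event(), threading.Event()
    threading.Thread(target=backend, args=(db_sock, {os.getuid()}, ready_db), daemon=True).start()
    ready_db.wait()
    threading.Thread(target=forwarder, args=(fwd_sock, db_sock, ready_fwd), daemon=True).start()
    ready_fwd.wait()
    try:
        return {"direct": query(db_sock, b"select 1"),
                "forwarded": query(fwd_sock, b"select 1")}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

Both replies carry the same uid because forwarder and client are the same process here; on a real forward the backend would report sshd's uid for the forwarded connection, which is exactly why a backend that relies on SO_PEERCRED should not be exposed through a forward without also restricting who can reach the listening socket (the `chmod 0600` above). For reference, OpenSSH releases from 6.7 onward accept this kind of forward natively, e.g. `ssh -L /tmp/pg.sock:/var/run/postgresql/.s.PGSQL.5432 host`; that is a later development and not the patch the mail describes.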
