Unix socket forwarding

Peter Stuge peter at stuge.se
Tue Mar 6 13:01:54 EST 2012


William Ahern wrote:
> > I think it's a terrible idea because of all the required changes.
> 
> All things being equal, I'd agree with you. But all things aren't equal.
> Forwarding support is more central to the function of SSH than any old
> feature. It's an open-ended capability that increases the utility of ssh
> manyfold.

Mh. TCP isn't rocket science. I agree that it's handy sometimes, but
generally when you would want to use it, it's for users who need so
much handholding that you might as well write them a special purpose
SSH client instead.


> many of my changes actually improved the quality of the code base,
> IMNSHO. The patch reduced obfuscation of socket handling in many
> cases, and would have eased some of the changes in the intervening
> years.

So maybe a good way to get the feature included is to submit these
preparatory improvements one by one, as opposed to everything in one
unhandlable monolith change.


> Adding domain socket support is a sane generalization of the existing
> system. Certainly saner than, say, adding tun/tap support ;)

Just because tun is foreign to you doesn't mean that it is so for
others. I used (programmed) tun for the first time some 15 years ago.


> I mean, how much more useful on a day-to-day basis is it to be able to
> easily forward a MySQL or PostgreSQL domain socket (especially when, for
> security reasons--e.g. socket credential authentication or minimal
> dependency on a firewall to protect your data--you disable TCP access)

Sure, peercred authentication is a neat trick and AF_UNIX forwarding
could simplify it remotely, but I still think that if you have this
need then adding socat to the system and configuring a subsystem is
really quite trivial for any systems administrator worth their title.


> than it is to use SSH for an esoteric and ad hoc (albeit, sometimes
> very cool and useful) VPN?

I don't know if I agree about esoteric and ad-hoc. tun is not new to
me, and any VPN can be connected or disconnected.


> socat is _not_ convenient. It's not even portable. There's socat,
> nc, netcat, and perhaps more often than not, nothing.

I disagree strongly. If AF_UNIX forwarding was in the SSH protocol then
it would be easy to argue for supporting it. But since SSH is
specifically not only for UNIX and -like systems I'm happy that it
isn't in the protocol. socat is the needed abstraction and is
portable across "AIX, BSD, HP-UX, Linux, Solaris e.a. (UNIX)"
according to http://www.dest-unreach.org/socat/


> I think the _idea_ of adding domain socket support--even given the
> hairiness of OpenSSH's code base--is quite defensible.

Like tun channels I think AF_UNIX channels are a neat hack. But there
is obviously zero chance of inclusion unless the final patch to add
the feature is clean.

The obvious way is to break it down into a set of patches with clear
one-by-one improvements. I guess you know this already.


//Peter
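The socat-plus-subsystem arrangement Peter mentions, written out as an added example (not code from the thread or from OpenSSH): the server side is a one-line sshd_config Subsystem wrapping socat, and the client side is a small local AF_UNIX listener that spawns one `ssh -s host pgsocket` per connection. The subsystem name "pgsocket", the host name and the PostgreSQL socket path are assumptions; `roundtrip` substitutes a local command for ssh so the bridge can be checked offline.

```python
import itertools, os, socket, subprocess, tempfile, threading
# Server side (sshd_config), assumed subsystem name "pgsocket":
#   Subsystem pgsocket /usr/bin/socat STDIO UNIX-CONNECT:/var/run/postgresql/.s.PGSQL.5432

def listen_unix(path):
    """Local AF_UNIX listener created with mode 0600, so only this user can connect to it."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(0o177)
    try:
        srv.bind(path)
    finally:
        os.umask(old)
    srv.listen(8)
    return srv

def _pump(read, write, on_eof):
    """Copy until EOF, then pass the EOF on so the other side can shut down cleanly."""
    try:
        while data := read(65536):
            write(data)
    finally:
        on_eof()

def bridge(conn, command):
    """Bridge one accepted connection to the stdin/stdout of a fresh `command` process."""
    proc = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE, bufsize=0)
    up = threading.Thread(target=_pump, args=(conn.recv, proc.stdin.write, proc.stdin.close))
    down = threading.Thread(target=_pump, args=(proc.stdout.read, conn.sendall,
                                                lambda: conn.shutdown(socket.SHUT_WR)))
    up.start(); down.start(); up.join(); down.join()
    conn.close()
    return proc.wait()

def serve(srv, command, max_connections=None):
    """Accept loop: one bridged process per client, e.g. ["ssh", "-s", "host", "pgsocket"]."""
    for _ in itertools.count() if max_connections is None else range(max_connections):
        conn, _addr = srv.accept()
        threading.Thread(target=bridge, args=(conn, command)).start()

def roundtrip(command, payload):
    """Offline check: push `payload` through one bridged `command` and return its reply."""
    path = os.path.join(tempfile.mkdtemp(), "fwd.sock")
    srv = listen_unix(path)
    threading.Thread(target=serve, args=(srv, command, 1), daemon=True).start()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(path)
        cli.sendall(payload)
        cli.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: cli.recv(65536), b""))
    srv.close()
    return reply
```

Because the remote socket is opened by the socat process sshd spawns, any peercred check on the server sees that process's credentials (the SSH user), not the original client's.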