[PATCH] Expose remote forwarding ports as environment variable

Nico Schottelius nico-openssh-unix-dev at schottelius.org
Fri May 17 22:53:17 EST 2013


Philipp Marek [Fri, May 17, 2013 at 07:19:16AM +0200]:
> > [...]
> > I have a nasty hack which (in essence) involves making forceCommand
> > run something server side which records the PID of sshd, looks
> > at the table of listening sockets, sees what processes own them,
> > and links up the two. This is pretty disgusting.
> If you need a local TCP port, how about using socat to link it to SSH's 
> stdin/stdout, and (if needed) do the reverse on the server side?

I was actually considering this option before writing the patch.

Unfortunately there are various problems with this approach,
to name two:

    - It additionally requires socat on both sides
    - Socat only allows 1 (!) connection and exits afterwards,
      so it does not solve the problem of accessing the box multiple
      times (as required by cdist/ccollect)

Furthermore, one of the biggest advantages of using the ssh
code is that robust code to handle the problem is already in place;
OpenSSH would just need to expose this information.

> Then there's no port actually forwarded (just the "normal" data flow), 
> so there won't (and can't) be any collisions, and you can simply 
> determine which port is _really_ in use.

Yep, would have been nice if it worked easily and reliably.

Cheers,

Nico

socat session:

~/.ssh/authorized_keys:

    command="socat - TCP-LISTEN:1234" ssh-rsa AAAAB3NzaC1yc

[13:21] bento:~% socat TCP4:localhost:22,forever "EXEC:ssh nico-dev-vm-snr01"
Pseudo-terminal will not be allocated because stdin is not a terminal.

[root@nico-dev-vm-snr01 yum.repos.d]# ssh -p 1234 root@localhost
exit

[13:21] bento:~% socat TCP4:localhost:22,forever "EXEC:ssh nico-dev-vm-snr01"
Pseudo-terminal will not be allocated because stdin is not a terminal.
[13:32] bento:~% 

-----> socat exits after the ssh connection was closed

-- 
PGP key: 7ED9 F7D3 6B10 81D7 0EC5  5C09 D7DC C8E4 3187 7DF0
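The "nasty hack" alternative described in the quoted message (link the session's sshd to the listening sockets it owns) is easy to reproduce on Linux from a forced command. The following is an added example, not code from the OpenSSH patch or from either poster: it walks from the sshd PID to its socket inodes via /proc/<pid>/fd and matches them against the LISTEN rows of /proc/net/tcp and /proc/net/tcp6, which is the same linkage done in the other direction. The /proc/net/tcp sample inside the block is constructed; the function and constant names are this example's own.

```python
"""Recover the listening TCP ports held by a given sshd process from /proc.

Under ForceCommand the command is normally a child of the per-session sshd,
so os.getppid() is the PID to inspect; that sshd also owns the listening
sockets created for the client's -R forwards. This is an added example,
not part of the OpenSSH patch. The SAMPLE_PROC_NET_TCP text is constructed.
"""

import os
import re

TCP_LISTEN = "0A"  # value of the 'st' column for LISTEN in /proc/net/tcp

# Constructed sample: the session sshd (inode 12345) listens on 127.0.0.1:1234
# (port 0x04D2), the system sshd (inode 777) listens on 0.0.0.0:22, and an
# established session socket (state 01, inode 12346) must not be reported.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 777 1 0000000000000000 100 0 0 10 0
   1: 0100007F:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
"""


def parse_proc_net_tcp(text):
    """Yield (port, state, inode) for each socket row of /proc/net/tcp or tcp6."""
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        _, port_hex = fields[1].rsplit(":", 1)  # local_address is HEXIP:HEXPORT
        yield int(port_hex, 16), fields[3], int(fields[9])


def listening_ports_for_inodes(text, inodes):
    """Ports in `text` that are in LISTEN state and belong to one of `inodes`."""
    return sorted(
        port
        for port, state, inode in parse_proc_net_tcp(text)
        if state == TCP_LISTEN and inode in inodes
    )


def socket_inodes_of_pid(pid):
    """Inode numbers of all sockets process `pid` holds open (needs /proc access)."""
    inodes = set()
    fd_dir = "/proc/%d/fd" % pid
    try:
        names = os.listdir(fd_dir)
    except OSError:                              # no /proc, no such PID, or no permission
        return inodes
    for name in names:
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            inodes.add(int(m.group(1)))
    return inodes


def listening_ports_of_pid(pid):
    """Listening TCP ports (v4 and v6) owned by `pid`; [] when /proc is unavailable."""
    inodes = socket_inodes_of_pid(pid)
    ports = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                ports += listening_ports_for_inodes(f.read(), inodes)
        except OSError:
            pass
    return sorted(set(ports))


if __name__ == "__main__":
    # Run as the forced command: the parent is the session's sshd.
    print(listening_ports_of_pid(os.getppid()))
```

Two caveats a practitioner should keep in mind: /proc/<pid>/fd of the sshd is only readable if the forced command runs as the same user as that sshd (or as root), and when several -R forwards are open the list says which ports exist but not which client-side request each belongs to, which is exactly the information the patch proposes to hand over directly.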

