StreamLocal forwarding

Damien Miller djm at mindrot.org
Tue May 3 22:21:25 AEST 2016


Hi,

The code definitely attempts to unlink any old listener
beforehand (see misc.c:unix_listener()) so I don't understand why
that isn't being called. You might try simulating your configuration
using sshd's -T and -C to make sure the flag is correctly being set.

Could chroot be interfering? Some platforms implement additional
restrictions on devices and sockets inside chroot.

-d
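As an added example, not part of Damien's reply or of the OpenSSH sources: a small POSIX shell script that runs the `sshd -T -C` simulation he suggests, checks that the three keywords from Rogan's Match block actually reach the effective configuration for user sshvpn, and resolves where a chroot-relative socket path lands on the host filesystem (which is why the server-side ProxyCommand opens /var/sshvpn/sshvpn/gateway for a listener requested as /sshvpn/gateway). The user name, chroot directory and socket path are taken from the quoted configuration; the client hostname `gateway` and address `192.0.2.10` passed to `-C`, and the sample `sshd -T` output embedded below, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: simulate sshd's effective
# configuration for the forwarding user and verify the StreamLocal flags.

# Dump the effective config sshd would apply to a connection matching the given
# user, client hostname and client address (sshd -T -C). Needs root to read
# /etc/ssh/sshd_config and the host keys. Hostname/address are assumptions.
effective_config() {
    sshd -T -C "user=$1,host=$2,addr=$3"
}

# Read `sshd -T` output on stdin (lowercase "keyword value" lines) and confirm
# the three keywords the Match block sets come out as intended. Prints one line
# per keyword and returns 1 on any mismatch.
check_streamlocal_flags() {
    dump=$(cat)
    status=0
    for want in "allowstreamlocalforwarding yes" \
                "streamlocalbindunlink yes" \
                "allowtcpforwarding no"; do
        key=${want%% *}
        expected=${want#* }
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" = "$expected" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', wanted $expected"
            status=1
        fi
    done
    return $status
}

# The path the client asks for (-R /sshvpn/gateway) is bound inside
# ChrootDirectory, so the socket the server-side ProxyCommand must open is
# <chroot>/<path>. Tolerates a trailing slash on the chroot directory.
host_socket_path() {
    chroot_dir=${1%/}
    printf '%s%s\n' "$chroot_dir" "$2"
}

# True if a socket file already exists at the host path: a leftover from a
# previous session is exactly what makes the second bind() fail with EADDRINUSE.
stale_socket_present() {
    [ -S "$1" ]
}

# Constructed sample of `sshd -T` output for a connection matching the Match block.
SAMPLE_DUMP='port 52221
chrootdirectory /var/sshvpn/
allowtcpforwarding no
allowstreamlocalforwarding yes
streamlocalbindunlink yes'

# Stand-alone demo on the constructed sample. For a live check on the server run:
#   effective_config sshvpn gateway 192.0.2.10 | check_streamlocal_flags
printf '%s\n' "$SAMPLE_DUMP" | check_streamlocal_flags
host_socket_path /var/sshvpn/ /sshvpn/gateway
```

If the live dump shows `streamlocalbindunlink no` for the simulated user, the Match block is not being applied to that connection; if it shows `yes` and bind() still fails, the unlink is happening but not on the file that actually exists, so compare `host_socket_path` against the file the chrooted sshd can see.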

On Tue, 3 May 2016, Rogan Dawes wrote:

> Hi folks,
> 
> Can nobody help me to figure out why this is not working? I'd like to think
> that I have given it a good attempt at figuring it out for myself, but
> everything I see says my configuration *should* be working.
> 
> Many thanks!
> 
> Rogan
> 
> 
> On Sat, Apr 23, 2016 at 9:07 PM Rogan Dawes <rogan at dawes.za.net> wrote:
> 
> > Hi folks,
> >
> > (3rd time I am sending this message, none of the others appear to have
> > made it through!)
> >
> > Using "OpenSSH_6.9p1 Ubuntu-2ubuntu0.1, OpenSSL 1.0.2d 9 Jul 2015" on
> > the server, "OpenSSH_7.2p2, OpenSSL 1.0.2g  1 Mar 2016" on the client.
> >
> > I am trying to use sshtunnel with StreamLocal forwarding to enable me
> > to connect back to the client's ssh port, without having to arbitrate
> > ports between clients.
> >
> > The idea is to configure the server to allow StreamLocalForwarding via
> > a unique Unix socket on the host, that relays back to the client.
> >
> > i.e. on the client (named gateway for this example, but will be unique
> > once deployed in volume):
> >
> > /usr/bin/ssh -o CheckHostIP=yes -o LogLevel=INFO -o
> > ServerAliveCountMax=3 -o ServerAliveInterval=5 -o
> > StrictHostKeyChecking=yes -o TCPKeepAlive=yes -o
> > StreamLocalBindUnlink=yes -o ExitOnForwardFailure=yes -o BatchMode=yes
> > -nN -R /sshvpn/gateway:127.0.0.1:22 -p 52221 sshvpn at host
> >
> > On the server:
> >
> > Match User sshvpn
> >   ChrootDirectory /var/sshvpn/
> >   AllowTCPForwarding no
> >   AllowStreamLocalForwarding yes
> >   StreamLocalBindUnlink yes
> >
> > Then to connect to the client:
> >
> > $ ssh -o ProxyCommand='socat /var/sshvpn/sshvpn/gateway' root at gateway
> >
> > So, it works fine the first time, when the socket does not exist. Once
> > the connection terminates, and the client attempts to log in again, it
> > fails because the socket already exists:
> >
> > debug1: user sshvpn matched 'User sshvpn' at line 89
> > debug3: match found
> > debug3: reprocess config:90 setting ChrootDirectory /var/sshvpn/
> > debug3: reprocess config:91 setting AllowTCPForwarding no
> > debug3: reprocess config:92 setting AllowStreamLocalForwarding yes
> > debug3: reprocess config:93 setting StreamLocalBindUnlink yes
> > [...snip...]
> > debug1: server_input_global_request: rtype
> > streamlocal-forward at openssh.com want_reply 1
> > debug1: server_input_global_request: streamlocal-forward listen path
> > /sshvpn/gateway
> > debug3: channel_setup_fwd_listener_streamlocal: type 19 path
> > /sshvpn/gateway
> > bind: Address already in use
> > unix_listener: cannot bind to path: /sshvpn/gateway
> >
> > I am aware of the StreamLocalBindUnlink option, and you can see that
> > it is set on both the client and the server, but it doesn't seem to be
> > effective.
> >
> > I also ran it under ltrace, and got the following:
> >
> > 24079 write(2, "debug3: channel_setup_fwd_listen"..., 78)  = 78
> > 24079 umask(0177)                                          = 02
> > 24079 socket(1, 1, 0)                                      = 8
> > 24079 bind(8, 0x7ffc4f8915c0, 110, -1)                     = -1
> > 24079 __errno_location()                                   = 0x7f03f55a5710
> > 24079 strerror(98)                                         = "Address already in use"
> >
> > From this, it appears that there is no attempt to unlink the socket if
> > it already exists, as would be expected from this code
> > (https://github.com/openssh/openssh-portable/blob/7de4b03a6e4071d454b72927ffaf52949fa34545/misc.c#L1083):
> >
> > sock = socket(PF_UNIX, SOCK_STREAM, 0);
> > if (sock < 0) {
> >         saved_errno = errno;
> >         error("socket: %.100s", strerror(errno));
> >         errno = saved_errno;
> >         return -1;
> > }
> > /* unlink_first is set from StreamLocalBindUnlink */
> > if (unlink_first == 1) {
> >         if (unlink(path) != 0 && errno != ENOENT)
> >                 error("unlink(%s): %.100s", path, strerror(errno));
> > }
> > if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
> >         saved_errno = errno;
> >         error("bind: %.100s", strerror(errno));
> >         close(sock);
> >         error("%s: cannot bind to path: %s", __func__, path);
> >         errno = saved_errno;
> >         return -1;
> > }
> >
> > What am I missing?
> >
> > Rogan
> >
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 