Is there socksify script for dynamics forwardings to unix domain sockets?
Dan Kaminsky
dan at doxpara.com
Thu Feb 22 12:02:58 AEDT 2018
On Wed, Feb 21, 2018 at 4:59 PM Damien Miller <djm at mindrot.org> wrote:
> On Wed, 21 Feb 2018, Jö Fahlke wrote:
>
> > Am Di, 20. Feb 2018, 23:13:16 -0800 schrieb Dan Kaminsky:
> > > Date: Tue, 20 Feb 2018 23:13:16 -0800
> > > From: Dan Kaminsky <dan at doxpara.com>
> > > To: Jö Fahlke <jorrit at jorrit.de>
> > > Cc: openssh-unix-dev at mindrot.org
> > > Subject: Re: Is there socksify script for dynamics forwardings to unix
> > > domain sockets?
> > >
> > > Whoa. That's pretty cool.
> > >
> > > Empirically, how well do LD_PRELOAD scripts work in grabbing all socket
> > > calls?
> >
> > Good point, I did not check that before, so I tried now (with tsocks on
> Debian
> > stretch and the "ssh -D" socks port on a random port on localhost) and
> got
> > mixed results. Generally, anything name-lookup related does not seem to
> work
> > and I have to use IP addresses.
>
> Yeah, IMO it would be better to write a small userspace NAT helper e.g.
> using IPPROTO_DIVERT that proxied things via SOCKS (assuming someone
> hasn't already done this).
>
> -d
There’s a couple strategies I’ve been looking at for other reasons
(universal TLS on all sockets, mainly). Seccomp trapping, expanding of the
preload to DNS calls, using some other security hooks. Will report back.
>
More information about the openssh-unix-dev
mailing list