[Bug 1572] New: accept SOCKS requests over the mux socket in master mode

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Wed Mar 11 20:10:15 EST 2009


           Summary: accept SOCKS requests over the mux socket in master
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: ssh
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: sfandino at yahoo.com

Created an attachment (id=1613)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1613)
patch for OpenSSH current

The attached patch extends the mux listener to accept SOCKS4/5 requests
in addition to the native mux commands.

The rationale behind is that creating tunnels attached to TCP ports is
a security hazard in multi-user machines where there is no way to
control who connects through the tunnels. On the other hand, The mux
UNIX domain socket binds to the file system and regular permissions can
be used for access control.

I have also created a small Perl script "snc", similar to netcat, that
uses this new feature. In the end, if this patch gets accepted, my idea
is to extend my Perl module Net::OpenSSH to use it.

Under the hood, the code I have added just looks at the first byte
coming from the mux connection. When it is a mux command, it
corresponds to the first byte for the packet length encoded as a 32bits
integer in network order and so, it is 0 (packet length is limited to
256KB). When it is a SOCKS connection the first byte is 4 or 5 so we
can easyly distinguish both protocols.

I know it is somewhat hacky, but the alternatives I see are:

1) to use a dedicated socket for the SOCKS proxy

2) to extend the mux "protocol" with new commands offering equivalent

I don't like (1) because, IMO, it would unnecessarily complicate ssh
usage. I don't like (2) because adapting a SOCKS client to use a UNIX
socket instead of a TCP one, should be much easier than implementing a
new protocol.

Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list