[Patch] Unix Domain Socket Forwarding

William Ahern william at 25thandClement.com
Sun Apr 23 04:01:20 EST 2006


http://25thandclement.com/~william/openssh-4.3p2-streamlocal-20060421.patch

The above URL is a complete patch to OpenSSH 4.3p2 to implement unix domain
socket forwarding (this supersedes a canceled message I sent last night w/
an inline attachment). Basically, for forward and reverse forwardings
anywhere you previously put a port number you can now put a path. The socket
path should go between braces (`[' and `]'), and backslash escaping is
honored within. Basically, any "port" which uses an escaping mechanism is
considered a path instead. That way you can have socket paths like 1234 w/o
ambiguity.

-L[</path/to/socket>]:<host>:<port>
-L<port>:[</path/to/socket>]
-L[</path/to/socket>]:[</path/to/another_socket>]
-R[</path/to/socket>]:<host>:<port>
-R<port>:[</path/to/socket>]
-R[</path/to/socket>]:[</path/to/another_socket>]
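To make the disambiguation rule above concrete, here is an added parser for the forwarding specs listed (example code, not part of the patch): a field in brackets is a socket path with backslash escapes resolved, anything else is a port or host. It assumes the forms shown above only (no bind-address prefix and no IPv6 bracket hosts).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Endpoint:
    kind: str                      # "tcp" or "unix"
    host: Optional[str] = None
    port: Optional[int] = None
    path: Optional[str] = None

def tokenize(spec: str) -> List[Tuple[bool, str]]:
    """Split on ':' outside brackets; returns (is_path, text) per field.
    Inside [...] a backslash escapes the next character (so ':' and ']' can appear)."""
    tokens, buf, i, n, is_path = [], [], 0, len(spec), False
    while i < n:
        c = spec[i]
        if c == "[" and not buf and not is_path:      # start of a bracketed path
            i, is_path = i + 1, True
            while i < n and spec[i] != "]":
                if spec[i] == "\\":                    # escaped character
                    i += 1
                    if i >= n:
                        raise ValueError("dangling backslash in path")
                buf.append(spec[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated '[' in forwarding spec")
            i += 1                                     # skip the closing ']'
        elif c == ":":
            tokens.append((is_path, "".join(buf)))
            buf, is_path, i = [], False, i + 1
        else:
            if is_path:
                raise ValueError("text after closing ']'")
            buf.append(c)
            i += 1
    tokens.append((is_path, "".join(buf)))
    return tokens

def _port(text: str) -> int:
    if not text.isdigit() or not 0 < int(text) < 65536:
        raise ValueError(f"bad port {text!r}")
    return int(text)

def parse_forward(spec: str) -> Tuple[Endpoint, Endpoint]:
    """Parse the argument of -L/-R into (listen side, target side)."""
    toks = tokenize(spec)
    is_path, text = toks[0]
    listen = Endpoint("unix", path=text) if is_path else Endpoint("tcp", port=_port(text))
    rest = toks[1:]
    if len(rest) == 1 and rest[0][0]:                              # ...:[path]
        target = Endpoint("unix", path=rest[0][1])
    elif len(rest) == 2 and not rest[0][0] and not rest[1][0]:     # ...:host:port
        target = Endpoint("tcp", host=rest[0][1], port=_port(rest[1][1]))
    else:
        raise ValueError(f"unrecognised forwarding spec {spec!r}")
    return listen, target
```

The same function also accepts the classic `port:host:port` form, since an unbracketed first field is always a port.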

I've added several new SSH messages:

	streamlocal-forward@openssh.com
	forwarded-streamlocal@openssh.com
	cancel-streamlocal-forward@openssh.com
	direct-streamlocal@openssh.com

streamlocal from "AF_LOCAL" and "SOCK_STREAM". Seemed to logically follow
from the tcpip messages.

Um, included in this patch, for now, is my previous patch which added
options to specify a mask and access control lists for control sockets. I'll
separate them out when I port this over to the main OpenSSH source in
OpenBSD. So, the following options are honored with this patch:

Client:
-> old stuff <-
	ControlBindMask		Mask to use when binding a control socket
	ControlAllowUsers	List of users and uids allowed to connect
	ControlAllowGroups	List of groups and gids allowed to connect
	ControlDenyUsers	List of users and uids disallowed
	ControlDenyGroups	List of groups and gids disallowed

-> new stuff <-
	StreamLocalBindMask	Mask to use when binding a forward socket
	StreamLocalBindUnlink	Attempt an unlink before binding
	FakeStreamLocalForwards	Fake a connection originating from a socket as
				tcpip. This isn't currently honored, but is
				the default and only behavior. See
				channel_post_port_listener().

Server:
	StreamLocalBindMask	See above.
	StreamLocalBindUnlink	See above.

All regression tests pass, though I haven't yet added any for the new
functionality.

Please send suggestions and comments. It would be nice if this were
included, or at least had the prospect of inclusion in the future.

- Bill