SSH Enhancements - Delete StreamLocal forwards on disconnect, and bind to interface

Rogan Dawes rogan at dawes.za.net
Fri Sep 23 19:16:08 AEST 2016


Hi folks,

I'm using OpenSSH to set up a rendezvous for a number of OpenWRT devices.

Central server has the following configuration in sshd_config:

# This is to work around a bug only fixed in OpenSSH 7.3 (most likely)
StreamLocalBindUnlink yes

Match User sshvpn
ChrootDirectory /var/sshvpn/
AllowTCPForwarding no
AllowStreamLocalForwarding yes
StreamLocalBindUnlink yes

Clients connect to the server using the following invocation, via autossh:

/usr/bin/ssh -o CheckHostIP=yes -o LogLevel=INFO -o ServerAliveCountMax=2 \
    -o ServerAliveInterval=120 -o StrictHostKeyChecking=yes -o TCPKeepAlive=yes \
    -o StreamLocalBindUnlink=yes -o ExitOnForwardFailure=no -o BatchMode=yes \
    -nN -R /sshvpn/gateway-78a3510e3b38:127.0.0.1:22 sshvpn@myserver

I can then connect to the device from my central server using the following:

ssh -o "StrictHostKeyChecking=no" \
    -o ProxyCommand='socat UNIX:/var/sshvpn/sshvpn/gateway-78a3510e3b38 -' \
    -D 1085 root@gateway-78a3510e3b38

and subsequently access the device itself or any other hosts it can reach.
This works pretty well!

There are a couple of small things that would make this perfect:

1. sshd should be configurable to delete the StreamLocal file when the
client disconnects. Otherwise it can be tricky to figure out which clients
have an active, usable connection. Most times, I just get "the other end has
disconnected" because socat cannot open the domain socket.

2. The devices are intended to be deployed into a customer environment, and
may have wifi or ethernet uplink as well as 3G. I want to keep the 3G link
up and accessible in case the ethernet or wifi uplinks fail for whatever
reason. It seems to me that one way to achieve this is to have multiple
autossh sessions running, each bound to the IP address of the
ethernet/wifi/3g interfaces. This will ensure that each autossh instance
will be routed via that interface, rather than the default route. While
this is doable with a bit of scripting, the addresses can change as the
interfaces go up and down, and it seems to me that this is something that
could be reasonably implemented in OpenSSH itself. e.g. with a -B eth0
option (analogous to -b <ip>).

Any comments on these suggestions? Would patches to implement these be
considered?

Rogan
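Until sshd removes a StreamLocal socket on disconnect, the practical check for point 1 is to probe each socket file and see whether anything answers. The script below is an added example, not code from the post or from OpenSSH: it walks the host-side forward directory (/var/sshvpn/sshvpn, the ChrootDirectory plus the path the client asks for, as in the post), connects to each unix socket, and classifies it as live (the gateway's sshd sent an SSH-2.0 identification string), stale (the file is there but nobody listens, i.e. the client went away and sshd left the socket behind), or not usable. The directory name, gateway names and the fake gateway used by demo() are constructed for illustration.

```python
"""Probe sshd StreamLocal rendezvous sockets and report which gateways answer.

Added example for the rendezvous setup described in the post; not part of
OpenSSH or of the original message. SOCKET_DIR is the host-side path assumed
from the post (ChrootDirectory /var/sshvpn/ plus the forwarded /sshvpn/<name>).
"""
import errno
import os
import shutil
import socket
import stat
import tempfile
import threading

SOCKET_DIR = "/var/sshvpn/sshvpn"   # assumption taken from the post's paths


def probe_socket(path, timeout=3.0):
    """Classify one rendezvous socket file.

    Returns "live" when a connect succeeds and the peer (the gateway's sshd,
    reached through the reverse forward) sends an SSH identification string,
    "no-ssh" when the connect succeeds but no banner arrives (forward is up
    but the gateway's sshd is not answering), "stale" when the file exists
    but nothing listens (client gone, socket left behind), "not-a-socket"
    for a plain file, "missing" if the path vanished, or "error:<reason>".
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(path)
    except OSError as e:
        s.close()
        # ECONNREFUSED is what a bound-but-unlistened unix socket file gives.
        if e.errno in (errno.ECONNREFUSED, errno.ENOENT):
            return "stale"
        return "error:%s" % e.strerror
    try:
        banner = s.recv(256)            # an SSH server speaks first
    except socket.timeout:
        return "no-ssh"
    finally:
        s.close()
    return "live" if banner.startswith(b"SSH-") else "no-ssh"


def scan(dirpath=SOCKET_DIR):
    """Probe every entry in dirpath; returns {name: status}."""
    return {name: probe_socket(os.path.join(dirpath, name))
            for name in sorted(os.listdir(dirpath))}


def _fake_gateway(path):
    """Constructed stand-in for a live forward: accept one connection and
    send an SSH identification string, as the gateway's sshd would."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"SSH-2.0-OpenSSH_fake\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()


def demo():
    """Build a constructed socket directory holding one live gateway, one
    stale socket file and one plain file, scan it and return the result."""
    d = tempfile.mkdtemp(prefix="sshvpn-")
    _fake_gateway(os.path.join(d, "gateway-live"))
    stale = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    stale.bind(os.path.join(d, "gateway-stale"))
    stale.close()                       # file stays behind, nobody listens
    with open(os.path.join(d, "README"), "w") as f:
        f.write("not a socket\n")
    try:
        return scan(d)
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    target = SOCKET_DIR if os.path.isdir(SOCKET_DIR) else None
    results = scan(target) if target else demo()
    for name, status in results.items():
        print("%-40s %s" % (name, status))
```

Run it on the central server as a user that can connect to the sockets; anything reported as stale can be unlinked by hand (StreamLocalBindUnlink lets the client reclaim the name on reconnect regardless). Reading the banner, rather than just connecting, matters because sshd accepts the unix connection itself and only then opens the channel to 127.0.0.1:22 on the gateway, so a bare connect succeeds even when the far end is dead.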

