Portforwarding using the control master. - openssh



Thread: Portforwarding using the control master.

  1. Portforwarding using the control master.

    Hi all,


    currently I am considering writing a patch for OpenSSH that will allow
    portforwarding using the control_master unix domain socket. The idea is
    to introduce an extra SSHMUX command, SSHMUX_COMMAND_SOCKS, which will
    then pass control to the normal socks functions used for dynamic
    forwarding.

    The main reasons for me to write this patch are:
    - some more control over who gets to connect to portforwardings.
    (the control_master has uid control built in, while everyone can
    connect to the (dynamic) port forwardings.)

    - easier to keep an overview, remembering that master-%r@%h:%p
    allows forwarding to ports from that machine is easier than keeping
    track of all the different ports.


    To be actually able to use it (since SSHMUX is an openssh only thing
    as far as I can tell), I'll write a patch to socat as well.


    Any comments?


    Kind Regards,
    dvorak

    _______________________________________________
    openssh-unix-dev mailing list
    openssh-unix-dev@mindrot.org
    https://lists.mindrot.org/mailman/li...enssh-unix-dev
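    The access-control difference dvorak is relying on (the control socket knows the
    connecting uid; a -L/-D TCP listener does not), as an added example that is not part of
    the thread or of OpenSSH. It assumes Linux (SO_PEERCRED) and uses a constructed socket path
    in a temp directory as a stand-in for the ControlPath socket.

```python
import os
import socket
import struct
import tempfile
import threading

def peer_uid(conn):
    """Kernel-reported uid of the peer on a unix socket (Linux SO_PEERCRED: pid, uid, gid)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)[1]

def serve_once(srv, allowed_uid, ready):
    """Accept one client, admit it only if its uid matches; return (uid, accepted)."""
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    with conn:
        uid = peer_uid(conn)  # cannot be forged by the client, unlike anything it sends
        accepted = uid == allowed_uid
        conn.sendall(b"ok\n" if accepted else b"denied\n")
    return uid, accepted

def control_socket_demo(allowed_uid=None):
    """Bind a constructed-path unix socket (stand-in for ControlPath), connect as a client."""
    if allowed_uid is None:
        allowed_uid = os.getuid()  # same "only my own uid" rule the mux socket applies
    result, ready = {}, threading.Event()
    with tempfile.TemporaryDirectory() as d, socket.socket(socket.AF_UNIX) as srv:
        path = os.path.join(d, "ctl")
        srv.bind(path)
        os.chmod(path, 0o600)  # file mode is the first gate; the uid check is the second
        t = threading.Thread(target=lambda: result.update(r=serve_once(srv, allowed_uid, ready)))
        t.start()
        ready.wait()
        with socket.socket(socket.AF_UNIX) as cli:
            cli.connect(path)
            reply = cli.recv(16)
        t.join()
    return result["r"] + (reply,)  # (peer uid seen, accepted, reply bytes)

def tcp_listener_demo():
    """What a loopback TCP listener (what -L/-D create) learns about a client: (ip, port) only."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        with socket.socket() as cli:
            cli.connect(srv.getsockname())
            conn, addr = srv.accept()
            conn.close()
    return addr  # e.g. ('127.0.0.1', 51234): no uid, so every local user looks the same
```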


  2. Re: Portforwarding using the control master.

    Hi Dvorak,

    On Thu, Jun 19, 2008 at 2:25 PM, dvorak wrote:

    > Any comments?


    If I understand you correctly, you wish to forward connections from a
    unix domain socket on a local machine to network ports on a remote
    machine. And given that in most situations, clients will have been
    written to connect to network ports, you'll write a patch for socat
    allowing for network ports on a local machine to be forwarded to the
    unix domain socket in question.

    But while socat is running in this capacity, how will this provide any
    greater security than the current network-port-to-network-port
    forwardings?

    Hamish


  3. Re: Portforwarding using the control master.

    On Thu, 19 Jun 2008, dvorak wrote:
    > currently I am considering writing a patch for OpenSSH that will allow
    > portforwarding using the control_master unix domain socket. The idea is
    > to introduce an extra SSHMUX command, SSHMUX_COMMAND_SOCKS, which will
    > then pass control to the normal socks functions used for dynamic
    > forwarding.


    Will this allow me to do the following:

    # open an ssh master connection, without port forwarding
    ssh -oControlPath=foo -oControlMaster=yes -N -f user@host
    # forward a port over the already-open master connection
    ssh -oControlPath=foo -oControlMaster=yes -N -f \
    -L 25:localhost:25 user@host

    --apb (Alan Barrett)


  4. Re: Portforwarding using the control master.

    > Hi Dvorak,
    >
    > On Thu, Jun 19, 2008 at 2:25 PM, dvorak wrote:
    >
    > > Any comments?

    >
    > If I understand you correctly, you wish to forward connections from a
    > unix domain socket on a local machine to network ports on a remote
    > machine. And given that in most situations, clients will have been
    > written to connect to network ports, you'll write a patch for socat
    > allowing for network ports on a local machine to be forwarded to the
    > unix domain socket in question.
    >
    > But while socat is running in this capacity, how will this provide any
    > greater security than the current network-port-to-network-port
    > forwardings?


    If the other side of socat is a normal listening socat this is indeed the
    case. However if used with for instance the ssh ProxyCommand it is just
    one connection without a locally listening counterpart.

    My intended usage is something like:

    ssh -o "ProxyCommand socat - SSH-SOCKS:/path/to-master:%h:%p" user@box2


    >
    > Hamish
    >

    Dvorak



  5. Re: Portforwarding using the control master.

    > On Thu, 19 Jun 2008, dvorak wrote:
    > > currently I am considering writing a patch for OpenSSH that will allow
    > > portforwarding using the control_master unix domain socket. The idea is
    > > to introduce an extra SSHMUX command, SSHMUX_COMMAND_SOCKS, which will
    > > then pass control to the normal socks functions used for dynamic
    > > forwarding.

    >
    > Will this allow me to do the following:
    >
    > # open an ssh master connection, without port forwarding
    > ssh -oControlPath=foo -oControlMaster=yes -N -f user@host
    > # forward a port over the already-open master connection
    > ssh -oControlPath=foo -oControlMaster=yes -N -f \
    > -L 25:localhost:25 user@host
    >
    > --apb (Alan Barrett)

    That was not my intended usage, and would require a quite different
    patch. Something like:
    http://fixunix.com/openssh/175979-pa...trol-path.html

    The patch would basically open up a dynamic forward port over the control
    socket instead of having a listening socks proxy.


    Dvorak.






  6. Re: Portforwarding using the control master.

    On Thu, Jun 19, 2008 at 3:10 PM, dvorak wrote:

    > If the other side of socat is a normal listening socat this is indeed the
    > case. However if used with for instance the ssh ProxyCommand it is just
    > one connection without a locally listening counterpart.
    >
    > My intended usage is something like:
    >
    > ssh -o "ProxyCommand socat - SSH-SOCKS:/path/to-master:%h:%p" user@box2


    I see! Do you have a multi-hop SSH connection that cannot be
    multiplexed with the current functionality, or are you intending this
    for other tools with ProxyCommand-like features?

    Hamish


  7. Re: Portforwarding using the control master. (patch attached)

    Hi all,

    Attached is the patch I have written, it is a bit larger than expected
    due to moving a lot from the code in client_process_control to its own
    function (client_process_sshmux_command_open).

    Also attached is a simple script to test the functionality. Usage:
    (sh PROX.raw ; cat ) | socat - UNIX-CONNECT:./ctl

    where ./ctl is the path to the control master. It tries to open a
    connection to 127.0.0.1 1234.

    In case the patch is something useful to have in OpenSSH I'll gladly
    help to get the code up to accepted standards.

    And as always, comments are most welcome.


    Kind Regards,
    dvorak

    > currently I am considering writing a patch for OpenSSH that will allow
    > portforwarding using the control_master unix domain socket. The idea is
    > to introduce an extra SSHMUX command, SSHMUX_COMMAND_SOCKS, which will
    > then pass control to the normal socks functions used for dynamic
    > forwarding.
    >
    > The main reasons for me to write this patch are:
    > - some more control over who gets to connect to portforwardings.
    > (the control_master has uid control built in, while everyone can
    > connect to the (dynamic) port forwardings.)
    >
    > - easier to keep an overview, remembering that master-%r@%h:%p
    > allows forwarding to ports from that machine is easier than keeping
    > track of all the different ports.
    >
    > To be actually able to use it (since SSHMUX is an openssh only thing
    > as far as I can tell), I'll write a patch to socat as well.




  8. Re: Portforwarding using the control master. (patch attached)

    On Thu, 19 Jun 2008, dvorak wrote:

    > Hi all,
    >
    > Attached is the patch I have written, it is a bit larger than expected
    > due to moving a lot from the code in client_process_control to its own
    > function (client_process_sshmux_command_open).
    >
    > Also attached is a simple script to test the functionality. Usage:
    > (sh PROX.raw ; cat ) | socat - UNIX-CONNECT:./ctl
    >
    > where ./ctl is the path to the control master. It tries to open a
    > connection to 127.0.0.1 1234.
    >
    > In case the patch is something useful to have in OpenSSH I'll gladly
    > help to get the code up to accepted standards.
    >
    > And as always, comments are most welcome.


    Sorry, I'm a little bit behind on email and haven't had a chance to
    look at what you are proposing to do. However if you want your patch
    to go in, you should base it on CVS -current rather than 5.0 as the
    multiplexing code has been rearranged significantly.

    (I can tell that you are not using -current because the function names
    have changed)

    -d

