Hi folks,

(3rd time I am sending this message, none of the others appear to have made it through!)

Using "OpenSSH_6.9p1 Ubuntu-2ubuntu0.1, OpenSSL 1.0.2d 9 Jul 2015" on the server, "OpenSSH_7.2p2, OpenSSL 1.0.2g 1 Mar 2016" on the client.

I am trying to use sshtunnel with StreamLocal forwarding to enable me to connect back to the client's ssh port, without having to arbitrate ports between clients.

The idea is to configure the server to allow StreamLocalForwarding via a unique Unix socket on the host, that relays back to the client.

i.e. on the client (named gateway for this example, but will be unique once deployed in volume):

    /usr/bin/ssh -o CheckHostIP=yes -o LogLevel=INFO -o ServerAliveCountMax=3 \
        -o ServerAliveInterval=5 -o StrictHostKeyChecking=yes -o TCPKeepAlive=yes \
        -o StreamLocalBindUnlink=yes -o ExitOnForwardFailure=yes -o BatchMode=yes \
        -nN -R /sshvpn/gateway:127.0.0.1:22 -p 52221 sshvpn@host

On the server:

    Match User sshvpn
        ChrootDirectory /var/sshvpn/
        AllowTCPForwarding no
        AllowStreamLocalForwarding yes
        StreamLocalBindUnlink yes

Then to connect to the client:

    $ ssh -o ProxyCommand='socat /var/sshvpn/sshvpn/gateway' root@gateway

So, it works fine the first time, when the socket does not exist. Once the connection terminates, and the client attempts to log in again, it fails because the socket already exists:

    debug1: user sshvpn matched 'User sshvpn' at line 89
    debug3: match found
    debug3: reprocess config:90 setting ChrootDirectory /var/sshvpn/
    debug3: reprocess config:91 setting AllowTCPForwarding no
    debug3: reprocess config:92 setting AllowStreamLocalForwarding yes
    debug3: reprocess config:93 setting StreamLocalBindUnlink yes
    [...snip...]
    debug1: server_input_global_request: rtype streamlocal-forward@openssh.com want_reply 1
    debug1: server_input_global_request: streamlocal-forward listen path /sshvpn/gateway
    debug3: channel_setup_fwd_listener_streamlocal: type 19 path /sshvpn/gateway
    bind: Address already in use
    unix_listener: cannot bind to path: /sshvpn/gateway

I am aware of the StreamLocalBindUnlink option, and you can see that it is set on both the client and the server, but it doesn't seem to be effective.

I also ran it under ltrace, and got the following:

    24079 write(2, "debug3: channel_setup_fwd_listen"..., 78) = 78
    24079 umask(0177) = 02
    24079 socket(1, 1, 0) = 8
    24079 bind(8, 0x7ffc4f8915c0, 110, -1) = -1
    24079 __errno_location() = 0x7f03f55a5710
    24079 strerror(98) = "Address already in use"

From this, it appears that there is no attempt to unlink the socket if it already exists, as would be expected from this code (https://github.com/openssh/openssh-portable/blob/7de4b03a6e4071d454b72927ffaf52949fa34545/misc.c#L1083):

    sock = socket(PF_UNIX, SOCK_STREAM, 0);
    if (sock < 0) {
        saved_errno = errno;
        error("socket: %.100s", strerror(errno));
        errno = saved_errno;
        return -1;
    }
    if (unlink_first == 1) {
        if (unlink(path) != 0 && errno != ENOENT)
            error("unlink(%s): %.100s", path, strerror(errno));
    }
    if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
        saved_errno = errno;
        error("bind: %.100s", strerror(errno));
        close(sock);
        error("%s: cannot bind to path: %s", __func__, path);
        errno = saved_errno;
        return -1;
    }

What am I missing?

Rogan
Hi folks,

Can nobody help me to figure out why this is not working? I'd like to think that I have given it a good attempt at figuring it out for myself, but everything I see says my configuration *should* be working.

Many thanks!

Rogan

On Sat, Apr 23, 2016 at 9:07 PM Rogan Dawes <rogan at dawes.za.net> wrote:
> [...snip...]
Hi,

The code definitely attempts to unlink any old listener beforehand (see misc.c:unix_listener()) so I don't understand why that isn't being called.

You might try simulating your configuration using sshd's -T and -C to make sure the flag is correctly being set.

Could chroot be interfering? Some platforms implement additional restrictions on devices and sockets inside chroot.

-d

On Tue, 3 May 2016, Rogan Dawes wrote:
> [...snip...]

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev