Chris Mitchell
2022-Jan-13 16:15 UTC
Feature Request: socket-passing support in ssh client
Hi all,

My apologies if what I'm looking for is already possible. If that is the case, I would gratefully welcome pointers to where in the documentation to find it and/or key words to search for.

What I hope to accomplish is on-demand activation of ssh port forwards. I gather that the OpenSSH server's -i flag is essentially what I'm looking for, in which something like inetd or systemd already has port 22 open and passes it to sshd at launch. As far as I understand things, the OpenSSH *client* has no similar capability, which is unsurprising given that it's not a server. ;-)

For the use case where I want to use an SSH port forward to access a remote service on a regular-ish (but not "always-on") basis, it doesn't really make sense to try to hold that tunnel open all the time with keepalives and timeouts and restarts and such. But setting it up manually each time is suboptimal, especially for someone who uses numerous such tunnels, e.g. to access a bunch of web-based management interfaces behind a firewall. As far as I know, current capabilities don't allow any reasonable on-demand automated solution.

It would be really cool if I could have a meta-server listening on the local port right from boot, and then on access to that port it would invoke something like:

    /usr/bin/ssh -N -T -L localhost:12345:localhost:12345 user@server

...but with some equivalent to sshd's "-i" flag, so that the ssh client would accept being passed local port 12345 instead of trying to open it itself and erroring out because it's already in use.

In my particular use-case I would use a systemd socket unit for this, but if I'm not mistaken xinetd could fulfill that role too, so what I'm looking for is platform-independent and doesn't introduce any systemd dependencies. Finally, it would be convenient if it could take the local socket from the command line rather than requiring custom entries in /etc/services, but that's a minor detail.

Does that make sense?

Cheers!
-Chris
I could be misunderstanding your use-case, but ssh has a ProxyUseFdpass option where it can accept an already-connected socket.

On Thu, Jan 13, 2022 at 8:19 AM Chris Mitchell <ssh-list at chris.oldnest.ca> wrote:
> Hi all,
>
> My apologies if what I'm looking for is already possible. If that is
> the case, I would gratefully welcome pointers to where in the
> documentation to find it and/or key words to search for.
>
> What I hope to accomplish is on-demand activation of ssh port forwards.
> I gather that the OpenSSH server's -i flag is essentially what I'm
> looking for, in which something like inetd or systemd already has port
> 22 open and passes it to sshd at launch. As far as I understand things,
> the OpenSSH *client* has no similar capability, which is unsurprising
> given that it's not a server. ;-)
>
> For the use case where I want to use an SSH port forward to access a
> remote service on a regular-ish (but not "always-on") basis, it doesn't
> really make sense to try to hold that tunnel open all the time with
> keepalives and timeouts and restarts and such. But setting it up
> manually each time is suboptimal, especially for someone who uses
> numerous such tunnels, e.g. to access a bunch of web-based management
> interfaces behind a firewall. As far as I know, current capabilities
> don't allow any reasonable on-demand automated solution.
>
> It would be really cool if I could have a meta-server listening
> on the local port right from boot, and then on access to that port it
> would invoke something like:
>     /usr/bin/ssh -N -T -L localhost:12345:localhost:12345 user@server
> ...but with some equivalent to sshd's "-i" flag, so that the
> ssh client would accept being passed local port 12345 instead of trying
> to open it itself and erroring out because it's already in use.
>
> In my particular use-case I would use a systemd socket unit for this,
> but if I'm not mistaken xinetd could fulfill that role too, so what
> I'm looking for is platform-independent and doesn't introduce any
> systemd dependencies. Finally, it would be convenient if it could take
> the local socket from the command line rather than requiring custom
> entries in /etc/services, but that's a minor detail.
>
> Does that make sense?
>
> Cheers!
> -Chris
On Fri, 14 Jan 2022 at 03:17, Chris Mitchell <ssh-list at chris.oldnest.ca> wrote:
> What I hope to accomplish is on-demand activation of ssh port forwards.
> I gather that the OpenSSH server's -i flag is essentially what I'm
> looking for, in which something like inetd or systemd already has port
> 22 open and passes it to sshd at launch. As far as I understand things,
> the OpenSSH *client* has no similar capability, which is unsurprising
> given that it's not a server. ;-)

It's not exactly what you ask for later, but it's the exact counterpart for sshd -i: you can run ssh under inetd (or similar) in "netcat mode" (-W), where it will pass data on stdin/out to a remote port forward. You'd put something like this in inetd.conf:

    ssh -W destinationhost:port intermediatehost

and set it up with passwordless auth. This will bring up the connection on demand, but the caveat is that there will be one SSH connection per forwarded TCP connection, not many multiplexed TCP connections within a single SSH connection.

I've used this construction in the past for various shenanigans such as routing low-volume mail and accessing backup servers between networks without direct connections.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
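As an added illustration (not from the thread or from OpenSSH itself), here is the systemd socket/service pair that realises Darren's inetd-style "ssh -W" approach for Chris's example port 12345; the unit names, the dedicated "tunnel" account and user@server are assumptions.

```ini
# Added example, not from the thread. Unit names, the "tunnel" account and
# user@server are assumptions; adjust to your environment.

# /etc/systemd/system/mgmt-tunnel.socket
# systemd owns 127.0.0.1:12345 from boot; no ssh runs until a client connects.
[Socket]
ListenStream=127.0.0.1:12345
# Accept=yes: each incoming TCP connection spawns one service instance, i.e.
# one ssh process and one SSH connection per forwarded connection
# (the caveat Darren describes), exactly like inetd's "wait=no" services.
Accept=yes
# Bound how many concurrent ssh sessions a noisy or misbehaving client can
# trigger before further connections are refused.
MaxConnections=16

[Install]
WantedBy=sockets.target

# /etc/systemd/system/mgmt-tunnel@.service
# Template unit; the socket above instantiates it once per connection.
[Unit]
Description=On-demand SSH forward to localhost:12345 on server (instance %i)

[Service]
# The accepted socket becomes stdin/stdout; -W copies it to localhost:12345
# as seen from the remote side (matching -L localhost:12345:localhost:12345)
# and implies -N and -T. BatchMode=yes makes ssh fail rather than prompt, so
# auth must be a passphrase-less key and the host key must already be in
# the tunnel user's known_hosts (StrictHostKeyChecking=yes refuses unknowns).
ExecStart=/usr/bin/ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -W localhost:12345 user@server
StandardInput=socket
StandardOutput=socket
StandardError=journal
# Run as a dedicated, unprivileged account that holds only this key.
User=tunnel

# Activate with: systemctl enable --now mgmt-tunnel.socket
```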