On Fri, 14 Jan 2022 at 03:17, Chris Mitchell <ssh-list at chris.oldnest.ca> wrote:
> What I hope to accomplish is on-demand activation of ssh port forwards.
> I gather that the OpenSSH server's -i flag is essentially what I'm
> looking for, in which something like inetd or systemd already has port
> 22 open and passes it to sshd at launch. As far as I understand things,
> the OpenSSH *client* has no similar capability, which is unsurprising
> given that it's not a server. ;-)
>

It's not exactly what you ask for later, but it's the exact counterpart for sshd -i: you can run ssh under inetd (or similar) in "netcat mode" (-W), where it will pass data on stdin/out to a remote port forward. You'd put something like this in inetd.conf:

    ssh -W destinationhost:port intermediatehost

and set it up with passwordless auth. This will bring up the connection on demand, but the caveat is that there will be one SSH connection per forwarded TCP connection, not many multiplexed TCP connections within a single SSH connection.

I've used this construction in the past for various shenanigans such as routing low-volume mail and accessing backup servers between networks without direct connections.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
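A worked version of the construction Darren describes, added here as an example and not taken from the thread or from OpenSSH itself: a systemd socket/service pair standing in for the inetd.conf line (Accept=yes gives exactly the one-SSH-connection-per-TCP-connection behaviour he notes), plus the restricted authorized_keys entry that keeps the passwordless key on the intermediate host from being usable for anything but this one forward. The unit name ssh-ondemand, the user fwduser, the hosts mailhost/jumphost and the key path are assumed values.

```shell
#!/bin/sh
# Added example, not code from the thread. Names below (ssh-ondemand,
# fwduser, mailhost, jumphost, /etc/ssh/fwd_key) are assumptions.
set -eu

# write_units DIR LISTEN DEST JUMP USER KEY
# Writes ssh-ondemand.socket and ssh-ondemand@.service into DIR (normally
# /etc/systemd/system). Accept=yes spawns one service instance per incoming
# TCP connection, hence one SSH connection per forwarded connection.
write_units() {
    dir=$1 listen=$2 dest=$3 jump=$4 user=$5 key=$6
    cat > "$dir/ssh-ondemand.socket" <<EOF
[Unit]
Description=On-demand ssh -W forward to $dest via $jump
[Socket]
ListenStream=$listen
Accept=yes
[Install]
WantedBy=sockets.target
EOF
    cat > "$dir/ssh-ondemand@.service" <<EOF
[Unit]
Description=ssh -W forward instance %i
[Service]
User=$user
StandardInput=socket
StandardOutput=socket
StandardError=journal
# BatchMode: never prompt when stdin is a socket. StrictHostKeyChecking=yes:
# refuse an unknown or changed jump host key instead of silently trusting it.
ExecStart=/usr/bin/ssh -q -o BatchMode=yes -o StrictHostKeyChecking=yes -i $key -W $dest $jump
EOF
}

# authorized_keys_line PUBKEY DEST
# Entry to install on the jump host for the forwarding key: 'restrict' turns
# off pty, agent/X11 forwarding and rc files; 'port-forwarding' re-enables
# only forwarding, and permitopen limits it to the single DEST, so the key
# cannot be turned into a general-purpose port forwarder if it leaks.
authorized_keys_line() {
    printf 'restrict,port-forwarding,permitopen="%s" %s\n' "$2" "$1"
}

# Example run with constructed values (writes into a temp dir, not /etc):
d=$(mktemp -d)
write_units "$d" 127.0.0.1:2525 mailhost:25 jumphost fwduser /etc/ssh/fwd_key
authorized_keys_line "ssh-ed25519 AAAA...constructed fwduser@client" mailhost:25
```

After copying the units into /etc/systemd/system, `systemctl enable --now ssh-ondemand.socket` makes connections to 127.0.0.1:2525 bring up the tunnel on demand.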
rsbecker at nexbridge.com
2022-Jan-13 23:11 UTC
Feature Request: socket-passing support in ssh client
On January 13, 2022 6:01 PM, Darren Tucker wrote:
> On Fri, 14 Jan 2022 at 03:17, Chris Mitchell <ssh-list at chris.oldnest.ca>
> wrote:
>
> > What I hope to accomplish is on-demand activation of ssh port forwards.
> > I gather that the OpenSSH server's -i flag is essentially what I'm
> > looking for, in which something like inetd or systemd already has port
> > 22 open and passes it to sshd at launch. As far as I understand
> > things, the OpenSSH *client* has no similar capability, which is
> > unsurprising given that it's not a server. ;-)
> >
>
> It's not exactly what you ask for later, but it's the exact counterpart for sshd -i: you
> can run ssh under inetd (or similar) in "netcat mode" (-W), where it will pass data
> on stdin/out to a remote port forward. You'd put something like this in inetd.conf:
>
> ssh -W destinationhost:port intermediatehost
>
> and set it up with passwordless auth. This will bring up the connection on demand,
> but the caveat is that there will be one SSH connection per forwarded TCP
> connection, not many multiplexed TCP connections within a single SSH
> connection. I've used this construction in the past for various shenanigans such as
> routing low-volume mail and accessing backup servers between networks without
> direct connections.

For multiplexed connections, would not local port forwarding be a better architecture? It does not pass off sockets but allows on-demand access.

--Randall
Chris Mitchell
2022-Jan-14 17:01 UTC
Feature Request: socket-passing support in ssh client
On Fri, 14 Jan 2022 10:01:29 +1100 Darren Tucker <dtucker at dtucker.net> wrote:
> It's not exactly what you ask for later, but it's the exact
> counterpart for sshd -i: you can run ssh under inetd (or similar) in
> "netcat mode" (-W), where it will pass data on stdin/out to a remote
> port forward. You'd put something like this in inetd.conf:
>
> ssh -W destinationhost:port intermediatehost

Ah-ha! I think that will do nicely for my purposes. I'll try my on-demand setup with that option and see what sort of trouble I can get myself into.

Cheers!
-Chris