similar to: [Patch] Unix Domain Socket Forwarding

Attached (and inline) is a patch to add the following config options: ControlBindMask ControlAllowUsers ControlAllowGroups ControlDenyUsers ControlDenyGroups It pulls the peer credential check from client_process_control() in ssh.c, and expounds upon it in a new function, client_control_grant(). Supplemental groups are not checked in this patch. I didn't feel comfortable taking a shot

On Tue, 3 May 2016, Rogan Dawes wrote: > Hi Damien, > Thanks for the response! > > I tried moving the StreamLocalBindUnlink directive outside of the Match > rule, and it worked. But that doesn't explain why the Match was not > correctly setting the directive: > > This is running on an alternate port with -ddd: > > debug3: checking match for 'User

Hi, The code definitely attempts to unlink any old listener beforehand (see misc.c:unix_listener()) so I don't understand why that isn't being called. You might try simulating your configuration using sshd's -T and -C to make sure the flag is correctly being set. Could chroot be interfering? Some platforms implement additional restrictions on devices and sockets inside chroot. -d

https://bugzilla.mindrot.org/show_bug.cgi?id=2601 Bug ID: 2601 Summary: StreamLocalBindUnlink not working Product: Portable OpenSSH Version: 7.2p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org

Hi folks, (3rd time I am sending this message, none of the other appear to have made it through!) Using "OpenSSH_6.9p1 Ubuntu-2ubuntu0.1, OpenSSL 1.0.2d 9 Jul 2015" on the server, "OpenSSH_7.2p2, OpenSSL 1.0.2g 1 Mar 2016" on the client. I am trying to use sshtunnel with StreamLocal forwarding to enable me to connect back to the client's ssh port, without having to

When forwarding a Unix-domain socket, the remote socket path must be absolute (otherwise the forwarding fails later). However, guessing absolute path on the remote end is sometimes not straightforward, because the file system location may vary for many reasons, including the system installation, the choices of NFS mount points, or the remote user ID. To allow ssh clients to request remote socket

https://bugzilla.mindrot.org/show_bug.cgi?id=2353 Bug ID: 2353 Summary: options allowed for Match blocks missing form documentation Product: Portable OpenSSH Version: 6.7p1 Hardware: All OS: All Status: NEW Severity: minor Priority: P5 Component: Documentation

https://bugzilla.mindrot.org/show_bug.cgi?id=2529 Bug ID: 2529 Summary: direct-streamlocal channel open doesn't match PROTOCOL documentation Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: ssh

Hello, there is a patch which allows redirecting UNIX domain sockets here: http://www.25thandclement.com/~william/projects/streamlocal.html<http://www.25thandclement.com/%7Ewilliam/projects/streamlocal.html> We really need it in our institution. It's for OpenSSH 4.4 but I managed to adopt it for 4.7p1 included in Ubuntu 8.04.

Hi folks, I'm wondering if it is possible to set up a dynamic port forward (i.e. socks proxy), where the listening socket is actually on the server rather than the client as is currently the case for -D ? A possible use case is providing a deeply firewalled box with an outbound SOCKS proxy, but only while an inbound ssh connection is active. Or, in my particular case, I have many routers

Hi, I am trying to understand the ChannelTimeout option and whether it should work as I expect. I intended to use it to terminate inactive sessions, e.g. where no keystrokes / output is sent or SFTP sessions with no commands or data transfer. For testing I am using OpenSSH_9.6p1 Debian-5, OpenSSL 3.1.5 30 Jan 2024 both as the server and client. I set the following options in sshd_config:

I've updated the streamlocal patch for OpenSSH 4.4p1. http://www.25thandclement.com/~william/projects/streamlocal.html This patch allows for local and remote forwards, to and from Unix domain sockets. Simply specify the socket path, enclosed within squares braces (i.e. -L[/tmp/.s.PGSQL.5432]:[/tmp/.s.PGSQL.5432]) as the origin and/or destination of the -R and -L switches. This patch also

https://bugzilla.mindrot.org/show_bug.cgi?id=2421 Bug ID: 2421 Summary: direct-streamlocal at openssh.com doesn't have a reserved string - PROTOCOL.txt Product: Portable OpenSSH Version: 6.9p1 Hardware: Other OS: All Status: NEW Severity: enhancement Priority: P5

I've a server where clients can connect to using direct-streamlocal at openssh.com. I want that the server "knows" the address of the client. I've tried using the peercredentials of the process connecting my server (which is a sshd process) and check the environment. I thought that in the environment the var SSH_CLIENT would be set, but that did not work. This sshd process has

I'll be maintaining the streamlocal patch(s)--which teach(es) OpenSSH to forward local and remote domain sockets--here: http://www.25thandclement.com/~william/projects/streamlocal.html - Bill

https://bugzilla.mindrot.org/show_bug.cgi?id=1256 Colin Watson <cjwatson at debian.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |cjwatson at debian.org --- Comment #7 from Colin Watson <cjwatson at debian.org> --- It looks as though

Later versions of OpenSSH allow the user to forward connections also to/from Unix sockets. This patch allows to use Unix sockets as the target when forwarding the local stdio using the -W feature. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Allow-forwarding-of-stdio-to-streamlocal-end-points.patch Type: application/text Size: 5796 bytes Desc: not

On Thu, 26 Feb 2015, Darren Tucker wrote: > I noticed this error log spam on the tinderbox when looking at one of the > failures. It happens with Unix domain socket forwarding is requested: > > debug1: channel 1: new [forwarded-streamlocal at openssh.com] > get_socket_address: getnameinfo 1 failed: ai_family not supported > get_sock_port: getnameinfo NI_NUMERICSERV failed:

https://bugzilla.mindrot.org/show_bug.cgi?id=2416 Bug ID: 2416 Summary: [PATCH] Allow forwarding of stdio to streamlocal end points Product: Portable OpenSSH Version: -current Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh

RFC 4254 says, in regards to the "tcpip-forward" request message: Section 7.1 ... If a client passes 0 as port number to bind and has 'want reply' as TRUE, then the server allocates the next available unprivileged port number and replies with the following message; otherwise, there is no response-specific data. byte SSH_MSG_REQUEST_SUCCESS uint32 port that was bound