Unix Domain Socket Forwarding

To: ietf-ssh%NetBSD.org@localhost
Subject: Unix Domain Socket Forwarding
From: William Ahern <william%25thandClement.com@localhost>
Date: Tue, 9 May 2006 13:58:49 -0700

I'd like to solicit opinions on a protocol for Unix domain socket
forwarding.

As a proof-of-concept I wrote a patch to OpenSSH 4.3p2 and added
the following messages:

forwarded-streamlocal%openssh.com@localhost
direct-streamlocal%openssh.com@localhost
streamlocal-forward%openssh.com@localhost
cancel-streamlocal-forward%openssh.com@localhost

I can go into details on the format of those messages if anybody wishes, but
to cut to the chase I'm most interested in hearing what people have to say
about umask settings, since some SysV platforms obey file permissions on
Unix domain sockets.

In my implementation I decided to let each end handle the umask
autonomously, partly for simplictity's sake, partly so that the remote side
is solely responsible for local policy, and lastly with the notion that
"streamlocal" might be translatable on Windows (aside from Cygwin's
compatbility layer) and that umask in such a case likely could have no
useful meaning.

Also, for reverse forwarded connections relayed via the
"forwarded-streamlocal" message, the format is a string path followed by
name=value pairs terminated by an empty string. The idea here being that
interesting information could be relayed, possibly allowing something like
getpeereid(2) to be emulated on the other side (getpeereid(2) and similar
API's allows the effective uid and gid of the connecting peer to be
queried), but only on a best-effort type of basis (since trusting the remote
end is a dubious proposition at best). For this piece, I'd also like to hear
opinions on whether anybody would chuck that bit for simplicity's sake.

The existing OpenSSH patch can be found here:

http://www.25thandclement.com/~william/projects/streamlocal.html

Oh, and another interesting problem is handling unlinking of existing
sockets. Since, unfortunately, Unix domain sockets aren't first class
objects in the Unix namespace model, handling dangling socket paths poses
some headaches. Again, I left this up to each side, independently.

- Bill

Follow-Ups:
- Re: Unix Domain Socket Forwarding
  - From: Timo J. Rinne

Prev by Date: RFC 4462 on Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol
Next by Date: Re: Unix Domain Socket Forwarding
Previous by Thread: RFC 4462 on Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol
Next by Thread: Re: Unix Domain Socket Forwarding
Indexes:

Home | Main Index | Thread Index | Old Index