Bug 1256

Summary: unix domain sockets support
Product: Portable OpenSSH Reporter: Thomas Neumann <tneumann>
Component: sshAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: enhancement CC: bpeeluk, bugzilla.mindrot.org, cjwatson, daniel.black, djm, fche, mindrot, niels, richard, sascha-openssh-bugs, spam.sub.atomic.fusion
Priority: P2 Keywords: patch
Version: 4.4p1   
Hardware: Other   
OS: All   
Bug Depends on:    
Bug Blocks: 2188    

Description Thomas Neumann 2006-10-30 19:12:55 AEDT 
It would be nice if ssh could forward unix domain sockets in addition to TCP ports. The main reasons for this are better security and a nicer namespace: If I use ssh to access a remote service (e.g. VNC), my forward is visible to all other users on the same machine. First, this means that some care is required to make sure that the choosen port is still free, and second, all other users can access the remote service using my forwarded port. This is unfortunate if the remote services has a weak or no access control.
Using unix domain sockets provides as natural namespace to avoid collisions and allows using filesystem permissions to grant or deny access.

There is already a patch against OpenSSH that provides unix domain socket support

http://www.25thandclement.com/~william/projects/streamlocal.html

which might be used as a base.

(It is probably known to the OpenSSH developers, but as I could not find an corresponding Bugzilla entry I filed an enhancement request).
Comment 1 Thomas Neumann 2010-01-20 21:27:27 AEDT 
There is an updated patch available

http://www.25thandclement.com/~william/projects/releases/openssh-4.7p1-streamlocal-20090829-v6sa.patch

It would really be nice if the functionality could be integrated into OpenSSH.
Comment 2 Sascha Silbe 2010-04-02 08:20:00 AEDT 
Besides other things this would also allow gpg-agent forwarding, thus enabling users to keep their GPG key only on the local computer (even on a smartcard) and still using GPG remotely.
Comment 3 Richard Connon 2011-12-10 11:28:58 AEDT 
*** Bug 1802 has been marked as a duplicate of this bug. ***
Comment 4 Daniel Kahn Gillmor 2012-03-06 04:38:41 AEDT 
*** Bug 1984 has been marked as a duplicate of this bug. ***
Comment 5 bpeeluk 2013-07-06 20:24:00 AEST 
I was just wondering what's the status on this bug? Is there anything blocking landing the patch from comment 1? I want to use this to do gpg-agent forwarding. It looks like a recommended way to do this is via socat to tunnel the UNIX-domain socket through a normal TCP socket, but that is a bit messy as it opens up a port and doesn't allow restrictions based on user ID.
Comment 6 martin ➬ 2014-06-12 04:48:51 AEST 
I am also really interested in this patch/functionality. What's blocking it? Can I help?
Comment 7 Colin Watson 2014-10-07 23:39:58 AEDT 
It looks as though this can perhaps be closed now?  From http://www.openssh.com/txt/release-6.7:

 * ssh(1), sshd(8): Add support for Unix domain socket forwarding.
   A remote TCP port may be forwarded to a local Unix domain socket
   and vice versa or both ends may be a Unix domain socket.

And ChangeLog says:

   - millert@cvs.openbsd.org 2014/07/15 15:54:14
     [PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
     [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
     [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
     [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
     [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
     [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
     [sshd_config.5 sshlogin.c]
     Add support for Unix domain socket forwarding.  A remote TCP port
     may be forwarded to a local Unix domain socket and vice versa or
     both ends may be a Unix domain socket.  This is a reimplementation
     of the streamlocal patches by William Ahern from:
         http://www.25thandclement.com/~william/projects/streamlocal.html
     OK djm@ markus@
Comment 8 Damien Miller 2014-10-08 07:39:08 AEDT 
oops yes - thanks. This has indeed been released.
Comment 9 Damien Miller 2014-10-08 08:00:52 AEDT 
Close all bugs left open from 6.6 and 6.7 releases.