It would be nice if ssh could forward unix domain sockets in addition to TCP ports. The main reasons for this are better security and a nicer namespace: If I use ssh to access a remote service (e.g. VNC), my forward is visible to all other users on the same machine. First, this means that some care is required to make sure that the chosen port is still free, and second, all other users can access the remote service using my forwarded port. This is unfortunate if the remote service has weak or no access control. Using unix domain sockets provides a natural namespace to avoid collisions and allows using filesystem permissions to grant or deny access. There is already a patch against OpenSSH that provides unix domain socket support http://www.25thandclement.com/~william/projects/streamlocal.html which might be used as a base. (It is probably known to the OpenSSH developers, but as I could not find a corresponding Bugzilla entry I filed an enhancement request).
There is an updated patch available http://www.25thandclement.com/~william/projects/releases/openssh-4.7p1-streamlocal-20090829-v6sa.patch It would really be nice if the functionality could be integrated into OpenSSH.
Besides other things this would also allow gpg-agent forwarding, thus enabling users to keep their GPG key only on the local computer (even on a smartcard) and still use GPG remotely.
*** Bug 1802 has been marked as a duplicate of this bug. ***
*** Bug 1984 has been marked as a duplicate of this bug. ***
I was just wondering what's the status on this bug? Is there anything blocking landing the patch from comment 1? I want to use this to do gpg-agent forwarding. It looks like a recommended way to do this is via socat to tunnel the UNIX-domain socket through a normal TCP socket, but that is a bit messy as it opens up a port and doesn't allow restrictions based on user ID.
I am also really interested in this patch/functionality. What's blocking it? Can I help?
It looks as though this can perhaps be closed now? From http://www.openssh.com/txt/release-6.7:

 * ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket.

And ChangeLog says:

 - millert@cvs.openbsd.org 2014/07/15 15:54:14
   [PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
   [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
   [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
   [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
   [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
   [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
   [sshd_config.5 sshlogin.c]
   Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html
   OK djm@ markus@
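The gpg-agent forwarding use case raised in comments 3 and 6, done with the Unix domain socket remote forward that shipped in OpenSSH 6.7, as an added example (not code from this bug thread or from OpenSSH). It assumes GnuPG 2.1 or later on both ends (so `gpgconf --list-dirs` knows `agent-socket` and `agent-extra-socket`), that no gpg-agent is running on the remote host (otherwise it competes for the same socket path), and that the remote sshd_config has `StreamLocalBindUnlink yes` so a stale socket file from an earlier session does not make the bind fail:

```shell
#!/bin/sh
# Added example: forward the local gpg-agent to a remote host over a
# Unix-domain-socket remote forward (ssh -R, OpenSSH >= 6.7).
# Assumptions: GnuPG >= 2.1 on both ends, no gpg-agent running remotely,
# remote sshd_config contains "StreamLocalBindUnlink yes".
set -eu

# Build the -R argument: <remote socket path>:<local socket path>.
# The local side is gpg-agent's restricted "extra" socket, which is the one
# intended for forwarding; the remote gpg talks to it at its normal agent path.
gpg_forward_spec() {
    remote_sock=$1   # path where the remote gpg expects its agent socket
    local_sock=$2    # local gpg-agent extra socket
    case $remote_sock in
        /*) ;;
        *) echo "remote socket path must be absolute: $remote_sock" >&2; return 1 ;;
    esac
    case $local_sock in
        /*) ;;
        *) echo "local socket path must be absolute: $local_sock" >&2; return 1 ;;
    esac
    printf '%s:%s\n' "$remote_sock" "$local_sock"
}

# sshd_config fragment for the remote side. Without StreamLocalBindUnlink a
# leftover socket file from a previous session makes the remote bind fail.
sshd_config_fragment() {
    printf 'StreamLocalBindUnlink yes\n'
}

# Resolve both socket paths with gpgconf (locally and over ssh), then connect.
# ExitOnForwardFailure turns a refused bind into a hard error instead of a
# silent session without agent access.
forward_gpg_agent() {
    host=$1
    local_sock=$(gpgconf --list-dirs agent-extra-socket)
    remote_sock=$(ssh "$host" gpgconf --list-dirs agent-socket)
    spec=$(gpg_forward_spec "$remote_sock" "$local_sock")
    exec ssh -o ExitOnForwardFailure=yes -R "$spec" "$host"
}

# Usage: sh forward-gpg-agent.sh user@remote.example
if [ $# -gt 0 ]; then
    forward_gpg_agent "$1"
fi
```

The remote socket lives in the remote user's own GnuPG directory, so the filesystem permissions of that directory decide who can reach the forwarded agent, which is exactly the property the TCP-port-plus-socat workaround in comment 6 lacks. Since only the extra socket is forwarded, the remote side gets signing and decryption but not the agent's key-management commands.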
oops yes - thanks. This has indeed been released.
Close all bugs left open from 6.6 and 6.7 releases.