
[Bug 1572] New: accept SOCKS requests over the mux socket in master mode
https://bugzilla.mindrot.org/show_bug.cgi?id=1572

Summary: accept SOCKS requests over the mux socket in master mode
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: ssh
AssignedTo: unassigned-bugs@mindrot.org
ReportedBy: sfandino@yahoo.com


Created an attachment (id=1613)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1613)
patch for OpenSSH current

The attached patch extends the mux listener to accept SOCKS4/5 requests
in addition to the native mux commands.

The rationale behind is that creating tunnels attached to TCP ports is
a security hazard in multi-user machines where there is no way to
control who connects through the tunnels. On the other hand, the mux
UNIX domain socket binds to the file system and regular permissions can
be used for access control.

I have also created a small Perl script "snc", similar to netcat, that
uses this new feature. In the end, if this patch gets accepted, my idea
is to extend my Perl module Net::OpenSSH to use it.

Under the hood, the code I have added just looks at the first byte
coming from the mux connection. When it is a mux command, it
corresponds to the first byte of the packet length encoded as a 32-bit
integer in network order and so, it is 0 (packet length is limited to
256KB). When it is a SOCKS connection the first byte is 4 or 5 so we
can easily distinguish both protocols.

I know it is somewhat hacky, but the alternatives I see are:

1) to use a dedicated socket for the SOCKS proxy

2) to extend the mux "protocol" with new commands offering equivalent
functionality.

I don't like (1) because, IMO, it would unnecessarily complicate ssh
usage. I don't like (2) because adapting a SOCKS client to use a UNIX
socket instead of a TCP one, should be much easier than implementing a
new protocol.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
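The first-byte dispatch the report describes, as an added example in C (my own code, not the attached patch). It assumes a hypothetical `classify_peer()` helper fed the bytes peeked from a new mux-socket client; it also validates the full 4-byte mux length against the 256KB limit before accepting the client, and rejects any first byte that belongs to neither protocol.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (an added example, not the patch attached to the bug):
 * decide which protocol a client on the mux socket speaks from the bytes
 * it sends first. Mux packets start with a 4-byte big-endian length whose
 * first byte is 0 under the 256KB limit; SOCKS4 and SOCKS5 start with the
 * version byte 4 or 5. */
enum peer_kind { PEER_NEED_MORE, PEER_MUX, PEER_SOCKS4, PEER_SOCKS5, PEER_REJECT };

#define MUX_MAX_PACKET (256u * 1024u)  /* mux packet length limit from the report */

/* buf/n: bytes peeked so far. A mux client's whole length field is checked
 * before it is accepted, so an oversized length is refused up front rather
 * than allocated for later. *pktlen receives the length for PEER_MUX. */
enum peer_kind classify_peer(const uint8_t *buf, size_t n, uint32_t *pktlen)
{
    if (n == 0) return PEER_NEED_MORE;
    if (buf[0] == 4) return PEER_SOCKS4;     /* SOCKS4 request, VN = 4 */
    if (buf[0] == 5) return PEER_SOCKS5;     /* SOCKS5 greeting, VER = 5 */
    if (buf[0] != 0) return PEER_REJECT;     /* neither protocol: drop it */
    if (n < 4) return PEER_NEED_MORE;        /* mux: wait for the full length */
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (len == 0 || len > MUX_MAX_PACKET) return PEER_REJECT;
    if (pktlen) *pktlen = len;
    return PEER_MUX;
}

/* Constructed sample first bytes (not captured traffic). */
const uint8_t sample_mux[]    = { 0x00, 0x00, 0x00, 0x14 };  /* mux, length 20 */
const uint8_t sample_socks4[] = { 0x04, 0x01, 0x00, 0x50 };  /* SOCKS4 CONNECT, port 80 */
const uint8_t sample_socks5[] = { 0x05, 0x01, 0x00 };        /* SOCKS5 greeting, 1 method */
const uint8_t sample_bad[]    = { 0x00, 0x10, 0x00, 0x00 };  /* "mux" length 1 MiB: too big */

int main(void)
{
    static const char *names[] = { "need-more", "mux", "socks4", "socks5", "reject" };
    uint32_t len = 0;
    enum peer_kind k = classify_peer(sample_mux, 4, &len);
    printf("%s len=%u\n", names[k], len);
    printf("%s\n", names[classify_peer(sample_socks4, 4, NULL)]);
    printf("%s\n", names[classify_peer(sample_socks5, 3, NULL)]);
    printf("%s\n", names[classify_peer(sample_bad, 4, NULL)]);
    return 0;
}
```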