Allow ssh(1) to connect through UNIX domain sockets on systems where getaddrinfo(3) supports AF_UNIX #431
connect through UNIX domain sockets. This is useful in combination with connections forwarding over UNIX domain sockets.
We want to use this for doing CI testing of our nbdkit-ssh-plugin. The current test must allocate a TCP port which is not very safe or scalable in a CI system.
Thanks for doing this - I was ready to do the same, but you beat me to it.
I will test this as soon as I find some time for it. My use case is on MacOS, so I will try that.
Hmm, I couldn't get this to work under Linux, but it is not very strange because AF_UNIX has been removed from getaddrinfo in glibc. From glibc's Changelog:
That is weird. If you grep for
It's just a minor detail though.
I will re-implement from scratch without using getaddrinfo(). Expect another pull request coming up.
Seems MacOS doesn't support AF_UNIX in its libSystem getaddrinfo either. [source]
Which server identity is used to authenticate the server? Note that you can already do that using:
Or with
TBH I think a more important element is the ability for
If you are wondering about
That's not sshd listening directly (and only) on a Unix domain socket.
There is no need if you use Example:
Where
Yes, I was confused how this patch could help your use case :) A subset of your tests could be done by communicating via stdin/stdout directly to /usr/lib/openssh/sftp-server. I have no use myself for sshd listening to a unix socket unfortunately...
Oh I see, passing in a pre-opened socket using systemd socket activation (it doesn't actually need systemd to do this since the protocol is well-documented). I will have to investigate this as I hadn't thought about that before.
I missed something important about this PR - the limitation that "On systems where getaddrinfo(3) supports AF_LOCAL". So looks like neither Linux (or actually glibc) nor MacOS support this - and I was wondering why the patch could be so simple ;-). Anyway, that doesn't address my use case, so I need to make changes. I am wondering though - which systems do support this?
It works now with this change: fe3ccc9 , but there are things to iron out - it currently segfaults when accepting the host key, unless I give the option This works: Currently the socket file path needs to start with a
Thanks! That was my first idea too, but we can't call freeaddrinfo() on homemade struct addrinfo's, maybe that's why it crashes. How can we set up a pull request that we can both push to?
I fixed it, and force pushed it to my fork: f965e1e . Or just look at my branch there: https://github.com/oliverkurth/openssh-portable/commits/topic/okurth/unix-socket . The crash has nothing to do with I tested this with both MacOS and Linux (Ubuntu 22.04).
Not sure, but it's okay if you just cherry-pick my change and add it here.
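The "homemade struct addrinfo" and the freeaddrinfo() crash discussed in the two comments above, as an added C example that is not code from this PR or from OpenSSH: a probe for whether the local getaddrinfo(3) accepts AF_UNIX at all, next to a fallback that fills a caller-owned addrinfo/sockaddr_un pair by hand, so there is nothing for freeaddrinfo() to free and the path length is checked before it is copied into sun_path. Both function names and the /tmp socket path are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <netdb.h>

/* Probe: does this libc's getaddrinfo(3) resolve a filesystem path when
 * hints.ai_family is AF_UNIX? Returns 1 if it does, 0 otherwise
 * (glibc rejects the family with EAI_FAMILY, as the thread observes). */
int getaddrinfo_supports_af_unix(const char *path)
{
	struct addrinfo hints, *res = NULL;
	int supported = 0;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_UNIX;
	hints.ai_socktype = SOCK_STREAM;
	if (getaddrinfo(path, NULL, &hints, &res) == 0) {
		supported = (res != NULL && res->ai_family == AF_UNIX);
		freeaddrinfo(res); /* correct here: the libc allocated it */
	}
	return supported;
}

/* Fallback (hypothetical helper): fill a caller-owned addrinfo and
 * sockaddr_un by hand. Nothing is heap-allocated, so the caller must
 * not hand the result to freeaddrinfo(); it simply goes out of scope.
 * Returns 0 on success, -1 if the path does not fit in sun_path. */
int make_unix_addrinfo(const char *path, struct addrinfo *ai,
    struct sockaddr_un *sun)
{
	size_t len = strlen(path);

	/* Reject paths that would be truncated: a silently shortened
	 * sun_path would connect to a different socket than requested. */
	if (len == 0 || len >= sizeof(sun->sun_path))
		return -1;

	memset(sun, 0, sizeof(*sun));
	sun->sun_family = AF_UNIX;
	memcpy(sun->sun_path, path, len + 1);

	memset(ai, 0, sizeof(*ai));
	ai->ai_family = AF_UNIX;
	ai->ai_socktype = SOCK_STREAM;
	ai->ai_addr = (struct sockaddr *)sun;
	ai->ai_addrlen =
	    (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len + 1);
	return 0;
}
```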
Ah, looks like that is indeed how they do it for unix sockets for forwardings, see
Alright, I can do the same.
Latest commit acafda4 addresses (not using) There is an issue with the known hosts checking when the path to the socket contains spaces (and unfortunately, even though I abhor spaces in file names, that's in my use case). But with the option
I had less time than I thought to do this... but the plan is let this PR rest in peace and start over from master with an implementation that doesn't try to use getaddrinfo(). Then write a regression test and documentation. If you @oliverkurth could squash your commits on top of master it would be helpful!
My changes so far are all in one commit, I always amended and force pushed to my branch https://github.com/oliverkurth/openssh-portable/commits/topic/okurth/unix-socket . I think it's actually mostly done, the only thing I need to decide is whether to just set But I wonder - is this even the right place to get this merged into upstream? When I look at https://github.com/openssh/openssh-portable/pulls?q=is%3Apr+is%3Amerged , almost no PRs get merged.
Maybe it should always be used with
i.e. a UNIX socket should not be used as a server identity in
That's one way to address it, but I think it's not very convenient. Maybe I don't want to edit my config file every time I want to connect to a new socket. I think enforcing
Did that, with 30b4f1b on https://github.com/oliverkurth/openssh-portable/commits/topic/okurth/unix-socket Contributors, @pjd, @kalvdans, would it be okay if I create another PR from my branch to replace this one and squash all commits together? I have already rebased on current master. It would be nice if this gets tested. Not sure how to add automatic tests for this, I will try to figure that out. Also, documentation.
I don't think we need to worry about that. Next, we'd need to figure out how to get this into upstream.
New PR, let's continue the discussion there: #435
Closing, since not many systems support UNIX domain sockets in getaddrinfo().
This is a restart of #162 by @pjd which was accidentally closed.
On systems where getaddrinfo(3) supports AF_LOCAL family allow ssh(1) to connect through UNIX domain sockets.
This is useful in combination with connections forwarding over UNIX domain sockets.
Let's say I have system A behind a NAT and system B accessible in the Internet.
I want to enable some users of system B to connect to sshd on system A.
I can leverage stream forwarding and run on system A the following command:
Now, only on system B will I be able to connect to system A over a UNIX domain socket.
On system B with this patch I can run:
TODO: