Support Unix domain socket (local) forwarding #31
My goal is to support socket forwarding similar to what OpenSSH 6.7 supports. In my case, I am only supporting forwarding to a Unix domain socket on the local side of the forward, not on the remote end.

The benefit I'm gaining out of this patch is that I can forward a remote port to a local Unix domain socket, so only users on the system that have read permissions on the socket file can connect to the tunnel. This, I believe, will be more secure on a multiuser system.

To use socket forwarding, just replace your `local_bind_address` tuple with a string that represents the Unix socket path:

To implement this functionality, I created two new `ForwardServer` classes:

- `_UnixStreamForwardServer`
- `_ThreadingUnixStreamForwardServer`

These are no different than their `_ForwardServer` counterparts except that they use `TCPServer`'s subclass `UnixStreamServer` (see docs). `UnixStreamServer` uses Unix domain sockets, so it's not usable on Windows.

When `local_bind_address` is a tuple, the code will use the existing `_ForwardServer`, and otherwise it will select the `_UnixStreamForwardServer`.

I am a little concerned about the `_ForwardHandler` code where I have to pass paramiko's `open_channel` a fake source address. First off, paramiko doesn't support the socket forwarding protocol yet (paramiko/paramiko#544 seeks to implement this). Even so, this code still seems to work with "direct-tcpip".

Second, when using the AF_UNIX address family, `getpeername` returns a string instead of an address tuple like AF_INET (ref docs). When I detect that `getpeername` doesn't return a tuple, I assume it's AF_UNIX, and then generate a dummy address tuple.
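The following is an added, stand-alone example written for this page; it is not code from the pull request, from sshtunnel or from paramiko. It reproduces the three mechanisms the description above relies on with the standard library only: the tuple-versus-string choice of listener class, what `getpeername()` actually returns for an AF_UNIX peer (a `str`, or `bytes` for the Linux abstract namespace) and how to turn it into the `(host, port)` originator tuple that `open_channel("direct-tcpip", dest_addr, src_addr)` wants, and restricting who can use the local end by changing the socket file's mode. The `DUMMY_SRC_ADDR` constant and every function and class name are this example's own choices, not names from the project. One caveat worth knowing when relying on the file permissions: on Linux, `connect(2)` to an AF_UNIX stream socket requires write permission on the socket file (plus search permission on its directory), so it is the write bit, not the read bit, that gates access.

```python
"""Added example (not code from the sshtunnel PR or from paramiko).

Stand-in for a Unix-socket forward server: shows the tuple-vs-string dispatch
on local_bind_address, what getpeername() returns for AF_UNIX vs AF_INET and
how to normalize it into the (host, port) src_addr that paramiko's
open_channel('direct-tcpip', dest_addr, src_addr) expects, and how to limit
who may connect by chmod'ing the socket file. Needs AF_UNIX (Linux/BSD/macOS).
"""
import os
import socket
import socketserver
import tempfile
import threading

# Placeholder "originator" for the direct-tcpip request when the real client is
# a local Unix-socket peer. Hypothetical value chosen for this example.
DUMMY_SRC_ADDR = ("127.0.0.1", 0)


def peer_as_tcp_tuple(peername):
    """Normalize socket.getpeername() output into an AF_INET-style (host, port).

    AF_INET  -> ('10.0.0.5', 51234)    returned as (host, port)
    AF_INET6 -> ('::1', 51234, 0, 0)   trimmed to (host, port)
    AF_UNIX  -> '' (unnamed client), '/path/client.sock', or b'\\0abstract'
                (Linux abstract namespace) -> DUMMY_SRC_ADDR
    """
    if isinstance(peername, tuple) and len(peername) >= 2:
        return (str(peername[0]), int(peername[1]))
    # str or bytes means AF_UNIX: there is no (host, port) to report, so hand
    # the SSH channel a dummy originator instead of failing.
    return DUMMY_SRC_ADDR


def make_forward_server(local_bind_address, handler_cls):
    """tuple -> TCP listener; str -> Unix-domain listener (the PR's selection rule)."""
    if isinstance(local_bind_address, tuple):
        return socketserver.ThreadingTCPServer(local_bind_address, handler_cls)
    server = socketserver.ThreadingUnixStreamServer(local_bind_address, handler_cls)
    # connect(2) on an AF_UNIX stream socket needs write permission on the socket
    # file, so 0600 confines the tunnel entrance to the owning user. bind() made
    # the file with the process umask; set a restrictive umask before binding in
    # production to close the brief window where the default mode applies.
    os.chmod(local_bind_address, 0o600)
    return server


class PeerReportHandler(socketserver.BaseRequestHandler):
    """Stands in for the forward handler: reports the raw peername type and the
    normalized tuple that would be passed to open_channel as src_addr."""

    def handle(self):
        raw = self.request.getpeername()
        host, port = peer_as_tcp_tuple(raw)
        self.request.sendall(f"{type(raw).__name__}|{host}:{port}".encode())


def query_once(server, connect_to, family):
    """Serve in a background thread, connect one client, return the reply."""
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with socket.socket(family, socket.SOCK_STREAM) as c:
            c.connect(connect_to)
            return c.recv(256).decode()
    finally:
        server.shutdown()
        server.server_close()


def demo_unix():
    """Listen on a fresh Unix socket; return (handler reply, socket file mode)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "tunnel.sock")
    server = make_forward_server(path, PeerReportHandler)
    try:
        mode = os.stat(path).st_mode & 0o777
        return query_once(server, path, socket.AF_UNIX), mode
    finally:
        os.unlink(path)
        os.rmdir(tmpdir)


def demo_tcp():
    """Same handler behind a loopback TCP listener, for comparison."""
    server = make_forward_server(("127.0.0.1", 0), PeerReportHandler)
    return query_once(server, server.server_address, socket.AF_INET)


if __name__ == "__main__":
    print("unix:", demo_unix())
    print("tcp: ", demo_tcp())
```

Running it shows the asymmetry the description is working around: the TCP client is reported as a `tuple` with a real loopback port, while the Unix client arrives as an empty `str` and is mapped to the dummy originator before it would reach the SSH channel request.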