
tunneling support for PF_UNIX sockets

To: openssh-unix-dev@mindrot.org
Subject: tunneling support for PF_UNIX sockets
From: Topi Rinkinen <openssh-unix-dev@topisoft.fi>
Date: Mon, 05 Feb 2007 17:47:19 +0200
Hi,

I've been planning to develop support for tunneling between "local_tcp
=> server_AF_UNIX".

This way, every user of the server machine can have:
1. A personal address space (if the socket is located in a personal directory).
Currently one must check the assigned local port every time a
server (e.g. vncserver) is started, and redirect a local port to a "random" remote
port.
2. Added security. If the server application on the remote machine supports
AF_UNIX sockets, the socket can be made accessible to the user only (by
locating it in a 700 directory).

Questions:

3. Is there a way to achieve same goals with current ssh version?

4. Is there a reason not to do this?

5. Is there an already available naming convention to support different
address families?
Quick_n_dirty way would be prefixing host_address with some predefined
"illegal" character (e.g. '#'), to signal the AF_UNIX address. But I see
that general, expandable naming convention would give more. One could
e.g. define an address space of "AF_EXEC", which would execute program
on remote host every time new tunnel is initiated.
I was thinking something like:
"AF_UNIX::/home/user/dir/sock_file" for UNIX sockets (ssh -newflag
8080:AF_UNIX::/home/user/dir/sock_file hostname.com)
"AF_INET::localhost:80" for tcp redirection, this should be default, if
no AF_* is specified.
"AF_EXEC::/home/user/server_executable -p param" for executable
redirection.

6. Local port support for new address families can gain some new usage.
Any ideas for this?

Any further ideas?

-- 
  Topi
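As an added illustration (not code from the post or from OpenSSH), here is a small C parser for the forwarding syntax proposed above, "LPORT:[AF_xxx::]target", together with the permission check that item 2 relies on: the socket's directory must be mode 0700 and owned by the invoking user. The family names AF_UNIX and AF_INET and the default-to-AF_INET rule come from the post; the struct and function names, the rejection of any other AF_ prefix (including the post's AF_EXEC idea), and the requirement that a UNIX target be an absolute path are assumptions made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Address families of the proposed naming convention (assumed enum names). */
enum fwd_family { FWD_INET = 0, FWD_UNIX = 1 };

struct fwd_spec {
    unsigned short local_port;   /* TCP port the client listens on */
    enum fwd_family family;
    char target[256];            /* "host:port" for INET, absolute socket path for UNIX */
};

/* Parse "LPORT:[AF_UNIX::|AF_INET::]target". Returns 0 on success, -1 on error.
 * Any other "AF_" prefix (e.g. the post's AF_EXEC) is rejected here. */
int parse_fwd_spec(const char *spec, struct fwd_spec *out)
{
    const char *colon, *rest;
    char *end;
    long port;

    if (spec == NULL || out == NULL)
        return -1;
    colon = strchr(spec, ':');
    if (colon == NULL || colon == spec)
        return -1;
    port = strtol(spec, &end, 10);
    if (end != colon || port < 1 || port > 65535)
        return -1;
    rest = colon + 1;

    memset(out, 0, sizeof(*out));
    out->local_port = (unsigned short)port;

    if (strncmp(rest, "AF_UNIX::", 9) == 0) {
        rest += 9;
        if (*rest != '/')           /* assumption: UNIX target must be an absolute path */
            return -1;
        out->family = FWD_UNIX;
    } else if (strncmp(rest, "AF_INET::", 9) == 0) {
        rest += 9;
        out->family = FWD_INET;
    } else if (strncmp(rest, "AF_", 3) == 0) {
        return -1;                  /* unknown family: refuse rather than guess */
    } else {
        out->family = FWD_INET;     /* post: AF_INET is the default when no AF_ is given */
    }
    if (out->family == FWD_INET && strchr(rest, ':') == NULL)
        return -1;                  /* an INET target needs host:port */
    if (*rest == '\0' || strlen(rest) >= sizeof(out->target))
        return -1;
    strcpy(out->target, rest);
    return 0;
}

/* Item 2 of the post: the socket should live in a 0700 directory owned by the
 * user. Returns 1 if `dir` satisfies that, 0 otherwise (including stat failure). */
int unix_socket_dir_is_private(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != getuid())
        return 0;
    return (st.st_mode & 077) == 0;  /* no group/other bits at all */
}

/* Convenience wrappers: family of a spec (-1 on parse error) and target match. */
int fwd_family_of(const char *spec)
{
    struct fwd_spec f;
    return parse_fwd_spec(spec, &f) == 0 ? (int)f.family : -1;
}

int fwd_target_is(const char *spec, const char *want)
{
    struct fwd_spec f;
    return parse_fwd_spec(spec, &f) == 0 && strcmp(f.target, want) == 0;
}

int main(void)
{
    /* Constructed sample specs, taken from the forms suggested in the post. */
    const char *samples[] = {
        "8080:AF_UNIX::/home/user/dir/sock_file",
        "8080:AF_INET::localhost:80",
        "8080:localhost:80",
        "8080:AF_EXEC::/home/user/server_executable -p param",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct fwd_spec f;
        if (parse_fwd_spec(samples[i], &f) == 0)
            printf("%-55s -> port %u, %s, target '%s'\n", samples[i], f.local_port,
                   f.family == FWD_UNIX ? "AF_UNIX" : "AF_INET", f.target);
        else
            printf("%-55s -> rejected\n", samples[i]);
    }
    printf("/tmp private for this user: %d\n", unix_socket_dir_is_private("/tmp"));
    return 0;
}
```

The directory check is intentionally strict: a world-readable parent directory would let other local users connect to the socket, which is exactly the exposure item 2 wants to avoid, so a client implementing this forwarding would refuse to bind a UNIX-side endpoint whose directory fails the check.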
