SSH Enhancements - Delete StreamLocal forwards on disconnect, and bind to interface

Hi folks,

I'm using OpenSSH to set up a rendezvous for a number of OpenWRT devices.

Central server has the following configuration in sshd_config:

# This is to work around a bug only fixed in OpenSSH 7.3 (most likely)
StreamLocalBindUnlink yes

Match User sshvpn
ChrootDirectory /var/sshvpn/
AllowTCPForwarding no
AllowStreamLocalForwarding yes
StreamLocalBindUnlink yes

Clients connect to the server using the following invocation, via autossh:

/usr/bin/ssh -o CheckHostIP=yes -o LogLevel=INFO -o ServerAliveCountMax=2
-o ServerAliveInterval=120 -o StrictHostKeyChecking=yes -o TCPKeepAlive=yes
-o StreamLocalBindUnlink=yes -o ExitOnForwardFailure=no -o BatchMode=yes
-nN -R /sshvpn/gateway-78a3510e3b38:127.0.0.1:22 sshvpn@myserver

I can then connect to the device from my central server using the following:

ssh -o "StrictHostKeyChecking=no" -o ProxyCommand='socat
UNIX:/var/sshvpn/sshvpn/gateway-78a3510e3b38 -' -D 1085
root@gateway-78a3510e3b38

and subsequently access the device itself or any other hosts it can reach.
This works pretty well!

There are a couple of small things that would make this perfect:

1. sshd should be configurable to delete the StreamLocal file when the
client disconnects. Otherwise it can be tricky to figure out which clients
have an active, usable connection. Most times, I just get "the other end has
disconnected" because socat cannot open the domain socket.

2. The devices are intended to be deployed into a customer environment, and
may have wifi or ethernet uplink as well as 3G. I want to keep the 3G link
up and accessible in case the ethernet or wifi uplinks fail for whatever
reason. It seems to me that one way to achieve this is to have multiple
autossh sessions running, each bound to the IP address of the
ethernet/wifi/3g interfaces. This will ensure that each autossh instance
will be routed via that interface, rather than the default route. While
this is doable with a bit of scripting, the addresses can change as the
interfaces go up and down, and it seems to me that this is something that
could be reasonably implemented in OpenSSH itself. e.g. with a -B eth0
option (analogous to -b <ip>).

Any comments on these suggestions? Would patches to implement these be
considered?

Rogan
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
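Added example (not from the post, and not OpenSSH code): a small Python helper for the two gaps Rogan describes. For point 1 it probes each gateway-* socket the chrooted sshd has created and reports whether the file is stale (nothing listening), half-dead (sshd accepts but no SSH banner comes back through the forward) or live (the device's own sshd answers). For point 2 it extracts an uplink's current IPv4 address from `ip -4 -o addr show` output so the -b address can be refreshed each time autossh restarts the session. The host-side socket directory /var/sshvpn/sshvpn and the gateway id are taken from the post; the `ip -o` sample text and the interface names eth0/wwan0 are constructed for the example.

```python
#!/usr/bin/env python3
"""Added example for the sshd rendezvous setup in the post (not the post's own code)."""
import os
import re
import socket
import stat

# Host-side view of the forwards: the post's sshd uses ChrootDirectory /var/sshvpn/
# and clients bind /sshvpn/gateway-<id>, so on the host the socket files are under
# /var/sshvpn/sshvpn/ (assumption taken from the post's socat ProxyCommand).
SOCKET_DIR = "/var/sshvpn/sshvpn"


def probe_socket(path, timeout=3.0):
    """Classify one StreamLocal forward socket.

    'missing'    no such file
    'stale'      file exists but nothing listens (ECONNREFUSED): the sshd session
                 that created it is gone and nothing unlinked the file
    'no-banner'  sshd accepted, but no SSH banner arrived through the forward:
                 the channel to the device did not open in time (client side is
                 probably dead but ServerAliveInterval has not fired yet)
    'live'       the device's sshd answered end-to-end through the forward
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(path)
        except OSError:              # ECONNREFUSED for a listener-less file
            return "stale"
        try:
            data = s.recv(255)       # RFC 4253: the server speaks first ("SSH-2.0-...")
        except OSError:              # timeout or reset while waiting for the banner
            return "no-banner"
    return "live" if data.startswith(b"SSH-") else "no-banner"


def inventory(socket_dir=SOCKET_DIR):
    """Map gateway id -> probe result for every gateway-* file in socket_dir."""
    result = {}
    for name in sorted(os.listdir(socket_dir)):
        if name.startswith("gateway-"):
            result[name[len("gateway-"):]] = probe_socket(os.path.join(socket_dir, name))
    return result


# One line of `ip -4 -o addr show` looks like:
#   2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\  valid_lft ...
_IP_O_RE = re.compile(r"^\d+:\s+(?P<dev>\S+)\s+inet\s+(?P<addr>\d+(?:\.\d+){3})/\d+")


def interface_addr(ip_o_output, ifname):
    """First IPv4 address of ifname in `ip -4 -o addr show` output, or None.

    Addresses on wifi/3G uplinks change as the link flaps, so this is re-run
    before each (re)start of the autossh session pinned to that uplink.
    """
    for line in ip_o_output.splitlines():
        m = _IP_O_RE.match(line)
        if m and m.group("dev") == ifname:
            return m.group("addr")
    return None


# Constructed sample of `ip -4 -o addr show` output (not captured from a real device).
SAMPLE_IP_O = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
5: wwan0    inet 100.64.7.21/32 scope global wwan0\\       valid_lft forever preferred_lft forever
"""


def reverse_forward_cmd(gateway_id, bind_addr, server="sshvpn@myserver"):
    """argv for the post's ssh -R invocation, pinned to one uplink address with -b.

    ExitOnForwardFailure=yes (the post uses no) makes ssh exit, and autossh
    retry, when the remote socket cannot be bound instead of idling uselessly.
    """
    return ["ssh", "-b", bind_addr, "-o", "ExitOnForwardFailure=yes",
            "-o", "StreamLocalBindUnlink=yes", "-o", "BatchMode=yes", "-nN",
            "-R", f"/sshvpn/gateway-{gateway_id}:127.0.0.1:22", server]


if __name__ == "__main__":
    for gw, state in inventory().items():
        print(f"{gw}: {state}")
```

Two caveats. The probe's connection reaches the device's sshd and is dropped before authentication, so it shows up in the device's auth log as a short-lived connection from 127.0.0.1; and "live" only says the channel works, not which device is on the other end, so host-key checking on the subsequent ssh still matters. Second, on Linux, binding the source address with -b does not by itself choose the outgoing interface: route selection is by destination, so a session bound to the wwan0 address is still sent via the default route (and usually dropped by the other carrier) unless a source-based policy rule (ip rule ... from <addr> lookup <table>) points that address at a table whose default route is via the 3G interface.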