On Wed, Feb 21, 2018 at 4:59 PM Damien Miller <djm@xxxxxxxxxxx> wrote:

> On Wed, 21 Feb 2018, Jö Fahlke wrote:
>
> > On Tue, 20 Feb 2018, 23:13:16 -0800, Dan Kaminsky wrote:
> > > Date: Tue, 20 Feb 2018 23:13:16 -0800
> > > From: Dan Kaminsky <dan@xxxxxxxxxxx>
> > > To: Jö Fahlke <jorrit@xxxxxxxxx>
> > > Cc: openssh-unix-dev@xxxxxxxxxxx
> > > Subject: Re: Is there socksify script for dynamics forwardings to unix
> > > domain sockets?
> > >
> > > Whoa. That's pretty cool.
> > >
> > > Empirically, how well do LD_PRELOAD scripts work in grabbing all socket
> > > calls?
> >
> > Good point, I did not check that before, so I tried now (with tsocks on
> > Debian stretch and the "ssh -D" socks port on a random port on localhost)
> > and got mixed results. Generally, anything name-lookup related does not
> > seem to work and I have to use IP addresses.
>
> Yeah, IMO it would be better to write a small userspace NAT helper e.g.
> using IPPROTO_DIVERT that proxied things via SOCKS (assuming someone
> hasn't already done this).
>
> -d

There are a couple of strategies I've been looking at for other reasons
(universal TLS on all sockets, mainly). Seccomp trapping, expanding of the
preload to DNS calls, using some other security hooks. Will report back.

> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
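The name-lookup failure Jö reports is a property of where a connect()-only preload hook sits: by the time connect() is called, getaddrinfo() has already run against the local resolver (and failed, or leaked the query outside the tunnel), so the hook only ever sees an IP address. The SOCKS5 wire format (RFC 1928) has a DOMAINNAME address type that lets the client hand the unresolved hostname to the proxy, and an "ssh -D" listener accepts it. The following is an added example, not code from the thread, from OpenSSH or from tsocks; it assumes the RFC 1928 byte layout and a listener that accepts the no-authentication method, and all function and constant names are my own.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SOCKS5 constants from RFC 1928. */
#define SOCKS5_VER         0x05
#define SOCKS5_CMD_CONNECT 0x01
#define SOCKS5_ATYP_IPV4   0x01
#define SOCKS5_ATYP_DOMAIN 0x03

/* Client greeting offering only "no authentication" (method 0x00),
 * which is what a plain "ssh -D" listener accepts. Returns bytes written. */
int socks5_greeting(uint8_t *out, size_t cap)
{
    if (cap < 3) return -1;
    out[0] = SOCKS5_VER;
    out[1] = 0x01;   /* one method follows */
    out[2] = 0x00;   /* NO AUTHENTICATION REQUIRED */
    return 3;
}

/* Build a CONNECT request for host:port. An IPv4 literal is sent as ATYP
 * 0x01; anything else is sent verbatim as a DOMAINNAME (ATYP 0x03) so the
 * proxy performs the lookup and the client never touches its own resolver.
 * Returns bytes written, or -1 if the name is unusable or out is too small. */
int socks5_connect_request(const char *host, uint16_t port,
                           uint8_t *out, size_t cap)
{
    struct in_addr a4;
    size_t n = 0, len;

    if (cap < 4) return -1;
    out[n++] = SOCKS5_VER;
    out[n++] = SOCKS5_CMD_CONNECT;
    out[n++] = 0x00;                          /* RSV */

    if (inet_pton(AF_INET, host, &a4) == 1) {
        if (cap < 4 + 4 + 2) return -1;
        out[n++] = SOCKS5_ATYP_IPV4;
        memcpy(out + n, &a4.s_addr, 4);       /* already network byte order */
        n += 4;
    } else {
        len = strlen(host);
        if (len == 0 || len > 255) return -1; /* one-byte length prefix */
        if (cap < 4 + 1 + len + 2) return -1;
        out[n++] = SOCKS5_ATYP_DOMAIN;
        out[n++] = (uint8_t)len;
        memcpy(out + n, host, len);
        n += len;
    }
    out[n++] = (uint8_t)(port >> 8);          /* port, network byte order */
    out[n++] = (uint8_t)(port & 0xff);
    return (int)n;
}

/* Return the proxy reply's REP code (0x00 = succeeded), or -1 if the
 * buffer does not start like a SOCKS5 reply. */
int socks5_reply_status(const uint8_t *buf, size_t len)
{
    if (len < 2 || buf[0] != SOCKS5_VER) return -1;
    return buf[1];
}

static void dump(const char *label, const uint8_t *b, int n)
{
    printf("%-26s", label);
    for (int i = 0; i < n; i++) printf("%02x ", b[i]);
    printf("(%d bytes)\n", n);
}

int main(void)
{
    uint8_t buf[300];
    int n;

    n = socks5_greeting(buf, sizeof buf);
    dump("greeting:", buf, n);
    /* Hostname target: the lookup is deferred to the proxy side. */
    n = socks5_connect_request("example.org", 443, buf, sizeof buf);
    dump("CONNECT example.org:443:", buf, n);
    /* IPv4 literal: all a connect()-only hook can ever forward. */
    n = socks5_connect_request("10.0.0.1", 22, buf, sizeof buf);
    dump("CONNECT 10.0.0.1:22:", buf, n);
    return 0;
}
```

The design point is that the hostname has to reach the SOCKS client before resolution happens, which is why a preload that only wraps connect() cannot fix the problem and why Dan's "expanding of the preload to DNS calls" (interposing getaddrinfo()/gethostbyname() and carrying the name through to the CONNECT request) is the shape the fix has to take.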