I could be misunderstanding your use-case, but ssh has a ProxyUseFdpass option where it can accept an already-connected socket.

On Thu, Jan 13, 2022 at 8:19 AM Chris Mitchell <ssh-list@xxxxxxxxxxxxxxxx> wrote:
>
> Hi all,
>
> My apologies if what I'm looking for is already possible. If that is
> the case, I would gratefully welcome pointers to where in the
> documentation to find it and/or key words to search for.
>
> What I hope to accomplish is on-demand activation of ssh port forwards.
> I gather that the OpenSSH server's -i flag is essentially what I'm
> looking for, in which something like inetd or systemd already has port
> 22 open and passes it to sshd at launch. As far as I understand things,
> the OpenSSH *client* has no similar capability, which is unsurprising
> given that it's not a server. ;-)
>
> For the use case where I want to use an SSH port forward to access a
> remote service on a regular-ish (but not "always-on") basis, it doesn't
> really make sense to try to hold that tunnel open all the time with
> keepalives and timeouts and restarts and such. But setting it up
> manually each time is suboptimal, especially for someone who uses
> numerous such tunnels, e.g. to access a bunch of web-based management
> interfaces behind a firewall. As far as I know, current capabilities
> don't allow any reasonable on-demand automated solution.
>
> It would be really cool if I could have a meta-server listening
> on the local port right from boot, and then on access to that port it
> would invoke something like:
> /usr/bin/ssh -N -T -L localhost:12345:localhost:12345 user@server
> ...but with some equivalent to sshd's "-i" flag, so that the
> ssh client would accept being passed local port 12345 instead of trying
> to open it itself and erroring out because it's already in use.
>
> In my particular use-case I would use a systemd socket unit for this,
> but if I'm not mistaken xinetd could fulfill that role too, so what
> I'm looking for is platform-independent and doesn't introduce any
> systemd dependencies. Finally, it would be convenient if it could take
> the local socket from the command line rather than requiring custom
> entries in /etc/services, but that's a minor detail.
>
> Does that make sense?
>
> Cheers!
> -Chris
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
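One way to get the on-demand behaviour the quoted message asks for with the OpenSSH client as it exists, as an added example that is not from this thread or from the OpenSSH project: let systemd own the local port from boot and hand each accepted connection, inetd-style, to a per-connection ssh process that uses stdio forwarding (-W) in place of -L, so ssh never has to bind port 12345 itself. The host `server`, user `user` and port 12345 are taken from the quoted message; the unit names, the unprivileged local account `tunneluser` and its key path are assumptions.

```ini
# --- /etc/systemd/system/ssh-tunnel-12345.socket (assumed unit name) ---
# systemd holds the listener; no SSH session exists until a client connects.
[Unit]
Description=On-demand SSH forward to server:12345

[Socket]
# Loopback only, so the forward is not reachable from other hosts.
ListenStream=127.0.0.1:12345
# Accept=yes: one ssh-tunnel-12345@<n>.service per accepted connection,
# with the connection (not the listening socket) handed to the service.
Accept=yes
# Bound the number of concurrent ssh sessions a misbehaving client can cause.
MaxConnections=16

[Install]
WantedBy=sockets.target

# --- /etc/systemd/system/ssh-tunnel-12345@.service (assumed template) ---
[Unit]
Description=SSH stdio forward to server:12345 for one connection
CollectMode=inactive-or-failed

[Service]
# StandardInput=socket makes the accepted connection ssh's stdin/stdout;
# -W relays that stream to localhost:12345 as seen from the server and
# implies -N and -T. BatchMode=yes never prompts (key auth only);
# StrictHostKeyChecking=yes requires the server's host key to already be
# in tunneluser's known_hosts, so a changed key fails closed.
ExecStart=/usr/bin/ssh \
    -o BatchMode=yes \
    -o StrictHostKeyChecking=yes \
    -o IdentitiesOnly=yes \
    -i /var/lib/ssh-tunnel/id_ed25519 \
    -W localhost:12345 user@server
StandardInput=socket
StandardOutput=socket
StandardError=journal
# Unprivileged account (assumed) whose key is authorized on the server; on
# the server side, restrict that key in authorized_keys with options such as
# permitopen="localhost:12345",no-pty so it can reach only this service.
User=tunneluser
```

Enable the socket unit rather than the service (`systemctl enable --now ssh-tunnel-12345.socket`); each client connection is its own SSH session that ends when the client disconnects, which is the trade-off for not keeping a shared -L tunnel open.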