[pve-devel] [PATCH v2 1/2] migrate: use ssh over socat provided UNIX socks as tunnel

Dietmar Maurer dietmar at proxmox.com
Tue May 31 17:59:01 CEST 2016


> > The Forward tunnel is a different channel in the SSH connection,
> > independent of the SSH `qm mtunnel` channel, so only if that works
> > it does not guarantee that our migration tunnel is up and ready.
> 
> And a simple -o "ExitOnForwardFailure=yes" does not solve this?

And it seems newer versions of ssh can do unix socket forwarding:

# man sshd_config
...
    AllowStreamLocalForwarding
             Specifies whether StreamLocal (Unix-domain socket) forwarding is
             permitted.  The available options are “yes” or “all” to allow
             StreamLocal forwarding, “no” to prevent all StreamLocal forwarding,
             “local” to allow local (from the perspective of ssh(1)) forwarding
             only or “remote” to allow remote forwarding only.  The default is
             “yes”.  Note that disabling StreamLocal forwarding does not improve
             security unless users are also denied shell access, as they can
             always install their own forwarders.


Would that help?