[pve-devel] [PATCH v2 1/2] migrate: use ssh over socat provided UNIX socks as tunnel

Thomas Lamprecht t.lamprecht at proxmox.com
Tue May 31 18:15:25 CEST 2016



On 31.05.2016 17:59, Dietmar Maurer wrote:
>>> The forward tunnel is a different channel in the SSH connection,
>>> independent of the SSH `qm mtunnel` channel, so just because that works
>>> it does not guarantee that our migration tunnel is up and ready.
>>
>> And a simple -o "ExitOnForwardFailure=yes" does not solve this?
>

No, this was the first thing I tried; while we see it as an error, for ssh itself our problem is not an error.
This would make the SSH connection exit if the forward tunnel could not be made at all, i.e. a binding at the given port already exists, but it does not make it build the tunnel earlier.

> And it seems newer versions of ssh can do unix socket forwarding:
>
> # man sshd_config
> ...
>     AllowStreamLocalForwarding
>             Specifies whether StreamLocal (Unix-domain socket) forwarding is
>             permitted.  The available options are “yes” or “all” to allow
>             StreamLocal forwarding, “no” to prevent all StreamLocal forwarding,
>             “local” to allow local (from the perspective of ssh(1)) forwarding
>             only or “remote” to allow remote forwarding only.  The default is
>             “yes”.  Note that disabling StreamLocal forwarding does not improve
>             security unless users are also denied shell access, as they can
>             always install their own forwarders.
>
>
> Would that help?
>

If the same tunnel mechanisms as with the TCP forwarding persist (which I guess is so) then no, but I will take a look at this tomorrow; maybe there the implementation is more rational.
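The point raised in this message is that the forwarding channel and the `qm mtunnel` command channel are independent, so a caller cannot take "ssh is up" as "the forward is ready". The following is an added shell example, not code from the patch or from the Proxmox project, that sketches the two pieces a caller would combine: building an ssh command for a UNIX-socket forward (with `ExitOnForwardFailure` and `StreamLocalBindUnlink`, which only govern bind failures and stale socket files, not readiness) and an explicit poll for the local socket to appear before anything is handed to it. The socket paths and host in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the pve-devel patch): build an ssh UNIX-socket forward
# and wait explicitly for the local endpoint before using it.

# Build the ssh command line for forwarding a local UNIX socket to a remote one.
# ExitOnForwardFailure makes ssh exit if the local bind fails (e.g. the path is
# taken); StreamLocalBindUnlink removes a stale socket file before binding.
# Neither option signals when the forward is actually usable.
build_tunnel_cmd() {
    local_sock=$1
    remote_sock=$2
    host=$3
    printf 'ssh -o ExitOnForwardFailure=yes -o StreamLocalBindUnlink=yes -o BatchMode=yes -N -L %s:%s %s' \
        "$local_sock" "$remote_sock" "$host"
}

# Poll until $1 exists as a UNIX socket or $2 seconds (default 10) have elapsed.
# A regular file at the path is not accepted. Returns 0 when ready, 1 on timeout.
wait_for_socket() {
    sock=$1
    timeout=${2:-10}
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -S "$sock" ]; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Usage (placeholder paths and host; requires a reachable sshd with StreamLocal forwarding):
#   cmd=$(build_tunnel_cmd /run/pve-migrate-local.sock /run/pve-migrate-remote.sock root@target-node)
#   $cmd &
#   wait_for_socket /run/pve-migrate-local.sock 30 || { echo "tunnel not ready" >&2; exit 1; }
```

The poll is deliberately separate from ssh's own exit status: a failed bind is reported by ssh exiting, while a not-yet-established forward is only detectable by checking the local endpoint itself.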