- millert@cvs.openbsd.org 2014/07/15 15:54:14

[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c] [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h] [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c] [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c] [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c] [sshd_config.5 sshlogin.c] Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. This is a reimplementation of the streamlocal patches by William Ahern from: http://www.25thandclement.com/~william/projects/streamlocal.html OK djm@ markus@
author: Damien Miller <djm@mindrot.org> 2014-07-18 14:11:24 +1000
committer: Damien Miller <djm@mindrot.org> 2014-07-18 14:11:24 +1000
commit: 7acefbbcbeab725420ea07397ae35992f505f702 (patch)
tree: bfb07917715d425438dab987a47ccd7a8d7f118b /sshd_config.5
parent: 6262d760e00714523633bd989d62e273a3dca99a (diff)
1 files changed, 49 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5
index 06fd62de7..f92084857 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.174 2014/07/03 22:40:43 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.175 2014/07/15 15:54:14 millert Exp $
-.Dd $Mdocdate: July 3 2014 $
+.Dd $Mdocdate: July 15 2014 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -140,6 +140,26 @@ The default is
 Note that disabling TCP forwarding does not improve security unless
 users are also denied shell access, as they can always install their
 own forwarders.
+.It Cm AllowStreamLocalForwarding
+Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
+The available options are
+.Dq yes
+or
+.Dq all
+to allow StreamLocal forwarding,
+.Dq no
+to prevent all StreamLocal forwarding,
+.Dq local
+to allow local (from the perspective of
+.Xr ssh 1 )
+forwarding only or
+.Dq remote
+to allow remote forwarding only.
+The default is
+.Dq yes .
+Note that disabling StreamLocal forwarding does not improve security unless
+users are also denied shell access, as they can always install their
+own forwarders.
 .It Cm AllowUsers
 This keyword can be followed by a list of user name patterns, separated
 by spaces.
@@ -1171,6 +1191,33 @@ This option applies to protocol version 1 only.
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
 The minimum value is 512, and the default is 1024.
+.It Cm StreamLocalBindMask
+Sets the octal file creation mode mask
+.Pq umask
+used when creating a Unix-domain socket file for local or remote
+port forwarding.
+This option is only used for port forwarding to a Unix-domain socket file.
+.Pp
+The default value is 0177, which creates a Unix-domain socket file that is
+readable and writable only by the owner.
+Note that not all operating systems honor the file mode on Unix-domain
+socket files.
+.It Cm StreamLocalBindUnlink
+Specifies whether to remove an existing Unix-domain socket file for local
+or remote port forwarding before creating a new one.
+If the socket file already exists and
+.Cm StreamLocalBindUnlink
+is not enabled,
+.Nm sshd
+will be unable to forward the port to the Unix-domain socket file.
+This option is only used for port forwarding to a Unix-domain socket file.
+.Pp
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
 .It Cm StrictModes
 Specifies whether
 .Xr sshd 8
author	Damien Miller <djm@mindrot.org>	2014-07-18 14:11:24 +1000
committer	Damien Miller <djm@mindrot.org>	2014-07-18 14:11:24 +1000
commit	7acefbbcbeab725420ea07397ae35992f505f702 (patch)
tree	bfb07917715d425438dab987a47ccd7a8d7f118b /sshd_config.5
parent	6262d760e00714523633bd989d62e273a3dca99a (diff)

diff --git a/sshd_config.5 b/sshd_config.5 index 06fd62de7..f92084857 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd_config.5,v 1.174 2014/07/03 22:40:43 djm Exp $	36	.\" $OpenBSD: sshd_config.5,v 1.175 2014/07/15 15:54:14 millert Exp $
37	.Dd $Mdocdate: July 3 2014 $	37	.Dd $Mdocdate: July 15 2014 $
38	.Dt SSHD_CONFIG 5	38	.Dt SSHD_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -140,6 +140,26 @@ The default is
140	Note that disabling TCP forwarding does not improve security unless	140	Note that disabling TCP forwarding does not improve security unless
141	users are also denied shell access, as they can always install their	141	users are also denied shell access, as they can always install their
142	own forwarders.	142	own forwarders.
		143	.It Cm AllowStreamLocalForwarding
		144	Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
		145	The available options are
		146	.Dq yes
		147	or
		148	.Dq all
		149	to allow StreamLocal forwarding,
		150	.Dq no
		151	to prevent all StreamLocal forwarding,
		152	.Dq local
		153	to allow local (from the perspective of
		154	.Xr ssh 1 )
		155	forwarding only or
		156	.Dq remote
		157	to allow remote forwarding only.
		158	The default is
		159	.Dq yes .
		160	Note that disabling StreamLocal forwarding does not improve security unless
		161	users are also denied shell access, as they can always install their
		162	own forwarders.
143	.It Cm AllowUsers	163	.It Cm AllowUsers
144	This keyword can be followed by a list of user name patterns, separated	164	This keyword can be followed by a list of user name patterns, separated
145	by spaces.	165	by spaces.
@@ -1171,6 +1191,33 @@ This option applies to protocol version 1 only.
1171	.It Cm ServerKeyBits	1191	.It Cm ServerKeyBits
1172	Defines the number of bits in the ephemeral protocol version 1 server key.	1192	Defines the number of bits in the ephemeral protocol version 1 server key.
1173	The minimum value is 512, and the default is 1024.	1193	The minimum value is 512, and the default is 1024.
		1194	.It Cm StreamLocalBindMask
		1195	Sets the octal file creation mode mask
		1196	.Pq umask
		1197	used when creating a Unix-domain socket file for local or remote
		1198	port forwarding.
		1199	This option is only used for port forwarding to a Unix-domain socket file.
		1200	.Pp
		1201	The default value is 0177, which creates a Unix-domain socket file that is
		1202	readable and writable only by the owner.
		1203	Note that not all operating systems honor the file mode on Unix-domain
		1204	socket files.
		1205	.It Cm StreamLocalBindUnlink
		1206	Specifies whether to remove an existing Unix-domain socket file for local
		1207	or remote port forwarding before creating a new one.
		1208	If the socket file already exists and
		1209	.Cm StreamLocalBindUnlink
		1210	is not enabled,
		1211	.Nm sshd
		1212	will be unable to forward the port to the Unix-domain socket file.
		1213	This option is only used for port forwarding to a Unix-domain socket file.
		1214	.Pp
		1215	The argument must be
		1216	.Dq yes
		1217	or
		1218	.Dq no .
		1219	The default is
		1220	.Dq no .
1174	.It Cm StrictModes	1221	.It Cm StrictModes
1175	Specifies whether	1222	Specifies whether
1176	.Xr sshd 8	1223	.Xr sshd 8