Subject: Re: agent support

From: Thomas Stover <thomas_at_wsinnovations.com>
Date: Thu, 17 Jun 2010 16:18:01 -0500

On Thu, 17 Jun 2010 22:38:26 +0200, Peter Stuge <peter_at_stuge.se> wrote:

> Your guess is basically correct. However, when the agent support was
> first added I asked for the exact details of how that unix socket is
> emulated in Cygwin and got a good explanation for it. It's not
> trivial to implement, but it's certainly possible for a native win32
> libssh2 to "reach" an emulated unix socket "inside" Cygwin.
>
> http://marc.info/?l=openssh-unix-dev&m=126113010114249

Wow great information! I've always wondered about that. The biggest
question to me is the credentials passing:
"
- Now send a second packet with your credentials. It's just a block
  of three 32 bit values in host byte order:

    uint32_t pid;
    uint32_t uid;
    uint32_t gid;"

how would a native win32 program figure out what values a cygwin program
is expecting?

> What would you like to have? I guess you already looked at dropbear?

I actually use dropbear in a large embedded deployment. My ssh server wish
list would roughly be:

1) full support for forwarding unix domain sockets

(example use case: password-less non-local postgresql connections)

2) some scheme for a "transient" credentials passing authentication on the
above where stuff like this can happen:

~a process Q running as an arbitrary user on machine A connects via ssh to
machine B as user root and runs remote process Y

~process Q listens for connection on a unix domain stream socket Z

~a user "blue" on machine A connects to socket Z

~process Q on machine A is aware via credentials passing that the
connecting user is "blue"

~process Y has a child or something that gets set to the UID/GID of
"blue", which then connects to forwarded unix domain socket on machine B

(this may not be necessary at all)

3) windows named pipe forwarding

4) the ability to mix unlike channels, examples:
~run remote process with stdio directed to local tcp port (inetd style)
~connect remote tcp port to forwarded unix domain socket

5) basically gene splice something like openssh and socat so you could
forward everything else too, devices etc

Sorry for getting completely off topic.

-- 
www.thomasstover.com
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2010-06-17
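The credentials block quoted above, worked through as an added example (this is not code from the libssh2 thread, from Cygwin, or from the mail's authors). The 12-byte block is packed exactly as quoted, three uint32 in host byte order, and exchanged over a 127.0.0.1 TCP pair standing in for an emulated AF_UNIX socket. Everything else is this example's own assumption: the server echoing its own block back, the "first packet" the quoted text implies is not reproduced, and the SO_PEERCRED part uses the real Linux socket option only to contrast kernel-supplied peer credentials with the self-reported block. The pid/uid/gid values are constructed.

```python
"""Added example for the pid/uid/gid credentials block quoted in the mail.
Not code from the libssh2 thread or from Cygwin; the server-side exchange
and the SO_PEERCRED contrast are this example's own additions."""
import os
import socket
import struct
import threading

# The block quoted in the mail: three 32-bit values in host byte order.
# '=' selects native byte order with standard sizes, so the block is
# exactly 12 bytes on every platform.  ('!III', network order, would be
# wrong for this protocol.)
CRED_FMT = "=III"
CRED_LEN = struct.calcsize(CRED_FMT)   # 12


def pack_creds(pid, uid, gid):
    """Serialize (pid, uid, gid) into the 12-byte credentials block."""
    return struct.pack(CRED_FMT, pid, uid, gid)


def unpack_creds(blob):
    """Parse a 12-byte credentials block; reject anything else."""
    if len(blob) != CRED_LEN:
        raise ValueError("credentials block must be %d bytes, got %d"
                         % (CRED_LEN, len(blob)))
    return struct.unpack(CRED_FMT, blob)


def recv_exact(sock, n):
    """Read exactly n bytes; TCP may deliver the block in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before sending %d bytes" % n)
        buf += chunk
    return buf


def exchange_creds(sock, mine):
    """Send our block, then read the peer's.  Both ends call this
    (assumption: the server answers with its own block)."""
    sock.sendall(pack_creds(*mine))
    return unpack_creds(recv_exact(sock, CRED_LEN))


def loopback_handshake(client_creds, server_creds):
    """Run the exchange over 127.0.0.1, the way an emulated AF_UNIX socket
    would.  Returns (what the server received, what the client received)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, like the emulation
    srv.listen(1)
    seen_by_server = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            seen_by_server.append(exchange_creds(conn, server_creds))

    t = threading.Thread(target=serve)
    t.start()
    with socket.create_connection(srv.getsockname()) as cli:
        seen_by_client = exchange_creds(cli, client_creds)
    t.join()
    srv.close()
    return seen_by_server[0], seen_by_client


def self_creds():
    """The values a local peer would be expected to present for us."""
    return os.getpid(), os.getuid(), os.getgid()


def kernel_peer_creds(sock):
    """On a real AF_UNIX socket (Linux), ask the kernel who the peer is
    instead of trusting a self-reported block.  None where unsupported."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    # struct ucred { pid_t pid; uid_t uid; gid_t gid; }: 12 bytes, native order
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("iII"))
    return struct.unpack("iII", raw)


def kernel_peer_creds_self():
    """Create an AF_UNIX socketpair and read our own credentials back
    from the other end; they should equal self_creds()."""
    if not hasattr(socket, "AF_UNIX"):
        return None
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with a, b:
        return kernel_peer_creds(b)


if __name__ == "__main__":
    # Constructed values: a client claiming pid 4242 as uid 1000 / gid 513,
    # talking to a server running as root.
    print(loopback_handshake((4242, 1000, 513), (1, 0, 0)))
    print(self_creds(), kernel_peer_creds_self())
```

The point the example makes is that the quoted block is self-reported: whatever the receiver does with it, the values come from the peer, so anything that can reach the loopback port can present any pid/uid/gid it likes, and a native win32 client would be guessing in the same way a Cygwin one asserts. On a real AF_UNIX socket the kernel answers the question instead, via SO_PEERCRED on Linux or getpeereid() on the BSDs, which is the kind of credentials passing the wish list's item 2 would need in order to learn that the connecting user is "blue".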