Bug 1366400

Summary: openssh-server doesn't support unix socket forwarding
Product: Red Hat Enterprise Linux 7
Component: openssh
Version: 7.2
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Christopher Tubbs <ctubbsii>
Assignee: Jakub Jelen <jjelen>
QA Contact: Stefan Dordevic <sdordevi>
CC: nmavrogi, sdordevi, szidek
Target Milestone: rc
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openssh-7.4p1-1.el7
Last Closed: 2017-08-01 18:42:47 UTC
Type: Bug
Bug Depends On: 1341754
Bug Blocks: 1377248

Description Christopher Tubbs 2016-08-11 21:24:15 UTC
Description of problem:

When attempting to forward a local socket from my Fedora workstation to an EL7 server, I get an error message:

"Warning: remote port forwarding failed for listen path /home/me/.gnupg/S.gpg-agent"

ssh -o "StreamLocalBindUnlink yes" -t -R $HOME/.gnupg/S.gpg-agent:/run/user/$(id -u)/gnupg/S.gpg-agent el7.example.com

It turns out that this feature wasn't added to openssh until 6.7, but EL7 still uses 6.6.

This feature is very useful in cloud development, where one must connect remote cloud resources with local machine resources without moving those local resources to the cloud.

It would be good to either update openssh or backport support for forwarding sockets.

Version-Release number of selected component (if applicable):
openssh-server-6.6.1p1-25.el7_2.x86_64

Comment 2 Jakub Jelen 2016-08-12 07:55:53 UTC
Thank you for filing the bug and investigating the case you are interested in. You are right. The feature is in openssh-6.7 and therefore not in RHEL7.

But bringing new features into RHEL needs proper justification, which is missing here. If you can provide proper business justification, please open a ticket with your regular Red Hat Support.

Comment 3 Christopher Tubbs 2016-08-12 22:48:04 UTC
As implied in the initial description, I think a primary use case is to improve security for cloud use cases by being able to forward gpg-agent securely, without having to trust the cloud provider to store a copy of the GPG credentials.

I imagine there are other useful applications related to cloud. This feature allows you to connect unix services remotely over SSH.

If by "proper business justification", you mean "who's paying the bill to motivate Red Hat to make the change?", I don't have one. I've provided a technical justification, which I think will benefit your EL7 customers, but I don't personally have a paid Red Hat support subscription.

Comment 4 Jakub Jelen 2016-09-06 09:44:26 UTC
This RFE would be solved by rebase to current upstream or by backport of several patches from upstream:

https://github.com/openssh/openssh-portable/commit/7acefbb (patch)
https://github.com/openssh/openssh-portable/commit/0e4e955 (tests)
https://github.com/openssh/openssh-portable/commit/a8a0f65 (documentation)
https://github.com/openssh/openssh-portable/commit/79ec214 (documentation)

Quite a large patch, but in openssh-6.7, therefore not much diverged from RHEL7. The patches also contain the regression test suite and documentation changes.

Comment 8 errata-xmlrpc 2017-08-01 18:42:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2029
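
Added example (not part of the original bug report or of OpenSSH): a shell check for the version boundary described in this report, where Unix socket forwarding needs OpenSSH 6.7 or later. The function name `supports_streamlocal` is hypothetical, and the sample strings other than the two package versions quoted in the report are constructed.

```shell
#!/bin/sh
# Added example. Returns 0 if the OpenSSH version found in "$1" is >= 6.7
# (the release that introduced Unix-domain socket forwarding), 1 if it is
# older, and 2 if no OpenSSH version can be found in the string.
# Assumption: only the advertised version is compared; a vendor build could
# carry a backport without changing that number.
supports_streamlocal() {
    # Accepts "OpenSSH_X.Y..." (banner, ssh -V) and "openssh[-server]-X.Y..." (RPM).
    ver=$(printf '%s\n' "$1" | sed -n \
        's/.*[Oo]pen[Ss][Ss][Hh][_-]\(server-\)\{0,1\}\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*/\2 \3/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 7 ]; }; then
        return 0
    fi
    return 1
}

# The first two strings come from this bug report; the rest are constructed samples.
while IFS= read -r sample; do
    rc=0
    supports_streamlocal "$sample" || rc=$?
    case $rc in
        0) echo "socket forwarding available: $sample" ;;
        1) echo "too old (needs >= 6.7):      $sample" ;;
        *) echo "not an OpenSSH version:      $sample" ;;
    esac
done <<'EOF'
openssh-server-6.6.1p1-25.el7_2.x86_64
openssh-7.4p1-1.el7
SSH-2.0-OpenSSH_6.7
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
SSH-2.0-dropbear_2016.74
EOF
```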