Bug 1366400 - openssh-server doesn't support unix socket forwarding
Summary: openssh-server doesn't support unix socket forwarding
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Jakub Jelen
QA Contact: Stefan Dordevic
URL:
Whiteboard:
Depends On: 1341754
Blocks: 1377248
Reported: 2016-08-11 21:24 UTC by Christopher Tubbs
Modified: 2017-08-01 18:42 UTC (History)

Fixed In Version: openssh-7.4p1-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 18:42:47 UTC
Target Upstream Version:


Links
System ID: Red Hat Product Errata RHSA-2017:2029
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: openssh security, bug fix, and enhancement update
Last Updated: 2017-08-01 18:11:55 UTC

Description Christopher Tubbs 2016-08-11 21:24:15 UTC
Description of problem:

When attempting to forward a local socket from my Fedora workstation to an EL7 server, I get an error message:

"Warning: remote port forwarding failed for listen path /home/me/.gnupg/S.gpg-agent"

ssh -o "StreamLocalBindUnlink yes" -t -R $HOME/.gnupg/S.gpg-agent:/run/user/$(id -u)/gnupg/S.gpg-agent el7.example.com

It turns out that this feature wasn't added to openssh until 6.7, but EL7 still uses 6.6.

This feature is very useful in cloud development, where one must connect remote cloud resources with local machine resources without moving those local resources to the cloud.

It would be good to either update openssh or backport support for forwarding sockets.

Version-Release number of selected component (if applicable):
openssh-server-6.6.1p1-25.el7_2.x86_64
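
Added example, not part of the original report or of OpenSSH: a shell check that applies the version boundary stated above (socket forwarding arrived in 6.7) to a package or banner string, and reads `sshd -T`-style output for the two sshd_config options that govern a `-R` socket forward, AllowStreamLocalForwarding and StreamLocalBindUnlink. The function names and sample inputs are constructed for illustration, and a version string is only a hint on distributions that backport features.

```shell
#!/bin/sh
# Added example: is Unix-domain socket forwarding available and usable for -R?

# streamlocal_supported VERSION
# Returns 0 if the major.minor found in VERSION is >= 6.7, 1 if older,
# 2 if no version number could be parsed. Accepts strings such as
# "OpenSSH_6.6.1p1" or "openssh-server-6.6.1p1-25.el7_2.x86_64".
streamlocal_supported() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 2
    set -- $v                      # $1 = major, $2 = minor
    [ "$1" -gt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -ge 7 ]; }
}

# remote_forward_status
# Reads effective server settings ("keyword value" lines, as printed by
# "sshd -T") on stdin and prints one of:
#   blocked            AllowStreamLocalForwarding forbids remote socket forwards
#   allowed-no-unlink  permitted, but an existing socket file at the listen
#                      path will not be removed, so the bind fails
#   allowed            permitted, and an existing socket file is replaced
remote_forward_status() {
    awk '
        BEGIN { allow = "yes"; unlnk = "no" }   # sshd defaults when unset
        { key = tolower($1); val = tolower($2) }
        key == "allowstreamlocalforwarding" { allow = val }
        key == "streamlocalbindunlink"      { unlnk = val }
        END {
            if (allow != "yes" && allow != "all" && allow != "remote")
                print "blocked"
            else if (unlnk != "yes")
                print "allowed-no-unlink"
            else
                print "allowed"
        }'
}

# Constructed samples: the package named in this report and the fixed build.
for pkg in openssh-server-6.6.1p1-25.el7_2.x86_64 openssh-7.4p1-1.el7; do
    if streamlocal_supported "$pkg"; then
        echo "$pkg: socket forwarding available"
    else
        echo "$pkg: socket forwarding not available"
    fi
done
printf 'allowstreamlocalforwarding yes\nstreamlocalbindunlink no\n' |
    remote_forward_status
```

For a remote (`-R`) forward the listening socket is created by sshd, so the server-side StreamLocalBindUnlink setting is the one that decides whether a stale socket file is replaced.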

Comment 2 Jakub Jelen 2016-08-12 07:55:53 UTC
Thank you for filing the bug and investigating the case you are interested in. You are right. The feature is in openssh-6.7 and therefore not in RHEL7.

But bringing new features into RHEL needs proper justification, which is missing here. If you can provide proper business justification, please open a ticket with your regular Red Hat Support.

Comment 3 Christopher Tubbs 2016-08-12 22:48:04 UTC
As implied in the initial description, I think a primary use case is to improve security for cloud use cases by being able to forward gpg-agent securely, without having to trust the cloud provider to store a copy of the GPG credentials.

I imagine there are other useful applications related to cloud. This feature allows you to connect unix services remotely over SSH.

If by "proper business justification", you mean "who's paying the bill to motivate Red Hat to make the change?", I don't have one. I've provided a technical justification, which I think will benefit your EL7 customers, but I don't personally have a paid Red Hat support subscription.

Comment 4 Jakub Jelen 2016-09-06 09:44:26 UTC
This RFE would be solved by rebase to current upstream or by backport of several patches from upstream:

https://github.com/openssh/openssh-portable/commit/7acefbb (patch)
https://github.com/openssh/openssh-portable/commit/0e4e955 (tests)
https://github.com/openssh/openssh-portable/commit/a8a0f65 (documentation)
https://github.com/openssh/openssh-portable/commit/79ec214 (documentation)

Quite a large patch, but in openssh-6.7, therefore not much diverged from RHEL7. The patches also contain the regression test suite and documentation changes.

Comment 8 errata-xmlrpc 2017-08-01 18:42:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2029