Red Hat Bugzilla – Bug 1366400
openssh-server doesn't support unix socket forwarding
Last modified: 2017-08-01 14:42:47 EDT
Description of problem:
When attempting to forward a local socket from my Fedora workstation to an EL7 server, I get an error message:

"Warning: remote port forwarding failed for listen path /home/me/.gnupg/S.gpg-agent"

    ssh -o "StreamLocalBindUnlink yes" -t -R $HOME/.gnupg/S.gpg-agent:/run/user/$(id -u)/gnupg/S.gpg-agent el7.example.com

It turns out that this feature wasn't added to openssh until 6.7, but EL7 still uses 6.6. This feature is very useful in cloud development, where one must connect remote cloud resources with local machine resources without moving those local resources to the cloud. It would be good to either update openssh or backport support for forwarding sockets.

Version-Release number of selected component (if applicable):
openssh-server-6.6.1p1-25.el7_2.x86_64
Thank you for filing the bug and investigating the case you are interested in. You are right. The feature is in openssh-6.7 and therefore not in RHEL7. But bringing new features into RHEL needs proper justification, which is missing here. If you can provide proper business justification, please open a ticket with your regular Red Hat Support.
As implied in the initial description, I think a primary use case is to improve security for cloud use cases by being able to forward gpg-agent securely, without having to trust the cloud provider to store a copy of the GPG credentials. I imagine there are other useful applications related to cloud. This feature allows you to connect unix services remotely over SSH. If by "proper business justification", you mean "who's paying the bill to motivate Red Hat to make the change?", I don't have one. I've provided a technical justification, which I think will benefit your EL7 customers, but I don't personally have a paid Red Hat support subscription.
This RFE would be solved by a rebase to current upstream or by a backport of several patches from upstream:

https://github.com/openssh/openssh-portable/commit/7acefbb (patch)
https://github.com/openssh/openssh-portable/commit/0e4e955 (tests)
https://github.com/openssh/openssh-portable/commit/a8a0f65 (documentation)
https://github.com/openssh/openssh-portable/commit/79ec214 (documentation)

Quite a large patch, but in openssh-6.7, therefore not much diverged from RHEL7. The patches also contain the regression test suite and documentation changes.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:2029
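A preflight check for the failure in the description, added here as an example and not taken from the bug report or from OpenSSH: it parses an SSH identification string or `ssh -V` output and reports whether the version is at least 6.7, the release the thread names for Unix socket forwarding. The function names and sample banners are constructed, and the version string is only a heuristic because a vendor may backport the feature into an older version number.

```shell
#!/bin/sh
# Added example: decide from an OpenSSH version string whether Unix-domain
# socket forwarding (introduced in 6.7 per the thread) should be available.

# Print "major minor" parsed from a string such as "SSH-2.0-OpenSSH_6.6.1"
# or "OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013". Prints nothing
# when the string does not carry an OpenSSH_<major>.<minor> token.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1
}

# Return 0 if the version is >= 6.7, 1 if it is older,
# 2 if the string is not recognisably OpenSSH.
supports_streamlocal() {
    ver=$(openssh_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 7 ]; }; then
        return 0
    fi
    return 1
}

# Constructed sample inputs (not captured from real hosts).
for banner in \
    'SSH-2.0-OpenSSH_6.6.1' \
    'OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013' \
    'SSH-2.0-OpenSSH_7.4' \
    'SSH-2.0-dropbear_2016.74'
do
    rc=0
    supports_streamlocal "$banner" || rc=$?
    case $rc in
        0) echo "supported:   $banner" ;;
        1) echo "too old:     $banner" ;;
        *) echo "not OpenSSH: $banner" ;;
    esac
done
```

The server's identification string is the first line it sends on connect, and the client's version comes from `ssh -V`; both ends need the feature for a `-R` socket forward to succeed.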