Re: Unix-domain port forwarding with openssh

From: Kyler Laird (Kyler@news.Lairds.org)
Date: 12/24/02


Jim Nance <jlnance@intrex.net> writes:

>I am writing a distributed application and I want to use ssh to
>take care of machine to machine communications.

That makes a lot of sense to me. (I do it often.)

>I can fairly easily make this work using ssh's port
>forwarding features.

Hmmmmm...why port forwarding?

>However, if I use TCP sockets, I have to worry
>about other users on the machine connecting to the forwarded ports.

Yup. That's the nature of port forwarding.

>If I was to use Unix domain sockets, I would be able to use file
>system permissions to keep unwanted people from accessing my sockets.
>This seems like a very logical use of forwarded ports and it seems
>like it would be an easy feature to add to ssh.

I like this idea - for other purposes though.

>So perhaps it's not as good an idea as I thought? Any thoughts
>about this?

Although I think your proposed solution is interesting, have you
already considered using simple SSH sessions (without forwarding
ports)? Instead of setting up an SSH session just to forward a
port, and then establishing sessions through the forwarded port to
your app's daemon, you could just run your app as an SSH command.

One of my favorite benefits of doing it this way is that you get
to eliminate a daemon. (I view daemons as security holes waiting
to be exploited.)

--kyler
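The pattern suggested above (the app itself as the SSH command, nothing listening on a forwarded port), as an added example that is not part of the original thread. The line-oriented ADD protocol, the `serve_lines` helper and the `Client` class are constructed for this illustration; the ssh invocation is the stock `ssh -T host command` form.

```python
"""Added example: the app runs as the remote SSH command instead of behind -L.
The server reads one request per line on stdin and answers on stdout, so it
exists only for the life of the SSH session and never listens on a TCP port
that other local users could connect to. The ADD protocol is constructed."""
import io
import subprocess
import sys

def serve(stdin, stdout):
    """Server side, launched as `ssh host <path-to-this-script>`."""
    for line in stdin:
        parts = line.split()
        if not parts:            # blank line or EOF ends the session
            break
        if parts[0] == "ADD" and len(parts) == 3:
            try:
                stdout.write(f"OK {int(parts[1]) + int(parts[2])}\n")
            except ValueError:
                stdout.write("ERR bad operand\n")
        else:
            stdout.write("ERR unknown\n")
        stdout.flush()

def serve_lines(requests):
    """Run serve() over in-memory request lines; returns the response lines."""
    out = io.StringIO()
    serve(io.StringIO("".join(r + "\n" for r in requests)), out)
    return out.getvalue().splitlines()

def remote_command(host, server_path):
    """Client's ssh invocation: the app itself is the command, no -L at all.
    Host keys and authentication come from the user's normal ssh config."""
    return ["ssh", "-T", host, server_path]

class Client:
    """Client side: speaks to the child's stdin/stdout. Pass remote_command(...)
    in production, or [sys.executable, __file__] to exercise it locally."""
    def __init__(self, argv):
        self.proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True)
    def add(self, a, b):
        self.proc.stdin.write(f"ADD {a} {b}\n")
        self.proc.stdin.flush()
        return self.proc.stdout.readline().rstrip("\n")
    def close(self):
        self.proc.stdin.close()      # EOF: server loop exits, session ends
        return self.proc.wait()

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Because the server only ever talks to the stdio of the session that spawned it, access control reduces to who is allowed to open an SSH session as that account, which is exactly the property the Unix-socket proposal was after.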
