ssh/tailssh: add support for forwarding unix sockets #12081
base: main
Updates tailscale#6232 Signed-off-by: Samuel Corsi-House <chouse.samuel@gmail.com>
// AllowLocalUnixForwarding, if true, allows accepted connections | ||
// to use local unix forwarding if requested. | ||
AllowLocalUnixForwarding bool `json:"allowLocalUnixForwarding,omitempty"` | ||
|
||
// AllowRemoteUnixForwarding, if true, allows accepted connections | ||
// to use remote unix forwarding if requested. | ||
AllowRemoteUnixForwarding bool `json:"allowRemoteUnixForwarding,omitempty"` | ||
|
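Review bot: the doc comments on AllowLocalUnixForwarding and AllowRemoteUnixForwarding should state what each direction does on the host, because remote unix forwarding means the server creates and listens on a filesystem path chosen by the connecting client, and a reader of the config struct cannot see that risk from "use remote unix forwarding if requested". Suggest something like `// AllowRemoteUnixForwarding, if true, lets an accepted client ask the server to listen on a unix socket path on this host and tunnel its connections back to the client.` The zero-value-false default with omitempty is the right safe default; say so in the comment so it is clear that omitting the key disables the feature.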
Not sure how to actually change these values on the client; could it be part of another project? Currently they seem to default to false.
Edit: Looking at Headscale's source code, I think it's part of the proprietary code that Tailscale uses.
return false, nil | ||
} | ||
|
||
if err := os.Chmod(addr, os.FileMode(0777)); err != nil { |
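Review bot: `os.Chmod(addr, os.FileMode(0777))` makes the forwarded socket connectable by every local user on the host, so for the GPG agent forwarding use case in the description any other account on the machine could talk to the forwarded agent. Restrict the socket to the session's user, e.g. `os.Chmod(addr, 0600)` (or 0660 only where group access is intended). Note also that chmod after listen leaves a short window in which the socket carries its umask-derived mode, so the robust fix is to create it inside a 0700 directory owned by the user and let the directory mode gate access; if the socket path can be somewhere shared like /tmp, that directory check is what actually matters.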
Is there a better permission that can be used on the socket?
closes #6232
Based on @deansheather's work at gliderlabs/ssh#196 and https://github.com/coder/coder/blob/2c0f653aa85ab4d2c4be410642776c772eb524ac/agent/agentssh/forward.go, this PR finally adds support for forwarding unix sockets. This allows workflows such as GPG agent forwarding to work.
Just as a side note, I'm not very familiar with networking and the security that comes with it, so this code will probably need to be modified to meet whatever requirements Tailscale has during review.
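As an added example, not code from this PR or from Tailscale, here is one way the server side could create a forwarded socket so that only the session's user can connect to it, which is the alternative to the 0777 chmod questioned in review; the helper name ListenPrivateUnix and the example path are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
)

// ListenPrivateUnix (hypothetical helper, not the PR's code) creates a unix
// socket reachable only by the current user: the parent directory must be
// 0700, a stale socket is replaced, and the socket is chmod'ed to 0600 right
// after listen. The directory mode covers the window between listen and chmod.
func ListenPrivateUnix(path string) (net.Listener, error) {
	dir := filepath.Dir(path)
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return nil, err
	}
	st, err := os.Stat(dir)
	if err != nil {
		return nil, err
	}
	if !st.IsDir() || st.Mode().Perm()&0o077 != 0 {
		return nil, fmt.Errorf("%s: mode %o is reachable by other users", dir, st.Mode().Perm())
	}
	// Replace only a leftover socket; any other file at the path is left alone so Listen fails.
	if old, err := os.Lstat(path); err == nil && old.Mode()&os.ModeSocket != 0 {
		os.Remove(path)
	}
	ln, err := net.Listen("unix", path) // created as 0777 &^ umask
	if err != nil {
		return nil, err
	}
	if err := os.Chmod(path, 0o600); err != nil {
		ln.Close()
		return nil, err
	}
	return ln, nil
}

func main() {
	ln, err := ListenPrivateUnix(filepath.Join(os.TempDir(), "fwd-example", "agent.sock"))
	if err == nil {
		ln.Close()
	}
	fmt.Println("result:", err)
}
```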