[systemd-devel] lazy forwarding of ssh ports
Igor Bukanov
2013-01-28 21:40:28 UTC
I would like to forward-on-demand a local port to remote one over ssh.
Currently as a hack I use a socket unit with accept=yes together with
a service template unit that looks like:

[Service]
ExecStart=-/usr/bin/ssh options server nc localhost port
StandardInput=socket

This works, but is rather inefficient. The data are first copied to
systemd, which copies them to ssh, which forwards them to the nc command
running on the remote host, which finally sends the data to the port.

It would be much better to use ssh -L port-forwarding option to avoid
all those extra data copies. Unfortunately ssh with its -L option does
not support inetd-style socket passing and always binds itself.

I suppose I can try to patch ssh to support that, but perhaps there is
some magic option in systemd that allows redirecting the accept
request to a new listening socket that ssh creates with its -L option?
Mantas Mikulėnas
2013-01-28 23:26:02 UTC
Post by Igor Bukanov
I would like to forward-on-demand a local port to remote one over ssh.
Currently as a hack I use a socket unit with accept=yes together with
[Service]
ExecStart=-/usr/bin/ssh options server nc localhost port
StandardInput=socket
This works, but is rather inefficient. The data are first copied to
systemd, which copies them to ssh, which forwards them to the nc command
running on the remote host, which finally sends the data to the port.
systemd only handles accepting connections, but does not copy any
data – ssh's stdin & stdout are attached directly to the socket.
Post by Igor Bukanov
It would be much better to use ssh -L port-forwarding option to avoid
all those extra data copies. Unfortunately ssh with its -L option does
not support inetd-style socket passing and always binds itself.
I suppose I can try to patch ssh to support that, but perhaps there is
some magic option in systemd that allows redirecting the accept
request to a new listening socket that ssh creates with its -L option?
No, there is no such magic.

--
Mantas Mikulėnas
Mantas Mikulėnas
2013-02-03 22:08:51 UTC
Post by Mantas Mikulėnas
systemd only handles accepting connections, but does not copy any
data – ssh's stdin & stdout are attached directly to the socket.
Right, how could I have missed that the socket<->stdio binding happens in the
kernel, which knows how to transfer packets efficiently...
So the whole setup is not that bad. I just wish that I could avoid the
nc command on the server and that ssh had an option to connect to a socket
directly without netcat involvement. But this has nothing to do with
systemd.
Apparently, ssh has an option "-W host:port" to do just that.

--
Mantas Mikulėnas
Igor Bukanov
2013-02-04 14:15:29 UTC
Thanks again! I had completely missed this new feature of ssh.
Post by Mantas Mikulėnas
Post by Mantas Mikulėnas
systemd only handles accepting connections, but does not copy any
data – ssh's stdin & stdout are attached directly to the socket.
Right, how could I have missed that the socket<->stdio binding happens in the
kernel, which knows how to transfer packets efficiently...
So the whole setup is not that bad. I just wish that I could avoid the
nc command on the server and that ssh had an option to connect to a socket
directly without netcat involvement. But this has nothing to do with
systemd.
Apparently, ssh has an option "-W host:port" to do just that.
--
Mantas Mikulėnas
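The setup the thread converges on, written out as a complete pair of units. This is an added example, not configuration posted by either participant: the unit names, the local port 8080, the host remote-host, the remote port 80, the user forwarduser and the key and known_hosts paths are all assumptions. The socket unit accepts each connection inetd-style and hands it to one instance of the template, which runs ssh -W so the accepted socket is wired straight to the remote port with no nc on the far side.

```ini
# ssh-forward.socket  (constructed example; names, ports and paths are assumptions)
[Unit]
Description=Lazy SSH forward, local 127.0.0.1:8080 -> remote-host:80

[Socket]
# Bind to loopback only so the forward cannot be reached from the network.
ListenStream=127.0.0.1:8080
# inetd style: one ssh-forward@.service instance per accepted connection;
# cap the fan-out so a connection flood cannot spawn unbounded ssh processes.
Accept=yes
MaxConnections=16

[Install]
WantedBy=sockets.target

# ssh-forward@.service  (template; instantiated per connection by the socket above)
[Unit]
Description=SSH forward for connection %i

[Service]
# -W hands stdin/stdout (the accepted socket) to localhost:80 on remote-host
# over the SSH channel, so no nc is needed on the remote host.
# BatchMode refuses to prompt (there is no tty under systemd);
# ExitOnForwardFailure is implied by -W and spelled out here for clarity;
# the leading '-' keeps a refused connection from being recorded as a unit failure.
ExecStart=-/usr/bin/ssh -o BatchMode=yes -o ExitOnForwardFailure=yes \
    -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ssh/forward_known_hosts \
    -i /etc/ssh/forward_key -l forwarduser -W localhost:80 remote-host
# stdin and stdout are the accepted connection itself; the kernel moves the bytes,
# systemd never touches the payload.
StandardInput=socket
StandardOutput=socket
# Keep ssh's own diagnostics out of the forwarded byte stream.
StandardError=journal
# Run as an unprivileged local account that owns the read-only forward_key.
User=forwarduser
```

Pinning the host key via UserKnownHostsFile with StrictHostKeyChecking=yes matters here because every accepted connection starts a fresh, non-interactive ssh that can never answer a host-key prompt.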