ssh -N -T -oExitOnForwardFailure=yes -L 3306:localhost:3306 remoteuser@mysqlserver.example
But sometimes, the remote service runs on a UNIX-domain socket, not on a TCP socket -- for example, debian's default configuration for postgresql is to have it listen only on a UNIX domain socket in /var/run/postgresql, and use SO_PEERCRED with a simple system account == psql account mapping scheme to authenticate users without needing any extra credentials. This is not quite as simple to forward over ssh, but it's doable as long as socat is installed on both your local host and on the remote postgres server.
Here's one way to do it if $SOCKET_DIR points to the full path of a directory under the user's control (this is all one command, split across lines for easier reading):
socat "UNIX-LISTEN:$SOCKET_DIR/.s.PGSQL.5432,reuseaddr,fork" \ EXEC:'ssh remoteuser@psqlserver.example socat STDIO UNIX-CONNECT\:/var/run/postgresql/.s.PGSQL.5432'Then, you'd connect with something like:
psql "user=remoteuser host=$SOCKET_DIR"Each such psql connection will trigger an ssh connection to be made. Of course, this won't work well if ssh has to prompt for passwords, but you should be using ssh-agent anyway, right?
There are at least a couple nice features of being able to use postgresql from a local client like this:
[ Parent | Reply to this comment ]
If the X server itself is listening on TCP, it knows that it is listening on the network and can apply different rules and policy based on that fact.
If you use socat proxy the network in to the X server, it assumes that each inbound connection is coming from your account. You're basically inviting anyone who decides to connect to port 6000 on your computer to execute arbitrary code as your user. This strikes me as a Bad Idea.
The reason my postgresql + ssh + socat example above is different is that ssh is authenticating the connections, and the traffic itself is encrypted and integrity-checked. So arbitrary network attackers can't DROP TABLES on me ;)
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
i'd be a little wary about forwarding gpg-agent to a remote host, though -- that would mean that anyone with control over the remote account (including the administrator of that machine) could get unfettered access to the material stored in the gpg-agent. This is could be mitigated by having the gpg-agent prompt the user for accepted use, but this appears to be a contentious issue for gpg (i think it would be a fine idea).
Note also that gpg-agent in its 1.x and 2.0.x versions doesn't actually cache the secret key material for OpenPGP certifications. It only caches passphrases, and the gpg binary itself needs to have access to the encrypted secret key, which it can unlock with the passphrase it fetches from the agent. This makes it not terribly useful for forwarding gpg-agent over the network, because you'd need to distribute your secret key to the remote system as well (yikes!)
Werner Koch has said that gpg 2.1 will move all secret key handling directly into the agent, though, which makes your proposed approach seem more useful to me.
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
Did you know that SSH already has code to forward Unix sockets? This code is used only for the specific case of X11 forwarding, but it is there.
Unfortunately there is no interface to ask for generic socket forwarding, which would allow things like your PostgreSQL forwarding, PulseAudio forwarding and so on. Here your trick comes handy. Thanks!
[ Parent | Reply to this comment ]