Diffstat (limited to 'posts/unix-domain-socket-forwarding-with-openssh.md')
-rw-r--r-- posts/unix-domain-socket-forwarding-with-openssh.md | 6
1 files changed, 3 insertions, 3 deletions
diff --git a/posts/unix-domain-socket-forwarding-with-openssh.md b/posts/unix-domain-socket-forwarding-with-openssh.md
index 295b0c2..f06846b 100644
--- a/posts/unix-domain-socket-forwarding-with-openssh.md
+++ b/posts/unix-domain-socket-forwarding-with-openssh.md
@@ -56,7 +56,7 @@ For example, the following command uses the infamous [netcat](https://nc110.sour
As far as I know, you have two practical options to control access to forwardings:
1. Add user-specific rules to your firewall of choice, if supported.
-For example, the [owner module](http://ipset.netfilter.org/iptables-extensions.man.html#lbBP) of [`iptables(8)`](http://ipset.netfilter.org/iptables.man.html) enables you to match the user ID and the group ID of a local packet creator.
+For example, the [owner module](https://ipset.netfilter.org/iptables-extensions.man.html#lbBP) of [`iptables(8)`](https://ipset.netfilter.org/iptables.man.html) enables you to match the user ID and the group ID of a local packet creator.
1. Use [Unix domain sockets](https://en.wikipedia.org/w/index.php?title=Unix_domain_socket&oldid=949050080) instead of TCP ports, and protect the special socket files just like regular files --- i.e., set the file owner, group, and mode using [`chown(8)`](https://man.openbsd.org/OpenBSD-6.6/chown) and [`chmod(1)`](https://man.openbsd.org/OpenBSD-6.6/chmod).
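Review bot: on the `+` line, the owner-module link still depends on the `#lbBP` fragment, which looks like a generated man-page anchor and may move when that page is regenerated. Both netfilter.org links only change scheme here, so please confirm the fragment still lands on the owner module section over https. If it does not, link to the top of the extensions page and let the "owner module" link text guide the reader.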
@@ -130,7 +130,7 @@ Finally, a client may connect to this socket as follows --- regardless of how we
$ curl http://localhost:3000/
Unfortunately, [`ssh(1)`](https://man.openbsd.org/OpenBSD-6.6/ssh)'s `ExitOnForwardFailure` option does not catch missing permissions to access the socket file.
-Thus, if the final [`curl(1)`](https://curl.haxx.se/docs/manpage.html) command fails and you cannot actually use the forwarding, please check the group and the mode of the socket file created by [`socat(1)`](http://www.dest-unreach.org/socat/doc/socat.html) on the remote host.
+Thus, if the final [`curl(1)`](https://curl.se/docs/manpage.html) command fails and you cannot actually use the forwarding, please check the group and the mode of the socket file created by [`socat(1)`](http://www.dest-unreach.org/socat/doc/socat.html) on the remote host.
You can set the group and mode using the corresponding `UNIX-LISTEN` options.
## Conclusion
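Review bot: the `+` line moves the `curl(1)` link to `https://curl.se/` but leaves the `socat(1)` link in the same sentence at `http://www.dest-unreach.org/socat/doc/socat.html`. Since this commit is otherwise switching links to https and current hosts, either update that link too if the host serves the page over https, or leave a short note in the commit message on why it stays on plain http. While touching this paragraph, it would also help to name the `UNIX-LISTEN` options for group and mode in the following line, because the text says `ExitOnForwardFailure` will not surface a permissions problem and the reader is sent to check them by hand.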
@@ -168,6 +168,6 @@ You can restrict the socket's file name by forcing a special command instead of
$ nc -lkU foo.sock 0<backpipe \
| nc 127.0.0.1 8080 1>backpipe
- However, in practice, the second command did not work reliably on [OpenBSD 6.6](https://www.openbsd.org/66.html) and [Arch Linux](https://www.archlinux.org/) in June 2020.
+ However, in practice, the second command did not work reliably on [OpenBSD 6.6](https://www.openbsd.org/66.html) and [Arch Linux](https://archlinux.org/) in June 2020.
I suspect, it's got something to do with an early EOF or standard output buffering.
Please drop me a mail if you can help me out.
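Review bot: on the `+` line, the Arch Linux link points at the distribution home page, so unlike the OpenBSD 6.6 link beside it, it does not pin down what was tested. For a "did not work reliably ... in June 2020" statement on a rolling release, consider adding the `nc` variant or package version to the sentence so a reader can tell whether the report still applies to their system. The URL change itself (dropping `www.`) is fine.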
Generated by cgit. See skreutz.com for my tech blog and contact information.