Discussion:
Non-root tun-over-ssh?
John Klos
2011-09-19 23:41:51 UTC
Hi,

I've set up and used tunnels over ssh in many places and they're very
useful. However, sometimes I'd like to be able to use them without needing
root. I tried changing ownership of tun devices to another user, but sshd
doesn't like that:

channel 0: open failed: administratively prohibited: open failed

Does anyone know how I can use tunnels over OpenSSH with non-root users?

Thanks,
John Klos

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Chuck Swiger
2011-09-19 23:45:00 UTC
Post by John Klos
channel 0: open failed: administratively prohibited: open failed
Does anyone know how I can use tunnels over OpenSSH with non-root users?
Use sudo?

Setting up a tunnel involves changing the routing table, which should only be done by something with superuser permissions (regardless of the ownership of /dev/tun* devices)...

Regards,
--
-Chuck


John Klos
2011-09-20 00:41:21 UTC
Post by Chuck Swiger
Post by John Klos
Does anyone know how I can use tunnels over OpenSSH with non-root users?
Use sudo?
Setting up a tunnel involves changing the routing table, which should
only be done by something with superuser permissions (regardless of the
ownership of /dev/tun* devices)...
The issue is that the connecting machine is often outside of my physical
control after it's set up, so I'd rather not have root equivalency between
the connecting machine and the routing machine. I'd rather an unprivileged
user have an account which can own a tunnel, but that's all - I can have
an suid script actually configure the tunnel and add routes.

Creating just a tunnel without configuring it shouldn't change the routing
table, and changing ownership of the device in /dev/ is a pretty common
thing (like giving serial ports to different people on a multiport serial
card for accessing their own machine). I just don't know how OpenSSH can
be configured to link the tunnel to the tun interface after seeing that
ownership allows it.

Thanks,
John

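John's idea above (an unprivileged account owns the tunnel, a privileged helper does the configuring) is normally done with a narrow sudoers rule rather than an suid script. This added example, not from the thread, is such a helper: it validates the tun unit number and both point-to-point addresses before it emits or executes the ifconfig command; the sudoers line, the tun0..tun3 limit and the 10.99.0.x range are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a helper run through a narrow sudoers
# rule so the account that owns /dev/tunN can bring the interface up without
# getting a root shell. Assumed sudoers line:
#   tunuser ALL=(root) NOPASSWD: /usr/local/sbin/tun-up 0 *
# Arguments are validated before any privileged command is emitted.

TUN_MAX=3             # assumption: only tun0..tun3 are delegated
LOCAL_NET=10.99.0     # assumption: constructed point-to-point range

# Unit must be a plain small integer: rejects "", "0;id", "../tun0" and 99.
valid_unit() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le "$TUN_MAX" ]
}

# Address must be LOCAL_NET.H with 1 <= H <= 254 and nothing trailing.
valid_addr() {
    case "$1" in
        "$LOCAL_NET".*) ;;
        *) return 1 ;;
    esac
    host=${1#"$LOCAL_NET".}
    case "$host" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$host" -ge 1 ] && [ "$host" -le 254 ]
}

# Print the single privileged command for unit/local/remote (BSD ifconfig
# syntax; the point-to-point config installs the host route itself).
tun_commands() {
    unit=$1 local_ip=$2 remote_ip=$3
    valid_unit "$unit" || { echo "rejected unit: $unit" >&2; return 1; }
    valid_addr "$local_ip" && valid_addr "$remote_ip" \
        || { echo "rejected address" >&2; return 1; }
    [ "$local_ip" != "$remote_ip" ] \
        || { echo "local and remote are equal" >&2; return 1; }
    printf 'ifconfig tun%s %s %s up\n' "$unit" "$local_ip" "$remote_ip"
}

# Run for real only when invoked with arguments (via sudo); log who did it.
if [ $# -gt 0 ]; then
    cmd=$(tun_commands "$@") || exit 1
    logger -t tun-up "${SUDO_USER:-?} -> $cmd"
    exec $cmd
fi
```

Run without arguments the script only defines the functions, so the validators can be exercised from another shell file.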
Scott Solmonson
2011-09-20 01:51:31 UTC
Maybe I'm missing something- or maybe two things.

OpenSSH "tunnels" are app-level things, and have nothing to do with
the tun interface.
And ideally, the routing table should be untouched as well.
This requires either apps that have flexible connection settings (most
do) or the use of a tcpwrapper/netcat kind of program.

If this is not what you want at all, and you're talking about what I
think you might be, then OpenVPN is the solution :)

-SS
--
NUNQUAM NON PARATUS
John Klos
2011-09-20 03:04:02 UTC
Post by Scott Solmonson
Maybe I'm missing something- or maybe two things.
OpenSSH "tunnels" are app-level things, and have nothing to do with
the tun interface.
You're right that the most common use of ssh for tunnels is for
individual ports, but OpenSSH also has the ability to set up a
point-to-point tunnel. You can read more about it here:

http://bodhizazen.net/Tutorials/VPN-Over-SSH

and here:

http://blog.brixandersen.dk/?p=47

It works well and lets me get real IPv6 wherever I go, plus in some places
I route using real public IPs which can be used to present services, do
NAT, et cetera.
Post by Scott Solmonson
And ideally, the routing table should be untouched as well.
This requires either apps that have flexible connection settings (most
do) or the use of a tcpwrapper/netcat kind of program.
The creation of tun0 (or tun whatever number) doesn't touch the routing
table, but making tun0 useful does. I just want to do ssh -w0:0 as a
non-root user and worry about the rest later.
Post by Scott Solmonson
If this is not what you want at all, and you're talking about what I
think you might be, then OpenVPN is the solution :)
Hmmm... Looks interesting. I'll have to play with it.

Thanks,
John

Scott Solmonson
2011-09-20 03:42:19 UTC
Hmm- reading both of those things makes me a bit ... squiggly.

"I just want to do ssh -w0:0 as a non-root user and worry about the rest later."

What you're talking about is a (user/UUID)-specific abstracted
object->network layer that all your applications can flow through,
which AFAIK has only been weakly conceptualized and barely implemented
in even the most esoteric Plan-9 kinds of operating systems.
Feel like inventing something?

-SS
--
NUNQUAM NON PARATUS
Gert Doering
2011-09-20 08:00:03 UTC
Hi,
Post by John Klos
Post by Scott Solmonson
If this is not what you want at all, and you're talking about what I
think you might be, then OpenVPN is the solution :)
Hmmm... Looks interesting. I'll have to play with it.
Won't change the problem - it opens a /dev/tunX device, ifconfigs IPv4
(and IPv6 in -current) on it, and forwards packets over the SSL link.

But you'd still need root access on the client end, and you need to have
an openvpn daemon running on the server side - so if you already have
ssh+tun, OpenVPN is "just a different protocol to do the same thing",
but it won't solve your non-root-issue.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de

Michael van Elst
2011-09-21 20:30:10 UTC
Post by Scott Solmonson
OpenSSH "tunnels" are app-level things, and have nothing to do with
the tun interface.
Recent SSH can do real network tunnels using the tun interface.
--
Michael van Elst
Internet: ***@serpens.de
"A potential Snark may lurk in every tree."
