Jon
2010-Aug-14 14:45 UTC
bind_address ignored? as in "ssh -R [bind_address]:12491:127.0.0.1:500"
No answers on secureshell at securityfocus.com

I must be doing something wrong or the server seems to ignore my bind request.

Port forwarding is working; it just binds to all IPs and ignores my bind request. I've also tried this with an RFC1918 address as opposed to a loopback and had the same results.

Google and the archive haven't helped.

Thanks in advance for your time and consideration.

-server-
uname -a
Linux example.com 2.6.18-128.7.1.el5xen #1 SMP Mon Aug 24 10:08:55 EDT 2009 i686 i686 i386 GNU/Linux
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

-sshd_config-
AllowTcpForwarding yes
GatewayPorts yes

-from other system-
ssh -R 127.0.0.10:12491:127.0.0.1:5000 foo at example.com

-messages-
Aug 12 16:22:45 xxx sshd[1440]: debug1: server_input_global_request: tcpip-forward listen 127.0.0.10 port 12491
Aug 12 16:22:45 xxx sshd[1440]: debug1: Local forwarding listening on :: port 12491.
Aug 12 16:22:45 xxx sshd[1440]: debug1: channel 0: new [port listener]
Aug 12 16:22:45 xxx sshd[1440]: debug1: Local forwarding listening on 0.0.0.0 port 12491.
Aug 12 16:22:45 xxx sshd[1440]: error: bind: Address already in use

-check-
netstat -an | grep 12491
tcp        0      0 :::12491                    :::*                        LISTEN

Okay, that didn't work; let's see if "GatewayPorts" is related.

-sshd_config-
AllowTcpForwarding yes
GatewayPorts no

-from other system-
ssh -R 127.0.0.10:12491:127.0.0.1:5000 foo at example.com

-messages-
Aug 12 16:25:26 xxx sshd[1578]: debug1: Local forwarding listening on 127.0.0.1 port 12491.
Aug 12 16:25:26 xxx sshd[1578]: debug1: channel 0: new [port listener]
Aug 12 16:25:26 xxx sshd[1578]: debug1: Local forwarding listening on ::1 port 12491.

-check-
netstat -an | grep 12491
tcp        0      0 127.0.0.1:12491             0.0.0.0:*                   LISTEN
tcp        0      0 ::1:12491                   :::*                        LISTEN

-networking-
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.xxx  Mask:255.255.252.0
          inet6 addr: fe80::216:3eff:fe6b:1e1d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:33160 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1240 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2158440 (2.0 MiB)  TX bytes:228786 (223.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:124 errors:0 dropped:0 overruns:0 frame:0
          TX packets:124 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:11631 (11.3 KiB)  TX bytes:11631 (11.3 KiB)

lo:1      Link encap:Local Loopback
          inet addr:127.0.0.10  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

-check-
ping 127.0.0.10
PING 127.0.0.10 (127.0.0.10) 56(84) bytes of data.
64 bytes from 127.0.0.10: icmp_seq=1 ttl=64 time=0.025 ms

-check-
ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.024 ms

-from man-
GatewayPorts
        Specifies whether remote hosts are allowed to connect to ports
        forwarded for the client.  By default, sshd binds remote port
        forwardings to the loopback address.  This prevents other remote
        hosts from connecting to forwarded ports.  GatewayPorts can be used
        to specify that sshd should allow remote port forwardings to bind
        to non-loopback addresses, thus allowing other hosts to connect.
        The argument may be "no" to force remote port forwardings to be
        available to the local host only, "yes" to force remote port
        forwardings to bind to the wildcard address, or "clientspecified"
        to allow the client to select the address to which the forwarding
        is bound.  The default is "no".
Damien Miller
2010-Aug-14 20:55 UTC
bind_address ignored? as in "ssh -R [bind_address]:12491:127.0.0.1:500"
you want GatewayPorts=clientspecified on the server.

On Sat, 14 Aug 2010, Jon wrote:

> No answers on secureshell at securityfocus.com
>
> I must be doing something wrong or the server seems to ignore my bind request.
>
> Port forwarding is working; it just binds to all IPs and ignores my bind
> request. I've also tried this with an RFC1918 address as opposed to a
> loopback and had the same results.
>
> Google and the archive haven't helped.
>
> Thanks in advance for your time and consideration.
>
> -server-
> uname -a
> Linux example.com 2.6.18-128.7.1.el5xen #1 SMP Mon Aug 24 10:08:55 EDT 2009 i686 i686 i386 GNU/Linux
> OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>
> -sshd_config-
> AllowTcpForwarding yes
> GatewayPorts yes
>
> -from other system-
> ssh -R 127.0.0.10:12491:127.0.0.1:5000 foo at example.com
>
> -messages-
> Aug 12 16:22:45 xxx sshd[1440]: debug1: server_input_global_request: tcpip-forward listen 127.0.0.10 port 12491
> Aug 12 16:22:45 xxx sshd[1440]: debug1: Local forwarding listening on :: port 12491.
> Aug 12 16:22:45 xxx sshd[1440]: debug1: channel 0: new [port listener]
> Aug 12 16:22:45 xxx sshd[1440]: debug1: Local forwarding listening on 0.0.0.0 port 12491.
> Aug 12 16:22:45 xxx sshd[1440]: error: bind: Address already in use
>
> -check-
> netstat -an | grep 12491
> tcp        0      0 :::12491                    :::*                        LISTEN
>
> Okay, that didn't work; let's see if "GatewayPorts" is related.
>
> -sshd_config-
> AllowTcpForwarding yes
> GatewayPorts no
>
> -from other system-
> ssh -R 127.0.0.10:12491:127.0.0.1:5000 foo at example.com
>
> -messages-
> Aug 12 16:25:26 xxx sshd[1578]: debug1: Local forwarding listening on 127.0.0.1 port 12491.
> Aug 12 16:25:26 xxx sshd[1578]: debug1: channel 0: new [port listener]
> Aug 12 16:25:26 xxx sshd[1578]: debug1: Local forwarding listening on ::1 port 12491.
>
> -check-
> netstat -an | grep 12491
> tcp        0      0 127.0.0.1:12491             0.0.0.0:*                   LISTEN
> tcp        0      0 ::1:12491                   :::*                        LISTEN
>
> -networking-
> eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
>           inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.xxx  Mask:255.255.252.0
>           inet6 addr: fe80::216:3eff:fe6b:1e1d/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:33160 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1240 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:2158440 (2.0 MiB)  TX bytes:228786 (223.4 KiB)
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:124 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:124 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:11631 (11.3 KiB)  TX bytes:11631 (11.3 KiB)
>
> lo:1      Link encap:Local Loopback
>           inet addr:127.0.0.10  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>
> -check-
> ping 127.0.0.10
> PING 127.0.0.10 (127.0.0.10) 56(84) bytes of data.
> 64 bytes from 127.0.0.10: icmp_seq=1 ttl=64 time=0.025 ms
>
> -check-
> ping 127.0.0.1
> PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
> 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.024 ms
>
> -from man-
> GatewayPorts
>         Specifies whether remote hosts are allowed to connect to ports
>         forwarded for the client.  By default, sshd binds remote port
>         forwardings to the loopback address.  This prevents other remote
>         hosts from connecting to forwarded ports.  GatewayPorts can be used
>         to specify that sshd should allow remote port forwardings to bind
>         to non-loopback addresses, thus allowing other hosts to connect.
>         The argument may be "no" to force remote port forwardings to be
>         available to the local host only, "yes" to force remote port
>         forwardings to bind to the wildcard address, or "clientspecified"
>         to allow the client to select the address to which the forwarding
>         is bound.  The default is "no".
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
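
Added example (not part of the thread and not OpenSSH project code): a Python check that pairs each "tcpip-forward listen" request in sshd debug output with the address sshd actually bound, so a forward that was requested on one address but ended up on the wildcard address stands out. The log format is the one quoted in the thread; the pid 1578 request line and the pid 1702 session are constructed to show the "no" and "clientspecified" outcomes.

```python
import re
from collections import defaultdict

# Sample sshd debug1 output in the format quoted in the thread. The pid 1440
# lines and the pid 1578 "listening" lines are from the thread; the pid 1578
# request line and the whole pid 1702 session are constructed.
SAMPLE_LOG = """\
Aug 12 16:22:45 xxx sshd[1440]: debug1: server_input_global_request: tcpip-forward listen 127.0.0.10 port 12491
Aug 12 16:22:45 xxx sshd[1440]: debug1: Local forwarding listening on :: port 12491.
Aug 12 16:22:45 xxx sshd[1440]: debug1: Local forwarding listening on 0.0.0.0 port 12491.
Aug 12 16:25:26 xxx sshd[1578]: debug1: server_input_global_request: tcpip-forward listen 127.0.0.10 port 12491
Aug 12 16:25:26 xxx sshd[1578]: debug1: Local forwarding listening on 127.0.0.1 port 12491.
Aug 12 16:25:26 xxx sshd[1578]: debug1: Local forwarding listening on ::1 port 12491.
Aug 12 16:30:02 xxx sshd[1702]: debug1: server_input_global_request: tcpip-forward listen 127.0.0.10 port 12491
Aug 12 16:30:02 xxx sshd[1702]: debug1: Local forwarding listening on 127.0.0.10 port 12491.
"""

REQ = re.compile(r"sshd\[(\d+)\]: debug1: server_input_global_request: "
                 r"tcpip-forward listen (\S+) port (\d+)")
LSN = re.compile(r"sshd\[(\d+)\]: debug1: Local forwarding listening on (\S+) port (\d+)")
WILDCARD = {"0.0.0.0", "::"}


def audit_forwards(log_text):
    """Return (pid, port, requested, bound, verdict) for each forward request."""
    requested = {}             # (pid, port) -> address the client asked for
    bound = defaultdict(list)  # (pid, port) -> addresses sshd listened on
    for line in log_text.splitlines():
        if m := REQ.search(line):
            requested[(m[1], int(m[3]))] = m[2]
        elif m := LSN.search(line):
            bound[(m[1], int(m[3]))].append(m[2])
    findings = []
    for (pid, port), want in requested.items():
        got = bound.get((pid, port), [])
        if want in got:
            verdict = "honoured"
        elif WILDCARD & set(got):
            verdict = "overridden-wildcard"  # reachable on every interface
        elif got:
            verdict = "overridden"           # bound, but not where requested
        else:
            verdict = "no-listener"
        findings.append((pid, port, want, got, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_forwards(SAMPLE_LOG):
        print(finding)
```
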