openssh bugs - Nov 2003 - [Bug 756] sshd does not support global request cancel-tcpip-forward

http://bugzilla.mindrot.org/show_bug.cgi?id=756

           Summary: sshd does not support global request cancel-tcpip-
                    forward
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: z3p at twistedmatrix.com


The SSHv2 connection draft specifies a global request
'cancel-tcpip-forward'
which will cancel a remote->local TCP/IP forwarding connection.  sshd does
not
understand this request.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=756





------- Additional Comments From djm at mindrot.org  2003-11-08 21:32 -------
Created an attachment (id=494)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=494&action=view)
Attempt at cancel-tcpip-forward support

Please give this diff a try.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=756





------- Additional Comments From z3p at twistedmatrix.com  2003-11-09 17:35
-------
Nope.  It appears that the issue is that channel_cancel_rport_listener only
closes open remote->local forwarding channels.  If there are no channels open
for forwarding, then nothing happens.  What should happen is that the socket
listening on the remote port should be closed so that attempts to connect to
that port fail.  As it stands, remote->local forwarding requests are still
passed on to the client even after cancel-tcpip-forward.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=756





------- Additional Comments From markus at openbsd.org  2003-11-11 14:33 -------
are you sure? the patch looks ok to me, since
only the listen socket will
have type SSH_CHANNEL_RPORT_LISTENER.
forwarded connections will have a different type.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=756





------- Additional Comments From z3p at twistedmatrix.com  2003-11-11 15:59
-------
Yes, I've tried the patch and the problem still exists.  Netstat shows the
listening socket before and after the cancel-tcpip-forward, and the server still
passes on a forwarded-tcpip request to the client.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=756





------- Additional Comments From djm at mindrot.org  2003-11-17 04:44 -------
Please attach a debug output "sshd -d -d -d" from a patch sshd,
receiving a
cancel message.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=756





------- Additional Comments From z3p at twistedmatrix.com  2003-11-21 09:31
-------
Created an attachment (id=505)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=505&action=view)
Log of a connection with cancel-tcpip-forwarding




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=756





------- Additional Comments From djm at mindrot.org  2003-11-21 16:56 -------
hm, try cancelling 127.0.0.1:8080 - unless you have GatewayPorts=yes



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=756





------- Additional Comments From z3p at twistedmatrix.com  2003-11-22 00:01
-------
The log shows that I ask for forwarding to be listening on all  interfaces by
binding to '0.0.0.0'.  If sshd ignores this and binds to 127.0.0.1, how
else do
I indicate ports to listen on all interfaces? 



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=756





------- Additional Comments From djm at mindrot.org  2003-11-22 00:06 -------
You specify GatewayPorts=yes on the server. This is off by default as server
administrators may not want random users to be able to listen on arbitrary
high-numbered ports.

I'll probably correct the patch so that it closes the forwardings based on
the
original forward request rather than the listening address, but I'd like to
see
if it works first. Does it work if you ask to cancel 127.0.0.1:8080?



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=756





------- Additional Comments From z3p at twistedmatrix.com  2003-11-22 00:48
-------
Nope, doesn't work even I cancel forwarding for 127.0.0.1:1080.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.