bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-07 08:27 UTC
[Bug 1804] New: ssh option -R 127.0.0.2:10443:<dest ip>:443 does not work
https://bugzilla.mindrot.org/show_bug.cgi?id=1804
Summary: ssh option -R 127.0.0.2:10443:<dest ip>:443 does not work
Product: Portable OpenSSH
Version: 5.5p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: Walter.Pfannenmueller at siemens.com
Starting ssh with the option
-R 127.0.0.2:10443:<dest ip>:443
results in opening listeners on the <dest ip> with listener ip
127.0.0.1, ::1 and not 127.0.0.2
Adding the following code to
channels.c after line 2660
} else if (host) {
addr = listen_addr;
results in having the sshd start the 127.0.0.2 listener.
Maybe there has to be some check against the
GatewayPorts option as well.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-07 17:17 UTC
[Bug 1804] ssh option -R 127.0.0.2:10443:<dest ip>:443 does not work
https://bugzilla.mindrot.org/show_bug.cgi?id=1804
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
What is the setting of GatewayPorts on the server?
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-08 08:08 UTC
[Bug 1804] ssh option -R 127.0.0.2:10443:<dest ip>:443 does not work
https://bugzilla.mindrot.org/show_bug.cgi?id=1804
--- Comment #2 from Walter.Pfannenmueller at siemens.com ---
It is the default setting:
#GatewayPorts no
Client command:
ssh -R 127.0.0.2:10000:<whatever>:443 target
yields on the target
tcp 0 0 127.0.0.1:10000 0.0.0.0:* LISTEN
Setting GatewayPorts yes
results in
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
Therefore I prefer "no".
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-08 08:21 UTC
[Bug 1804] ssh option -R 127.0.0.2:10443:<dest ip>:443 does not work
https://bugzilla.mindrot.org/show_bug.cgi?id=1804
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #3 from Darren Tucker <dtucker at zip.com.au> ---
You want "GatewayPorts clientspecified".
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-08 08:43 UTC
[Bug 1804] ssh option -R 127.0.0.2:10443:<dest ip>:443 does not work
https://bugzilla.mindrot.org/show_bug.cgi?id=1804
--- Comment #4 from Walter.Pfannenmueller at siemens.com ---
I'm not sure.
Just reading the ssh man pages for -R
-R [bind_address:]port:host:hostport
....
Specifying a remote bind_address will only succeed if the
server's GatewayPorts option is enabled (see
sshd_config(5)).
tells me my specified bind_address will only succeed if
GatewayPorts is enabled.
But this means all port forwarding will result in global listeners
on the target machine. This is not what I want.
Therefore a suggestion for a solution might be:
GatewayPorts no:
Allow and use
bind_address only if it is a localhost (e.g. 127.*) address.
GatewayPorts yes:
just use bind_address.
But you probably should change the man pages as well, then.
Please tell me if I'm totally wrong.
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-08 16:37 UTC
[Bug 1804] ssh option -R 127.0.0.2:10443:<dest ip>:443 does not work
https://bugzilla.mindrot.org/show_bug.cgi?id=1804
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
from sshd_config(5):
> GatewayPorts
> Specifies whether remote hosts are allowed to connect to ports
> forwarded for the client. By default, sshd(8) binds remote port
> forwardings to the loopback address. This prevents other remote
> hosts from connecting to forwarded ports. GatewayPorts can be
> used to specify that sshd should allow remote port forwardings to
> bind to non-loopback addresses, thus allowing other hosts to
> connect. The argument may be ``no'' to force remote port
> forwardings to be available to the local host only, ``yes'' to
> force remote port forwardings to bind to the wildcard address, or
> ``clientspecified'' to allow the client to select the address to
> which the forwarding is bound. The default is ``no''.
Have you tried setting GatewayPorts=clientspecified? It does exactly
what you are asking for.
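A check for the bind behaviour discussed in this thread, as an added example that is not part of the bug report or of OpenSSH: it classifies `netstat -tln`-style listener lines as loopback, wildcard or specific, so forwarded ports reachable from other hosts stand out. The function names, sample lines and the 192.0.2.10 address are constructed for illustration; input is assumed to be `netstat -tln` output without the `-p` column.

```shell
#!/bin/sh
# Added example: classify listening sockets by how widely they are reachable.
# Input on stdin: lines shaped like "proto recv-q send-q local foreign state".

# Print "port address kind" for each LISTEN line.
classify_listeners() {
    awk '
    $6 == "LISTEN" {
        la = $4
        port = la; sub(/.*:/, "", port)             # text after the last colon
        addr = substr(la, 1, length(la) - length(port) - 1)
        gsub(/^\[|\]$/, "", addr)                   # ss prints IPv6 as [::1]
        if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            kind = "wildcard"                       # every interface
        else if (addr ~ /^127\./ || addr == "::1")
            kind = "loopback"                       # 127.0.0.0/8 or ::1
        else
            kind = "specific"                       # one non-loopback address
        print port, addr, kind
    }'
}

# Print, space separated, the ports that other hosts can connect to.
exposed_ports() {
    classify_listeners | awk '$3 != "loopback" { print $1 }' |
        sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample, modelled on the netstat lines quoted in comment #2.
SAMPLE='tcp 0 0 127.0.0.1:10000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.2:10443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10001 0.0.0.0:* LISTEN
tcp6 0 0 ::1:10000 :::* LISTEN
tcp 0 0 192.0.2.10:10002 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:22 127.0.0.1:51000 ESTABLISHED'

printf '%s\n' "$SAMPLE" | classify_listeners
printf 'exposed: %s\n' "$(printf '%s\n' "$SAMPLE" | exposed_ports)"
```

On a live host, pipe `netstat -tln` into `exposed_ports` in place of the sample.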
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-08 17:52 UTC
[Bug 1804] ssh option -R 127.0.0.2:10443:<dest ip>:443 does not work
https://bugzilla.mindrot.org/show_bug.cgi?id=1804
Walter.Pfannenmueller at siemens.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
--- Comment #6 from Walter.Pfannenmueller at siemens.com ---
I tried it now and it does work as I expect. Thanks a lot.
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-27 00:28 UTC
[Bug 1804] ssh option -R 127.0.0.2:10443:<dest ip>:443 does not work
https://bugzilla.mindrot.org/show_bug.cgi?id=1804
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #7 from Darren Tucker <dtucker at zip.com.au> ---
With the release of OpenSSH 5.6p1 this bug is now considered closed.
If you have further problems please reopen or file a new bug as
appropriate.