openssh bugs - Sep 2015 - [Bug 2473] New: sshd and -R port forwardings on 127.0.0.0/8

https://bugzilla.mindrot.org/show_bug.cgi?id=2473

            Bug ID: 2473
           Summary: sshd and -R port forwardings on 127.0.0.0/8
           Product: Portable OpenSSH
           Version: 6.6p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: florianhilgenberg at googlemail.com

Hello,

we are trying to connect several devices to one master node in the mid.
For this szenario we need some remote forwardings by ssh where each
satellite node should establish a socket on another 127.0.0.0/8 address
but each time the same port.
Now it looks like we are going to be forced to 127.0.0.1 as long as we
have GatewayPorts set to "no" by default.

More explainations:
client A is going to open a channel by:
autossh -i privkey -R 127.0.0.2:2222:127.0.0.1:22 user at host
client B is going to open a channel by:
autossh -i privkey -R 127.0.0.3:2222:127.0.0.1:22 user at host
client C is going to open a channel by:
autossh -i privkey -R 127.0.0.4:2222:127.0.0.1:22 user at host

But none of this clients is going to work this way as sshd is going to
force each socket to 127.0.0.1.

This works well if I set GatewayPorts to clientspecified.

The documentation states: 
GatewayPorts can be used to specify that sshd should allow remote port
forwardings to bind to non-loopback addresses, thus allowing other
hosts to connect.  

tl;dr;
Is it supposed by you to have sshd going to refuse a listening socket
on other lo addresses than 127.0.0.1?

Best regards,
Florian

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2473

florianhilgenberg at googlemail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|enhancement                 |normal

--- Comment #1 from florianhilgenberg at googlemail.com ---
I have concerns about security with set GatewayPorts to other settings
than no.
So I am going to increase the importance on this issue.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2473

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 2720
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2720&action=edit
add GatewayPortsAddresses option

Maybe we could provide a filter to take a list of allowed bind
addresses. E.g.

GatewayPorts clientspecified
GatewayPortsAddresses 127.0.0.0/8,2033::/24

untested patch attached.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2473

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2473

Gerik Bonaert <gbo at escaux.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gbo at escaux.com

--- Comment #3 from Gerik Bonaert <gbo at escaux.com> ---
I have tested this patch against the version of OpenSSH distributed in
Ubuntu 16.04 (7.2p2). It works quite well, but I had to make some small
changes:

On line 1353, I believe it should be:

if (arg == NULL || *arg == '\0') 

instead of:

if (arg == NULL || *arg != '\0') 

I was also wondering why we cannot enforce these limitations for the
loopback addresses as well?

if (type == SSH_CHANNEL_RPORT_LISTENER && !is_loopback &&
    fwd_opts->gateway_ports_explicit != NULL &&
    addr_match_cidr_list(ntop,
    fwd_opts->gateway_ports_explicit) != 1) {

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2473

Jaime <jaime.higgins at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jaime.higgins at gmail.com

--- Comment #4 from Jaime <jaime.higgins at gmail.com> ---
Hello,

Wanted to comment that I too have found this bug.  It still exists in
the most recent sshd servers I have available to me to try this on (at
work).

Unfortunately, recompiling the server from edited source code isn't an
option for me - nor is editing the server's config file (work's
security restrictions).  It seems like Gerik has a solution that could
be included in future releases.  Is there any chance this could get
assigned to someone [much more competent/capable than I] so it could be
pulled into future releases?

I have to end by saying:  Holy cow you guys are awesome for
coding/developing sshd so well!  Thank you so much!

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.