bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-26 20:07 UTC
[Bug 2473] New: sshd and -R port forwardings on 127.0.0.0/8
https://bugzilla.mindrot.org/show_bug.cgi?id=2473 Bug ID: 2473 Summary: sshd and -R port forwardings on 127.0.0.0/8 Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: florianhilgenberg at googlemail.com Hello, we are trying to connect several devices to one master node in the mid. For this szenario we need some remote forwardings by ssh where each satellite node should establish a socket on another 127.0.0.0/8 address but each time the same port. Now it looks like we are going to be forced to 127.0.0.1 as long as we have GatewayPorts set to "no" by default. More explainations: client A is going to open a channel by: autossh -i privkey -R 127.0.0.2:2222:127.0.0.1:22 user at host client B is going to open a channel by: autossh -i privkey -R 127.0.0.3:2222:127.0.0.1:22 user at host client C is going to open a channel by: autossh -i privkey -R 127.0.0.4:2222:127.0.0.1:22 user at host But none of this clients is going to work this way as sshd is going to force each socket to 127.0.0.1. This works well if I set GatewayPorts to clientspecified. The documentation states: GatewayPorts can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. tl;dr; Is it supposed by you to have sshd going to refuse a listening socket on other lo addresses than 127.0.0.1? Best regards, Florian -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Sep-26 20:36 UTC
[Bug 2473] sshd and -R port forwardings on 127.0.0.0/8
https://bugzilla.mindrot.org/show_bug.cgi?id=2473 florianhilgenberg at googlemail.com changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|enhancement |normal --- Comment #1 from florianhilgenberg at googlemail.com --- I have concerns about security with set GatewayPorts to other settings than no. So I am going to increase the importance on this issue. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Oct-05 18:52 UTC
[Bug 2473] sshd and -R port forwardings on 127.0.0.0/8
https://bugzilla.mindrot.org/show_bug.cgi?id=2473 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org --- Comment #2 from Damien Miller <djm at mindrot.org> --- Created attachment 2720 --> https://bugzilla.mindrot.org/attachment.cgi?id=2720&action=edit add GatewayPortsAddresses option Maybe we could provide a filter to take a list of allowed bind addresses. E.g. GatewayPorts clientspecified GatewayPortsAddresses 127.0.0.0/8,2033::/24 untested patch attached. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Oct-05 18:52 UTC
[Bug 2473] sshd and -R port forwardings on 127.0.0.0/8
https://bugzilla.mindrot.org/show_bug.cgi?id=2473 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |enhancement -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-May-02 11:14 UTC
[Bug 2473] sshd and -R port forwardings on 127.0.0.0/8
https://bugzilla.mindrot.org/show_bug.cgi?id=2473 Gerik Bonaert <gbo at escaux.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |gbo at escaux.com --- Comment #3 from Gerik Bonaert <gbo at escaux.com> --- I have tested this patch against the version of OpenSSH distributed in Ubuntu 16.04 (7.2p2). It works quite well, but I had to make some small changes: On line 1353, I believe it should be: if (arg == NULL || *arg == '\0') instead of: if (arg == NULL || *arg != '\0') I was also wondering why we cannot enforce these limitations for the loopback addresses as well? if (type == SSH_CHANNEL_RPORT_LISTENER && !is_loopback && fwd_opts->gateway_ports_explicit != NULL && addr_match_cidr_list(ntop, fwd_opts->gateway_ports_explicit) != 1) { -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Mar-06 15:48 UTC
[Bug 2473] sshd and -R port forwardings on 127.0.0.0/8
https://bugzilla.mindrot.org/show_bug.cgi?id=2473 Jaime <jaime.higgins at gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jaime.higgins at gmail.com --- Comment #4 from Jaime <jaime.higgins at gmail.com> --- Hello, Wanted to comment that I too have found this bug. It still exists in the most recent sshd servers I have available to me to try this on (at work). Unfortunately, recompiling the server from edited source code isn't an option for me - nor is editing the server's config file (work's security restrictions). It seems like Gerik has a solution that could be included in future releases. Is there any chance this could get assigned to someone [much more competent/capable than I] so it could be pulled into future releases? I have to end by saying: Holy cow you guys are awesome for coding/developing sshd so well! Thank you so much! -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.