I have the following line in the sshd_config file:
GatewayPorts no
If I launch the ssh client like this:
ssh -l user host -R 9000:otherHost:25
the port forwarding is successful! :-( As you can see, the
'netstat -na' command shows the Secure Shell daemon listening
on port 9000.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN
I've checked the code and the only use of the "gateway_ports" variable
is when calling the getaddrinfo function (inside
channel_request_local_forwarding).
The right behaviour should be to deny the port forwarding request,
shouldn't it?
Any help? BTW, I'm using openssh-2.2.0p1 on Linux (RedHat).
Thanks in advance,
Jose
_______________________________________________________________________________
Jose A. Rodriguez OOO Universitat Politecnica de Catalunya (UPC)
josear at ac.upc.es OOO Departament d'Arquitectura de Computadors
Tel. 6990 OOO -*- LCAC -*-
UPC
> The right behaviour should be to deny the port forwarding request,
> shouldn't it?

No. From the sshd man page:

    GatewayPorts
        Specifies whether remote hosts are allowed to connect to ports
        forwarded for the client. The argument must be ``yes'' or
        ``no''. The default is ``no''.

GatewayPorts does not control whether port-forwarding requests are
accepted or not; it controls which addresses are bound for listening.
If it is "yes," SSH listens on all interfaces; if "no," only the
loopback.

--
Richard Silverman
slade at shore.net
On Mon, Oct 09, 2000 at 02:19:02PM +0200, Jose A. Rodriguez wrote:
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN
>
> I've checked the code and the only use of the "gateway_ports" variable
> is when calling the getaddrinfo function (inside
> channel_request_local_forwarding).

in ssh1 channel_request_local_forwarding() is re-used by sshd.

>
> The right behaviour should be to deny the port forwarding request,
> shouldn't it?

you can see above that sshd only listens on 127.0.0.1:9000, and this is
what 'GatewayPorts no' means. right now there is no option for turning
off -R/-L style forwarding in the server config.

-markus
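The check Markus does by eye above (is the forwarded port bound only to loopback, as 'GatewayPorts no' promises?) as a small script. This is an added example, not code from the thread or from OpenSSH: it reads the first GatewayPorts value from an sshd_config the way sshd does (first obtained value wins, default "no"), derives the address sshd is expected to bind for a -R listener, and compares that with what 'netstat -na' actually shows. The sshd_config and netstat text are constructed samples; the 0.0.0.0:9001 line is made up to show what a listener exposed to other hosts looks like.

```python
"""Audit whether ssh -R remote forwards are reachable from other hosts.

Added example, not code from the openssh-dev thread or from OpenSSH.
Inputs are constructed samples modelled on the thread, not captured data.
"""
import re

# Constructed sample sshd_config (not from a real host).
SAMPLE_SSHD_CONFIG = """\
# sshd_config (sample)
Port 22
GatewayPorts no
X11Forwarding yes
"""

# Constructed 'netstat -na' output. Port 9000 is the loopback-only
# listener from the thread; 0.0.0.0:9001 is invented to show the exposed case.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9001            0.0.0.0:*               LISTEN
"""

LOOPBACK = ("127.0.0.1", "::1", "[::1]")


def gateway_ports(sshd_config):
    """Effective GatewayPorts value ("yes"/"no"). sshd uses the first
    occurrence of a keyword; the documented default is "no"."""
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(?i)GatewayPorts\s+(\S+)", line)
        if m:
            return m.group(1).lower()
    return "no"


def expected_bind(gw):
    """Address sshd binds for a -R listener: all interfaces only with
    GatewayPorts yes, otherwise loopback."""
    return "0.0.0.0" if gw == "yes" else "127.0.0.1"


def listening_sockets(netstat_output):
    """Map local port -> bound address for every 'tcp ... LISTEN' line."""
    sockets = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue                                   # header or non-listening line
        addr, _, port = fields[3].rpartition(":")      # works for IPv4 and ':::22'
        sockets[int(port)] = addr
    return sockets


def audit(sshd_config, netstat_output, ports):
    """For each forwarded port return (bound_address, exposed_to_remote_hosts,
    matches_config). A port with no listener yields (None, False, False)."""
    want = expected_bind(gateway_ports(sshd_config))
    bound = listening_sockets(netstat_output)
    report = {}
    for port in ports:
        addr = bound.get(port)
        if addr is None:
            report[port] = (None, False, False)        # forward never established
        else:
            report[port] = (addr, addr not in LOOPBACK, addr == want)
    return report


if __name__ == "__main__":
    for port, (addr, exposed, ok) in audit(SAMPLE_SSHD_CONFIG, SAMPLE_NETSTAT,
                                           [9000, 9001, 9002]).items():
        print(port, addr, "EXPOSED" if exposed else "loopback-only",
              "matches GatewayPorts" if ok else "MISMATCH")
```

With the thread's own netstat line the script reports 9000 as loopback-only and consistent with 'GatewayPorts no', which is the point Richard and Markus make: the forward is accepted, but only reachable from the server itself. A 0.0.0.0 binding with 'GatewayPorts no' would be flagged as a mismatch worth investigating.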