Hi. OpenSSH 2.3.0p1 exhibits the following behavior on Linux 2.2.5. I
believe this is a bug. Can anyone else replicate this?

On any given SSH machine (let's call it 'test'), start ssh like
this:

./ssh -L2526:mail.blah.com:25 -f mail.blah.com sleep 1000

(where mail.blah.com is some machine running sendmail, you have a login
account, etc.)

In a just world (and this works with f-secure SSH1), you should be able to
do this on test:

telnet 127.0.0.1 2526

and connect to mail.blah.com port 25 over the secure channel. This works.

But if I am sitting on -some other machine- and type:

telnet test.blah.com 2526

the connection should be rejected -unless- I have given ssh the -g option
(again, this works 'right' with f-secure ssh1). OpenSSH accepts
non-local connections whether or not I give the -g option. This is pretty
broken. Put another way: ssh is clearly binding to addresses other than
localhost, even without the -g option.

I am looking for feedback to determine:
1) Is this bug repeatable for others on Linux?
2) Is it repeatable on other OS's?
3) Am I simply misunderstanding the use of this feature completely, and
this is not in fact a bug? If so, I'd like an example of correct use.

I'm not on the list, so carbon copies would be appreciated.

Thanks!

Peter Berger
Network Dilettante
http://peterb.telerama.com

On Mon, 20 Nov 2000, Peter Berger wrote:
> Hi. OpenSSH 2.3.0p1 exhibits the following behavior on Linux 2.2.5. I
> believe this is a bug. Can anyone else replicate this?
>
> On any given SSH machine (let's call it 'test'), start ssh like
> this:
>
> ./ssh -L2526:mail.blah.com:25 -f mail.blah.com sleep 1000
>
> (where mail.blah.com is some machine running sendmail, you have a login
> account, etc.)
>
> In a just world (and this works with f-secure SSH1), you should be able to
> do this on test:
>
> telnet 127.0.0.1 2526
>
> and connect to mail.blah.com port 25 over the secure channel. This works.
>
> But if I am sitting on -some other machine- and type:
>
> telnet test.blah.com 2526

Works fine for me (RHL 7.0, 2.4 kernel, the latest ssh-2.3.0p2 snapshot;
also tested RHL 6.0, 2.2.16-3 kernel, ssh-2.3.0p1):

---
debug: Connections to local port 2526 forwarded to remote address netcore.fi:25
debug: Local forwarding listening on 127.0.0.1 port 2456.
---

---
tcp 0 0 127.0.0.1:2526 0.0.0.0:* LISTEN
---

You haven't defined GatewayPorts in ssh configuration by mistake, have you?

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi   not those you stumble over and fall"

Yes, I had GatewayPorts set to 'no' -- this is clearly not a bug in ssh,
but in the version of Linux I'm using. When I debugged, ssh was binding to
0.0.0.0. Oh well. We shouldn't be using Linux as a firewall anyway.

-p

On Mon, 20 Nov 2000, Jarno Huuskonen wrote:
> On Mon, Nov 20, Peter Berger wrote:
> >
> >
> > Hi. OpenSSH 2.3.0p1 exhibits the following behavior on Linux 2.2.5. I
> > believe this is a bug. Can anyone else replicate this?
> >
> > On any given SSH machine (let's call it 'test'), start ssh like
> > this:
> >
> > ./ssh -L2526:mail.blah.com:25 -f mail.blah.com sleep 1000
> >
> > (where mail.blah.com is some machine running sendmail, you have a login
> > account, etc.)
> >
> > In a just world (and this works with f-secure SSH1), you should be able to
> > do this on test:
> >
> > telnet 127.0.0.1 2526
> >
> > and connect to mail.blah.com port 25 over the secure channel. This works.
> >
> > But if I am sitting on -some other machine- and type:
> >
> > telnet test.blah.com 2526
> >
> > the connection should be rejected -unless- I have given ssh the -g option
> > (again, this works 'right' with f-secure ssh1). OpenSSH accepts
> > non-local connections whether or not I give the -g option. This is pretty
> > broken. Put another way: ssh is clearly binding to addresses other than
> > localhost, even without the -g option.
>
> I couldn't reproduce this. For me OpenSSH 2.3.0p1 works correctly.
> You can use lsof -i tcp to check what processes are listening. For me
> I can see
> ssh 29854 jhuuskon 7u IPv4 215895 TCP localhost:5000 (LISTEN)
> when using ssh -L5000:xxx:110 or whatever.
>
> Did you check your/system ssh_config ?
> Does it have GatewayPorts set to yes ?
>
> -Jarno
>
> --
> Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi
> University of Kuopio - Computer Centre | Work: +358 17 162822
> PO BOX 1627, 70211 Kuopio, Finland     | Mobile: +358 40 5388169
>

On Mon, 20 Nov 2000, Peter Berger wrote:
>
>
> Hi. OpenSSH 2.3.0p1 exhibits the following behavior on Linux 2.2.5. I
> believe this is a bug. Can anyone else replicate this?
>
> On any given SSH machine (let's call it 'test'), start ssh like
> this:
>
> ./ssh -L2526:mail.blah.com:25 -f mail.blah.com sleep 1000
>
> (where mail.blah.com is some machine running sendmail, you have a login
> account, etc.)
>
> In a just world (and this works with f-secure SSH1), you should be able to
> do this on test:
>
> telnet 127.0.0.1 2526
>
> and connect to mail.blah.com port 25 over the secure channel. This works.
>
> But if I am sitting on -some other machine- and type:
>
> telnet test.blah.com 2526
>
> the connection should be rejected -unless- I have given ssh the -g option
> (again, this works 'right' with f-secure ssh1). OpenSSH accepts
> non-local connections whether or not I give the -g option. This is pretty
> broken. Put another way: ssh is clearly binding to addresses other than
> localhost, even without the -g option.
>
> I am looking for feedback to determine:
> 1) Is this bug repeatable for others on Linux?

I am unable to repeat this problem on Linux with the current snapshot,
nor on OpenSSH-2.1 as shipped with OpenBSD 2.7.

Do you have a 'GatewayPorts yes' in your ssh_config or ~/.ssh/config?

Regards,
Damien Miller

--
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the | <djm at mindrot.org>
| works of Shakespeare. Now, thanks to the Internet,  /
| we know this is not true.'' - Robert Wilensky UCB  / http://www.mindrot.org
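
The check the replies in this thread suggest (look at which address the forward is actually listening on), written as an added example that is not part of the original messages: a filter over `ss -ltnp` output that reports ssh client listeners bound to anything other than loopback. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list ssh client forwards that listen
# on a non-loopback address. Reads `ss -ltnp` output on stdin and prints
# "port bind-address pid" for each exposed listener.

exposed_ssh_forwards() {
    awk '
    $1 != "LISTEN" { next }                  # skip the header and other states
    !match($0, /"ssh",pid=[0-9]+/) { next }  # ssh client only; "sshd" does not match
    {
        pid = substr($0, RSTART + 10, RLENGTH - 10)
        addr = $4; port = $4
        sub(/:[^:]*$/, "", addr)             # bind address: text before the last colon
        sub(/.*:/, "", port)                 # port: text after the last colon
        # 127.0.0.0/8 and ::1 are reachable only from this host.
        if (addr ~ /^127\./ || addr == "[::1]") next
        print port, addr, pid
    }'
}

# Constructed sample listing: one loopback-only forward (IPv4 and IPv6),
# one forward bound to the wildcard address, and the sshd daemon itself.
sample_listing() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128        127.0.0.1:5000      0.0.0.0:*     users:(("ssh",pid=29854,fd=7))
LISTEN 0      128          0.0.0.0:2526      0.0.0.0:*     users:(("ssh",pid=30111,fd=4))
LISTEN 0      128            [::1]:5000         [::]:*     users:(("ssh",pid=29854,fd=8))
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
EOF
}

sample_listing | exposed_ssh_forwards
```

On a live host, pipe `ss -ltnp` into `exposed_ssh_forwards` (as root, to see other users' processes); `ssh -G <host>` prints the effective `gatewayports` value the client will use for that host.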