David Terrell
2001-Jun-07 08:53 UTC
[PATCH] Make "-L" local ports bind to "127.0.0.1" in openssh-2.9p1
On Sat, Jun 09, 2001 at 07:48:06PM -0400, Albert John FitzPatrick III wrote:> + * Oh yeah? Setting hostname to NULL and hints.ai_flags to > + * AI_PASSIVE on Red Hat Linux release 6.0 (Hedwig) with > + * Linux kernel 2.2.14 does no such thing. On that system > + * "::" and "0.0.0.0" (and maybe one other value which slips > + * my memory) are returned. Setting hostname to "127.0.0.1" > + * does the trick, at least for IPv4 uses; I don't know what > + * it does for IPv6. Without this hack, local ("-L") tunnel > + * end-points (which are supposed to be private unless "-g" > + * or "-o 'GatewayPorts yes'" is specified when "ssh" is > + * started) are [ab]usable by any host which has a route > + * to/from the this host.Perhaps you should point your operating system vendor (or whomever they get their libc from) at RFC 2553: If the AI_PASSIVE bit is not set in the ai_flags member of the hints structure, then the returned socket address structure will be ready for a call to connect() (for a connection-oriented protocol) or either connect(), sendto(), or sendmsg() (for a connectionless protocol). In this case, if the nodename argument is a NULL pointer, then the IP address portion of the socket address structure will be set to the loopback address. -- David Terrell | "... a grandiose, wasteful drug war that will never dbt at meat.net | be won as long as so many Americans need to Nebcorp Prime Minister | anesthetize themselves to get through the day." http://wwn.nebcorp.com/ | -Camille Paglia
Markus Friedl
2001-Jun-07 09:20 UTC
[PATCH] Make "-L" local ports bind to "127.0.0.1" in openssh-2.9p1
can anyone confirm this broken linux behaviour? On Sat, Jun 09, 2001 at 07:48:06PM -0400, Albert John FitzPatrick III wrote:> diff -u -r -N openssh-2.9p1/channels.c openssh-2.9p1-ajf.1/channels.c > --- openssh-2.9p1/channels.c Tue Apr 17 14:14:35 2001 > +++ openssh-2.9p1-ajf.1/channels.c Wed Jun 6 23:25:36 2001 > @@ -1815,13 +1815,25 @@ > /* > * getaddrinfo returns a loopback address if the hostname is > * set to NULL and hints.ai_flags is not AI_PASSIVE > + * > + * Oh yeah? Setting hostname to NULL and hints.ai_flags to > + * AI_PASSIVE on Red Hat Linux release 6.0 (Hedwig) with > + * Linux kernel 2.2.14 does no such thing. On that system > + * "::" and "0.0.0.0" (and maybe one other value which slips > + * my memory) are returned. Setting hostname to "127.0.0.1" > + * does the trick, at least for IPv4 uses; I don't know what > + * it does for IPv6. Without this hack, local ("-L") tunnel > + * end-points (which are supposed to be private unless "-g" > + * or "-o 'GatewayPorts yes'" is specified when "ssh" is > + * started) are [ab]usable by any host which has a route > + * to/from the this host. > */ > memset(&hints, 0, sizeof(hints)); > hints.ai_family = IPv4or6; > hints.ai_flags = gateway_ports ? AI_PASSIVE : 0; > hints.ai_socktype = SOCK_STREAM; > snprintf(strport, sizeof strport, "%d", listen_port); > - if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) > + if (getaddrinfo(gateway_ports ? NULL : "127.0.0.1", strport, &hints, &aitop) != 0) > packet_disconnect("getaddrinfo: fatal error"); > > for (ai = aitop; ai; ai = ai->ai_next) { > >
Albert John FitzPatrick III
2001-Jun-09 23:48 UTC
[PATCH] Make "-L" local ports bind to "127.0.0.1" in openssh-2.9p1
diff -u -r -N openssh-2.9p1/channels.c openssh-2.9p1-ajf.1/channels.c --- openssh-2.9p1/channels.c Tue Apr 17 14:14:35 2001 +++ openssh-2.9p1-ajf.1/channels.c Wed Jun 6 23:25:36 2001 @@ -1815,13 +1815,25 @@ /* * getaddrinfo returns a loopback address if the hostname is * set to NULL and hints.ai_flags is not AI_PASSIVE + * + * Oh yeah? Setting hostname to NULL and hints.ai_flags to + * AI_PASSIVE on Red Hat Linux release 6.0 (Hedwig) with + * Linux kernel 2.2.14 does no such thing. On that system + * "::" and "0.0.0.0" (and maybe one other value which slips + * my memory) are returned. Setting hostname to "127.0.0.1" + * does the trick, at least for IPv4 uses; I don't know what + * it does for IPv6. Without this hack, local ("-L") tunnel + * end-points (which are supposed to be private unless "-g" + * or "-o 'GatewayPorts yes'" is specified when "ssh" is + * started) are [ab]usable by any host which has a route + * to/from the this host. */ memset(&hints, 0, sizeof(hints)); hints.ai_family = IPv4or6; hints.ai_flags = gateway_ports ? AI_PASSIVE : 0; hints.ai_socktype = SOCK_STREAM; snprintf(strport, sizeof strport, "%d", listen_port); - if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) + if (getaddrinfo(gateway_ports ? NULL : "127.0.0.1", strport, &hints, &aitop) != 0) packet_disconnect("getaddrinfo: fatal error"); for (ai = aitop; ai; ai = ai->ai_next) {