Hi,

Enclosed is a patch against the "portable" OpenSSH version 3.02p1. It
enables the -g switch when applied to -R (remote) forwardings. This allows
remote hosts to connect to forwarded ports on the sshd host.

To be consistent with the behavior of the SSH1 clients and servers, the
GatewayPorts option will activate both remote and local port gatewaying
when set to "yes".

Best regards,

Lincoln

--
=======================================================================
Lincoln D. Stein                    Cold Spring Harbor Laboratory
lstein at cshl.org                  Cold Spring Harbor, NY

NOW HIRING BIOINFORMATICS POSTDOCTORAL FELLOWS AND PROGRAMMERS.
PLEASE WRITE FOR DETAILS.
=======================================================================

-------------- next part --------------
A non-text attachment was scrubbed...
Name: remote_forward_patch
Type: text/x-c
Size: 4209 bytes
Desc: lets the -g flag work on -R forwardings
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20011208/76f99dde/attachment.bin

On Sat, Dec 08, 2001 at 12:03:45AM -0500, Lincoln Stein wrote:
> Enclosed is a patch against the "portable" OpenSSH version 3.02p1. It
> enables the -g switch when applied to -R (remote) forwardings. This allows
> remote hosts to connect to forwarded ports on the sshd host.

+ gateway_ports = (strncmp(listen_address,"0.0.0.0",7) == 0) || options.gateway_ports;

this would violate the policy of the server.

if the sshd_config says: gatewayports==no, then the
socket should be bound to 127.0.0.1 only, regardless
of what the client wants.

        gateway_ports = options.gateway_ports && (strncmp(listen_address,"0.0.0.0",7) == 0);

would be correct.
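
Review bot: the wildcard test on the added gateway_ports line uses strncmp(listen_address,"0.0.0.0",7), which only compares the first seven characters, so any listen_address that merely begins with "0.0.0.0" is treated as a request for the wildcard address. An exact comparison (strcmp) would match the stated intent. Separately, joining the client's request and options.gateway_ports with || means either side alone turns gatewaying on; if the server setting is meant to be a ceiling, the two conditions need to be combined with && instead.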

I was worried about that too, but the current behavior is if the server says
gatewayports "yes", then all ports are remotely accessible regardless of what
the client wants.

Lincoln

On Sunday 09 December 2001 08:42, Markus Friedl wrote:
> On Sat, Dec 08, 2001 at 12:03:45AM -0500, Lincoln Stein wrote:
> > Enclosed is a patch against the "portable" OpenSSH version 3.02p1. It
> > enables the -g switch when applied to -R (remote) forwardings. This
> > allows remote hosts to connect to forwarded ports on the sshd host.
>
> + gateway_ports = (strncmp(listen_address,"0.0.0.0",7) == 0) ||
> options.gateway_ports;
>
> this would violate the policy of the server.
>
> if the sshd_config says: gatewayports==no, then the
> socket should be bound to 127.0.0.1 only, regardless
> of what the client wants.
>
>         gateway_ports = options.gateway_ports &&
> (strncmp(listen_address,"0.0.0.0",7) == 0);
>
> would be correct.

Enclosed is a revised patch which respects the server policy with respect to
GatewayPorts.

Lincoln

On Sunday 09 December 2001 08:42, Markus Friedl wrote:
> On Sat, Dec 08, 2001 at 12:03:45AM -0500, Lincoln Stein wrote:
> > Enclosed is a patch against the "portable" OpenSSH version 3.02p1. It
> > enables the -g switch when applied to -R (remote) forwardings. This
> > allows remote hosts to connect to forwarded ports on the sshd host.
>
> + gateway_ports = (strncmp(listen_address,"0.0.0.0",7) == 0) ||
> options.gateway_ports;
>
> this would violate the policy of the server.
>
> if the sshd_config says: gatewayports==no, then the
> socket should be bound to 127.0.0.1 only, regardless
> of what the client wants.
>
>         gateway_ports = options.gateway_ports &&
> (strncmp(listen_address,"0.0.0.0",7) == 0);
>
> would be correct.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-3.0.2p1-gateway.patch
Type: text/x-c
Size: 2920 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20011209/bc997da5/attachment.bin

Enclosed is a re-revised patch that includes documentation changes! Please
ignore the two previous patches. I hope this is it.

Lincoln

On Sunday 09 December 2001 11:51, Lincoln Stein wrote:
> Enclosed is a revised patch which respects the server policy with respect
> to GatewayPorts.
>
> Lincoln
>
> On Sunday 09 December 2001 08:42, Markus Friedl wrote:
> > On Sat, Dec 08, 2001 at 12:03:45AM -0500, Lincoln Stein wrote:
> > > Enclosed is a patch against the "portable" OpenSSH version 3.02p1. It
> > > enables the -g switch when applied to -R (remote) forwardings. This
> > > allows remote hosts to connect to forwarded ports on the sshd host.
> >
> > + gateway_ports = (strncmp(listen_address,"0.0.0.0",7) == 0) ||
> > options.gateway_ports;
> >
> > this would violate the policy of the server.
> >
> > if the sshd_config says: gatewayports==no, then the
> > socket should be bound to 127.0.0.1 only, regardless
> > of what the client wants.
> >
> >         gateway_ports = options.gateway_ports &&
> > (strncmp(listen_address,"0.0.0.0",7) == 0);
> >
> > would be correct.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-3.0.2p1-gateway.patch
Type: text/x-c
Size: 4766 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20011210/f840ce0a/attachment.bin
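
The two ways of combining the client's request with the server's GatewayPorts setting that this thread compares, written out as an added example (not the contents of any attached patch and not OpenSSH source). The enum, the function names and the sample inputs are hypothetical; the wildcard test is the strncmp expression quoted in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not OpenSSH identifiers. */
enum rule { RULE_FIRST_PATCH_OR, RULE_REPLY_AND };

/* Wildcard test exactly as written in the thread (first 7 characters). */
static int wants_wildcard(const char *listen_address)
{
    return strncmp(listen_address, "0.0.0.0", 7) == 0;
}

/* 1 if the forwarded port would accept connections from other hosts. */
int gateway_enabled(enum rule r, int server_gateway_ports, const char *listen_address)
{
    int wants = wants_wildcard(listen_address);
    return r == RULE_FIRST_PATCH_OR ? (wants || server_gateway_ports)
                                    : (server_gateway_ports && wants);
}

/* Address the listening socket ends up bound to. */
const char *bind_address(enum rule r, int server_gateway_ports, const char *listen_address)
{
    return gateway_enabled(r, server_gateway_ports, listen_address)
               ? "0.0.0.0" : "127.0.0.1";
}

/* 1 if the port is exposed although the server is set to GatewayPorts no. */
int violates_server_policy(enum rule r, int server_gateway_ports, const char *listen_address)
{
    return !server_gateway_ports &&
           gateway_enabled(r, server_gateway_ports, listen_address);
}

int main(void)
{
    /* Constructed inputs: both server settings against both client requests. */
    const char *requests[] = { "127.0.0.1", "0.0.0.0" };
    const char *names[] = { "|| (first patch)", "&& (reply)" };
    for (int r = 0; r < 2; r++)
        for (int gp = 0; gp < 2; gp++)
            for (int c = 0; c < 2; c++)
                printf("%-17s GatewayPorts=%-3s client=%-9s -> bind %-9s%s\n",
                       names[r], gp ? "yes" : "no", requests[c],
                       bind_address((enum rule)r, gp, requests[c]),
                       violates_server_policy((enum rule)r, gp, requests[c])
                           ? "  [overrides server policy]" : "");
    return 0;
}
```

With the && form and GatewayPorts set to yes, a client that asks for 127.0.0.1 keeps a loopback-only listener, which differs from the "all ports are remotely accessible" behavior described in the reply above.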