bugzilla-daemon at mindrot.org
2003-Apr-02 17:23 UTC
[Bug 530] problems with port forwarding
http://bugzilla.mindrot.org/show_bug.cgi?id=530

           Summary: problems with port forwarding
           Product: Portable OpenSSH
           Version: 3.5p1
          Platform: ix86
        OS/Version: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: gilbert at student.math.hr

Here is my problem. I'm not sure if it is a bug or a 'feature' but I don't know where else to ask.
bugzilla-daemon at mindrot.org
2003-Apr-03 08:58 UTC
[Bug 530] problems with port forwarding
http://bugzilla.mindrot.org/show_bug.cgi?id=530

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From dtucker at zip.com.au 2003-04-03 18:58 -------

This is a Feature. By default, port forwards listen only on the loopback interface, which means that only processes on the local machine can connect via the forward. You can see this with netstat:

$ ssh -L 20022:127.0.0.1:22 myhost
myhost> netstat -an
Proto Recv-Q Send-Q Local Address           Foreign Address         State
[snip]
tcp        0      0 127.0.0.1:20022         0.0.0.0:*               LISTEN

As you saw, using -g (or GatewayPorts=yes) allows connections on any interface. This is known as a "wildcard binding" and shows a different "Local Address" in netstat:

$ ssh -g -L 20022:127.0.0.1:22 myhost
myhost> netstat -an
Proto Recv-Q Send-Q Local Address           Foreign Address         State
[snip]
tcp        0      0 0.0.0.0:20022           0.0.0.0:*               LISTEN

Using GatewayPorts means that anyone who can connect to your machines can connect via your tunnel, which is why it defaults to listening on the loopback only. If you don't like the default you can put "GatewayPorts yes" in ssh_config.

If different ssh software behaved differently, perhaps it has a different default or the config file had the equivalent of "GatewayPorts yes" set.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
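To make the loopback-versus-wildcard distinction above checkable on a host, here is an added example (not from this bug thread or from OpenSSH) that scans netstat text for LISTEN sockets bound to a wildcard address; the sample output is constructed to mirror the lines quoted in the comment, and the column layout assumed is the Linux-style "host:port" form shown there rather than BSD's "host.port" form.

```shell
# Constructed sample of `netstat -an` output, modelled on the lines quoted
# in the comment above (not captured from the reporter's machines).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:20022         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:44000           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:22            192.0.2.10:51234        ESTABLISHED
tcp6       0      0 :::20023                :::*                    LISTEN'

# Read netstat text on stdin and print "proto port" for every LISTEN socket
# whose local address is the IPv4 or IPv6 wildcard, i.e. a forward that other
# hosts can reach (what -g / GatewayPorts=yes produces).
wildcard_listeners() {
    awk '$NF == "LISTEN" {
        addr = $4
        # the port is everything after the last ":"; the host is the rest
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::" || host == "*")
            print $1, port
    }'
}

# Return 0 when every listener in the given netstat text is loopback-only,
# 1 (with the offending sockets on stderr) when any wildcard binding exists.
check_forwards_loopback_only() {
    found=$(printf '%s\n' "$1" | wildcard_listeners)
    if [ -n "$found" ]; then
        printf 'wildcard-bound listeners found:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage: list the wildcard listeners in the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
```

On a live host, replace the constructed sample with `netstat -an` output; the 127.0.0.1:20022 forward is correctly ignored while 0.0.0.0:44000 and :::20023 are reported.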
bugzilla-daemon at mindrot.org
2003-Apr-03 10:31 UTC
[Bug 530] problems with port forwarding
http://bugzilla.mindrot.org/show_bug.cgi?id=530

------- Additional Comments From gilbert at student.math.hr 2003-04-03 20:31 -------

This only partially answers my question. I know about the -g option, and it works O.K. for forwarding a LOCAL port. But I wanted to forward port 20022 on my_host as a REMOTE port by connecting to my_host from some_host like this:

some_host$ ssh -R 20022:my_other_host:22 user at my_host

and it works only for local connections from my_host. Since the -g option doesn't help here, how do I get around this? Thx.
bugzilla-daemon at mindrot.org
2003-Apr-03 10:44 UTC
[Bug 530] problems with port forwarding
http://bugzilla.mindrot.org/show_bug.cgi?id=530

------- Additional Comments From binder at arago.de 2003-04-03 20:44 -------

> Since the -g option doesn't help here, how do I get around this?

Maybe by reading the docs, especially sshd_config(5)?

-- snip --
GatewayPorts
        Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, sshd binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that sshd should bind remote port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports. The argument must be ``yes'' or ``no''. The default is ``no''.
-- snap --
bugzilla-daemon at mindrot.org
2003-Apr-03 11:09 UTC
[Bug 530] problems with port forwarding
http://bugzilla.mindrot.org/show_bug.cgi?id=530

------- Additional Comments From dtucker at zip.com.au 2003-04-03 21:09 -------

Sorry, missed that. At the moment that's controlled by the server-side GatewayPorts (i.e. in sshd_config). There's a patch attached to bug #413 (attachment #229) that allows greater control over which interface a remote port forward listens on (subject to the server's GatewayPorts setting).
bugzilla-daemon at mindrot.org
2003-Apr-03 11:18 UTC
[Bug 530] problems with port forwarding
http://bugzilla.mindrot.org/show_bug.cgi?id=530

------- Additional Comments From gilbert at student.math.hr 2003-04-03 21:18 -------

> Maybe by reading the docs, especially sshd_config(5)?

This only relates to allowing connections to forwarded ports on the server side, but I don't have root access on the machine and can't change the sshd configuration. I'd like to set forwarding up completely on the client side.
bugzilla-daemon at mindrot.org
2003-Apr-03 12:17 UTC
[Bug 530] problems with port forwarding
http://bugzilla.mindrot.org/show_bug.cgi?id=530

------- Additional Comments From binder at arago.de 2003-04-03 22:17 -------

> This only relates to allowing connections to forwarded ports
> on the server side, but I don't have root access on the machine

As you _are_ creating a forwarded port on the server side, this does relate to your problem. If you can't change the remote server's sshd_config, and can't convince the admin to change it (he'll maybe have a reason for not allowing gateway ports), there's nothing else you can do. It's a server option, not a client option.
bugzilla-daemon at mindrot.org
2003-Apr-03 22:19 UTC
[Bug 530] problems with port forwarding
http://bugzilla.mindrot.org/show_bug.cgi?id=530

------- Additional Comments From samuel at bcgreen.com 2003-04-04 08:19 -------

Easy solution:

ssh my_host
(login)
myhost% ssh -g -L 44000:other_host:22
(login again)

With the second ssh, you are forwarding the LOCAL port for my_host, using the ssh client, which is quite legal to make a server port. Job done.

Note: the connection between myhost and other_host is NOT being encrypted. You are simply using ssh as a port redirection tool at this point. If you're connecting to an ssh daemon on other_host, this isn't a problem. If you're doing pretty much anything else, you'd probably want to do:

my_host% ssh -g -L 44000:localhost:25 other_host

That would forward an encrypted channel to other_host that then connects to its port 25 locally.
bugzilla-daemon at mindrot.org
2003-Apr-04 00:04 UTC
[Bug 530] problems with port forwarding
http://bugzilla.mindrot.org/show_bug.cgi?id=530

gilbert at student.math.hr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

------- Additional Comments From gilbert at student.math.hr 2003-04-04 10:04 -------

> Note: the connection between myhost and other_host is NOT being encrypted

Yea, I'm completely aware of that, and familiar with how port forwarding works. But actually only forwarding remote ports works for me since I want to forward a port from a machine I can't reach from outside regularly. Anyway, I'm on good terms with the system root on myhost so we set GatewayPorts yes and restarted sshd, and it worked. Thanks all for the info and help.