Aaron Jones
2021-Mar-25 15:30 UTC
Feature Request: Ability to specify local bind address for ssh(1) -W
Hello.
I have deployed an SSH bastion host, and would prefer to use the ssh(1)
-W option to establish a forwarding from that host to the others that it
can access.
However, the bastion host has multiple IP addresses, and I need ssh(1)
to make the connection from a specific source address.
There is currently no way to accomplish this with the -W option, as it
only takes a destination address. This means that I need to instruct my
SSH client to start a nc(1) command and use its -s option instead, but
those commands sometimes linger (as children of PID 1) for a long time
after the connection has long since died, and I would prefer that the
login not have the ability to run commands at all.
Would it be possible to extend the syntax to take an optional source
address? For example (showing my current configuration commented out,
and how this could be specified using -W instead):
Host foo.example.net
    BatchMode Yes
    ControlMaster auto
    ControlPath ~/.ssh/control-path.d/%r@%h:%p.sock
    ControlPersist 3
    ProxyCommand none
    RequestTTY No
    User bar

Host *.example.net
    # ProxyCommand ssh foo.example.net 'nc -6 -s 2001:db8::2 %h %p'
    ProxyCommand ssh -W [2001:db8::2]:[%h]:%p foo.example.net
Regards,
Aaron Jones
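An added example, not Aaron's configuration and not OpenSSH code: a small Python ProxyCommand helper that does what the commented-out `nc -6 -s` line does (bind the hop's source address before connecting) and exits as soon as ssh closes its stdin or the peer closes, so no relay process lingers. The script name `proxy_from.py`, the argument order SOURCE HOST PORT and the helper names `connect_from`/`relay` are assumptions.

```python
#!/usr/bin/env python3
# ProxyCommand helper (assumed name: proxy_from.py): connect to HOST PORT from
# a fixed local SOURCE address, relay stdin/stdout, exit when either end closes.
import os, selectors, socket, sys

def connect_from(source, host, port):
    """TCP connection to host:port bound to local address `source`. The family
    comes from the resolved destination; `source` must belong to it."""
    last_err = None
    for family, socktype, proto, _, addr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        s = socket.socket(family, socktype, proto)
        try:
            s.bind((source, 0))       # port 0: the kernel picks the source port
            s.connect(addr)
            return s
        except OSError as e:
            last_err = e
            s.close()
    raise OSError(f"cannot reach {host}:{port} from {source}: {last_err}")

def relay(sock, in_fd, out_fd):
    """Copy in_fd -> sock and sock -> out_fd. EOF on in_fd half-closes the
    socket; the loop ends when the peer closes. Returns (sent, received)."""
    sel = selectors.DefaultSelector()
    sel.register(in_fd, selectors.EVENT_READ, "in")
    sel.register(sock, selectors.EVENT_READ, "net")
    sent = received = 0
    while True:
        for key, _ in sel.select():
            if key.data == "in":
                chunk = os.read(in_fd, 65536)
                if not chunk:                     # ssh closed our stdin
                    sel.unregister(in_fd)
                    sock.shutdown(socket.SHUT_WR)
                    continue
                sock.sendall(chunk)
                sent += len(chunk)
            else:
                chunk = sock.recv(65536)
                if not chunk:                     # peer closed: we are done
                    sel.close()
                    return sent, received
                os.write(out_fd, chunk)
                received += len(chunk)

if __name__ == "__main__":                    # proxy_from.py SOURCE HOST PORT
    conn = connect_from(sys.argv[1], sys.argv[2], int(sys.argv[3]))
    relay(conn, sys.stdin.fileno(), sys.stdout.fileno())
```

With this on the bastion, the inner ProxyCommand becomes `ssh foo.example.net './proxy_from.py 2001:db8::2 %h %p'`; the helper still runs as a command on the bastion login, which is the part the thread asks -W to make unnecessary.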
Jochen Bern
2021-Mar-26 08:10 UTC
Feature Request: Ability to specify local bind address for ssh(1) -W
On 25.03.21 16:30, Aaron Jones wrote:
> I have deployed an SSH bastion host, and would prefer to use the ssh(1)
> -W option to establish a forwarding from that host to the others that it
> can access.
>
> However, the bastion host has multiple IP addresses, and I need ssh(1)
> to make the connection from a specific source address.

I do not speak for the OpenSSH developers, but I have a hunch that they'll
deny that request. Selecting the source address for an outgoing connection
usually is the job of the OS(*) and an application needs to carry quite a
bit of extra code to override that. OK for an explicit networking tool like
nc, but maybe not for ssh.

However, assuming that there's some *regularity* to your need, you might be
able to tell the kernel itself to adhere to it (e.g., for Linux, use
iptables to explicitly SNAT connections matching a pattern to a specific
source IP). No more extra processes that can linger that way.

(*) Off the top of my head: Look up the outgoing interface in the
default(!!) routing table, then choose the IP added last (Linux) / set
first (SunOS/Solaris) / round robin (*BSD) from those set on that
interface.

Regards,
--
Jochen Bern
Systems Engineer

Binect GmbH