Bug 1012

Summary: Trouble creating remote port forwarding to ssh.com 2.4.0 server.
Product: Portable OpenSSH Reporter: David Rothenberger <daveroth>
Component: sshAssignee: Damien Miller <djm>
Status: CLOSED FIXED    
Severity: normal Keywords: patch
Priority: P2    
Version: 4.0p1   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 1222    
Attachments:
Description Flags
Default to 0.0.0.0 as bind address for ssh.com 2.4.0 servers.
none
Updated and tweaked patch dtucker: ok+

Description David Rothenberger 2005-04-08 02:48:41 AEST 
I'm having a problem with OpenSSH_4.0p1 when trying to do remote port
forwards to a server running SSH Secure Shell 2.4.0. The problem appears
to be that 2.4.0 chokes on bind addresses that aren't numeric addresses,
such as "localhost" and "".

The following commands are failing for me from the 4.0p1 client to the
2.4.0 server:

  ssh -R 50000:localhost:50000 server
  ssh -R localhost:50000:localhost:50000 server
  ssh -R :50000:localhost:50000 server
  ssh -R \*:50000:localhost:50000 server

although these commands work just fine:

  ssh -R 127.0.0.1:50000:localhost:50000 server
  ssh -R 0.0.0.0:50000:localhost:50000 server
  ssh -R 192.168.1.1:50000:localhost:50000 server
Comment 1 David Rothenberger 2005-04-08 02:50:57 AEST 
Created attachment 870 [details]
Default to 0.0.0.0 as bind address for ssh.com 2.4.0 servers.

The attached patch solves the problem for me. It sends "0.0.0.0" as the
address_to_bind for these cases

  ssh -R 50000:localhost:50000 server
  ssh -R :50000:localhost:50000 server
  ssh -R \*:50000:localhost:50000 server

but still passes through the specified address for cases like

  ssh -R 192.168.1.1:50000:localhost:50000 server
Comment 2 Damien Miller 2005-04-18 15:49:42 AEST 
Comment on attachment 870 [details]
Default to 0.0.0.0 as bind address for ssh.com 2.4.0 servers.

>diff -Naur openssh-4.0p1-1/channels.c openssh-4.0p1-2/channels.c
>--- openssh-4.0p1-1/channels.c	2005-03-01 02:24:33.000000000 -0800
>+++ openssh-4.0p1-2/channels.c	2005-04-04 17:27:44.230250000 -0700
>@@ -2370,9 +2370,15 @@
> 	if (compat20) {
> 		const char *address_to_bind;
> 		if (listen_host == NULL)
>-			address_to_bind = "localhost";
>+			if (datafellows & SSH_BUG_NUMERICRFWDADDR)
>+				address_to_bind = "0.0.0.0";

I think that should be "127.0.0.1", not "0.0.0.0". Or did you have a 
specific reason for changing this?
Comment 3 David Rothenberger 2005-04-19 02:29:11 AEST 
(In reply to comment #2)
> (From update of attachment 870 [details] [edit])
> >diff -Naur openssh-4.0p1-1/channels.c openssh-4.0p1-2/channels.c
> >--- openssh-4.0p1-1/channels.c	2005-03-01 02:24:33.000000000 -0800
> >+++ openssh-4.0p1-2/channels.c	2005-04-04 17:27:44.230250000 -0700
> >@@ -2370,9 +2370,15 @@
> > 	if (compat20) {
> > 		const char *address_to_bind;
> > 		if (listen_host == NULL)
> >-			address_to_bind = "localhost";
> >+			if (datafellows & SSH_BUG_NUMERICRFWDADDR)
> >+				address_to_bind = "0.0.0.0";
> 
> I think that should be "127.0.0.1", not "0.0.0.0". Or did you have a 
> specific reason for changing this?

I did have 127.0.0.1 at first, but I changed it for two reasons. One was that I
think 0.0.0.0 was the old pre-4.0 behavior. The second was that I think
127.0.0.1 will only work for IPv4. I'm no expert here, and I'm not even sure
ssh.com 2.4 works with IPv6.

I have no problem with changing this to 127.0.0.1 if the above reasons make no
sense.
Comment 4 Damien Miller 2005-10-12 22:29:24 AEST 
Created attachment 989 [details]
Updated and tweaked patch

This makes the client default to requesting locahost (127.0.0.1) forwarding to servers with the bug, unless they explicitly request a wildcard forward.
Comment 5 Darren Tucker 2005-10-13 00:09:13 AEST 
Comment on attachment 989 [details]
Updated and tweaked patch

Looks OK to me (I don't have a server to test against, though).
Comment 6 Darren Tucker 2005-10-13 00:12:14 AEST 
Comment on attachment 989 [details]
Updated and tweaked patch

> 		{ "2.3.*",		SSH_BUG_DEBUG|SSH_BUG_RSASIGMD5|
> 					SSH_BUG_FIRSTKEX },
> 		{ "2.4",		SSH_OLD_SESSIONID },	/* Van Dyke */
>-		{ "2.*",		SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX },
>+		{ "2.*",		SSH_BUG_DEBUG|SSH_BUG_FIRSTKEX|
>+					SSH_BUG_RFWD_ADDR },

Since the compat checks are first-match, shouldn't the other 2.x entries have the SSH_BUG_RFWD_ADDR flag too?
Comment 7 David Rothenberger 2006-08-31 02:02:36 AEST 
I'm still interested in seeing this fixed. I see that it was bumped from the 4.3 release to the 4.4. release and now to the 4.5 release.

Is there anything I can do to get this patch committed? Any testing?

(In reply to comment #6)
> Since the compat checks are first-match, shouldn't the other 2.x
> entries have the SSH_BUG_RFWD_ADDR flag too?

I only have 2.4.0 servers to test against. The current match is fine with those servers (I guess because 2.4.0 doesn't match 2.4). Should I try with the SSH_BUG_RFWD_ADDR flag in the other 2.x entries?
Comment 8 Damien Miller 2006-08-31 13:59:38 AEST 
sorry that this slipped, I'll try to commit it as soon as the OpenBSD tree unlocks.
Comment 9 David Rothenberger 2006-12-02 03:17:57 AEDT 
Has the OpenBSD tree unlocked yet? Any change this can go into the new OpenSSH release?
Comment 10 Damien Miller 2006-12-12 14:59:39 AEDT 
patch applied, will be in 4.6/4.6p1
Comment 11 Damien Miller 2008-04-04 09:55:04 AEDT 
Close resolved bugs after release.