| Summary: | ssh option -R 127.0.0.2:10443:<dest ip>:443 does not work | | |
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Walter.Pfannenmueller |
| Component: | sshd | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED INVALID | | |
| Severity: | normal | CC: | dajoker, djm, dtucker |
| Priority: | P2 | | |
| Version: | 5.5p1 | | |
| Hardware: | All | | |
| OS: | All | | |
What is the setting of GatewayPorts on the server?

It is the default setting:

    #GatewayPorts no

Client command:

    ssh -R 127.0.0.2:10000:<whatever>:443 target

yields on the target

    tcp 0 0 127.0.0.1:10000 0.0.0.0:* LISTEN

Setting GatewayPorts yes results in

    tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN

Therefore I prefer "no".

You want "GatewayPorts clientspecified".

I'm not sure.
Just reading the ssh man pages for -R
    -R [bind_address:]port:host:hostport
    ....
    Specifying a remote bind_address will only succeed if the
    server's GatewayPorts option is enabled (see sshd_config(5)).

tells me my specified bind_address will only succeed if
GatewayPorts is enabled.
But this means all port forwarding will result in global listeners
on the target machine. This is not what I want.
Therefore a suggestion for a solution might be:
GatewayPorts no:
Allow and use
bind_address only if it is a localhost (e.g. 127.*) address.
GatewayPorts yes:
just use bind_address.
But you probably should change the man pages as well, then.
Please tell me if I'm totally wrong.

from sshd_config(5):
> GatewayPorts
> Specifies whether remote hosts are allowed to connect to ports
> forwarded for the client. By default, sshd(8) binds remote port
> forwardings to the loopback address. This prevents other remote
> hosts from connecting to forwarded ports. GatewayPorts can be
> used to specify that sshd should allow remote port forwardings to
> bind to non-loopback addresses, thus allowing other hosts to
> connect. The argument may be ``no'' to force remote port
> forwardings to be available to the local host only, ``yes'' to
> force remote port forwardings to bind to the wildcard address, or
> ``clientspecified'' to allow the client to select the address to
> which the forwarding is bound. The default is ``no''.
Have you tried setting GatewayPorts=clientspecified? It does exactly what you are asking for.
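The thread turns on which address sshd actually binds a `-R` listener to under each GatewayPorts value, and on why the reporter's one-line patch (assigning `addr = listen_addr` whenever a host is given) needs a GatewayPorts check. The following Python is an added example, not code from this bug or from OpenSSH's channels.c: it is a simplified model of the documented sshd_config(5) semantics quoted above, plus the reporter's suggested "loopback addresses only under GatewayPorts no" policy. The function names, the constants and the sample requests are assumptions made for the example; the real server returns a socket, not an address string.

```python
"""Model of the listen address sshd picks for a `ssh -R [bind_address:]port:host:hostport`
request under each GatewayPorts setting (sshd_config(5) semantics).

Added example: a simplified model, not the OpenSSH channels.c logic itself.
"""
import ipaddress
from typing import Optional

LOOPBACK = "127.0.0.1"  # sshd(8) binds loopback by default (it also binds ::1)
WILDCARD = "0.0.0.0"    # GatewayPorts yes forces the wildcard address


def remote_forward_bind_addr(gateway_ports: str, bind_address: Optional[str]) -> str:
    """Return the address sshd will listen on for a -R forwarding.

    gateway_ports -- "no", "yes" or "clientspecified" (the sshd_config value)
    bind_address  -- the optional [bind_address:] the client sent, or None
    """
    setting = gateway_ports.strip().lower()
    if setting == "no":
        # Client-supplied address is ignored: the listener is reachable
        # from the server host only.
        return LOOPBACK
    if setting == "yes":
        # Client-supplied address is ignored: the listener is on all interfaces.
        return WILDCARD
    if setting == "clientspecified":
        # The client chooses; empty or "*" means wildcard, "localhost" loopback.
        if not bind_address or bind_address == "*":
            return WILDCARD
        if bind_address == "localhost":
            return LOOPBACK
        return bind_address
    raise ValueError(f"unknown GatewayPorts value: {gateway_ports!r}")


def is_loopback_address(bind_address: str) -> bool:
    """True for 127.0.0.0/8 and ::1 (the '127.*' case the reporter mentions)."""
    try:
        return ipaddress.ip_address(bind_address).is_loopback
    except ValueError:
        # Hostnames such as "localhost" are only loopback if named as such.
        return bind_address == "localhost"


def suggested_bind_addr(gateway_ports: str, bind_address: Optional[str]) -> str:
    """The reporter's proposal (hypothetical policy, not what sshd implements):
    under GatewayPorts no, honour a client-supplied address only when it is a
    loopback address, so a forwarding can never leave the server host."""
    setting = gateway_ports.strip().lower()
    if setting == "no" and bind_address and is_loopback_address(bind_address):
        return bind_address
    return remote_forward_bind_addr(gateway_ports, bind_address)


def unconditional_bind_exposes(gateway_ports: str, bind_address: Optional[str]) -> bool:
    """Does binding `addr = listen_addr` unconditionally (the patch sketched in
    the report) expose a listener beyond what the configured policy allows?
    This is the reason a GatewayPorts check is still needed next to that line."""
    if not bind_address:
        return False
    policy_addr = remote_forward_bind_addr(gateway_ports, bind_address)
    # Exposure: the policy says loopback-only but the patch would bind elsewhere.
    return policy_addr == LOOPBACK and not is_loopback_address(bind_address)


if __name__ == "__main__":
    # Constructed sample requests mirroring the commands in this report.
    for setting in ("no", "yes", "clientspecified"):
        for req in (None, "127.0.0.2", "192.0.2.10"):
            print(f"GatewayPorts {setting:16} bind_address={str(req):10} ->",
                  remote_forward_bind_addr(setting, req),
                  "(exposed by unconditional bind)" if
                  unconditional_bind_exposes(setting, req) else "")
```

Running the block prints the nine combinations; the rows for `GatewayPorts no` with a non-loopback bind_address are the ones where the report's unconditional `addr = listen_addr` would let a client open a listener on an interface the administrator meant to keep closed.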
I tried it now and it does work as I expect. Thanks a lot.

With the release of OpenSSH 5.6p1 this bug is now considered closed. If you have further problems please reopen or file a new bug as appropriate.

Description:

Starting ssh with the option -R 127.0.0.2:10443:<dest ip>:443 results in opening listeners on the <dest ip> with listener ip 127.0.0.1, ::1 and not 127.0.0.2.

Adding the following code to channels.c after line 2660

    } else if (host) {
        addr = listen_addr;

results in having the sshd start the 127.0.0.2 listener. Maybe there has to be some check against the GatewayPorts option as well.