This could be a documentation bug. The manual page states: IPv6 addresses can be specified with an alternative syntax: [bind_address/]port/host/hostport or by enclosing the address in square brackets. Keyword here is "or." I've found that the syntax REQUIRES square brackets around an IPv6 address regardless of which syntax is used. That is, if the old "colon" separator is used, or the "slash" separator is used. The man page implies that if you use the alternative (slash) syntax, the square brackets may be omitted. This is tested on several OS and versions of OpenSSH: Ubuntu Server 9.10 ssh -v -6 -L 5902/::1/5902 host.example.com OpenSSH_5.1p1 Debian-6ubuntu2, OpenSSL 0.9.8g 19 Oct 2007 Bad local forwarding specification '5902/::1/5902' Gentoo Linux ssh -v -6 -L 5902/::1/5902 host.example.com OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009 Bad local forwarding specification '5902/::1/5902' Cygwin 1.7.1 ssh -v -6 -L 5902/::1/5902 host.example.com OpenSSH_5.4p1, OpenSSL 0.9.8m 25 Feb 2010 Bad local forwarding specification '5902/::1/5902' Using square brackets works with either syntax (brackets escaped for shell of course): ssh -6 -L 5902/\[::1\]/5902 host.example.com jim@host.example.com's password: ssh -6 -L 5902:\[::1\]:5902 host.example.com jim@host.example.com's password:
The cause of this seems to be misc.c:hpdelim(): 373 if (*s == '[') { 374 if ((s = strchr(s, ']')) == NULL) 375 return NULL; 376 else 377 s++; 378 } else if ((s = strpbrk(s, ":/")) == NULL) Consider a forwarding string of 2222/::1/22. hpdelim() will correctly extract the first argument, but when called again will break inside the IPv6 address. This must have been broken for some time, since I don't think this code has been touched in a while. Perhaps it would be better to just remove the promise of '/' separating the strings and just require square brackets?
(In reply to comment #1) > The cause of this seems to be misc.c:hpdelim(): > > 373 if (*s == '[') { > 374 if ((s = strchr(s, ']')) == NULL) > 375 return NULL; > 376 else > 377 s++; > 378 } else if ((s = strpbrk(s, ":/")) == NULL) > > Consider a forwarding string of 2222/::1/22. hpdelim() will correctly > extract the first argument, but when called again will break inside the > IPv6 address. This must have been broken for some time, since I don't > think this code has been touched in a while. > > Perhaps it would be better to just remove the promise of '/' separating > the strings and just require square brackets? Perhaps. But it's a bit annoying to have to type the escaped square brackets. Maybe use something shells don't treat as special instead? But then doing something like that would be just as much effort as fixing the bug. :-)
You shouldn't need to escape the square brackets for shells unless you happen to have files in the local directory that match the pattern generated, since they should pass patterns that fail to match through verbatim.
I have removed mention of the alternate syntax from our manpages. It is non-standard, rarely used and was implemented at a time before [addr]:port was supported in OpenSSH or as popular.
With the release of OpenSSH 5.6p1 this bug is now considered closed. If you have further problems please reopen or file a new bug as appropriate.