2017 – Multiple dynamically allocated remote ports all connect to the same local port

Bug 2017 - Multiple dynamically allocated remote ports all connect to the same local port

Summary: Multiple dynamically allocated remote ports all connect to the same local port

Status:	CLOSED WORKSFORME

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	ssh (show other bugs)
Version:	6.0p1
Hardware:	All All

Importance:	P2 normal
Assignee:	Assigned to nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2012-06-09 01:10 AEST by Joseph Dunn
Modified:	2015-08-11 23:03 AEST (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Joseph Dunn 2012-06-09 01:10:10 AEST

From the documentation:
If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported to the client at run time. When used together with -O forward the allocated port will be printed to the standard output.

When using this functionality I found that if multiple remote ports were dynamically allocated then connections to any of those ports will forward back to the first forward requested. Though not a severe problem this behavior can be extremely misleading.

On the local host (margarita):
jdunn@margarita~$ ssh www.tdt.com -R 0:localhost:22 -R 0:localhost:80
Allocated port 33029 for remote forward to localhost:22
Allocated port 33719 for remote forward to localhost:80

On the remote host (www):
jdunn@www:~$ nc localhost 33029
SSH-2.0-OpenSSH_5.9
^C
jdunn@www:~$ nc localhost 33719
SSH-2.0-OpenSSH_5.9
^C

Apparently both remote ports are being mapped to the same local port. Looking through the code I found that 0 is being passed as the listen port to channel_connect_by_listen_address. The for loop in that function then finds the first permitted_opens[i] with a listen port of 0.

I was hoping to provide a simple fix, but it appears to require changing the client-server protocol since the dynamically allocated port is not supplied in the server packet unpacked in client_request_forwarded_tcpip. I suspect that the correct solution is just to replace the listen_port used in the communication with the dynamically allocated port. The port number would also have to be updated in the permitted_opens list when the server allocated the remote port.

I was able to replicate this first in Fedora17, Debian Squeeze, and then checked the nightly snapshots of Portable OpenSSH where I found the same problem.

Comment 1 Damien Miller 2012-07-06 12:01:48 AEST

I can't replicate this with openssh-6.0 on the client and server end. We did fix some bugs in automatic port allocation recently, and I think you might be running in to one of them as www.tdt.com seems to be running a slightly older sshd.

Please reopen if you can replicate this with 6.0 on the server and attach full debug traces from both the client and server (sshd -ddd / ssh -vvv)

Comment 2 Joseph Dunn 2012-09-11 03:34:17 AEST

I finally had a chance to check this solution on a Fedora Rawhide system (openssh-6.0p1-1.fc18.i686) and can confirm that it is fixed.  It is definitely necessary for both the client and server to be at least version 6.0 or else the behavior looks like it did before.

I'll look into upgrading openssh on the couple systems I need this to work on before the various distros get around to it.

Thank you for your time.

Comment 3 Damien Miller 2015-08-11 23:03:29 AEST

Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1