2189 – Client fails to consider hostname when matching rfwd channel opens

Bug 2189 - Client fails to consider hostname when matching rfwd channel opens

Summary: Client fails to consider hostname when matching rfwd channel opens

Status:	CLOSED INVALID

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	ssh (show other bugs)
Version:	-current
Hardware:	Other All

Importance:	P5 minor
Assignee:	Assigned to nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2013-12-19 12:14 AEDT by Damien Miller
Modified:	2021-03-04 09:52 AEDT (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Damien Miller 2013-12-19 12:14:31 AEDT

From bug 2147:

> I've been doing some more testing on this, and I think it may have
> been a mistake for me to replace the hostname in the channel open
> message with the actual listening address. By doing that, it makes it
> more difficult for the client to match up against the right listener.
>
> That said, the reason I didn't discover this in my testing is that
> the current openssh client code doesn't actually try to match on
> the hostname at all when matching which remote listener it is -- it
> only matches on port! So, if you try to set up multiple listeners
> at once from a client on the same server-side port (by setting
> GatewayPorts=clientspecified in the server config and binding to
> different addresses), the client always matches on the first listener
> with that port, as seen in the following code snippet:
>
> Channel *
> channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname)
> {
>         int i;
>
>         for (i = 0; i < num_permitted_opens; i++) {
>                 if (permitted_opens[i].host_to_connect != NULL &&
>                     port_match(permitted_opens[i].listen_port, listen_port)) {
>                         return connect_to(
>                             permitted_opens[i].host_to_connect,
>                             permitted_opens[i].port_to_connect, ctype, rname);
>                 }
>         }
>         error("WARNING: Server requests forwarding for unknown listen_port %d",
>             listen_port);
>         return NULL;
> }
>
> Note that it checks here that a host_to_connect is set, but it doesn't
> even pass in the listen_address to match against when this is called
> from client_request_forwarded_tcpip() in clientloop.c. This means
> you can't actually have two different listeners on the server side
> with the same port listening on different addresses and forwarding to
> different destinations.
>
> My suggestion is to keep the portion of my change which fills in the
> proper listening port instead of 0, but leaves the reported listening
> address as the hostname/address which was requested. That way, a
> client which does proper matching of both the listening host & port
> would always be able to do so (since it got the actual licensing
> port back in the global request's response when dynamic ports were
> requested). To make this work right with OpenSSH as a client, though,
> additional changes would be needed on the client side to extend the
> listener matching to include both the host & port.

Comment 1 Damien Miller 2020-07-17 14:32:20 AEST

I have no idea what I was talking about in 2013

Comment 2 Damien Miller 2021-03-04 09:52:49 AEDT

close bugs that were resolved in OpenSSH 8.5 release cycle