Bug 2222 - GatewayPorts=no should not rewrite localhost addresses in port-forward requests
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 6.5p1
Hardware: All Linux
Importance: P5 minor
Assignee: Assigned to nobody
Blocks: V_6_7
Reported: 2014-04-07 21:10 AEST by Han-Wen Nienhuys
Modified: 2014-10-08 08:00 AEDT

Attachments
Allow explicit IPv4/IPv6 localhost address regardless of GatewayPorts (1.41 KB, patch)
2014-04-07 21:51 AEST, Damien Miller

Description Han-Wen Nienhuys 2014-04-07 21:10:15 AEST
If GatewayPorts = no, then forwarding a port listener for a given port (ssh -R option) will disregard the address field in the request, and expand the address number with getaddrinfo().

getaddrinfo() will expand the localhost address as IPv6 and IPv4 in some order, and sshd returns success if listening on either address succeeded, without mentioning the address being used.

If other services are listening on only IPv4 (but not IPv6), this may lead to a situation where a request for forwarding 127.0.0.1:PORTNUMBER succeeds, but the forwarded port is only on [::1]:PORT-NUMBER. 

This is confusing (we spent a couple of days debugging the fallout of this). Moreover, if the sshd is running on a multi-user system, a malicious user may use this to intercept or modify the traffic over the forwarded port.

Suggested fix: do not discard the incoming address in channel_setup_fwd_listener() if it is either 127.0.0.1 or ::1
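
A check for the mismatch described in this report, added here as an example (not part of the original report or of OpenSSH): it probes both loopback addresses for a given port and reports whether the address named in the -R request is really the one listening. The function names are hypothetical, and the demo listener is a constructed IPv4-only stand-in for the forwarded port, so the address families are the reverse of the reported case and the demo also runs on hosts without IPv6.

```python
import socket

# The two loopback addresses named in the report, with their address families.
LOOPBACKS = {"127.0.0.1": socket.AF_INET, "::1": socket.AF_INET6}


def listening_on(addr, port, timeout=1.0):
    """Return True if a TCP connection to addr:port is accepted."""
    try:
        with socket.socket(LOOPBACKS[addr], socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
            return True
    except OSError:
        # Refused, timed out, or address family unavailable on this host.
        return False


def audit_forward(requested_addr, port):
    """Compare the loopback address asked for in -R with what really listens."""
    state = {addr: listening_on(addr, port) for addr in LOOPBACKS}
    return {
        "listening": state,
        "requested_ok": state[requested_addr],
        "unrequested": [a for a, up in state.items()
                        if up and a != requested_addr],
    }


def demo():
    """Constructed stand-in for the forwarded port: an IPv4-only listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))   # port 0: the kernel picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        # The request named ::1, but only 127.0.0.1 is bound.
        return audit_forward("::1", port)


if __name__ == "__main__":
    print(demo())
```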
Comment 1 Damien Miller 2014-04-07 21:51:45 AEST
Created attachment 2419
Allow explicit IPv4/IPv6 localhost address regardless of GatewayPorts

Something like this diff should do what you want, but I need to think through if there are any consequences.
Comment 2 Damien Miller 2014-07-04 08:34:04 AEST
Patch applied - this will be in openssh-6.7. Thanks!
Comment 3 Damien Miller 2014-10-08 08:00:14 AEDT
Close all bugs left open from 6.6 and 6.7 releases.