Bug 2393 (Rem.dyn.port.Fwding) - Remote dynamic port forwarding for OpenSSH client
Summary: Remote dynamic port forwarding for OpenSSH client
Status: CLOSED FIXED
Alias: Rem.dyn.port.Fwding
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 6.8p1
Hardware: All All
Importance: P5 enhancement
Assignee: Assigned to nobody
URL: http://d3s.mff.cuni.cz/~steinhauser/o...
Keywords: openbsd, patch
Reported: 2015-05-05 02:59 AEST by Anthony Steinhauser
Modified: 2021-04-23 14:55 AEST

Attachments
Remote dynamic port forwarding patch against OpenSSH Portable 70860b6d07 (20.88 KB, patch)
2015-05-05 02:59 AEST, Anthony Steinhauser

Description Anthony Steinhauser 2015-05-05 02:59:36 AEST
Created attachment 2615
Remote dynamic port forwarding patch against OpenSSH Portable 70860b6d07

It would be nice to have the fourth combination of static/dynamic and local/remote TCP port forwarding. Local static (-L), remote static (-R) and local dynamic (-D) combinations are already supported. What is missing is the remote dynamic port forwarding.

Remote dynamic port forwarding would be useful to extend the possibilities and deployability of both remote static port forwarding and local dynamic port forwarding.

Remote static port forwarding allows clients to reach a particular TCP port on their client machine from a remote SSH session. With remote dynamic port forwarding clients would be able to execute arbitrary programs on a remote SSH server completely retaining their TCP connectivity and network identity. If their TCP payload doesn't support the SOCKS protocol natively, it can be packed into SOCKS requests with a SOCKS wrapper such as proxychains or socksify. Similarly, using remote static port forwarding clients can publish a single service on the SSH server. With remote dynamic port forwarding they would be able to publish their whole connectivity to all users of the SSH server or even to all those who have access to a particular TCP port on the server.

Local dynamic port forwarding enables clients to use basically any SSH server as a SOCKS proxy server. However, sometimes it's not possible to operate an SSH server on a particular machine (due to firewall constraints, impossibility to bind sockets to privileged ports, etc.). Remote dynamic port forwarding allows the potential proxy servers to circumvent the condition of running an SSH server by running just an SSH client. Local dynamic port forwarding allows clients to assume the connectivity and network identity of the SSH server. Remote dynamic port forwarding in combination with local static port forwarding also allows clients to assume the connectivity and network identity of fellow SSH clients.

There is already a patch against OpenSSH portable (commit 70860b6d07461906730632f9758ff1b7c98c695a) that provides remote dynamic port forwarding support.

http://d3s.mff.cuni.cz/~steinhauser/openssh.html
Comment 1 Andreas Gnau 2018-04-04 02:14:14 AEST
This is implemented in 7.6.

 * ssh(1): add support for reverse dynamic forwarding. In this mode,
   ssh will act as a SOCKS4/5 proxy and forward connections
   to destinations requested by the remote SOCKS client. This mode
   is requested using extended syntax for the -R and RemoteForward
   options and, because it is implemented solely at the client,
   does not require the server be updated to be supported.
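
An added example (not part of the original comment or of OpenSSH): a small audit that reads ssh_config text and classifies each RemoteForward line as static or reverse dynamic, also noting a non-loopback bind address. It assumes the ssh_config(5) form `RemoteForward [bind_address:]port [host:hostport]`; the function names and the sample config are constructed for illustration.

```python
import re
import shlex

# Bind addresses that keep the remote listener on loopback (None = omitted).
LOOPBACK = {None, "localhost", "127.0.0.1", "::1"}

# Constructed sample ssh_config, not taken from the bug report.
SAMPLE = """\
# constructed sample ssh_config
Host bastion
    RemoteForward 8080 localhost:80
    RemoteForward 1080
Host lab
    RemoteForward=*:1081   # SOCKS on all interfaces
    remoteforward [::1]:1082
"""

def split_listen(spec):
    """Split '[bind_address:]port' into (bind, port); bind is None when omitted."""
    if spec.startswith("["):                      # [IPv6]:port
        bind, _, port = spec[1:].partition("]:")
    elif ":" in spec:
        bind, port = spec.rsplit(":", 1)          # ':1080' gives bind == ''
    else:
        bind, port = None, spec
    return bind, port

def audit(config_text):
    """Return (lineno, kind, bind, port, non_loopback) per RemoteForward line."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"\s*remoteforward\s*(?:=\s*|\s+)(.*)", line, re.I)
        if not m:
            continue
        args = shlex.split(m.group(1), comments=True)
        if not args:
            continue
        bind, port = split_listen(args[0])
        if not port.isdigit():
            kind = "other"        # e.g. a Unix socket path; not classified here
        elif len(args) == 1:
            kind = "dynamic"      # no destination: the client acts as a SOCKS proxy
        else:
            kind = "static"
        # '' or '*' requests all interfaces; the server honours a remote
        # bind address only when its GatewayPorts option allows it.
        findings.append((lineno, kind, bind, port, bind not in LOOPBACK))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
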
Comment 2 Damien Miller 2021-04-23 14:55:38 AEST
closing resolved bugs as of 8.6p1 release