[Bug 413] Port forwarding: [localhost:]localport:remotehost:remoteport

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Jan 28 12:30:16 EST 2005


------- Additional Comments From djm at mindrot.org  2005-01-28 12:30 -------
OK, here is a concrete proposal and a rationale:

I don't think the risks of sending "localhost" are too great; if a system is so
badly misconfigured as to be susceptible to attack via this method, then it has far
greater problems than we can work around. Anyway, it isn't a common problem (see

Special-casing "" and "" seems ugly: if we do that then how can
you remotely specify an IPv4-only listener for any or loopback?

So, I think:

1. The server should special-case the empty string to be a wildcard (NULL,
2. The server should special-case "localhost" to be a loopback (NULL, 0) bind
3. The client should send the empty string for wildcard binds
4. The client should send "localhost" for loopback binds

Some interoperability considerations of this approach:

a. For OpenSSH old client, OpenSSH new server

The client always sends "", so this will break IPv6 for 
the gateway_ports case.

b. For OpenSSH new client, OpenSSH old server

The server doesn't care what is sent, so this will work (as far as it works now,

c. For other client, OpenSSH new server

OpenSSH sshd will do what the client tells it to :) Potential problems as per
"a" above.

d. For OpenSSH new client, other server

This is the only case where Darren's concern over the sending of "localhost"
manifests, because OpenSSH hasn't (and won't) interpret the name.

We may break gateway_ports rforwards on other servers if they haven't
special-cased the empty string to mean a wildcard bind. An easy workaround is to
just specify a bind address manually
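
Added example, not part of the bug comment and not OpenSSH code: one way a server could apply points 1 and 2, mapping the requested bind string to getaddrinfo() arguments without ever handing "localhost" to the resolver, then checking which scope the resulting listeners have. The helper names, the sample port 2222, the literal-only handling of other addresses, and the use of AI_PASSIVE for the wildcard case (standard getaddrinfo() behaviour) are assumptions.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>

enum scope { SCOPE_ERROR = -1, SCOPE_WILDCARD, SCOPE_LOOPBACK, SCOPE_OTHER };

/* Hypothetical helper, not OpenSSH code: turn a requested bind string into
 * getaddrinfo() arguments following points 1 and 2 of the proposal. */
static int resolve_listen(const char *req, const char *port, struct addrinfo **res)
{
    struct addrinfo hints;
    const char *node = NULL;          /* NULL node + flags 0 -> loopback */
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;      /* both IPv4 and IPv6 */
    hints.ai_socktype = SOCK_STREAM;
    if (req[0] == '\0') {
        hints.ai_flags = AI_PASSIVE;  /* "" -> wildcard */
    } else if (strcmp(req, "localhost") != 0) {
        node = req;                   /* explicit address such as 0.0.0.0 */
        hints.ai_flags = AI_NUMERICHOST; /* assumption: literals only, no DNS */
    }
    return getaddrinfo(node, port, &hints, res);
}

static enum scope addr_scope(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_INET) {
        in_addr_t a = ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr);
        return a == INADDR_ANY ? SCOPE_WILDCARD
             : (a >> 24) == 127 ? SCOPE_LOOPBACK : SCOPE_OTHER;
    }
    if (sa->sa_family != AF_INET6) return SCOPE_OTHER;
    const struct in6_addr *a6 = &((const struct sockaddr_in6 *)sa)->sin6_addr;
    return IN6_IS_ADDR_UNSPECIFIED(a6) ? SCOPE_WILDCARD
         : IN6_IS_ADDR_LOOPBACK(a6) ? SCOPE_LOOPBACK : SCOPE_OTHER;
}

/* Scope shared by all addresses the listener would bind (sample port). */
enum scope listen_scope(const char *req)
{
    struct addrinfo *res, *ai;
    if (resolve_listen(req, "2222", &res) != 0) return SCOPE_ERROR;
    enum scope s = addr_scope(res->ai_addr);
    for (ai = res->ai_next; ai != NULL && s != SCOPE_ERROR; ai = ai->ai_next)
        if (addr_scope(ai->ai_addr) != s) s = SCOPE_ERROR;
    freeaddrinfo(res);
    return s;
}
```

An IPv4-only wildcard or loopback listener stays expressible by sending the literal address, which is the case the special-casing question in the comment is about.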
