[Bug 2147] New: OpenSSH remote forwarding of dynamic ports doesn't work when you create more than one

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sun Sep 1 03:06:21 EST 2013 

https://bugzilla.mindrot.org/show_bug.cgi?id=2147

            Bug ID: 2147
           Summary: OpenSSH remote forwarding of dynamic ports doesn't
                    work when you create more than one
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: ronf at timeheart.net

Created attachment 2330
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2330&action=edit
Patch for remote forwarding of dynamic ports

I recently ran across a problem with remote port forwarding in OpenSSH
when trying to use dynamic ports. While it is possible to use OpenSSH
to request a dynamic port and the OpenSSH sshd handles it just fine,
the OpenSSH client gets confused when multiple ports are opened this
way, due to the information passed in the "forwarded-tcpip"
SSH_MSG_CHANNEL_OPEN message which is sent back to the client when
connections are opened. To illustrate this problem, I tried the
following with OpenSSH 6.2p1:

ssh -v -R 0:localhost:80 -R 0:localhost:81 localhost

In the debug output, I saw the lines:

debug1: remote forward success for: listen 0, connect localhost:80
Allocated port 60013 for remote forward to localhost:80
debug1: Updating allowed port 60013 for forwarding to host localhost
port 80
debug1: remote forward success for: listen 0, connect localhost:81
Allocated port 60014 for remote forward to localhost:81
debug1: Updating allowed port 60014 for forwarding to host localhost
port 81

So far, so good!

Connecting to port 60013 worked fine, causing the client to connect to
localhost:80 as requested, with the following debug output:

debug1: client_input_channel_open: ctype forwarded-tcpip rchan 5 win
2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 0,
originator ::1 port 60153
debug1: connect_next: host localhost ([::1]:80) in progress, fd=9
debug1: channel 1: new [::1]
debug1: confirm forwarded-tcpip
debug1: channel 1: connected to localhost port 80

However, connecting to port 60014 did not work as expected. In that
case, I saw:

debug1: client_input_channel_open: ctype forwarded-tcpip rchan 5 win
2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 0,
originator ::1 port 60182
debug1: connect_next: host localhost ([::1]:80) in progress, fd=9
debug1: channel 1: new [::1]
debug1: confirm forwarded-tcpip
debug1: channel 1: connected to localhost port 80

Note that even though this was to the second listening port I set up,
the connection was locally forwarded to port 80. The reason is that the
SSH_MSG_CHANNEL_OPEN of type "forwarded-tcpip" from sshd reported the
destination host & port as "localhost" port 0 for both the 60013 and
60014 connections, instead of reporting the actual listening port. The
client seems to expect the 0 value here and does the right thing when
you only have one dynamic listening port, but this breaks in the case
where there are multiple, since there's nothing in the
SSH_MSG_CHANNEL_OPEN which distinguishes between the two dynamic
listeners. RFC 4254 is not completely clear on what is expected in the
message. It says:

  When a connection comes to a port for which remote forwarding has
  been requested, a channel is opened to forward the port to the other
  side.

     byte      SSH_MSG_CHANNEL_OPEN
     string    "forwarded-tcpip"
     uint32    sender channel
     uint32    initial window size
     uint32    maximum packet size
     string    address that was connected
     uint32    port that was connected
     string    originator IP address
     uint32    originator port

I was expecting "port that was connected" in this message to be the
dynamically allocated port so that it would always be a unique value,
but this is not the case (at least with OpenSSH's sshd). Instead, it
always seems to be the "port number to bind" value passed in the
original SSH_MSG_GLOBAL_REQUEST "tcpip-forward" message (which is 0
since we're asking for a dynamic port).

I did an experiment and was pleasantly surprised to find that the
OpenSSH client does work correctly when the real port number is
returned by the server. So, it won't break existing clients out there
if this is fixed. Both the "address that was connected" and the "port
that was connected" can be the real address and port rather than the
values passed in the original SSH_MSG_GLOBAL_REQUEST and everything
works fine.

I have attached a patch which can be applied to OpenSSH 6.2p2 which
fixes this problem. I would appreciate it if you would consider
including it in a future release.

One minor ugliness here is that I had to use "get_sock_port()" instead
of get_local_port(), as get_local_port() doesn't take a socket as an
argument the way get_local_ipaddr() does and there's no equivalent
function under another name. Cleaning this up would impact other files,
though, and I wanted to keep the diff as clean as possible.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list