[Bug 2038] permitopen functionality but for remote forwards

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue May 12 02:20:37 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2038

--- Comment #8 from Martin Häcker <spamfaenger at gmx.de> ---
I would like to add that we identified a possible security risk by not
being able to restrict the remote port forwarding.

Our use case is that we want to give one customer the ability to safely
(via ssh tunnel) access a service that is only accessible locally on a
machine, but noticed that if we allow him to locally (-L) forward a
port, he can also use ssh to bind to any other port via -R.

The problem with this is that ssh by default is perfectly happy to bind
to IPv6 addresses, even for ports where the IPv4 address is already
bound (8080 for some web server for example).

Now other more modern tools (e.g. apache) could try to connect to the
newly opened IPv6 port instead of the original service, if they are
configured to use symbolic names like 'localhost'.

I don't think this is a big risk, but certainly very unexpected for us.

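As an added example (not code from the bug thread or from the OpenSSH project), here is an sshd_config fragment that restricts a single tunnel-only user to the use case the comment describes: local (-L) forwards to one internal service, with remote (-R) listeners refused. The user name "customer" and the port 8443 are constructed placeholders. AllowTcpForwarding, PermitOpen and Match are long-standing sshd_config keywords; PermitListen is the option later added for this bug in OpenSSH 7.8, so the last line assumes a server at least that new.

```sshd_config
# Added example, not part of the original bug comment. The user name
# "customer" and the service port 8443 are constructed placeholders.

# Server-wide default: any authenticated user may request both -L and -R
# forwards. This is the posture the comment describes, where permitting
# -L also permits binding arbitrary server ports via -R.
AllowTcpForwarding yes

Match User customer
    # "local" allows -L (listeners on the client side) but refuses every
    # -R request, so this session cannot open a listener on the server,
    # on IPv4 or IPv6.
    AllowTcpForwarding local

    # The only destination the server will connect to on the user's
    # behalf: the service that is reachable only on the loopback interface.
    PermitOpen 127.0.0.1:8443

    # Defence in depth (OpenSSH 7.8 or later): even if remote forwarding
    # were re-enabled for this user, no -R listener may be bound.
    PermitListen none
```

To confirm the settings that sshd would actually apply to that user, dump the effective configuration for a matching connection with `sshd -T -C user=customer` and check the AllowTcpForwarding, PermitOpen and PermitListen lines in the output; on a server older than 7.8 the PermitListen line must be dropped and the `AllowTcpForwarding local` line alone carries the restriction.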