[Bug 3812] New: channel_setup_fwd_listener_tcpip reports success when some binds fail

bugzilla-daemon at mindrot.org
Tue Apr 15 15:03:16 AEST 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3812

            Bug ID: 3812
           Summary: channel_setup_fwd_listener_tcpip reports success when
                    some binds fail
           Product: Portable OpenSSH
           Version: 10.0p1
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: wiebe at halfgaar.net

TL;DR version: Expected behavior is that 'ExitOnForwardFailure=yes'
makes it exit when ANY bind+listen fails.

Longer version:

At least error-level wise, the logic at [0] assumes that when listening
on 'localhost', it's OK if the IPv6 one fails, as long as the IPv4 one
works. Assuming the IPv6 one is the first address in the list.

It seems to be an arbitrary distinction to report error when IPv4
fails, and a notice when IPv6 fails.

Additionally, a problem is that success will be set at [1] if ANY
binds+listens work. In combination with 'ExitOnForwardFailure=yes',
this gives very unpredictable results. You will get an error that the
bind failed, yet it won't exit.

I have servers that run a lot of SSH tunnels, rapidly being created and
disconnected, with clients doing '-R 0:localhost:xxx', and SSH runs
into itself all the time. The availability of the dynamically allocated
port starts to race between IPv4 and IPv6, and often one of them fails.
Many tunnels actually fail, but it's not reported.

Our need is that we need to connect to 127.0.0.1 on the hosts, but
often times that won't work if only the IPv6 listener is created.
Additionally, because the IPv6 socket is created with IPV6_V6ONLY, it
won't be able to accept connections from IPv4.

Expected behavior is that 'ExitOnForwardFailure=yes' makes it exit when
ANY bind+listen fails.


[0]
https://github.com/openssh/openssh-portable/blob/8725dbc5b5fcc3e326fc71189ef8dba4333362cc/channels.c#L3896
[1]
https://github.com/openssh/openssh-portable/blob/8725dbc5b5fcc3e326fc71189ef8dba4333362cc/channels.c#L3942

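The two success rules contrasted in the report can be compared with plain sockets. The following C program is an added example, not OpenSSH code and not part of the original report: it occupies a port on 127.0.0.1 (a constructed stand-in for the race described), probes bind+listen on every address `localhost` resolves to, and evaluates the outcome under an any-listener rule and an all-listeners rule. The names `fwd_result`, `listen_all`, `any_ok`, `all_ok` and `demo_race` are hypothetical.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added illustration, not OpenSSH code; every name below is hypothetical. */
struct fwd_result { int bound, failed; };

/* Probe bind+listen on each address "localhost" resolves to; count outcomes. */
static struct fwd_result listen_all(const char *port) {
    struct fwd_result r = {0, 0};
    struct addrinfo hints = { .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM }, *ai, *res = NULL;
    int fd, ok, on = 1;
    if (getaddrinfo("localhost", port, &hints, &res) != 0) { r.failed = 1; return r; }
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd != -1 && ai->ai_family == AF_INET6) /* v6-only: cannot serve 127.0.0.1 */
            setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
        ok = fd != -1 && bind(fd, ai->ai_addr, ai->ai_addrlen) == 0 && listen(fd, 8) == 0;
        r.bound += ok; r.failed += !ok;
        if (fd != -1) close(fd); /* probe only: nothing stays listening */
    }
    freeaddrinfo(res);
    return r;
}

static int any_ok(struct fwd_result r) { return r.bound > 0; }                  /* rule the report describes */
static int all_ok(struct fwd_result r) { return r.bound > 0 && r.failed == 0; } /* rule the report expects */

/* Constructed race: another socket already holds the port on 127.0.0.1 only. */
static struct fwd_result demo_race(void) {
    struct fwd_result r = {0, 1}; /* if the holder cannot be set up, count that as a failure */
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof(sin);
    char port[8];
    int holder = socket(AF_INET, SOCK_STREAM, 0);
    if (holder != -1 && bind(holder, (struct sockaddr *)&sin, sizeof(sin)) == 0 &&
        getsockname(holder, (struct sockaddr *)&sin, &len) == 0) {
        snprintf(port, sizeof(port), "%u", (unsigned)ntohs(sin.sin_port));
        r = listen_all(port);
    }
    if (holder != -1) close(holder);
    return r;
}

int main(void) {
    struct fwd_result r = demo_race();
    printf("bound=%d failed=%d any_ok=%d all_ok=%d\n", r.bound, r.failed, any_ok(r), all_ok(r));
    return 0;
}
```

Where the IPv6 loopback is available, the `::1` probe binds while the `127.0.0.1` probe fails, so the any-listener rule reports success even though nothing could listen on 127.0.0.1.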