OpenSSH Security bug: port forwarding

Peter Berger peterb at telerama.com
Mon Nov 20 23:39:00 EST 2000
Hi.  OpenSSH 2.3.0p1 exhibits the following behavior on Linux 2.2.5.  I
believe this is a bug.  Can anyone else replicate this?

On any given SSH machine (let's call it 'test'), start ssh like
this:

./ssh -L2526:mail.blah.com:25 -f mail.blah.com sleep 1000 

(where mail.blah.com is some machine running sendmail, you have a login
account, etc.)

In a just world (and this works with f-secure SSH1), you should be able to
do this on test:

telnet 127.0.0.1 2526

and connect to mail.blah.com port 25 over the secure channel.  This works.

But if I am sitting on -some other machine- and type:

telnet test.blah.com 2526

the connection should be rejected -unless- I have given ssh the -g option
(again, this works 'right' with f-secure ssh1).   OpenSSH accepts
non-local connections whether or not I give the -g option.  This is pretty
broken.  Put another way:  ssh is clearly binding to addresses other than
localhost, even without the -g option.

I am looking for feedback to determine:
	1) Is this bug repeatable for others on Linux?
	2) Is it repeatable on other OS's?
	3) Am I simply misunderstanding the use of this feature
completely, and this is not in fact a bug?  If so, I'd like an example of
correct use.

I'm not on the list, so carbon copies would be appreciated.

Thanks!

Peter Berger
Network Dilettante
http://peterb.telerama.com
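One way to verify from the listening side what the message above is reporting, as an added example that is not part of the original post: a small POSIX sh audit that reads `ss -ltn`-style listener lines and flags any forward whose local port is bound to something other than a loopback address. The listener lines embedded here are constructed sample data, not output captured from the poster's machine. Current OpenSSH accepts an optional bind address in `-L` (`-L 127.0.0.1:2526:mail.blah.com:25`) and the `GatewayPorts` option, which is the usual way to make the intended binding explicit rather than relying on the default.

```shell
#!/bin/sh
# Audit local forwards: is the listening socket reachable from other hosts?
# Explicit loopback binding (supported by current OpenSSH; the syntax is
# newer than the 2.3.0p1 release discussed in the post):
#   ssh -L 127.0.0.1:2526:mail.blah.com:25 -f mail.blah.com sleep 1000

# Constructed sample of `ss -H -ltn` output (assumed format: state, recv-q,
# send-q, local address:port, peer address:port). Port 2526 is bound to the
# wildcard address, port 2527 to loopback only.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:2526 0.0.0.0:*
LISTEN 0 128 127.0.0.1:2527 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# exposed_forwards PORT  (reads listener lines on stdin)
# Prints every non-loopback local address on which PORT listens.
# Returns 1 if any such binding was found, 0 otherwise.
exposed_forwards() {
    port="$1"
    found=0
    while read -r state recvq sendq laddr peer; do
        [ "$state" = "LISTEN" ] || continue
        addr="${laddr%:*}"      # strip the ":port" suffix (v4 and [v6] alike)
        lport="${laddr##*:}"
        [ "$lport" = "$port" ] || continue
        case "$addr" in
            127.*|'[::1]'|'::1') ;;     # loopback: only this host can connect
            *) echo "port $port is bound to $addr (reachable from other hosts)"
               found=1 ;;
        esac
    done
    return $found
}

# check_sample PORT: run the audit against the constructed sample above.
# On a live system replace the sample with:  ss -H -ltn | exposed_forwards PORT
check_sample() {
    printf '%s\n' "$SAMPLE_LISTENERS" | exposed_forwards "$1"
}

check_sample 2526
check_sample 2527
```

With real data, pipe `ss -H -ltn` (or `netstat -ltn` output trimmed to the same columns) into `exposed_forwards` for each port passed to `-L`; a wildcard address (`0.0.0.0`, `[::]` or `*`) on that port is what the message describes, and an entry on `127.0.0.1` is the expected result without `-g`.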