OpenSSH Security bug: port forwarding
Peter Berger
peterb at telerama.com
Mon Nov 20 23:39:00 EST 2000
Hi. OpenSSH 2.3.0p1 exhibits the following behavior on Linux 2.2.5. I
believe this is a bug. Can anyone else replicate this?

On any given SSH machine (let's call it 'test'), start ssh like
this:

    ./ssh -L2526:mail.blah.com:25 -f mail.blah.com sleep 1000

(where mail.blah.com is some machine running sendmail, you have a login
account, etc.)

In a just world (and this works with f-secure SSH1), you should be able to
do this on test:

    telnet 127.0.0.1 2526

and connect to mail.blah.com port 25 over the secure channel. This works.

But if I am sitting on -some other machine- and type:

    telnet test.blah.com 2526

the connection should be rejected -unless- I have given ssh the -g option
(again, this works 'right' with f-secure ssh1). OpenSSH accepts
non-local connections whether or not I give the -g option. This is pretty
broken. Put another way: ssh is clearly binding to addresses other than
localhost, even without the -g option.

I am looking for feedback to determine:

1) Is this bug repeatable for others on Linux?
2) Is it repeatable on other OS's?
3) Am I simply misunderstanding the use of this feature
completely, and this is not in fact a bug? If so, I'd like an example of
correct use.

I'm not on the list, so carbon copies would be appreciated.

Thanks!

Peter Berger
Network Dilettante
http://peterb.telerama.com
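
The following is an added example, not part of the original post: a Python check that reads a Linux /proc/net/tcp table and reports whether a forwarded port such as 2526 is listening on loopback only or on other addresses as well. The sample table is constructed, the function names are hypothetical, and the decoding assumes a little-endian host and covers IPv4 only (not /proc/net/tcp6).

```python
import ipaddress
import socket
import struct

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# row 0 listens on 0.0.0.0:2526, row 1 on 127.0.0.1:2526, row 2 is an
# established connection and must be ignored.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:09DE 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000 0 1111
   1: 0100007F:09DE 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000 0 2222
   2: 0100007F:09DE 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000 0 3333
"""


def decode_addr(field):
    """Turn '0100007F:09DE' into ('127.0.0.1', 2526).

    Assumption: little-endian host, where the kernel prints the IPv4
    address as a byte-swapped 32-bit hex value.
    """
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def listeners(table_text, port):
    """Return the local addresses with a LISTEN socket on `port`."""
    found = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue
        ip, local_port = decode_addr(cols[1])
        if local_port == port:
            found.append(ip)
    return found


def exposed(table_text, port):
    """Return listeners on `port` reachable from other hosts (not loopback)."""
    return [ip for ip in listeners(table_text, port)
            if not ipaddress.ip_address(ip).is_loopback]


if __name__ == "__main__":
    for ip in listeners(SAMPLE, 2526):
        kind = "EXPOSED" if ip in exposed(SAMPLE, 2526) else "loopback only"
        print(f"{ip}:2526 {kind}")
```

To check a live host, pass the contents of /proc/net/tcp to exposed() in place of SAMPLE; an empty result for the forwarded port means no listener is bound outside loopback.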