OpenSSH Security bug: port forwarding
Peter Berger
peterb at telerama.com
Tue Nov 21 01:59:33 EST 2000
Yes, I had GatewayPorts set to 'no' -- this is clearly not a bug in ssh,
but in the version of Linux I'm using. When I debugged, ssh was binding
to 0.0.0.0.
Oh well. We shouldn't be using Linux as a firewall anyway.
-p
On Mon, 20 Nov 2000, Jarno Huuskonen wrote:
> On Mon, Nov 20, Peter Berger wrote:
> >
> >
> > Hi. OpenSSH 2.3.0p1 exhibits the following behavior on Linux 2.2.5. I
> > believe this is a bug. Can anyone else replicate this?
> >
> > On any given SSH machine (let's call it 'test'), start ssh like
> > this:
> >
> > ./ssh -L2526:mail.blah.com:25 -f mail.blah.com sleep 1000
> >
> > (where mail.blah.com is some machine running sendmail, you have a login
> > account, etc.)
> >
> > In a just world (and this works with f-secure SSH1), you should be able to
> > do this on test:
> >
> > telnet 127.0.0.1 2526
> >
> > and connect to mail.blah.com port 25 over the secure channel. This works.
> >
> > But if I am sitting on -some other machine- and type:
> >
> > telnet test.blah.com 2526
> >
> > the connection should be rejected -unless- I have given ssh the -g option
> > (again, this works 'right' with f-secure ssh1). OpenSSH accepts
> > non-local connections whether or not I give the -g option. This is pretty
> > broken. Put another way: ssh is clearly binding to addresses other than
> > localhost, even without the -g option.
>
> I couldn't reproduce this. For me OpenSSH 2.3.0p1 works correctly.
> You can use lsof -i tcp to check what processes are listening. For me
> I can see
> ssh 29854 jhuuskon 7u IPv4 215895 TCP localhost:5000 (LISTEN)
> when using ssh -L5000:xxx:110 or whatever.
>
> Did you check your/system ssh_config ?
> Does it have GatewayPorts set to yes ?
>
> -Jarno
>
> --
> Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi
> University of Kuopio - Computer Centre | Work: +358 17 162822
> PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169
>
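A script for the check Jarno describes above (confirming that an `ssh -L` forward without `-g` is listening on loopback only), added here as an example and not part of the thread. It assumes `lsof -i tcp` output in the column layout Jarno quoted; the sample lines it runs over are constructed, not captured from either poster's machine.

```shell
#!/bin/sh
# Audit lsof-style "TCP ... (LISTEN)" lines and flag ssh-client forwards
# bound to a wildcard address instead of loopback. The SAMPLE below is
# constructed for this example.

# Host part of an lsof NAME field such as "localhost:5000", "*:2526"
# or "[::]:2526" (everything before the last colon).
listen_host() {
    printf '%s\n' "$1" | sed 's/:[^:]*$//'
}

# Reads lsof -i tcp output on stdin and prints one line per ssh process
# whose LISTEN socket is bound to a wildcard address (*, 0.0.0.0, ::, [::]).
# Returns 1 if at least one such listener was found, 0 otherwise.
check_forward_listeners() {
    found=0
    while read -r line; do
        case "$line" in
            *"(LISTEN)") ;;     # only listening sockets are of interest
            *) continue ;;      # header line and established connections
        esac
        cmd=${line%% *}         # COMMAND is the first column
        # NAME is the field immediately before "(LISTEN)".
        name=$(printf '%s\n' "$line" | awk '{ print $(NF-1) }')
        host=$(listen_host "$name")
        # sshd listening on *:22 is expected; only client forwards matter.
        [ "$cmd" = "ssh" ] || continue
        case "$host" in
            "*"|0.0.0.0|"[::]"|::)
                printf 'non-loopback forward: %s\n' "$line"
                found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample: one forward correctly on loopback (as in Jarno's
# report) and one bound to all interfaces (what Peter observed).
SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh 29854 jhuuskon 7u IPv4 215895 TCP localhost:5000 (LISTEN)
ssh 29901 peterb 7u IPv4 216002 TCP *:2526 (LISTEN)
sshd 412 root 3u IPv4 1832 TCP *:22 (LISTEN)'

if printf '%s\n' "$SAMPLE" | check_forward_listeners; then
    echo "all ssh forwards are bound to loopback"
else
    echo "review the forward(s) listed above (GatewayPorts / -g)"
fi
```

On a live host, replace the SAMPLE pipeline with `lsof -i tcp | check_forward_listeners`.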