OpenSSH Security bug: port forwarding
Damien Miller
djm at mindrot.org
Tue Nov 21 14:30:25 EST 2000
On Mon, 20 Nov 2000, Peter Berger wrote:
>
>
> Hi. OpenSSH 2.3.0p1 exhibits the following behavior on Linux 2.2.5. I
> believe this is a bug. Can anyone else replicate this?
>
> On any given SSH machine (let's call it 'test'), start ssh like
> this:
>
> ./ssh -L2526:mail.blah.com:25 -f mail.blah.com sleep 1000
>
> (where mail.blah.com is some machine running sendmail, you have a login
> account, etc.)
>
> In a just world (and this works with f-secure SSH1), you should be able to
> do this on test:
>
> telnet 127.0.0.1 2526
>
> and connect to mail.blah.com port 25 over the secure channel. This works.
>
> But if I am sitting on -some other machine- and type:
>
> telnet test.blah.com 2526
>
> the connection should be rejected -unless- I have given ssh the -g option
> (again, this works 'right' with f-secure ssh1). OpenSSH accepts
> non-local connections whether or not I give the -g option. This is pretty
> broken. Put another way: ssh is clearly binding to addresses other than
> localhost, even without the -g option.
>
> I am looking for feedback to determine:
> 1) Is this bug repeatable for others on Linux?

I am unable to repeat this problem on Linux with the current snapshot, nor
on OpenSSH-2.1 as shipped with OpenBSD 2.7.

Do you have a 'GatewayPorts yes' in your ssh_config or ~/.ssh/config?

Regards,
Damien Miller
--
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the | <djm at mindrot.org>
| works of Shakespeare. Now, thanks to the Internet, /
| we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org
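
The question in this thread is whether a `-L` listener is bound only to loopback or also to addresses other hosts can reach. The following is an added example, not part of the original messages or of OpenSSH: it filters `ss -Hltnp` output (Linux iproute2 is assumed) for listeners owned by the `ssh` client on a non-loopback address. The function name `exposed_forwards` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list ssh client listeners (for instance from -L) that are
# bound to a non-loopback address and so accept connections from other hosts.

# Constructed sample of `ss -Hltnp` output, not captured from a real host.
SAMPLE='LISTEN 0 128 127.0.0.1:2526 0.0.0.0:* users:(("ssh",pid=4242,fd=5))
LISTEN 0 128 [::1]:2526 [::]:* users:(("ssh",pid=4242,fd=4))
LISTEN 0 128 0.0.0.0:2527 0.0.0.0:* users:(("ssh",pid=4300,fd=4))
LISTEN 0 128 *:2528 *:* users:(("ssh",pid=4301,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("sendmail",pid=950,fd=4))'

# Reads `ss -Hltnp` lines on stdin; prints "port address pid" for each
# listening socket owned by the ssh client that is not bound to loopback.
# Sockets of other users carry no process column unless ss runs as root,
# so run it as the user who started the forward, or as root.
exposed_forwards() {
    awk '
    $1 == "LISTEN" && $6 ~ /"ssh",/ {      # "ssh", does not match "sshd",
        addr = $4
        port = addr
        sub(/.*:/, "", port)               # text after the last colon
        sub(/:[^:]*$/, "", addr)           # text before the last colon
        sub(/%.*/, "", addr)               # drop interface scope (%lo)
        sub(/^\[/, "", addr)               # drop IPv6 brackets
        sub(/\]$/, "", addr)
        if (addr ~ /^127\./ || addr == "::1") next
        pid = $6
        sub(/.*pid=/, "", pid)
        sub(/,.*/, "", pid)
        print port, addr, pid
    }'
}

# Live use on a host: ss -Hltnp | exposed_forwards
printf '%s\n' "$SAMPLE" | exposed_forwards
```

An empty result means every ssh forward on the host is loopback-only; a wildcard address in the output points to `-g` or `GatewayPorts yes` being in effect for that ssh process.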