[PATCH] Make "-L" local ports bind to "" in openssh-2.9p1

Chris Adams cmadams at hiwaay.net
Fri Jun 8 00:35:48 EST 2001

Once upon a time, David Terrell <dbt at meat.net> said:
> On Sat, Jun 09, 2001 at 07:48:06PM -0400, Albert John FitzPatrick III wrote:
> > +	 * Oh yeah?  Setting hostname to NULL and hints.ai_flags to
> > +	 * AI_PASSIVE on Red Hat Linux release 6.0 (Hedwig) with
> > +	 * Linux kernel 2.2.14 does no such thing.  On that system
> > +	 * "::" and "" (and maybe one other value which slips
> > +	 * my memory) are returned.  Setting hostname to ""
> > +	 * does the trick, at least for IPv4 uses; I don't know what
> > +	 * it does for IPv6.  Without this hack, local ("-L") tunnel
> > +	 * end-points (which are supposed to be private unless "-g"
> > +	 * or "-o 'GatewayPorts yes'" is specified when "ssh" is
> > +	 * started) are [ab]usable by any host which has a route
> > +	 * to/from the this host.
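Review bot: the added comment, from "Oh yeah?" onward, argues with the comment above it instead of documenting the workaround, and it leaves two things open: "maybe one other value which slips my memory" and "I don't know what it does for IPv6". Suggest rewording it to state which node and ai_flags values are passed to getaddrinfo() when "-g" / GatewayPorts is not set and which address is expected back, confirming the IPv6 result before this goes in (or limiting the workaround to IPv4), and fixing the typo "to/from the this host".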
> Perhaps you should point your operating system vendor (or whomever they
> get their libc from) at RFC 2553:
>    If the AI_PASSIVE bit is not set in the ai_flags member of the hints
>    structure, then the returned socket address structure will be ready
>    for a call to connect() (for a connection-oriented protocol) or
>    either connect(), sendto(), or sendmsg() (for a connectionless
>    protocol).  In this case, if the nodename argument is a NULL pointer,
>    then the IP address portion of the socket address structure will be
>    set to the loopback address.

What you quoted is the opposite case of what the original patch changes.
The patch changes behaviour if AI_PASSIVE _is_ set.  According to the
man page for getaddrinfo, if AI_PASSIVE is set and the node is NULL,
"the network address in each socket structure will be left unspecified."

The quoted comment is also misleading, as it is in response to the
following comment that you snipped:

         * getaddrinfo returns a loopback address if the hostname is
         * set to NULL and hints.ai_flags is not AI_PASSIVE

So the "does no such thing" part of the comment is incorrect because it
is describing a different case.

Looking at the patch, if it changes anything, then something is broken
on the original poster's computer.  The original code sets AI_PASSIVE
only if gateway_ports is set, and then calls getaddrinfo with the node
NULL.  The new code changes the getaddrinfo to only get NULL when
gateway_ports is set (and AI_PASSIVE is set).

I just tested local port forwarding with Red Hat 7.1 and the OpenSSH
RPMs from ftp.OpenBSD.org, and I do NOT see any problem (when I use -L,
the port forwardings only work for localhost unless I also use "-o
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
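The two getaddrinfo() cases the message distinguishes (node NULL with and without AI_PASSIVE) can be checked directly on a given libc. The following is an added example, not code from this thread or from OpenSSH; the helper names and the port "2222" are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L /* expose getaddrinfo() under strict -std= modes */
#endif
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper: resolve node == NULL for IPv4/TCP with the given
 * ai_flags and store the first address (host byte order) in *addr.
 * Returns 0 or a getaddrinfo() error code. Port "2222" is a constructed value. */
static int null_node_ipv4(int ai_flags, uint32_t *addr)
{
    struct addrinfo hints, *res = NULL;
    int rc;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = ai_flags | AI_NUMERICSERV; /* numeric port, no services lookup */
    rc = getaddrinfo(NULL, "2222", &hints, &res);
    if (rc != 0)
        return rc;
    if (res->ai_family != AF_INET) {
        freeaddrinfo(res);
        return EAI_FAMILY;
    }
    *addr = ntohl(((struct sockaddr_in *)res->ai_addr)->sin_addr.s_addr);
    freeaddrinfo(res);
    return 0;
}

/* 1 = a listener bound to this result accepts local connections only,
 * 0 = it would listen on another address (e.g. every interface),
 * -1 = the lookup failed. */
static int listener_is_loopback_only(int ai_flags)
{
    uint32_t a;
    if (null_node_ipv4(ai_flags, &a) != 0)
        return -1;
    return a == INADDR_LOOPBACK;
}

int main(void)
{
    printf("AI_PASSIVE set:   loopback-only=%d\n", listener_is_loopback_only(AI_PASSIVE));
    printf("AI_PASSIVE unset: loopback-only=%d\n", listener_is_loopback_only(0));
    return 0;
}
```

A resolver that follows the RFC 2553 text and the man page quoted above reports 0 for the first line and 1 for the second.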
