[Bug 495] New: local port forwards start before authentication is complete (password auth)
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Tue Feb 18 08:00:45 EST 2003
http://bugzilla.mindrot.org/show_bug.cgi?id=495
Summary: local port forwards start before authentication is
complete (password auth)
Product: Portable OpenSSH
Version: 3.5p1
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: security
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: rhaig at hackboy.com
when doing a local port forward (ssh www.foo.com -L8080:localhost:80) the
forward becomes active before the authentication is complete.
repeat by running the above command to your server that is running ssh and a web
server, before entering the password (but after the password prompt appears),
open the local end of the port forward, and observe it's operability (if it's a
web server, "GET /"). This is without any keys in place or the password being
entered.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the openssh-unix-dev
mailing list