Can't get LocalForward to work when using ControlPath

Daniel Kahn Gillmor at
Fri Nov 11 16:39:51 EST 2005

Hello All--

First, thanks for ControlPath/ControlMaster.  It's very handy, and
ControlMaster=autoask is just what i wanted!

I'm having difficulty with a common use case, however.  I want to
LocalForward on secondary connections using an already-established
ControlPath.  From what i can tell, the second ssh connection doesn't
report any errors, but silently ignores the supplied LocalForward

Is this an expected behavior?  from man ssh_config(5), i see that:

     X11 and ssh-agent(1) forwarding is supported over these
     multiplexed connections, however the display and agent fowarded
     will be the one belonging to the master connection i.e. it is not
     possible to forward multiple displays or agents.

But i couldn't find any reference to whether LocalForward (or for that
matter, RemoteForward or DynamicForward) should work or not work with
multiplexed connections.

For my purposes, it would be fine if the master connection opened the
new forwarded port, instead of the secondary connection, as long as
the secondary one could initiate the forwarding.  I'd like for the
secondary to be able to tear it down when it's done too, of course,
but i could do without that for now.

Here's an example of an attempt which appears to fail for me, with a
bit of debugging verbosity thrown in:

("5th" is a host with an IMAP server answering on the loopack address)

[dkg at squeak ~]$ ssh -Nf -MS ~/.ssh/controls/fubar -L 9999:localhost:143 5th true 
[dkg at squeak ~]$ ssh -vvv -Nf -S ~/.ssh/controls/fubar -L 8888:localhost:143 5th true
OpenSSH_4.2p1 Debian-5.dkg0, OpenSSL 0.9.8a 11 Oct 2005
debug1: Reading configuration data /home/dkg/.ssh/config
debug1: Applying options for 5th
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: auto-mux: Trying existing master
debug3: ssh_msg_send: type 1
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 1
debug3: ssh_msg_recv entering
debug2: Received exit status from master 0
debug2: Received EOF from master
[dkg at squeak ~]$ nmap -p 8888,9999 localhost

Starting nmap 3.93 ( ) at 2005-11-11 00:04 EST
Interesting ports on localhost.localdomain (
8888/tcp closed sun-answerbook
9999/tcp open   abyss

Nmap finished: 1 IP address (1 host up) scanned in 0.141 seconds
[dkg at squeak ~]$ 

As you can see, the initial LocalForward (over localhost port 9999)
works just fine, but the second attempted connection (port 8888) never
happens and just mysteriously goes away without complaint.

Any suggestions or insight you have would be appreciated.

As you can see, i'm using a slightly-modified debian openssh 4.2p1-5
(only ./configure flags were changed to include opensc support) on a
debian etch/sid system.  If this works on other platforms or with
other build options, i'd be happy to hear about it.

Thanks again for this great tool,


More information about the openssh-unix-dev mailing list