tcpip-forward with port 0 and 'want reply'

William Ahern william at
Thu Apr 20 04:59:48 EST 2006

RFC 4254 says, in regards to the "tcpip-forward" request message:

	Section 7.1


	If a client passes 0 as port number to bind and has 'want reply' as
	TRUE, then the server allocates the next available unprivileged port
	number and replies with the following message; otherwise, there is
	no response-specific data.
	uint32	port that was bound on the server

However, it doesn't seem like OpenSSH supports this. If you request a port
of zero, the code never 1) returns or 2) listens for the allocated port,
even though 'want reply' is _always_ TRUE.

So I'm left wondering, what happens if you request multiple forwardings w/
port 0 with different hostnames? Seems like there's a silent collision; not
sure if it blows up.

I'm no longer surprised nobody has added domain socket support yet. FWIW,
the route I've taken so far is replacing all the host/port pairs with a
SocketName structure, and adding the streamlocal-forward at and
forward-streamlocal at messages.

In the process I've run into trouble w/ ForwardPermissions. I suspect
there's a bug in the SSH 2.0 support since it doesn't keep track of
listening hostnames, only the port. Again, there's a silent collision and
either the permissions are too strict or too loose.

- Bill

More information about the openssh-unix-dev mailing list
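The exchange RFC 4254 section 7.1 describes, as an added example that is not part of the original post and is not OpenSSH code: a client-side encoder for the "tcpip-forward" global request and a server-side handler that binds port 0, records the listener under (address, allocated port), and returns the bound port in the reply. The `ForwardTable` class and all function names are hypothetical; letting the kernel pick the port stands in for "the next available unprivileged port".

```python
import socket
import struct

SSH_MSG_GLOBAL_REQUEST = 80    # message numbers from RFC 4254
SSH_MSG_REQUEST_SUCCESS = 81
SSH_MSG_REQUEST_FAILURE = 82

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def build_tcpip_forward(addr: str, port: int, want_reply: bool = True) -> bytes:
    """Client side: encode the "tcpip-forward" global request."""
    return (bytes([SSH_MSG_GLOBAL_REQUEST]) + ssh_string(b"tcpip-forward")
            + bytes([want_reply]) + ssh_string(addr.encode()) + struct.pack(">I", port))

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

class ForwardTable:
    """Hypothetical server-side listener table, keyed by (address, port)."""
    def __init__(self):
        self.listeners = {}

    def handle(self, pkt: bytes) -> bytes:
        if pkt[:1] != bytes([SSH_MSG_GLOBAL_REQUEST]):
            raise ValueError("not a global request")
        name, off = read_string(pkt, 1)
        want_reply = pkt[off] != 0
        if name != b"tcpip-forward":
            return bytes([SSH_MSG_REQUEST_FAILURE]) if want_reply else b""
        addr, off = read_string(pkt, off + 1)
        (port,) = struct.unpack_from(">I", pkt, off)
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind((addr.decode(), port))   # port 0: the kernel picks a free port
            sock.listen()
        except OSError:
            sock.close()
            return bytes([SSH_MSG_REQUEST_FAILURE]) if want_reply else b""
        bound = sock.getsockname()[1]
        self.listeners[(addr.decode(), bound)] = sock   # key on the real port, never 0
        if not want_reply:
            return b""
        reply = bytes([SSH_MSG_REQUEST_SUCCESS])
        # Response-specific data is present only when the client asked for port 0.
        return reply + struct.pack(">I", bound) if port == 0 else reply
```

Keying the table on the allocated port rather than the requested 0 is what keeps two port-0 requests from landing on the same entry.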