BUG: opens all interfaces.

jbug at ednixon.com
Thu May 4 05:41:35 EST 2006


Summary: the newish fourth forwarding argument does not correctly
specify the interface on the remote machine for a tunnel in -R

On OpenSSH_4.3p2 OpenSSL 0.9.7g 11 Apr 2005,
on  Kanotix 2.9 kernel 2.6.16.2
and Cygwin 1.5.19(0.150/4/2)
and (old) FreeBSD 4.6-RELEASE
   

sshd_config file:
AllowTcpForwarding yes
GatewayPorts yes

Set up a forwarding tunnel:
 From a Kanotix box inside my firewall:
ssh me at public.com -R public.com:3120:localhost:22

 From other.com
ssh -o 'UserKnownHostsFile /home/me/.ssh/alt1' -p 3120 gus at public.com

note that "gus" is a user on my Kanotix box.  The host key does not come
from public.com, so I have to specify an alternate knownhosts file.

sshd or ssh is still broken, you can't specify other than localhost
or everyone in the universe for the receiving address; the -R public.com
works as what's documented to be '*', all interfaces on the machine.

(lsof)
sshd      73447   root    4u  IPv4 0xd5b3c280        0t0      TCP *:rsh-spx (LISTEN)

and connecting from other.com
ssh -o 'UserKnownHostsFile /home/me/.ssh/alt1' -p 3120 gus at public-second-ip.com
succeeds, where only public.com was specified in the initial tunnel, and
not the documented '*'.

General comment:  The histrionics about "consult all documentation before
reporting a bug" could be remedied by accepting a mid-grade level of
volunteers who preen through bug reports for the ones that are truly
new and valid. They can request reporters to do further tests, and so on,
before actually contacting the first line developers.  More bugs will
get reported more quickly, even if with a bit of redundancy, if you
remove the emotional insularity toward reporting; while the first-line
developers don't get overloaded, by using intermediaries.

BTW, building this on FreeBSD 4.6-RELEASE resulted in several
complaints of the form:
(though, it built, and appears to work.)

checking net/if_tap.h usability... no
checking net/if_tap.h presence... yes
configure: WARNING: net/if_tap.h: present but cannot be compiled
configure: WARNING: net/if_tap.h:     check for missing prerequisite headers?
configure: WARNING: net/if_tap.h: see the Autoconf documentation
configure: WARNING: net/if_tap.h:     section "Present But Cannot Be Compiled"
configure: WARNING: net/if_tap.h: proceeding with the preprocessor's result
configure: WARNING: net/if_tap.h: in the future, the compiler will take precedence
configure: WARNING:     ## ------------------------------------------- ##
configure: WARNING:     ## Report this to openssh-unix-dev at mindrot.org ##
configure: WARNING:     ## ------------------------------------------- ##
checking for net/if_tap.h... yes


checking login_cap.h usability... no
checking login_cap.h presence... yes
configure: WARNING: login_cap.h: present but cannot be compiled
configure: WARNING: login_cap.h:     check for missing prerequisite headers?
configure: WARNING: login_cap.h: see the Autoconf documentation
configure: WARNING: login_cap.h:     section "Present But Cannot Be Compiled"
configure: WARNING: login_cap.h: proceeding with the preprocessor's result
configure: WARNING: login_cap.h: in the future, the compiler will take precedence
configure: WARNING:     ## ------------------------------------------- ##
configure: WARNING:     ## Report this to openssh-unix-dev at mindrot.org ##
configure: WARNING:     ## ------------------------------------------- ##
checking for login_cap.h... yes



checking sys/mman.h usability... no
checking sys/mman.h presence... yes
configure: WARNING: sys/mman.h: present but cannot be compiled
configure: WARNING: sys/mman.h:     check for missing prerequisite headers?
configure: WARNING: sys/mman.h: see the Autoconf documentation
configure: WARNING: sys/mman.h:     section "Present But Cannot Be Compiled"
configure: WARNING: sys/mman.h: proceeding with the preprocessor's result
configure: WARNING: sys/mman.h: in the future, the compiler will take precedence
configure: WARNING:     ## ------------------------------------------- ##
configure: WARNING:     ## Report this to openssh-unix-dev at mindrot.org ##
configure: WARNING:     ## ------------------------------------------- ##
checking for sys/mman.h... yes


checking sys/select.h usability... no
checking sys/select.h presence... yes
configure: WARNING: sys/select.h: present but cannot be compiled
configure: WARNING: sys/select.h:     check for missing prerequisite headers?
configure: WARNING: sys/select.h: see the Autoconf documentation
configure: WARNING: sys/select.h:     section "Present But Cannot Be Compiled"
configure: WARNING: sys/select.h: proceeding with the preprocessor's result
configure: WARNING: sys/select.h: in the future, the compiler will take precedence
configure: WARNING:     ## ------------------------------------------- ##
configure: WARNING:     ## Report this to openssh-unix-dev at mindrot.org ##
configure: WARNING:     ## ------------------------------------------- ##
checking for sys/select.h... yes
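
For reference, sshd_config(5) documents `GatewayPorts yes` as forcing remote forwardings to bind to the wildcard address, and `GatewayPorts clientspecified` as letting the client's -R bind address take effect. The shell example below is added here and is not part of the original post; the sample config and lsof lines are constructed, and 22 as sshd's own port is an assumption. It reads the global GatewayPorts value and lists forwarded sshd listeners that are bound to every interface.

```shell
#!/bin/sh
# Added example, not from the original report. All sample data is constructed.
SAMPLE_CONFIG='AllowTcpForwarding yes
GatewayPorts yes'
SAMPLE_LSOF='sshd 5001 root 4u IPv4 0x01 0t0 TCP *:3120 (LISTEN)
sshd 5001 root 5u IPv4 0x02 0t0 TCP 127.0.0.1:3121 (LISTEN)
sshd 412 root 3u IPv4 0x03 0t0 TCP *:22 (LISTEN)'

# Print the global GatewayPorts value from sshd_config text on stdin.
# The first occurrence wins and the default is "no". Match blocks are
# not evaluated: parsing stops at the first Match line.
gateway_ports() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }'
}

# Print the ports of sshd listeners bound to every interface, reading
# `lsof -n -P` style lines on stdin. $1 is sshd's own service port
# (assumed 22), which is expected to be public and is skipped.
wildcard_forwards() {
    awk -v own="${1:-22}" '
        $1 == "sshd" && $NF == "(LISTEN)" {
            name = $(NF - 1)                 # e.g. *:3120 or 127.0.0.1:3121
            n = split(name, part, ":")
            addr = substr(name, 1, length(name) - length(part[n]) - 1)
            if ((addr == "*" || addr == "0.0.0.0" || addr == "[::]") && part[n] != own)
                print part[n]
        }'
}

# $1: sshd_config text, $2: lsof output. Prints a one-line finding.
audit() {
    mode=$(printf '%s\n' "$1" | gateway_ports)
    ports=$(printf '%s\n' "$2" | wildcard_forwards 22 | paste -s -d ' ' -)
    case "$mode" in
        yes) printf '%s\n' "GatewayPorts yes: -R bind address is ignored; wildcard listeners: $ports" ;;
        clientspecified) printf '%s\n' "GatewayPorts clientspecified: client picks the address; wildcard listeners: $ports" ;;
        *) printf '%s\n' "GatewayPorts no: forwards stay on loopback; wildcard listeners: $ports" ;;
    esac
}

audit "$SAMPLE_CONFIG" "$SAMPLE_LSOF"
```

On a live host, feed `wildcard_forwards` the output of `lsof -n -P -i TCP -s TCP:LISTEN` so that ports appear as numbers rather than service names.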




