BUG: opens all interfaces.

Damien Miller djm at mindrot.org
Thu May 4 08:21:46 EST 2006

On Wed, 3 May 2006, jbug at ednixon.com wrote:

> Summary: the newish fourth forwarding argument does not correctly
> specify the interface on the remote machine for a tunnel in -R
> On OpenSSH_4.3p2 OpenSSL 0.9.7g 11 Apr 2005,
> on Kanotix 2.9 kernel
> and Cygwin 1.5.19(0.150/4/2)
> and (old) FreeBSD 4.6-RELEASE
> sshd_config file:
> AllowTcpForwarding yes
> GatewayPorts yes

This is wrong. From the manual:

> GatewayPorts
>     Specifies whether remote hosts are allowed to connect to ports
>     forwarded for the client.  By default, sshd(8) binds remote port
>     forwardings to the loopback address.  This prevents other remote
>     hosts from connecting to forwarded ports.  GatewayPorts can be
>     used to specify that sshd should allow remote port forwardings to
>     bind to non-loopback addresses, thus allowing other hosts to
>     connect.  The argument may be ``no'' to force remote port
>     forwardings to be available to the local host only, ``yes'' to force
>     remote port forwardings to bind to the wildcard address, or
>     ``clientspecified'' to allow the client to select the address to
>     which the forwarding is bound.  The default is ``no''.

So you should set:

GatewayPorts clientspecified

in sshd_config.

> General comment: The histrionics about "consult all documentation
> before reporting a bug" could be remedied by accepting a mid-grade
> level of volunteers who preen through bug reports for the ones
> that are truly new and valid.

I think you have just proved why those "histrionics" are necessary.



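To make the difference between the two settings concrete, here is an added Python example (not part of this thread or of OpenSSH) that models where sshd will bind a -R forward from the effective GatewayPorts value and the client's requested bind address, following the sshd_config(5) text quoted above. It assumes a simplified sshd_config parser (no Match blocks) and that the client requests "localhost" when no bind address is given on the -R argument.

```python
import re

LOOPBACK = "localhost"   # sshd binds only the loopback address
WILDCARD = "*"           # sshd binds all interfaces

def effective_gateway_ports(config_text):
    """Effective GatewayPorts value from sshd_config text (default 'no').
    Simplified parser (assumption): '#' starts a comment, keywords are
    case-insensitive, the first occurrence wins as in sshd, no Match blocks."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "gatewayports" and len(parts) == 2:
            value = parts[1].strip().lower()
            if value not in ("no", "yes", "clientspecified"):
                raise ValueError("bad GatewayPorts value: %r" % value)
            return value
    return "no"

def requested_bind_address(spec):
    """Address and port the ssh client asks sshd to bind for a -R spec
    [bind_address:]port:host:hostport. With no bind_address the client
    requests 'localhost'; '' and '*' mean all interfaces."""
    fields = spec.split(":")
    if len(fields) == 3:
        return LOOPBACK, int(fields[0])
    if len(fields) == 4:
        return fields[0], int(fields[1])
    raise ValueError("unsupported -R spec: %r" % spec)

def sshd_bind_address(config_text, spec):
    """(address, port) sshd will actually listen on for the -R forward,
    following the GatewayPorts semantics quoted from sshd_config(5)."""
    requested, port = requested_bind_address(spec)
    mode = effective_gateway_ports(config_text)
    if mode == "no":       # loopback only, whatever the client asked for
        return LOOPBACK, port
    if mode == "yes":      # forced onto the wildcard address
        return WILDCARD, port
    if requested in ("", "*"):   # clientspecified: honour the client's choice
        return WILDCARD, port
    return requested, port

# Constructed config fragments: the reporter's setting and the suggested fix.
REPORTED_CONFIG = "AllowTcpForwarding yes\nGatewayPorts yes\n"
FIXED_CONFIG = "AllowTcpForwarding yes\nGatewayPorts clientspecified\n"
```

With the reporter's config every -R forward lands on the wildcard address regardless of the fourth argument, which is exactly the "opens all interfaces" symptom; with clientspecified the fourth argument is honoured.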