BUG: opens all interfaces.
Damien Miller
djm at mindrot.org
Thu May 4 08:21:46 EST 2006
On Wed, 3 May 2006, jbug at ednixon.com wrote:
> Summary: the newish fourth forwarding argument does not correctly
> specify the interface on the remote machine for a tunnel in -R
>
> On OpenSSH_4.3p2 OpenSSL 0.9.7g 11 Apr 2005,
> on Kanotix 2.9 kernel 2.6.16.2
> and Cygwin 1.5.19(0.150/4/2)
> and (old) FreeBSD 4.6-RELEASE
>
> sshd_config file:
> AllowTcpForwarding yes
> GatewayPorts yes
This is wrong. From the manual:
> GatewayPorts
> Specifies whether remote hosts are allowed to connect to ports
> forwarded for the client. By default, sshd(8) binds remote port
> forwardings to the loopback address. This prevents other remote
> hosts from connecting to forwarded ports. GatewayPorts can be
> used to specify that sshd should allow remote port forwardings to
> bind to non-loopback addresses, thus allowing other hosts to connect.
> The argument may be ``no'' to force remote port forwardings
> to be available to the local host only, ``yes'' to force remote
> port forwardings to bind to the wildcard address, or
> ``clientspecified'' to allow the client to select the address to
> which the forwarding is bound. The default is ``no''.
So you should set:
GatewayPorts clientspecified
in sshd_config.
> General comment: The histrionics about "consult all documentation
> before reporting a bug" could be remedied by accepting a mid-grade
> level of volunteers who preen through bug reports for the ones
> that are truly new and valid.
I think you have just proved why those "histrionics" are necessary.
-d
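
Added example, not part of the original message and not OpenSSH code: a small Python model of the GatewayPorts behaviour described in the manual excerpt above, applied to the reporter's sshd_config and to the suggested fix. The function names and the address 192.0.2.10 are assumptions made for illustration, and only the global section of the config is read (Match blocks are ignored).

```python
import re

def effective_gateway_ports(sshd_config_text):
    """Return the global GatewayPorts value; sshd keeps the first value it sees."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":          # per-connection overrides: out of scope
            break
        if keyword == "gatewayports" and len(parts) == 2:
            return parts[1].strip().strip('"').lower()
    return "no"                         # default stated in the manual

def remote_forward_bind(gateway_ports, requested):
    """Model where sshd binds a -R listener.

    requested is the bind_address from the client's -R argument,
    or None when the client gave only port:host:hostport.
    """
    if gateway_ports == "no":
        return "loopback"               # client's choice is ignored
    if gateway_ports == "yes":
        return "wildcard"               # client's choice is ignored too
    if gateway_ports == "clientspecified":
        if requested is None or requested == "localhost":
            return "loopback"
        if requested in ("", "*"):
            return "wildcard"
        return requested
    raise ValueError("unknown GatewayPorts value: %r" % gateway_ports)

# The reporter's settings from the message, and the suggested correction.
REPORTED = "AllowTcpForwarding yes\nGatewayPorts yes\n"
CORRECTED = "AllowTcpForwarding yes\nGatewayPorts clientspecified\n"
WANTED = "192.0.2.10"                   # constructed address for the -R request

if __name__ == "__main__":
    for name, cfg in (("reported", REPORTED), ("corrected", CORRECTED)):
        mode = effective_gateway_ports(cfg)
        print(name, mode, "->", remote_forward_bind(mode, WANTED))
```

On a live server, `sshd -T` prints the effective configuration, including the gatewayports value.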