"on-the-fly" SSH Port Forwarding

Damien Miller djm at mindrot.org
Sun Sep 7 21:21:52 EST 2008

On Sun, 7 Sep 2008, Chris Mason wrote:

> Hi,
> I am using the following version of OpenSSH for reference:
> root at proxy:/root# ssh -V
> OpenSSH_4.8, OpenSSL 0.9.7j 04 May 2006
> root at proxy:/root# uname -a
> OpenBSD proxy.localdomain 4.3 GENERIC#698 i386
> I am developing an application which uses on-the-fly SSH port forwarding
> by using the "~C" escape sequence to add local port forwards when needed
> (through Expect). It would appear that there is no option to remove
> local port forwards and only remote port forwards:
> ssh> -h
> Commands:
>       -L[bind_address:]port:host:hostport    Request local forward
>       -R[bind_address:]port:host:hostport    Request remote forward
>       -KR[bind_address:]port                 Cancel remote forward
> I am hitting scalability issues as I am not able to cancel local
> forwards and after about 251 tunnels I am unable to add any more. (I am
> assuming this is platform/machine dependent as it complains about "No
> buffer space").

Could you please send a debug trace of this happening? ("ssh -vvv")
There is IIRC a fixed limit to the number of forwards that you can
establish, but it should give at least a more friendly error message.

> How come there isn't an option to remove local forwards when there is to
> remove remote ones? Is this by design or something that was never
> implemented?

It was never implemented, but probably would be quite easy to do. 

Another option, which would probably be way better for your application
is to use the dynamic/SOCKS port forwarding and possibly a small helper

Still another option is to implement addition/removal of port-forwards
via the control multiplexing socket. This has been on my TODO list for
quite a while.


More information about the openssh-unix-dev mailing list