bind_address ignored? as in "ssh -R [bind_address]:12491:127.0.0.1:500"
Damien Miller
djm at mindrot.org
Sun Aug 15 06:55:18 EST 2010
you want GatewayPorts=clientspecified on the server.
On Sat, 14 Aug 2010, Jon wrote:
> No answers on secureshell at securityfocus.com
>
> I must be doing something wrong or the server seems to ignore my bind request.
>
> Port forwarding is working it just bind to all ips and ignores my bind
> request. I've also tried this with an rfc1918 address opposed to a
> loopback and had the same results.
>
> Google and the archive haven't helped.
>
> Thanks in advance for your time and consideration.
>
> -server-
> uname -a
> Linux example.com 2.6.18-128.7.1.el5xen #1 SMP Mon Aug 24 10:08:55 EDT 2009 i686 i686 i386 GNU/Linux
> OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>
> -sshd_config-
> AllowTcpForwarding yes
> GatewayPorts yes
>
> -from other system-
> ssh -R 127.0.0.10:12491:127.0.0.1:5000 foo@example.com
>
> -messages-
> Aug 12 16:22:45 xxx sshd[1440]: debug1: server_input_global_request: tcpip-forward listen 127.0.0.10 port 12491
> Aug 12 16:22:45 xxx sshd[1440]: debug1: Local forwarding listening on :: port 12491.
> Aug 12 16:22:45 xxx sshd[1440]: debug1: channel 0: new [port listener]
> Aug 12 16:22:45 xxx sshd[1440]: debug1: Local forwarding listening on 0.0.0.0 port 12491.
> Aug 12 16:22:45 xxx sshd[1440]: error: bind: Address already in use
>
> -check-
> netstat -an | grep 12491
> tcp 0 0 :::12491 :::* LISTEN
>
> okay that didn't work lets see if "GatewayPorts" is related
>
> -sshd_config-
> AllowTcpForwarding yes
> GatewayPorts no
>
> -from other system-
> ssh -R 127.0.0.10:12491:127.0.0.1:5000 foo@example.com
>
> -messages-
> Aug 12 16:25:26 xxx sshd[1578]: debug1: Local forwarding listening on 127.0.0.1 port 12491.
> Aug 12 16:25:26 xxx sshd[1578]: debug1: channel 0: new [port listener]
> Aug 12 16:25:26 xxx sshd[1578]: debug1: Local forwarding listening on ::1 port 12491.
>
> -check-
> netstat -an | grep 12491
> tcp 0 0 127.0.0.1:12491 0.0.0.0:* LISTEN
> tcp 0 0 ::1:12491 :::* LISTEN
>
> -networking-
> eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
> inet addr:xxx.xxx.xxx.xxx Bcast:xxx.xxx.xxx.xxx Mask:255.255.252.0
> inet6 addr: fe80::216:3eff:fe6b:1e1d/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:33160 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1240 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:2158440 (2.0 MiB) TX bytes:228786 (223.4 KiB)
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:124 errors:0 dropped:0 overruns:0 frame:0
> TX packets:124 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:11631 (11.3 KiB) TX bytes:11631 (11.3 KiB)
>
> lo:1 Link encap:Local Loopback
> inet addr:127.0.0.10 Mask:255.0.0.0
> UP LOOPBACK RUNNING MTU:16436 Metric:1
>
> -check-
> ping 127.0.0.10
> PING 127.0.0.10 (127.0.0.10) 56(84) bytes of data.
> 64 bytes from 127.0.0.10: icmp_seq=1 ttl=64 time=0.025 ms
>
> -check-
> ping 127.0.0.1
> PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
> 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.024 ms
>
> -from man-
> GatewayPorts
>     Specifies whether remote hosts are allowed to connect to ports
>     forwarded for the client. By default, sshd binds remote port
>     forwardings to the loopback address. This prevents other remote
>     hosts from connecting to forwarded ports. GatewayPorts can be used
>     to specify that sshd should allow remote port forwardings to bind
>     to non-loopback addresses, thus allowing other hosts to connect.
>     The argument may be "no" to force remote port forwardings to be
>     available to the local host only, "yes" to force remote port
>     forwardings to bind to the wildcard address, or "clientspecified"
>     to allow the client to select the address to which the forwarding
>     is bound. The default is "no".
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
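Added example, not part of the thread and not OpenSSH's own code: a small POSIX shell model of how sshd decides where a remote forward listens for each GatewayPorts value, reproducing what the log lines above show (yes: the client's address is overridden by the wildcard address; no: loopback only) and the fix Damien points at (clientspecified: the address the client asked for). The function names and the sshd_config fragments are this example's own constructions; the special cases (an empty bind_address or "*" means all interfaces, "localhost" means loopback) follow sshd_config(5) and ssh(1); Match blocks are not modelled.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: models how sshd chooses
# the listen address for "ssh -R [bind_address:]port:host:hostport" under each
# GatewayPorts setting. Function names and sample configs are this example's own.

# Print the effective GatewayPorts value from an sshd_config read on stdin.
# sshd honours the first occurrence of a keyword, keywords are case-insensitive,
# and "Keyword=value" is accepted as well as "Keyword value". Match blocks are
# not modelled here (assumption: a flat config). The default is "no".
gateway_ports_from_config() {
    val=$(awk '/^[ \t]*#/ { next }
               { gsub(/=/, " ") }
               tolower($1) == "gatewayports" { print tolower($2); exit }')
    printf '%s\n' "${val:-no}"
}

# Usage: effective_bind GATEWAYPORTS REQUESTED_ADDR
# Prints where sshd will actually listen: "loopback", "wildcard", or the
# address the client asked for.
effective_bind() {
    gp=$1
    req=$2
    case "$gp" in
        no)
            # The client's bind_address is ignored: loopback only.
            echo loopback ;;
        yes)
            # The client's bind_address is overridden by the wildcard address;
            # the thread's log shows exactly this (:: and 0.0.0.0).
            echo wildcard ;;
        clientspecified)
            case "$req" in
                ''|'*')    echo wildcard ;;   # "" or "*" means all interfaces
                localhost) echo loopback ;;   # the protocol's name for loopback
                *)         echo "$req" ;;     # bind to the requested address
            esac ;;
        *)
            echo "unsupported GatewayPorts value: $gp" >&2
            return 1 ;;
    esac
}

# Constructed sshd_config fragments: the two the thread tried, and the fix.
cfg_yes='AllowTcpForwarding yes
GatewayPorts yes'
cfg_no='AllowTcpForwarding yes
GatewayPorts no'
cfg_fix='AllowTcpForwarding yes
GatewayPorts clientspecified'

demo() {
    for cfg in "$cfg_yes" "$cfg_no" "$cfg_fix"; do
        gp=$(printf '%s\n' "$cfg" | gateway_ports_from_config)
        printf 'GatewayPorts %-15s  ssh -R 127.0.0.10:12491:127.0.0.1:5000  ->  listens on %s\n' \
            "$gp" "$(effective_bind "$gp" 127.0.0.10)"
    done
}

demo
```

Note that clientspecified hands the choice of bind address to the client, so any address the server holds (loopback aliases such as 127.0.0.10, or a routable one) can be requested. On OpenSSH 7.8 and later the separate PermitListen option in sshd_config can limit which addresses and ports a client may ask for; the 4.3p2 server in the thread predates that option, so there the only knobs are GatewayPorts and AllowTcpForwarding.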