openSSH 5.8p2 BindPort patch

Darren Tucker dtucker at
Wed Jul 20 14:12:38 EST 2011

On Tue, Jul 19, 2011 at 10:41 PM, Rory McNamara
< at> wrote:
>>possibly, although it's more likely that it'll be IO bound on the
>>network.  Try it.
> ./ssh -B 10000 -i ~/.ssh/id_rsa USER at HOST -p 443 'find /'
> 3.046 seconds
> ./ssh -o "ProxyCommand=nc -p 10000 %h %p" -i ~/.ssh/id_rsa USER at HOST
> -p 443 'find /'
> 2.592 seconds
> This is over the internet, to a ddwrt router.
> This therefore shows that my patch is slower by 0.5 seconds in this
> instance. However, i still believe it is of benefit if you need to use
> something else for your ProxyCommand

I disagree.  With your patch:

$ strace -e trace=bind ./ssh -B 12345 localhost true 2>&1 | grep AF_INET
bind(3, {sa_family=AF_INET, sin_port=htons(12345),
sin_addr=inet_addr("")}, 16) = 0

$ strace -e trace=bind ./ssh -B 12345 -o proxycommand="nc %h %p"
localhost true 2>&1 | grep AF_INET

So when there's a proxycommand there's no bind at all.

>>In that case, how do you do use the bindport at all?  Using a
>>proxycommand doesn't allocate a tcp socket.
> The proxy im trying to get through only allows ssl on ports 443 from
> port 443, i have no idea why,

That sounds quite broken since TCP connections are uniquely identified
by the 4-tuple of source IP, source port, destination IP, destination
port.  If your proxy does what you describe it would limit you to only
one outbound SSL connection at any time and I would suspect something
is misconfigured.

> but it means i have to set the source
> port to be 443 and the destination port to be 443, as well as the
> proxycommand to be able to get through it.

I remain unconvinced that your patch has any effect at all in this case.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list