Dynamic port remote listener - a BUG?

Damien Miller djm at mindrot.org
Fri Sep 9 20:44:04 EST 2011


On Fri, 9 Sep 2011, Damien Miller wrote:

> On Fri, 9 Sep 2011, Damien Miller wrote:
> 
> > 
> > > Hello,
> > > 
> > > Today I tried using "dynamically assigned" port for remote listener, by
> > > requesting listener on port 0. This is supposed to create a listener on a
> > > port choosen by server. Everything seemed OK (the choosen port was sent back
> > > to client), but forwarding was refused. So I checked the source.
> > 
> > it works for me on both portable and OpenBSD, with -R forwardings on
> > the initial ssh commandline or set up using -O forward.
> 
> there is a bug in there though - is more than one -R 0:... foward is
> created, the later ones will all direct their connections to the
> destination specified for the first -R0 forward.
> 
> i'll look at it when i have slept...

Couldn't get to sleep. 

The problem is our s->c forwarded-tcpip channel opens use a listen_port
of 0, which causes client_request_forwarded_tcpip()->
channel_connect_by_listen_address() to always return the same destination.

So we should set c->listening_port, but we need to fix up permitted_opens
when we receive the open confirmation message otherwise the client will
refuse the requests. I think this will break backwards compat for -R 0...
forwardings from a new server (>=openssh-6.0) to an older client, since
the older clients expect a listen_port of 0 in the channel open messages.
We could do a compat.[ch] hack or live with the breakage...

-d


More information about the openssh-unix-dev mailing list