Issue with OpenSSH remote forwarding of dynamic ports

Ángel González keisial at
Fri Aug 16 10:14:52 EST 2013

On 08/08/13 06:22, Ron Frederick wrote:
>     When a connection comes to a port for which remote forwarding has
>     been requested, a channel is opened to forward the port to the other
>     side.
>        byte      SSH_MSG_CHANNEL_OPEN
>        string    "forwarded-tcpip"
>        uint32    sender channel
>        uint32    initial window size
>        uint32    maximum packet size
>        string    address that was connected
>        uint32    port that was connected
>        string    originator IP address
>        uint32    originator port
> I was expecting "port that was connected" in this message to be the dynamically allocated port so that it would always be a unique value, but this is not the case (at least with OpenSSH's sshd). Instead, it always seems to be the "port number to bind" value passed in the original SSH_MSG_GLOBAL_REQUEST "tcpip-forward" message (which is 0 since we're asking for a dynamic port).
> Unfortunately, I would imagine changing this behavior on the server side might break existing clients out there which are expecting to get this 0 value back in channel open requests when they set up a dynamic listener, and I don't really see a good way to resolve this. Does anyone have any suggestions?
It could pass 0 for the first forward and the real port in the next ones 
(which are already open), but IMHO the right thing would be to always 
provide the real port.

More information about the openssh-unix-dev mailing list
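
Added example, not part of the original thread or of OpenSSH's code: a Python parser for the "forwarded-tcpip" channel open quoted above, plus a client-side listener lookup that shows why a reported port of 0 cannot single out one of several dynamic listeners. The listener table, allocated ports, addresses, window sizes and helper names are constructed for illustration.

```python
import struct

SSH_MSG_CHANNEL_OPEN = 90  # message number assigned in RFC 4254

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def build_open(addr: str, port: int, orig_ip: str, orig_port: int) -> bytes:
    """Constructed sample packet using the field layout quoted in the thread."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"forwarded-tcpip")
            + struct.pack(">III", 0, 2097152, 32768)  # channel, window, max packet
            + ssh_string(addr.encode()) + struct.pack(">I", port)
            + ssh_string(orig_ip.encode()) + struct.pack(">I", orig_port))

def parse_open(pkt: bytes) -> dict:
    """Parse a forwarded-tcpip channel open, rejecting malformed input."""
    pos = 0
    def take(n: int) -> bytes:
        nonlocal pos
        if n > len(pkt) - pos:
            raise ValueError("truncated packet")
        pos += n
        return pkt[pos - n:pos]
    def u32() -> int:
        return struct.unpack(">I", take(4))[0]
    def string() -> bytes:
        return take(u32())
    if take(1)[0] != SSH_MSG_CHANNEL_OPEN or string() != b"forwarded-tcpip":
        raise ValueError("not a forwarded-tcpip channel open")
    sender, _window, _max_packet = u32(), u32(), u32()
    addr, port = string().decode(), u32()
    orig_ip, orig_port = string().decode(), u32()
    if pos != len(pkt):
        raise ValueError("trailing bytes")
    return {"sender": sender, "address": addr, "port": port,
            "originator": (orig_ip, orig_port)}

def candidates(listeners: list, msg: dict) -> list:
    """Names of listeners whose requested or allocated port matches the message."""
    return [l["name"] for l in listeners if l["address"] == msg["address"]
            and msg["port"] in (l["requested"], l["allocated"])]

# Two dynamic listeners (requested port 0); the allocated ports are constructed.
LISTENERS = [
    {"name": "A", "address": "localhost", "requested": 0, "allocated": 40001},
    {"name": "B", "address": "localhost", "requested": 0, "allocated": 40002},
]
```

A channel open carrying port 0 matches both listeners, while one carrying the allocated port matches exactly one.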