Remote port forwarding in a multiplexed connection: possible "clientspecified" bug

Sami.Hartikainen at Sami.Hartikainen at
Thu Sep 11 22:58:35 EST 2014

Remote port forwarding with sshd_config option 'GatewayPorts' set to "clientspecified" does not seem to work as specified, when configured from a  "slave" ssh using a multiplexed connection. Ssh man page on remote port forwarding says:

"-R [bind_address:]port:host:hostport
             By default, the listening socket on the server will be bound to the loopback
             interface only.  This may be overridden by specifying a bind_address.  An empty
             bind_address, or the address '*', indicates that the remote socket should listen
             on all interfaces.

Now the following mux command (on client with ControlMaster connected and running and ControlPath set appropriately):

    $ ssh -O forward -R ':0:localhost:3502' <hostaddr>
    Allocated port 48293 for remote forward to localhost:3502

results in (on server):

    $ netstat -lt
    Active Internet connections (only servers)
    Proto	Recv-Q	Send-Q	Local Address	Foreign Address State      
    tcp	0	0	localhost:48293	*:*                     LISTEN     
    tcp	0	0	*:ssh		*:*                     LISTEN     
    tcp6	0	0	localhost:48293	[::]:*                  LISTEN     
    tcp6	0	0	[::]:ssh		[::]:*                  LISTEN     

Port 48293 (set with an empty bind_address) should be bind to wildcard address, not localhost. The same -R option given for ControlMaster (or non-multiplexed ssh client) works as expected.

Looks like a bug in ssh client code?

Client version: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014

Sami Hartikainen

More information about the openssh-unix-dev mailing list