Feature Request: Ability to specify local bind address for ssh(1) -W

Ron Frederick ronf at timeheart.net
Sat Mar 27 01:47:18 AEDT 2021


On Mar 26, 2021, at 1:10 AM, Jochen Bern <Jochen.Bern at binect.de> wrote:
> On 25.03.21 16:30, Aaron Jones wrote:
>> I have deployed an SSH bastion host, and would prefer to use the ssh(1)
>> -W option to establish a forwarding from that host to the others that it
>> can access.
>> 
>> However, the bastion host has multiple IP addresses, and I need ssh(1)
>> to make the connection from a specific source address.
> 
> I do not speak for the OpenSSH developers, but I have a hunch that
> they'll deny that request. Selecting the source address for an outgoing
> connection usually is the job of the OS(*) and an application needs to
> carry quite a bit of extra code to override that. OK for an explicit
> networking tool like nc, but maybe not for ssh.
> 
> However, assuming that there's some *regularity* to your need, you might
> be able to tell the kernel itself to adhere to it (e.g., for Linux, use
> iptables to explicitly SNAT connections matching a pattern to a specific
> source IP). No more extra processes that can linger that way.
> 
> (*) Off the top of my head: Look up the outgoing interface in the
> default(!!) routing table, then choose the IP added last (Linux) / set
> first (SunOS/Solaris) / round robin (*BSD) from those set on that interface.


OpenSSH already supports the concept of setting a source address today via the BindAddress config option, and it’s straightforward to implement via the socket API without getting into anything OS-specific. The only thing missing here is the ability to pass a requested bind address through on a port-forwarding request.

Supporting this would require a protocol change, to add a new bind address (and probably also port) to the "direct-tcpip" request. This might require the introduction of a new channel type in the SSH_MSG_CHANNEL_OPEN request to allow the extra argument to be added without breaking interoperability with other SSH servers. When used, this new channel type would request that the remote SSH server do a bind() call on the outbound socket before doing a connect() to the requested target host/port.

It might be worth doing something similar to be able to specify a bind address on incoming forwarded TCP connection requests, such that the SSH client would bind() to a specific address/port before making the local connection. I think this could be done without any protocol changes. It would just be new fields in the -R argument (and RemoteForward config option).
-- 
Ron Frederick
ronf at timeheart.net
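As an added illustration (not code from OpenSSH or from the poster) of the protocol change discussed above: the standard "direct-tcpip" channel-open layout from RFC 4254 section 7.2, beside a hypothetical extended channel type that appends the source address the server should bind() to before connect(). The channel type name "direct-tcpip-bind@example.invalid" is an assumption made up for this example; a real extension would need a name agreed with the implementers.

```python
import struct

SSH_MSG_CHANNEL_OPEN = 90  # RFC 4253 message number for SSH_MSG_CHANNEL_OPEN

# "direct-tcpip" is the standard channel type (RFC 4254 section 7.2). The
# "@"-suffixed name is a hypothetical extension name invented for this example.
DIRECT_TCPIP = "direct-tcpip"
DIRECT_TCPIP_BIND = "direct-tcpip-bind@example.invalid"


def _string(s):
    """SSH wire 'string': uint32 length followed by the bytes."""
    b = s.encode()
    return struct.pack(">I", len(b)) + b


def encode_channel_open(target, orig, sender=0, window=2 << 20, maxpkt=32768, bind=None):
    """Serialise a channel-open request. target/orig/bind are (host, port) tuples;
    passing bind selects the extended type and appends the requested source address."""
    ctype = DIRECT_TCPIP if bind is None else DIRECT_TCPIP_BIND
    msg = bytes([SSH_MSG_CHANNEL_OPEN]) + _string(ctype)
    msg += struct.pack(">III", sender, window, maxpkt)
    for host, port in (target, orig) + ((bind,) if bind else ()):
        msg += _string(host) + struct.pack(">I", port)
    return msg


def decode_channel_open(msg):
    """Parse either channel type into a dict; 'bind' is None for plain direct-tcpip.
    A server handling the extended type would sock.bind(req['bind']) before
    sock.connect(req['target']). Raises ValueError on truncated or trailing data."""
    pos = 0
    def u32():
        nonlocal pos
        if pos + 4 > len(msg): raise ValueError("truncated")
        pos += 4
        return struct.unpack(">I", msg[pos - 4:pos])[0]
    def string():
        nonlocal pos
        n = u32()
        if pos + n > len(msg): raise ValueError("truncated")
        pos += n
        return msg[pos - n:pos].decode()
    if not msg or msg[0] != SSH_MSG_CHANNEL_OPEN: raise ValueError("not CHANNEL_OPEN")
    pos = 1
    ctype = string()
    if ctype not in (DIRECT_TCPIP, DIRECT_TCPIP_BIND): raise ValueError(ctype)
    out = {"type": ctype, "sender": u32(), "window": u32(), "maxpkt": u32()}
    out["target"] = (string(), u32())
    out["orig"] = (string(), u32())
    out["bind"] = (string(), u32()) if ctype == DIRECT_TCPIP_BIND else None
    if pos != len(msg): raise ValueError("trailing data")
    return out
```

A server that does not recognise the extended type would answer with SSH_MSG_CHANNEL_OPEN_FAILURE, which is what keeps the plain "direct-tcpip" path interoperable.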