RemoteForward Dynamic Port Allocation
Jochen Bern
Jochen.Bern at binect.de
Wed Jul 10 02:28:58 AEST 2024
Hello, we have a server that appliances "in the field" SSH into with a
config including:
> RemoteForward 127.0.0.1:0 127.0.0.1:22
> RemoteForward 0 127.0.0.1:443
so that our support desk can then use these forwards to access SSH and
HTTPS on them. Note that the remote endpoint of one is limited to IPv4,
while the other defaults to v4+v6. That's how we tell on the server
which port LISTENed on by a given sshd PID leads to the remote SSH and
which to HTTPS.
Today, for the first time, we noticed that two logins had "dynamically
allocated" the *same* port, one for SSH, one for HTTPS:
> # ss -natp | grep 34014
> LISTEN 0 128 127.0.0.1:34014 *:* users:(("sshd",pid=22509,fd=9))
> LISTEN 0 128 [::1]:34014 [::]:* users:(("sshd",pid=22511,fd=10))
> # ps -eo pid,lstart,cmd | egrep '(22509|22511) '
> 22509 Sun Jul 7 20:30:10 2024 sshd: <user>
> 22511 Sun Jul 7 20:30:10 2024 sshd: <user>
which successfully confused our detection mechanisms. (Access by the
support staff is currently limited to IPv4, so they wanted to use the
WebUI via the v4 port 34014 and the browser choked on the SSH server
hello of the other appliance.)
Is there anything I can do to prevent a port number being double
assigned like this?
(The server is, so far, a CentOS 7 with CentOS' OpenSSH packages.)
Thanks in advance,
--
Jochen Bern
Systemingenieur
Binect GmbH
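An added example, not from the post or from OpenSSH, of keying the server-side detection on (sshd PID, port, address family) instead of the bare port number, so the collision described above is reported rather than misattributed. The `ss -natp` lines are constructed to mirror the post's output, and the v4-only = SSH / v4+v6 = HTTPS heuristic is the poster's own.

```python
import re
from collections import defaultdict

# Constructed `ss -natp` output shaped like the lines in the post (not a real capture).
# PID 22511's HTTPS forward ended up v6-only on 34014 because 22509 already holds v4.
SS_SAMPLE = """\
LISTEN 0 128 127.0.0.1:34014 *:* users:(("sshd",pid=22509,fd=9))
LISTEN 0 128 127.0.0.1:40001 *:* users:(("sshd",pid=22509,fd=10))
LISTEN 0 128 [::1]:40001 [::]:* users:(("sshd",pid=22509,fd=11))
LISTEN 0 128 127.0.0.1:35500 *:* users:(("sshd",pid=22511,fd=9))
LISTEN 0 128 [::1]:34014 [::]:* users:(("sshd",pid=22511,fd=10))
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1200,fd=6))
"""

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)')

def parse_sshd_listeners(ss_output):
    """Return {pid: {port: set(families)}} for sshd listening sockets only."""
    listeners = defaultdict(lambda: defaultdict(set))
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m or m['proc'] != 'sshd':
            continue
        addr, port = m['local'].rsplit(':', 1)   # "[::1]:34014" -> ("[::1]", "34014")
        family = 'v6' if addr.startswith('[') else 'v4'
        listeners[int(m['pid'])][int(port)].add(family)
    return listeners

def classify(listeners):
    """Apply the poster's heuristic per PID: v4-only -> ssh, v4+v6 -> https.
    Anything else (e.g. v6-only after a lost v4 bind) is 'ambiguous', not guessed."""
    result = {}
    for pid, ports in listeners.items():
        for port, fams in ports.items():
            if fams == {'v4'}:
                result[(pid, port)] = 'ssh'
            elif fams == {'v4', 'v6'}:
                result[(pid, port)] = 'https'
            else:
                result[(pid, port)] = 'ambiguous'
    return result

def port_collisions(listeners):
    """Port numbers held by more than one sshd PID, regardless of address family."""
    owners = defaultdict(set)
    for pid, ports in listeners.items():
        for port in ports:
            owners[port].add(pid)
    return {port: sorted(pids) for port, pids in owners.items() if len(pids) > 1}
```

Feeding real `ss -natp` output through `parse_sshd_listeners` and alerting on any `ambiguous` entry or non-empty `port_collisions` result catches the situation in the post before a support engineer connects to the wrong appliance.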