Port forwarding feature suggestion: bind to port 0

Damien Miller djm at mindrot.org
Sat Aug 2 21:18:26 EST 2008



On Sat, 2 Aug 2008, Yaniv Aknin wrote:

> Hi,
>
> Sometimes it's desirable to bind a port forward to port 0: especially
> when scripting port forwarding, and more especially so with the '-f
> -N' options.
>
> The version of OpenSSH bundled with OSX (4.7p1) accepts '-L
> 0:192.168.1.1:22', but only if run as root (I guess this was more an
> accident than a feature). I saw that the current version (5.1p1) will
> decline such an option, saying 'Bad local forwarding specification'.
>
> I think that's a shame and would like to suggest a feature that
> would further ease port forwarding; namely, not only allow port 0
> forwarding, but also have ssh automagically get the chosen port number
> from the kernel with getsockname and print it out.

If it worked before it was by accident. We do not properly implement
port-0 forwarding, as the peer is supposed to send back a message
indicating the port that was actually bound (see RFC 4254 section 7.1).

https://bugzilla.mindrot.org/show_bug.cgi?id=1003 had a patch to
implement it, but it contained some problems the last time I checked it.
Since then I have implemented some infrastructure (expected response
queues) that will make it much easier to implement.

I'm also not sure how the bound port will be reported back to the
client. It would be easy to logit(), but that doesn't make it
particularly accessible to scripts. If you have any ideas, add yourself
to the bug and mention them there.

I'll put it on the list for 5.2, but it will more likely be 5.3 as
5.2 is looking more and more like a bugfix-only release.

> A bit off topic, but I have to say this: I'm an avid fan (and a humble
> recurring donator...) of OpenSSH for years now, I think when combining
> all the metrics of good software, it's one of the best on the planet.
> Thank you to all submitters wherever you are.

Thanks!

-d
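To make concrete the two mechanisms this thread touches, here is an added illustration (not OpenSSH code, and not part of the original thread): binding a listener to port 0 and recovering the kernel-chosen port with getsockname, as the request proposes, and the RFC 4254 section 7.1 exchange Damien refers to, where a "tcpip-forward" global request with port 0 and "want reply" set is answered by SSH_MSG_REQUEST_SUCCESS carrying the bound port as a uint32. The message numbers (80 and 81) and field layout are taken from RFC 4254; the bind-host mapping for the empty string and "localhost" is my own simplification, and the packet framing, encryption and MAC of the transport layer are left out.

```python
import socket
import struct

# Message numbers from RFC 4254 section 4 (real protocol values).
SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_REQUEST_SUCCESS = 81


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def build_tcpip_forward(address: str, port: int, want_reply: bool = True) -> bytes:
    """Client side: encode the RFC 4254 7.1 'tcpip-forward' global request.
    Port 0 asks the server to pick a free unprivileged port."""
    return (bytes([SSH_MSG_GLOBAL_REQUEST])
            + ssh_string(b"tcpip-forward")
            + bytes([1 if want_reply else 0])
            + ssh_string(address.encode())
            + struct.pack(">I", port))


def parse_tcpip_forward(msg: bytes):
    """Server side: decode the request into (address, port, want_reply)."""
    if msg[0] != SSH_MSG_GLOBAL_REQUEST:
        raise ValueError("not a global request")
    name, off = _read_string(msg, 1)
    if name != b"tcpip-forward":
        raise ValueError("unexpected request type %r" % name)
    want_reply = bool(msg[off])
    off += 1
    address, off = _read_string(msg, off)
    (port,) = struct.unpack_from(">I", msg, off)
    return address.decode(), port, want_reply


def listen_on(host: str, port: int):
    """Bind and listen; with port 0 the kernel chooses the port, which we
    read back via getsockname(). This is exactly what a '-L 0:...' local
    forward would do on the client side."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(1)
    return s, s.getsockname()[1]


def server_handle_tcpip_forward(msg: bytes):
    """Server side: bind the requested listener and build the reply.
    RFC 4254 7.1: the bound port is included in SSH_MSG_REQUEST_SUCCESS
    only when the client asked for port 0 (and wanted a reply)."""
    address, port, want_reply = parse_tcpip_forward(msg)
    # Simplified address handling (my assumption, not the full RFC rules):
    # "" means all interfaces, "localhost" means loopback.
    host = {"": "0.0.0.0", "localhost": "127.0.0.1"}.get(address, address)
    sock, bound = listen_on(host, port)
    if not want_reply:
        return sock, None
    reply = bytes([SSH_MSG_REQUEST_SUCCESS])
    if port == 0:
        reply += struct.pack(">I", bound)
    return sock, reply


def parse_request_success(reply: bytes, requested_port: int) -> int:
    """Client side: learn which port the server actually bound. A server
    that omits the uint32 for a port-0 request is the failure case a
    client must detect rather than silently assume."""
    if not reply or reply[0] != SSH_MSG_REQUEST_SUCCESS:
        raise ValueError("forwarding request was not successful")
    if requested_port != 0:
        return requested_port
    if len(reply) < 5:
        raise ValueError("server did not report the bound port for a port-0 request")
    return struct.unpack(">I", reply[1:5])[0]


if __name__ == "__main__":
    req = build_tcpip_forward("localhost", 0)
    sock, reply = server_handle_tcpip_forward(req)
    print("server bound port", parse_request_success(reply, 0))
    sock.close()
```

The two halves are deliberately separate: `listen_on` alone is the local (`-L`) case, where the client process owns the socket and only needs getsockname to print the port; the request/reply pair is the remote (`-R`) case, where the port is chosen on the peer and the client only learns it through the extra uint32 in the success message.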