openSSH 5.8p2 BindPort patch

Rory McNamara pink.banana.fish at gmail.com
Wed Jul 20 19:05:39 EST 2011


> That sounds quite broken since TCP connections are uniquely identified
> by the 4-tuple of source IP, source port, destination IP, destination
> port.  If your proxy does what you describe it would limit you to only
> one outbound SSL connection at any time and I would suspect something
> is misconfigured.
> [...]
> I remain unconvinced that your patch has any effect at all in this case.
Well, maybe it is. I can't verify anything until September, but this is
the only configuration I found to work, albeit with a modified PuTTY,
but the connection was the same.

On Wed, Jul 20, 2011 at 5:12 AM, Darren Tucker <dtucker at zip.com.au> wrote:
> On Tue, Jul 19, 2011 at 10:41 PM, Rory McNamara
> <pink.banana.fish at gmail.com> wrote:
>>>possibly, although it's more likely that it'll be IO bound on the
>>>network.  Try it.
>> ./ssh -B 10000 -i ~/.ssh/id_rsa USER at HOST -p 443 'find /'
>> 3.046 seconds
>> ./ssh -o "ProxyCommand=nc -p 10000 %h %p" -i ~/.ssh/id_rsa USER at HOST
>> -p 443 'find /'
>> 2.592 seconds
>>
>> This is over the internet, to a ddwrt router.
>> This therefore shows that my patch is slower by 0.5 seconds in this
>> instance. However, I still believe it is of benefit if you need to use
>> something else for your ProxyCommand.
>
> I disagree.  With your patch:
>
> $ strace -e trace=bind ./ssh -B 12345 localhost true 2>&1 | grep AF_INET
> bind(3, {sa_family=AF_INET, sin_port=htons(12345),
> sin_addr=inet_addr("0.0.0.0")}, 16) = 0
>
> $ strace -e trace=bind ./ssh -B 12345 -o proxycommand="nc %h %p"
> localhost true 2>&1 | grep AF_INET
> $
>
> So when there's a proxycommand there's no bind at all.
>
>>>In that case, how do you do use the bindport at all?  Using a
>>>proxycommand doesn't allocate a tcp socket.
>>
>> The proxy I'm trying to get through only allows SSL on port 443 from
>> port 443, I have no idea why,
>
> That sounds quite broken since TCP connections are uniquely identified
> by the 4-tuple of source IP, source port, destination IP, destination
> port.  If your proxy does what you describe it would limit you to only
> one outbound SSL connection at any time and I would suspect something
> is misconfigured.
>
>> but it means I have to set the source
>> port to be 443 and the destination port to be 443, as well as the
>> proxycommand to be able to get through it.
>
> I remain unconvinced that your patch has any effect at all in this case.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
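The two points argued in the thread above, that a ProxyCommand transport never calls bind() at all and that a fixed source port does not limit a host to one connection because TCP flows are keyed by the full 4-tuple, can be checked with a small loopback experiment. The following script is an added example written for this page; it is not OpenSSH code and not part of the thread. `direct_connect()` models what a `-B` style patch does (bind the source port, then connect), `proxy_connect()` models ProxyCommand (spawn a helper and talk over pipes), and `cat` stands in for `nc` as the helper so it runs offline. The function and parameter names are assumptions made here for illustration.

```python
# Added example, not OpenSSH code: a toy client modelling the two transports
# discussed in the thread.  Only the direct path ever creates a TCP socket,
# so only the direct path can bind a source port; the proxy path speaks to a
# child process over pipes and a bind() tracer would see nothing.
import socket
import subprocess


def _listener() -> socket.socket:
    """Loopback listener on an ephemeral port (stands in for a remote host)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def direct_connect(host: str, port: int, bind_port: int = 0) -> socket.socket:
    """Plain TCP transport: bind the local source port (0 = kernel picks),
    then connect.  Mirrors the bind(..., sin_port=htons(<bind_port>),
    sin_addr=0.0.0.0) seen in the strace output quoted above."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # SO_REUSEADDR lets a second non-listening socket share the source port;
    # the kernel still rejects a duplicate 4-tuple at connect() time.
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("0.0.0.0", bind_port))
    s.connect((host, port))
    return s


def proxy_connect(proxy_command: list, host: str, port: int) -> subprocess.Popen:
    """ProxyCommand transport: expand %h/%p, spawn the helper and speak to it
    over stdin/stdout.  No socket is opened in this process, so there is
    nothing to bind; any source port would have to be chosen by the helper."""
    cmd = [arg.replace("%h", host).replace("%p", str(port)) for arg in proxy_command]
    return subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE)


def bound_source_port(transport):
    """What 'strace -e trace=bind' would report for this transport: the
    local port for a socket, None for a proxy helper."""
    if isinstance(transport, socket.socket):
        return transport.getsockname()[1]
    return None


def same_source_port_two_destinations():
    """One source port, two different destination ports: both connections
    succeed because the 4-tuples differ.  Returns the two (local, remote)
    address pairs."""
    servers = [_listener(), _listener()]
    first = direct_connect("127.0.0.1", servers[0].getsockname()[1])
    sport = bound_source_port(first)  # reuse the port the kernel picked
    second = direct_connect("127.0.0.1", servers[1].getsockname()[1], sport)
    pairs = [(c.getsockname(), c.getpeername()) for c in (first, second)]
    for sock in (first, second, *servers):
        sock.close()
    return pairs


if __name__ == "__main__":
    for local, remote in same_source_port_two_destinations():
        print(f"{local[0]}:{local[1]} -> {remote[0]}:{remote[1]}")
    helper = proxy_connect(["cat"], "localhost", 443)  # 'cat' stands in for nc
    print("source port via ProxyCommand:", bound_source_port(helper))
    helper.stdin.close()
    helper.stdout.close()
    helper.wait()
```

Run it and the two printed flows share a source port but differ in destination port, which is the 4-tuple argument made in the thread; the proxy transport reports no source port at all, matching the empty strace output for the ProxyCommand case. A real helper such as `nc -p` would have to do its own bind, which is why a client-side source-port option cannot influence a ProxyCommand connection.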

