RemoteForward Dynamic Port Allocation

Jochen Bern Jochen.Bern at binect.de
Wed Jul 10 02:28:58 AEST 2024


Hello, we have a server that appliances "in the field" SSH into with a 
config including:

>         RemoteForward   127.0.0.1:0     127.0.0.1:22
>         RemoteForward           0       127.0.0.1:443

so that our support desk can then use these forwards to access SSH and 
HTTPS on them. Note that the remote endpoint of one is limited to IPv4, 
while the other defaults to v4+v6; that's how we tell on the server 
which port LISTENed on by a given sshd PID leads to the remote SSH and 
which to HTTPS.

Today, for the first time, we noticed that two logins had "dynamically 
allocated" the *same* port, one for SSH, one for HTTPS:

> # ss -natp | grep 34014
> LISTEN  0   128 127.0.0.1:34014      *:*   users:(("sshd",pid=22509,fd=9))
> LISTEN  0   128     [::1]:34014   [::]:*   users:(("sshd",pid=22511,fd=10))

> # ps -eo pid,lstart,cmd | egrep '(22509|22511) '
> 22509 Sun Jul  7 20:30:10 2024 sshd: <user>
> 22511 Sun Jul  7 20:30:10 2024 sshd: <user>

which successfully confused our detection mechanisms. (Access by the 
support staff is currently limited to IPv4, so they wanted to use the 
WebUI via the v4 port 34014 and the browser choked on the SSH server 
hello of the other appliance.)

Is there anything I can do to prevent a port number being double 
assigned like this?

(The server is, so far, a CentOS 7 with CentOS' OpenSSH packages.)

Thanks in advance,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
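The check the post's support desk needed, as an added example that is not part of the original message or of OpenSSH: parse `ss -natp` output, map each sshd PID to the loopback listeners it holds, apply the post's convention (127.0.0.1 only = SSH forward, 127.0.0.1 plus [::1] = HTTPS forward), and flag any port number that is bound by more than one sshd PID, so that a 127.0.0.1/[::1] split like the one above is reported as ambiguous instead of being trusted. The sample `ss` text is constructed to mirror the post's two colliding lines; the extra PIDs and ports (22600, 40001, 1234) are made up.

```python
"""Detect RemoteForward port collisions in `ss -natp` output.

Added example, not code from the original post or from OpenSSH. It assumes
the post's convention: a `RemoteForward 127.0.0.1:0 ...` shows up as a single
127.0.0.1 listener (SSH), a `RemoteForward 0 ...` as a 127.0.0.1 + [::1] pair
(HTTPS). Sample input below is constructed, modelled on the post's ss lines.
"""
import re
from collections import defaultdict

# Constructed sample: the post's two colliding listeners on 34014, one
# well-behaved v4+v6 forward on 40001, and the real sshd on port 22.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:34014      *:*                users:(("sshd",pid=22509,fd=9))
LISTEN  0       128     [::1]:34014          [::]:*             users:(("sshd",pid=22511,fd=10))
LISTEN  0       128     127.0.0.1:40001      *:*                users:(("sshd",pid=22600,fd=9))
LISTEN  0       128     [::1]:40001          [::]:*             users:(("sshd",pid=22600,fd=10))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=1234,fd=3))
"""

LOOPBACK = ("127.0.0.1", "[::1]")

# One LISTEN line of `ss -natp`: local addr:port, peer, then the first
# process in the users:(...) list.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+'
    r'(?P<addr>\[[0-9a-fA-F:]+\]|[0-9.]+|\*)'   # [::1], 127.0.0.1 or *
    r':(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)'
)


def parse_listeners(text):
    """Return {pid: {(addr, port), ...}} for sshd LISTEN sockets on loopback."""
    listeners = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proc") != "sshd":
            continue
        addr = m.group("addr")
        if addr not in LOOPBACK:
            continue  # only the RemoteForward listeners matter here
        listeners[int(m.group("pid"))].add((addr, int(m.group("port"))))
    return dict(listeners)


def classify(listeners):
    """Apply the post's convention per PID.

    127.0.0.1 only            -> ("ssh", port)
    127.0.0.1 and [::1]       -> ("https", port)
    anything else (e.g. [::1] alone, or several ports) -> ("unknown", ...)
    """
    result = {}
    for pid, socks in listeners.items():
        families = {addr for addr, _ in socks}
        ports = {port for _, port in socks}
        if len(ports) != 1:
            result[pid] = ("unknown", ports)
            continue
        port = ports.pop()
        if families == {"127.0.0.1"}:
            result[pid] = ("ssh", port)
        elif families == {"127.0.0.1", "[::1]"}:
            result[pid] = ("https", port)
        else:
            result[pid] = ("unknown", port)
    return result


def find_port_collisions(listeners):
    """Return {port: [pids]} for every port held by more than one sshd PID.

    A port in this map must not be handed to the support desk, whatever
    classify() said about its owners: the v4 and v6 halves may belong to
    different appliances.
    """
    owners = defaultdict(set)
    for pid, socks in listeners.items():
        for _, port in socks:
            owners[port].add(pid)
    return {port: sorted(pids) for port, pids in owners.items() if len(pids) > 1}


if __name__ == "__main__":
    # Replace SAMPLE_SS with subprocess output of `ss -natp` on the real server.
    found = parse_listeners(SAMPLE_SS)
    collisions = find_port_collisions(found)
    for pid, (kind, port) in sorted(classify(found).items()):
        flag = " (COLLISION, do not use)" if port in collisions else ""
        print(f"sshd pid {pid}: {kind} on port {port}{flag}")
```

The collision map is the part the post's detection was missing: with it, 34014 is reported as held by both 22509 and 22511, and 22511 (which only managed to bind [::1]) no longer looks like a healthy v4+v6 HTTPS forward.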