I'm submitting this as closed approved automatic as the fucntionality
was already approved in 2007/034. This case is really only to record
the client/server version number update so that this can be properly
integrated. This case implicitly moves integrating this functionality
as part of 2007/034 into this case.
Template Version: @(#)sac_nextcase 1.64 07/13/07 SMI
This information is Copyright 2007 Sun Microsystems
1. Introduction
1.1. Project/Component Working Name:
ssh(1) binding address for port forwarding
1.2. Name of Document Author/Supplier:
Author: Jan Pechanec
1.3 Date of This Document:
22 October, 2007
2. Project Summary
2.1. Project Description:
Allow for optional specification of bind address for local, remote and
dynamic port forwardings while keeping backward compatibility, like this
on example of dynamic forwarding: -D [bind_address:]port
Also, this enhancement was previously part of "PSARC/2007/034 ssh/sshd
resync with OpenSSH". However, it was discovered that current version of
SunSSH is not fully RFC 4254 compliant with regard to remote port
forwarding. So, aside from the resynced functionality this case asks for
a resync of compatibility flag SSH_OLD_FORWARD_ADDR and a version bump
from Sun_SSH_1.1 to Sun_SSH_1.2 so that older releases can be treated in
a backward compatible way.
2.2. Risks and Assumptions:
None.
3. Business Summary
3.4. Competitive Analysis:
The most often used player is OpenSSH project which is what SunSSH
forked from in 2001. We want to resync this feature from 4.7p1 version.
Another important player is Tectia SSH which also supports the binding
address feature requested.
4. Technical Description:
4.1. Details:
Binding address extension will be resynced from OpenSSH 4.7p1.
With regard to RFC 4254 incompatibility, it was discovered that SunSSH
doesn't treat "0.0.0.0" as an alias for all IPv4 addresses as requested
by RFC 4254, section 7.1. It is incorrectly treated as an alias for all
IPv4 AND IPv6 addresses. While this doesn't seem to be a problem now it
could be in the future. This bug came from OpenSSH from which we forked.
(note: an empty string "" is the correct RFC 4254 compliant alias for
all protocol families supported on the server side).
OpenSSH already fixed this in OpenSSH 4.0p1 release and introduced
SSH_OLD_FORWARD_ADDR compatibility flag so that old clients can be
treated in a backward compatible way. All OpenSSH versions before 4.0
were flagged with this flag in compat.c file. SunSSH is based on 3.5
version so we should also flag all our existing versions - Sun_SSH_1.0,
1.0.1 and 1.1 with such a flag, and then fix this incompatibility.
This means that we need a version bump to distinguish between older, not
fully RFC compliant SunSSH releases, and the new one. We should change
the version from 1.1 to 1.2 together with the code change for 6506674
(see 6619347 below).
4.2. Bug/RFE Number(s):
6506674 allow specific binding address to be used with -DLR
options for ssh(1)
6619347 SunSSH is not fully compatible with RFC4254 with regard to port
forwarding
4.5. Interfaces:
All -DLR and (Dynamic|Local|Remote)Forward interfaces will be extended
in a backward compatible way such that apart from listening port an
optional binding listening address can be also provided as part of the
forwarding specification, like this:
-D [bind_address:]port
-L [bind_address:]port:host:hostport
-R [bind_address:]port:host:hostport
DynamicForward [bind_address:]port
LocalForward [bind_address:]port host:hostport
RemoteForward [bind_address:]port host:hostport
IPv6 addresses can be specified by enclosing the address in square
braces or using an alternative syntax: [bind_address/]host/port/hostport
GatewayPorts on server side will be extended with "clientspecified"
value which will honour the bind_address sent from the client.
Otherwise, GatewayPorts setting will always force to use localhost
("no") or wildcard addresses ("yes") no matter what bind_address was
provided.
bind_address for listening on client side will always override
client's setting for GatewayPorts.
4.6. Doc Impact:
Manual pages for ssh(1), ssh_config(5) and ssh-keygen(1) will be
changed. Diff follows:
ssh [-afgknqstvxACNTX1246] [-b bind_address] [-m mac_spec]
[-c cipher_spec] [-e escape_char] [-i identity_file]
[-l login_name] [-F configfile] [-o option] [-p port]
- [-L port:host:hostport] [-R port:host:hostport]
- [-D port] hostname | user at hostname [command]
+ [-L [bind_address:]port:host:hostport]
+ [-R [bind_address:]port:host:hostport]
+ [-D [bind_address:]port] hostname | user at hostname [command]
- -L port:host:hostport Specifies that the given port on
+ -L [bind_address:]port:host:hostport
+
+ Specifies that the given port on
the local (client) host is to be
forwarded to the given host and
port on the remote side. This
works by allocating a socket to
listen to the port on the local
- side. Then, whenever a connec-
+ side, optionally bound to the specified
+ bind_address. Then, whenever a connec-
tion is made to this port, the
connection is forwarded over the
secure channel and a connection
is made to host port hostport
from the remote machine. Port
forwardings can also be speci-
fied in the configuration file.
- Only root can forward privileged
+ Only a user with enough privileges
+ can forward privileged
ports. IPv6 addresses can be
specified with an alternative
- syntax: port/host/hostport.
+ syntax:
+ [bind_address/]port/host/hostport
+ or by enclosing the address in
+ square brackets.
+ By default, the local port is
+ bound in accordance with the
+ GatewayPorts setting. How-
+ ever, an explicit bind_address
+ may be used to bind the
+ connection to a specific
+ address. The bind_address of
+ ``localhost'' indicates that
+ the listening port be bound for
+ local use only, while an empty
+ address or `*' indicates that
+ the port should be available
+ from all interfaces.
- -R port:host:hostport Specifies that the given port on
+ -R [bind_address:]port:host:hostport
+
+ Specifies that the given port on
the remote (server) host is to
be forwarded to the given host
and port on the local side. This
works by allocating a socket to
listen to the port on the remote
side. Then, whenever a connec-
tion is made to this port, the
connection is forwarded over the
secure channel and a connection
is made to host port hostport
from the local machine. Port
forwardings can also be speci-
fied in the configuration file.
Privileged ports can be for-
- warded only when logging in as
- root on the remote machine.
+ warded only when logging in
+ on the remote machine as
+ a user with enough privileges.
+ IPv6 addresses can be specified
+ by enclosing the address in
+ square braces or using an
+ alternative syntax:
+ [bind_address/]host/port/hostport.
+ By default, the listening socket
+ on the server will be bound to
+ the loopback interface only.
+ This may be overriden by
+ specifying a bind_address. An
+ empty bind_address, or the
+ address `*', indicates that
+ the remote socket should listen
+ on all interfaces. Specifying a
+ remote bind_address will only
+ succeed if the server's
+ GatewayPorts option is enabled
+ (see sshd_config(4)).
- -D port Specifies a local ``dynamic''
+ -D [bind_address:]port Specifies a local ``dynamic''
application-level port forward-
ing. This works by allocating a
socket to listen to port on the
- local side, and whenever a con-
+ local side, optionally bound to the specified
+ bind_address. Whenever a con-
nection is made to this port,
the connection is forwarded over
the secure channel. The applica-
tion protocol is then used to
determine where to connect to
from the remote machine.
- Currently, the SOCKS4 protocol
- is supported and ssh acts as a
- SOCKS4 server. Only root can
- forward privileged ports.
+ Currently, the SOCKS4 and SOCKS5 protocols
+ are supported and ssh acts as a
+ SOCKS server. Only a user with
+ enough privileges can forward privileged
ports.
Dynamic port forwardings can
also be specified in the confi-
guration file.
+ IPv6 addresses can be specified
+ with an alternative syntax:
+ [bind_address/]port or by
+ enclosing the address in square
+ brackets. Only the superuser can
+ forward privileged ports. By
+ default, the local port is bound
+ in accordance with the
+ GatewayPorts setting. However,
+ an explicit bind_address may be
+ used to bind the connection to a
+ specific address. The
+ bind_address of ``localhost''
+ indicates that the listening
+ port be bound for local use
+ only, while an empty address or
+ `*' indicates that the port
+ should be available from all
+ interfaces.
DynamicForward
Specifies that a TCP/IP port on the local machine be
forwarded over the secure channel. The application pro-
tocol is then used to determine where to connect to from
- the remote machine. The argument must be a port number.
- Currently the SOCKS4 protocol is supported, and ssh will
- act as a SOCKS4 server. Multiple forwardings can be
- specified and additional forwardings can be specified on
- the command line. Only the superuser can forward
- privileged ports.
+ the remote machine.
+
+ The argument must be [bind_address:]port. IPv6 addresses
+ can be specified by enclosing addresses in square
+ brackets or by using an alternative syntax:
+ [bind_address/]port. By default, the local port is
+ bound in accordance with the GatewayPorts setting.
+ However, an explicit bind_address may be used to bind
+ the connection to a specific address. The bind_address
+ of ``localhost'' indicates that the listening port be
+ bound for local use only, while an empty address or `*'
+ indicates that the port should be available from all
+ interfaces.
+ Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will
+ act as a SOCKS server. Multiple forwardings can be
+ specified and additional forwardings can be specified on
+ the command line. Only a user with enough privileges
+ can forward privileged ports.
LocalForward
Specifies that a TCP/IP port on the local machine be
forwarded over the secure channel to a given host:port
from the remote machine. The first argument must be a
- port number, and the second must be host:port. IPv6
- addresses can be specified with an alternative syntax:
- host/port. Multiple forwardings can be specified and
- additional forwardings can be given on the command line.
- Only the superuser can forward privileged ports.
+ [bind_address:]port and the second must be host:port.
+ IPv6 addresses can be specified by enclosing addresses
+ in square brackets or by using an alternative syntax:
+ [bind_address/]port and host/port. Multiple
+ forwardings can be specified and additional
+ forwardings can be given on the command line. Only a
+ user with enough privileges can forward privileged
+ ports. By default, the local port is bound in accor-
+ dance with the GatewayPorts setting. However, an
+ explicit bind_address may be used to bind the connection
+ to a specific address. The bind_address of
+ ``localhost'' indicates that the lis- tening port be
+ bound for local use only, while an empty address or `*'
+ indicates that the port should be available from all in-
+ terfaces.
RemoteForward
Specifies that a TCP/IP port on the remote machine be
forwarded over the secure channel to a given host:port
- from the local machine. The first argument must be a
- port number, and the second must be host:port. IPv6
- addresses can be specified with an alternative syntax:
- host/port. You can specify multiple forwardings and give
- additional forwardings on the command line. Only the
- superuser can forward privileged ports.
+ from the local machine. The first argument must be
+ [bind_address:]port and the second argument must be
+ host:port. IPv6 addresses can be specified by enclosing
+ addresses in square brackets or by using an alternative
+ syntax: [bind_address/]port and host/port. You can
+ specify multiple forwardings and give additional
+ forwardings on the command line. Only a user with
+ enough privileges can forward privileged ports.
+ If the bind_address is not specified, the default is to
+ only bind to loopback addresses. If the bind_address is
+ `*' or an empty string, then the forwarding is requested
+ to listen on all interfaces. Specifying a remote
+ bind_address will only succeed if the server's
+ GatewayPorts option is enabled (see sshd_config(4)).
GatewayPorts
Specifies whether remote hosts are allowed to connect to
ports forwarded for the client. By default, sshd binds
remote port forwardings to the loopback address. This
prevents other remote hosts from connecting to forwarded
ports. GatewayPorts can be used to specify that sshd
should bind remote port forwardings to the wildcard
address, thus allowing remote hosts to connect to for-
- warded ports. The argument must be yes or no. The
- default is no.
+ warded ports.
+ The argument may be ``no'' to force remote port
+ forwardings to be available to the local host only,
+ ``yes'' to force remote port forwardings to bind to the
+ wildcard address, or ``clientspecified'' to allow the
+ client to select the address to which the forwarding is
+ bound. The default is ``no''. See also RemoteForward in
+ ssh_config(4).
4.7. Admin/Config Impact:
We just extend new command line options and configuration file keywords
but default behaviour won't be changed.
New compatibility flag will not impact administration or configuration
of the system.
4.9. I18N/L10N Impact:
All new messages will be localized.
4.10. Packaging & Delivery:
SUNWsshcu, SUNWsshdu, SUNWman
6. Resources and Schedule:
6.1. Projected Availability:
project inception and integration: 3Q/2007
6.4. Steering Committee requested information
6.4.1. Consolidation C-team Name:
ON
6.5. ARC review type: Automatic
6.6. ARC Exposure: open
