New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x/crypto/ssh: TCP/IP port forwarding expects IP addresses #37239
Comments
I should mention that it's of course possible to treat |
/cc @hanwen @FiloSottile |
+1. I'm particularly interested in |
+1 The address should be resolved by the remote host, as is where the listen() call will happen, not the originating ssh client. |
Just adding some more information, supposing it is a multi-homed server, with multiple IP addresses, calling net. Listen () using a hostname needs to resolve the name within the remote server to figure out which interface it should bind. The current implementation doesn't allow this. |
wow...this is so insurmountable.... SSH Protocol : "channel forward message address is a string" All the above, plus I would add that a domain might not be "resolvable" from the client side in instances where a remote forward |
+1 This should be resolved on the remote host and treated as a string client side to allow the remote host to preform the lookup on what hostname qualifies to access the connection |
or just simply not to handle update: |
(*ssh.Client).ListenTCP
expects an IP address (via*net.TCPAddr
) and therefore(*ssh.Client).Listen
attempts to resolve addresses.However, section 7.1 of RFC 4254 states:
There are two consequences of the current interface:
You can only provide resolvable names. This prohibits two of the strings with special-case semantics from working (
""
, reported in x/crypto/ssh: listening on remote address blocks indefinitely when address doesn't contain a host part #33227, and"::"
).Resolution happens client side. This changes the meaning of the string
"localhost"
from being "all protocol families supported by the SSH implementation on loopback addresses only" to being only one of those and may provide a different result for other names (AWS hostnames resolving to internal addresses inside a data center comes to mind).Outside of defining a new public interface, I think the least breaking change would be to extract an unexported
listenTCP
function taking a string address and call this fromListen
which can then drop resolution but of course if you're relying on that behavior, it will still be surprising.I'm happy to submit a pull request but I'd appreciate some thoughts on how to best evolve the interface into something that both supports the scope of the RFC and doesn't disregard current users.
The text was updated successfully, but these errors were encountered: