x/crypto/ssh: tcpip.go forward and remove compare on ip and port #8977

Closed
gopherbot opened this issue Oct 21, 2014 · 4 comments

Comments

@gopherbot

by matt.knopp:

In tcpip.go, forward(...) and remote(...) scan forwardList entries for an entry that
matches laddr on both IP and PORT as part of creating/removing a forward channel. It
looks like it should only be comparing on PORT rather than PORT and IP.

I came across this because some SSH servers (e.g. Apache Mina) (appear?) to pass the
originating interface's IP when creating a 'forwarded-tcpip' channel rather than the IP
we requested, e.g. 0.0.0.0. The forwarding request is ultimately rejected because
forward() is unable to find a matching IP, PORT pair in forwardList. Removing the IP
check appears to fix the problem.

RFC-4253 states "Implementations MUST reject these messages unless they have
previously requested a remote TCP/IP port forwarding with the given port number". 

Matt
@ianlancetaylor
Contributor

Comment 1:

Labels changed: added repo-crypto, release-none.

@bradfitz bradfitz removed the new label Dec 18, 2014
@mikioh mikioh changed the title go.crypto/ssh: tcpip.go forward and remove compare on ip and port ssh: tcpip.go forward and remove compare on ip and port Jan 7, 2015
@rsc rsc added this to the Unplanned milestone Apr 10, 2015
@rsc rsc removed the release-none label Apr 10, 2015
@rsc rsc changed the title ssh: tcpip.go forward and remove compare on ip and port x/crypto/ssh: tcpip.go forward and remove compare on ip and port Apr 14, 2015
@rsc rsc modified the milestones: Unreleased, Unplanned Apr 14, 2015
@rsc rsc removed the repo-crypto label Apr 14, 2015
@hanwen
Contributor

hanwen commented Aug 21, 2015

While the RFC is not very clear here, I think the current behavior is correct. Since you can set up different port forwards on the same port number for e.g. IPv6 and IPv4 (e.g. forward the former to local port N and the latter to M), if we disregard the IP address, we won't know how to route an incoming connection.

However, we could add a bugfix mode to the code by disregarding the IP check for specific version strings. To do this, we need to know exactly which server version strings exhibit this problem.
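
The two positions in this thread (the reporter's "match on port only" and hanwen's "the IP is needed to route") can be shown side by side with a small model of the forward table. The following is an added example written for this page; it is not code from x/crypto/ssh, and `forwardList`, `forwardEntry`, `newForward`, `lookupStrict`, `lookupPortOnly` and `forwardedTCPIP` are hypothetical names chosen here, as are the addresses and ports. The fields modelled are the "address that was connected" and "port that was connected" of a `forwarded-tcpip` channel open (RFC 4254, section 7.2). Scenario 1 is the reporter's case: we requested a listener on 0.0.0.0 and the server reports the interface address it accepted on, so a strict (IP, port) match fails while a port-only match succeeds. Scenario 2 is hanwen's case: the same port forwarded for IPv4 and IPv6 to different local targets, where a port-only match returns two candidates and cannot choose.

```go
package main

import (
	"fmt"
	"net"
)

// forwardEntry models one remote port forward the client requested with a
// "tcpip-forward" global request. This is an illustrative model of the
// forwardList discussed in the issue, not the x/crypto/ssh type itself.
type forwardEntry struct {
	addr  net.TCPAddr // address the server was asked to listen on
	local string      // where this client routes accepted connections (illustrative)
}

type forwardList []forwardEntry

// newForward builds an entry from a listen host, port and local target.
func newForward(host string, port int, local string) forwardEntry {
	return forwardEntry{addr: net.TCPAddr{IP: net.ParseIP(host), Port: port}, local: local}
}

// forwardedTCPIP carries the "connected address" and "connected port" of a
// forwarded-tcpip channel open. Values are constructed here, not parsed
// off the wire.
type forwardedTCPIP struct {
	connAddr string
	connPort uint32
}

// lookupStrict is the behaviour the issue describes as current: the
// connected address must match a requested forward on both IP and port.
func (l forwardList) lookupStrict(m forwardedTCPIP) (forwardEntry, bool) {
	ip := net.ParseIP(m.connAddr) // nil for a hostname; Equal then simply fails
	for _, e := range l {
		if e.addr.Port == int(m.connPort) && e.addr.IP.Equal(ip) {
			return e, true
		}
	}
	return forwardEntry{}, false
}

// lookupPortOnly is the relaxation proposed in the report: ignore the IP.
// It returns every candidate so the caller can see when the port alone
// does not identify a single forward.
func (l forwardList) lookupPortOnly(m forwardedTCPIP) []forwardEntry {
	var out []forwardEntry
	for _, e := range l {
		if e.addr.Port == int(m.connPort) {
			out = append(out, e)
		}
	}
	return out
}

// localTargets lists the local targets of a candidate set, for display.
func localTargets(es []forwardEntry) []string {
	out := make([]string, 0, len(es))
	for _, e := range es {
		out = append(out, e.local)
	}
	return out
}

func main() {
	// Scenario 1: we asked for 0.0.0.0:2222; the server reports the
	// interface address it accepted on (the behaviour the reporter
	// attributes to Apache Mina). Addresses are made up for the example.
	l := forwardList{newForward("0.0.0.0", 2222, "127.0.0.1:22")}
	open := forwardedTCPIP{connAddr: "10.0.0.7", connPort: 2222}
	_, ok := l.lookupStrict(open)
	fmt.Printf("strict match for %s:%d: %v\n", open.connAddr, open.connPort, ok)
	fmt.Printf("port-only candidates: %v\n", localTargets(l.lookupPortOnly(open)))

	// Scenario 2: one port forwarded separately for IPv4 and IPv6 to
	// different local targets. Strict matching picks the right one;
	// port-only matching returns both and cannot route.
	dual := forwardList{
		newForward("0.0.0.0", 8080, "127.0.0.1:8081"),
		newForward("::", 8080, "[::1]:8082"),
	}
	open6 := forwardedTCPIP{connAddr: "::", connPort: 8080}
	e, ok := dual.lookupStrict(open6)
	fmt.Printf("strict match for [%s]:%d: %v -> %s\n", open6.connAddr, open6.connPort, ok, e.local)
	fmt.Printf("port-only candidates: %v\n", localTargets(dual.lookupPortOnly(open6)))
}
```

Note that `net.IP.Equal` treats an IPv4 address and its IPv4-mapped IPv6 form as equal, but `0.0.0.0` and `::` as distinct, which is exactly the distinction a port-only lookup throws away. A "bugfix mode" of the kind hanwen suggests would fall back from `lookupStrict` to `lookupPortOnly` only when the server version string is on a known list and only when the port-only result has exactly one candidate.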

@mhat

mhat commented Dec 1, 2016

I believe Apache Mina was the only sshd implementation I ran into this issue with. It just happened to be the one I was working with at the time. My/our experience with Go and the SSH library was positive enough we replaced the service that was using Mina with a Go-Ssh service. Given that it's been two years and I'm the only one that apparently ran into this, it seems fair to assume the issue is pretty narrowly scoped to Mina. My vote would be to close this unless/until someone comes back with the same issue and a list of SSH server version/strings.

Possibly not obvious: I'm the original reporter.

@hanwen
Contributor

hanwen commented Dec 5, 2016

Thanks for the update. Will close this issue for now.

@hanwen hanwen closed this as completed Dec 5, 2016
@golang golang locked and limited conversation to collaborators Dec 5, 2017