I have a Windows computer running OpenSSH_for_Windows_8.1p1 server installed via Windows Features. When I set up a reverse SOCKS proxy using the OpenSSH_for_Windows_8.1p1 client and then, with the first connection still open, set up another reverse SOCKS proxy connection to the same port on the server, the second connection succeeds (instead of failing because the port is already in use) and traffic through the proxy is sent only over the first connection.
Is this intended behavior or a bug? Is there a way to configure the server not to allow the second reverse proxy on the same port, or to detect that the port is already in use and fail on the client when connecting to the server?
Here are the steps I used to reproduce this:
Install OpenSSH_for_Windows_8.1p1 using Windows features on what we'll call WindowsServer.
My sshd_config is:
```
PermitRootLogin no
AllowUsers SshTest
X11Forwarding no
PermitTunnel no
AllowAgentForwarding no
AllowStreamLocalForwarding no
AllowTcpForwarding remote
GatewayPorts no
MaxSessions 0
PermitListen 51000 51001 51002 51003 51004 51005
```
Install OpenSSH_for_Windows_8.1p1 using Windows features on what we'll call WindowsClient.
Make two reverse proxy connections from WindowsClient to WindowsServer at the command line:
Configure Firefox to use the created SOCKS5 proxy and open a URL so that traffic can be seen in the connection log.
Here's the log from connection 1 (with a few things obfuscated/snipped, let me know if you need more):
```
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Connecting to [...snip...].
debug1: Connection established.
[...snip...]
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_8.1
debug1: match: OpenSSH_for_Windows_8.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to WindowsServer:22 as 'SshTest'
[...snip...]
debug1: Authentication succeeded (password).
Authenticated to [...snip...].
debug1: Remote connections from LOCALHOST:51000 forwarded to local address socks:0
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: remote forward success for: listen 51000, connect socks:0
debug1: All remote forwarding requests processed
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 2 win 2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 51000, originator 127.0.0.1 port 62698
debug1: channel 0: new [127.0.0.1]
debug1: confirm forwarded-tcpip
debug1: getsockopt TCP_NODELAY: Invalid argument
debug1: connect_next: host [...snip...] in progress, fd=4
debug1: channel 0: connected to [...snip...] port 80
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 3 win 2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 51000, originator 127.0.0.1 port 62699
debug1: channel 1: new [127.0.0.1]
[...more traffic over the proxy snipped...]
Transferred: sent 60904, received 16784 bytes, in 120.9 seconds
Bytes per second: sent 503.6, received 138.8
debug1: Exit status -1
```
As you can see everything's working as expected here.
And here's the log from connection 2:
```
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Connecting to [...snip...].
debug1: Connection established.
[...snip...]
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_8.1
debug1: match: OpenSSH_for_Windows_8.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to WindowsServer:22 as 'SshTest'
[...snip...]
debug1: Authentication succeeded (password).
Authenticated to [...snip...].
debug1: Remote connections from LOCALHOST:51000 forwarded to local address socks:0
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: remote forward success for: listen 51000, connect socks:0
debug1: All remote forwarding requests processed
Transferred: sent 1884, received 2300 bytes, in 65.4 seconds
Bytes per second: sent 28.8, received 35.2
debug1: Exit status -1
```
As you can see, the connection is successful even though port 51000 is already being used by connection 1 and ExitOnForwardFailure=true is set. When I send traffic over the proxy on port 51000 using Firefox, it always goes through connection 1, never connection 2.
I was able to confirm that OpenSSH_8.4p1 Debian-5 server running on a Raspberry Pi has the behavior I expected, where connection 2 fails with an error (connecting from WindowsClient the same as for the previous test):
Connection 1:
```
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Connecting to [...snip...].
debug1: Connection established.
[...snip...]
debug1: Authentication succeeded (password).
Authenticated to [...snip...].
debug1: Remote connections from LOCALHOST:51000 forwarded to local address socks:0
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: remote forward success for: listen 51000, connect socks:0
debug1: All remote forwarding requests processed
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 2 win 2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 51000, originator 127.0.0.1 port 52358
debug1: channel 0: new [127.0.0.1]
debug1: confirm forwarded-tcpip
debug1: getsockopt TCP_NODELAY: Invalid argument
debug1: connect_next: host [...snip...] in progress, fd=4
debug1: channel 0: connected to [...snip...]
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 3 win 2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 51000, originator 127.0.0.1 port 52360
debug1: channel 1: new [127.0.0.1]
debug1: confirm forwarded-tcpip
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 4 win 2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 51000, originator 127.0.0.1 port 52362
debug1: channel 2: new [127.0.0.1]
debug1: confirm forwarded-tcpip
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 5 win 2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 51000, originator 127.0.0.1 port 52364
debug1: channel 3: new [127.0.0.1]
debug1: confirm forwarded-tcpip
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 6 win 2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 51000, originator 127.0.0.1 port 52366
debug1: channel 4: new [127.0.0.1]
debug1: confirm forwarded-tcpip
debug1: getsockopt TCP_NODELAY: Invalid argument
debug1: connect_next: host [...snip...] in progress, fd=5
debug1: channel 1: connected to [...snip...]
debug1: getsockopt TCP_NODELAY: Invalid argument
debug1: connect_next: host [...snip...] in progress, fd=6
debug1: getsockopt TCP_NODELAY: Invalid argument
debug1: connect_next: host [...snip...] in progress, fd=7
debug1: getsockopt TCP_NODELAY: Invalid argument
debug1: connect_next: host [...snip...] in progress, fd=8
debug1: channel 2: connected to [...snip...]
debug1: channel 3: connected to [...snip...]
debug1: channel 4: connected to [...snip...]
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 7 win 2097152 max 32768
debug1: client_request_forwarded_tcpip: listen localhost port 51000, originator 127.0.0.1 port 52368
debug1: channel 5: new [127.0.0.1]
debug1: confirm forwarded-tcpip
debug1: getsockopt TCP_NODELAY: Invalid argument
debug1: connect_next: host [...snip...] in progress, fd=9
debug1: channel 5: connected to [...snip...]
debug1: channel 0: free: 127.0.0.1, nchannels 6
debug1: channel 1: free: 127.0.0.1, nchannels 5
debug1: channel 2: free: 127.0.0.1, nchannels 4
debug1: channel 3: free: 127.0.0.1, nchannels 3
debug1: channel 4: free: 127.0.0.1, nchannels 2
debug1: channel 5: free: 127.0.0.1, nchannels 1
Transferred: sent 75776, received 11604 bytes, in 108.8 seconds
Bytes per second: sent 696.6, received 106.7
debug1: Exit status -1
```
(Working as expected.)
Connection 2:
```
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Connecting to [...snip...].
debug1: Connection established.
[...snip...]
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5
debug1: match: OpenSSH_8.4p1 Debian-5 pat OpenSSH* compat 0x04000000
[...snip...]
debug1: Authentication succeeded (password).
Authenticated to [...snip...].
debug1: Remote connections from LOCALHOST:51000 forwarded to local address socks:0
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: remote forward failure for: listen 51000, connect socks:0
Error: remote port forwarding failed for listen port 51000
```
As you can see this time the second connection attempt to the same port fails with an error as expected.
Environment data
```
Name                           Value
----                           -----
PSVersion                      5.1.19041.1682
PSEdition                      Desktop
PSCompatibleVersions           {1.0,2.0,3.0,4.0...}
BuildVersion                   10.0.19041.1682
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```
Version
OpenSSH_for_Windows_8.1p1
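
A server-side check for the condition reported above, added here as an example and not part of the original issue or of Win32-OpenSSH: it parses `netstat -ano` output and flags any `PermitListen` port where more than one process listens on the same local endpoint. The netstat sample and PIDs are constructed, and the check assumes both sshd session processes show up as LISTENING rows.

```python
import re
from collections import defaultdict

# Ports taken from the PermitListen line in the sshd_config above.
PERMIT_LISTEN = {51000, 51001, 51002, 51003, 51004, 51005}

# Constructed sample of `netstat -ano` output; PIDs and rows are illustrative,
# not captured from the reporter's WindowsServer.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2480
  TCP    127.0.0.1:51000        0.0.0.0:0              LISTENING       4312
  TCP    127.0.0.1:51000        0.0.0.0:0              LISTENING       6120
  TCP    [::1]:51000            [::]:0                 LISTENING       4312
  TCP    127.0.0.1:51001        0.0.0.0:0              LISTENING       7004
  TCP    127.0.0.1:51000        127.0.0.1:62698        ESTABLISHED     4312
"""

# Matches only LISTENING TCP rows; handles IPv4 and bracketed IPv6 addresses.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listeners(netstat_text):
    """Map (local_address, port) -> set of PIDs that own a LISTENING socket there."""
    found = defaultdict(set)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m:
            found[(m.group(1), int(m.group(2)))].add(int(m.group(3)))
    return found


def shadowed_forwards(netstat_text, ports=PERMIT_LISTEN):
    """Return {(addr, port): sorted PIDs} for endpoints with more than one listener.

    One PID listening on both 127.0.0.1 and [::1] is a normal `localhost` bind and
    is not flagged; two PIDs on the same address and port is the reported symptom.
    """
    return {
        key: sorted(pids)
        for key, pids in listeners(netstat_text).items()
        if key[1] in ports and len(pids) > 1
    }


if __name__ == "__main__":
    for (addr, port), pids in shadowed_forwards(SAMPLE_NETSTAT).items():
        print(f"{addr}:{port} has {len(pids)} listeners: PIDs {pids}")
```
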