- djm@cvs.openbsd.org 2005/09/19 11:37:34

[ssh_config.5 ssh.1] mention ability to specify bind_address for DynamicForward and -D options; bz#1077 spotted by Haruyama Seigo
author: Darren Tucker <dtucker@zip.com.au> 2005-10-03 18:13:42 +1000
committer: Darren Tucker <dtucker@zip.com.au> 2005-10-03 18:13:42 +1000
commit: c8d6421a645529a3c831dccc5d9d9e073de68657 (patch)
tree: cffc52ca23b243ff58e6b494973099aaf603e657
parent: ce321d8a30a81222d11a4c27fd353804a9afecd3 (diff)
3 files changed, 69 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index c8b2f3f86..7af3d15f7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,10 @@
     [sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c
     scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c]
     ensure that stdio fds are attached; ok deraadt@
+   - djm@cvs.openbsd.org 2005/09/19 11:37:34
+     [ssh_config.5 ssh.1]
+     mention ability to specify bind_address for DynamicForward and -D options;
+     bz#1077 spotted by Haruyama Seigo
 20050930
 - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype
@@ -3050,4 +3054,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3904 2005/10/03 08:11:24 dtucker Exp $
+$Id: ChangeLog,v 1.3905 2005/10/03 08:13:42 dtucker Exp $
diff --git a/ssh.1 b/ssh.1
index b0749763b..135e3b6c5 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.209 2005/07/06 09:33:05 dtucker Exp $
+.\" $OpenBSD: ssh.1,v 1.210 2005/09/19 11:37:34 djm Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -47,7 +47,12 @@
 .Op Fl 1246AaCfgkMNnqsTtVvXxY
 .Op Fl b Ar bind_address
 .Op Fl c Ar cipher_spec
-.Op Fl D Ar port
+.Oo Fl D\ \&
+.Sm off
+.Oo Ar bind_address : Oc
+.Ar port
+.Sm on
+.Oc
 .Op Fl e Ar escape_char
 .Op Fl F Ar configfile
 .Op Fl i Ar identity_file
@@ -494,13 +499,20 @@ The default is
    arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
    aes192-ctr,aes256-ctr''
 .Ed
-.It Fl D Ar port
+.It Fl D Xo
+.Sm off
+.Oo Ar bind_address : Oc
+.Ar port
+.Sm on
+.Xc
 Specifies a local
 .Dq dynamic
 application-level port forwarding.
 This works by allocating a socket to listen to
 .Ar port
-on the local side, and whenever a connection is made to this port, the
+on the local side, optionally bound to the specified
+.Ar bind_address .
+Whenever a connection is made to this port, the
 connection is forwarded over the secure channel, and the application
 protocol is then used to determine where to connect to from the
 remote machine.
@@ -509,6 +521,30 @@ Currently the SOCKS4 and SOCKS5 protocols are supported, and
 will act as a SOCKS server.
 Only root can forward privileged ports.
 Dynamic port forwardings can also be specified in the configuration file.
+.Pp
+IPv6 addresses can be specified with an alternative syntax:
+.Sm off
+.Xo
+.Op Ar bind_address No /
+.Ar port
+.Xc
+.Sm on
+or by enclosing the address in square brackets.
+Only the superuser can forward privileged ports.
+By default, the local port is bound in accordance with the
+.Cm GatewayPorts
+setting.
+However, an explicit
+.Ar bind_address
+may be used to bind the connection to a specific address.
+The
+.Ar bind_address
+of
+.Dq localhost
+indicates that the listening port be bound for local use only, while an
+empty address or
+.Sq *
+indicates that the port should be available from all interfaces.
 .It Fl e Ar ch | ^ch | none
 Sets the escape character for sessions with a pty (default:
 .Ql ~ ) .
diff --git a/ssh_config.5 b/ssh_config.5
index 9ddb09480..2e38be950 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.62 2005/09/19 11:37:34 djm Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -320,7 +320,29 @@ Specifies that a TCP/IP port on the local machine be forwarded
 over the secure channel, and the application
 protocol is then used to determine where to connect to from the
 remote machine.
-The argument must be a port number.
+.Pp
+The argument must be
+.Sm off
+.Oo Ar bind_address : Oc Ar port .
+.Sm on
+IPv6 addresses can be specified by enclosing addresses in square brackets or
+by using an alternative syntax:
+.Oo Ar bind_address Ns / Oc Ns Ar port .
+By default, the local port is bound in accordance with the
+.Cm GatewayPorts
+setting.
+However, an explicit
+.Ar bind_address
+may be used to bind the connection to a specific address.
+The
+.Ar bind_address
+of
+.Dq localhost
+indicates that the listening port be bound for local use only, while an
+empty address or
+.Sq *
+indicates that the port should be available from all interfaces.
+.Pp
 Currently the SOCKS4 and SOCKS5 protocols are supported, and
 .Nm ssh
 will act as a SOCKS server.
author	Darren Tucker <dtucker@zip.com.au>	2005-10-03 18:13:42 +1000
committer	Darren Tucker <dtucker@zip.com.au>	2005-10-03 18:13:42 +1000
commit	c8d6421a645529a3c831dccc5d9d9e073de68657 (patch)
tree	cffc52ca23b243ff58e6b494973099aaf603e657
parent	ce321d8a30a81222d11a4c27fd353804a9afecd3 (diff)

diff --git a/ChangeLog b/ChangeLog index c8b2f3f86..7af3d15f7 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -10,6 +10,10 @@
10	[sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c	10	[sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c
11	scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c]	11	scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c]
12	ensure that stdio fds are attached; ok deraadt@	12	ensure that stdio fds are attached; ok deraadt@
		13	- djm@cvs.openbsd.org 2005/09/19 11:37:34
		14	[ssh_config.5 ssh.1]
		15	mention ability to specify bind_address for DynamicForward and -D options;
		16	bz#1077 spotted by Haruyama Seigo
13		17
14	20050930	18	20050930
15	- (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype	19	- (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype
@@ -3050,4 +3054,4 @@
3050	- (djm) Trim deprecated options from INSTALL. Mention UsePAM	3054	- (djm) Trim deprecated options from INSTALL. Mention UsePAM
3051	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu	3055	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
3052		3056
3053	$Id: ChangeLog,v 1.3904 2005/10/03 08:11:24 dtucker Exp $	3057	$Id: ChangeLog,v 1.3905 2005/10/03 08:13:42 dtucker Exp $


diff --git a/ssh.1 b/ssh.1 index b0749763b..135e3b6c5 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.209 2005/07/06 09:33:05 dtucker Exp $	37	.\" $OpenBSD: ssh.1,v 1.210 2005/09/19 11:37:34 djm Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
@@ -47,7 +47,12 @@
47	.Op Fl 1246AaCfgkMNnqsTtVvXxY	47	.Op Fl 1246AaCfgkMNnqsTtVvXxY
48	.Op Fl b Ar bind_address	48	.Op Fl b Ar bind_address
49	.Op Fl c Ar cipher_spec	49	.Op Fl c Ar cipher_spec
50	.Op Fl D Ar port	50	.Oo Fl D\ \&
		51	.Sm off
		52	.Oo Ar bind_address : Oc
		53	.Ar port
		54	.Sm on
		55	.Oc
51	.Op Fl e Ar escape_char	56	.Op Fl e Ar escape_char
52	.Op Fl F Ar configfile	57	.Op Fl F Ar configfile
53	.Op Fl i Ar identity_file	58	.Op Fl i Ar identity_file
@@ -494,13 +499,20 @@ The default is
494	arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,	499	arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
495	aes192-ctr,aes256-ctr''	500	aes192-ctr,aes256-ctr''
496	.Ed	501	.Ed
497	.It Fl D Ar port	502	.It Fl D Xo
		503	.Sm off
		504	.Oo Ar bind_address : Oc
		505	.Ar port
		506	.Sm on
		507	.Xc
498	Specifies a local	508	Specifies a local
499	.Dq dynamic	509	.Dq dynamic
500	application-level port forwarding.	510	application-level port forwarding.
501	This works by allocating a socket to listen to	511	This works by allocating a socket to listen to
502	.Ar port	512	.Ar port
503	on the local side, and whenever a connection is made to this port, the	513	on the local side, optionally bound to the specified
		514	.Ar bind_address .
		515	Whenever a connection is made to this port, the
504	connection is forwarded over the secure channel, and the application	516	connection is forwarded over the secure channel, and the application
505	protocol is then used to determine where to connect to from the	517	protocol is then used to determine where to connect to from the
506	remote machine.	518	remote machine.
@@ -509,6 +521,30 @@ Currently the SOCKS4 and SOCKS5 protocols are supported, and
509	will act as a SOCKS server.	521	will act as a SOCKS server.
510	Only root can forward privileged ports.	522	Only root can forward privileged ports.
511	Dynamic port forwardings can also be specified in the configuration file.	523	Dynamic port forwardings can also be specified in the configuration file.
		524	.Pp
		525	IPv6 addresses can be specified with an alternative syntax:
		526	.Sm off
		527	.Xo
		528	.Op Ar bind_address No /
		529	.Ar port
		530	.Xc
		531	.Sm on
		532	or by enclosing the address in square brackets.
		533	Only the superuser can forward privileged ports.
		534	By default, the local port is bound in accordance with the
		535	.Cm GatewayPorts
		536	setting.
		537	However, an explicit
		538	.Ar bind_address
		539	may be used to bind the connection to a specific address.
		540	The
		541	.Ar bind_address
		542	of
		543	.Dq localhost
		544	indicates that the listening port be bound for local use only, while an
		545	empty address or
		546	.Sq *
		547	indicates that the port should be available from all interfaces.
512	.It Fl e Ar ch \| ^ch \| none	548	.It Fl e Ar ch \| ^ch \| none
513	Sets the escape character for sessions with a pty (default:	549	Sets the escape character for sessions with a pty (default:
514	.Ql ~ ) .	550	.Ql ~ ) .


diff --git a/ssh_config.5 b/ssh_config.5 index 9ddb09480..2e38be950 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $	37	.\" $OpenBSD: ssh_config.5,v 1.62 2005/09/19 11:37:34 djm Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH_CONFIG 5	39	.Dt SSH_CONFIG 5
40	.Os	40	.Os
@@ -320,7 +320,29 @@ Specifies that a TCP/IP port on the local machine be forwarded
320	over the secure channel, and the application	320	over the secure channel, and the application
321	protocol is then used to determine where to connect to from the	321	protocol is then used to determine where to connect to from the
322	remote machine.	322	remote machine.
323	The argument must be a port number.	323	.Pp
		324	The argument must be
		325	.Sm off
		326	.Oo Ar bind_address : Oc Ar port .
		327	.Sm on
		328	IPv6 addresses can be specified by enclosing addresses in square brackets or
		329	by using an alternative syntax:
		330	.Oo Ar bind_address Ns / Oc Ns Ar port .
		331	By default, the local port is bound in accordance with the
		332	.Cm GatewayPorts
		333	setting.
		334	However, an explicit
		335	.Ar bind_address
		336	may be used to bind the connection to a specific address.
		337	The
		338	.Ar bind_address
		339	of
		340	.Dq localhost
		341	indicates that the listening port be bound for local use only, while an
		342	empty address or
		343	.Sq *
		344	indicates that the port should be available from all interfaces.
		345	.Pp
324	Currently the SOCKS4 and SOCKS5 protocols are supported, and	346	Currently the SOCKS4 and SOCKS5 protocols are supported, and
325	.Nm ssh	347	.Nm ssh
326	will act as a SOCKS server.	348	will act as a SOCKS server.