author | Damien Miller <djm@mindrot.org> | 2005-03-01 21:24:33 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2005-03-01 21:24:33 +1100 |
commit | f91ee4c3def4de8b4b9409f07ab26a61e535e1e6 (patch) | |
tree | 92d9f883c3c34f0d80b49a7855dcc2514798cf02 /ssh.1 | |
parent | 1717fd422f2c5691d745a7daf6908df9a6458904 (diff) |
- djm@cvs.openbsd.org 2005/03/01 10:09:52
[auth-options.c channels.c channels.h clientloop.c compat.c compat.h]
[misc.c misc.h readconf.c readconf.h servconf.c ssh.1 ssh.c ssh_config.5]
[sshd_config.5]
bz#413: allow optional specification of bind address for port forwardings.
Patch originally by Dan Astorian, but worked on by several people
Adds GatewayPorts=clientspecified option on server to allow remote
forwards to bind to client-specified ports.
Diffstat (limited to 'ssh.1')
-rw-r--r-- | ssh.1 | 59 |
1 files changed, 49 insertions, 10 deletions
@@ -34,7 +34,7 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: ssh.1,v 1.199 2004/11/07 17:42:36 jmc Exp $ | 37 | .\" $OpenBSD: ssh.1,v 1.200 2005/03/01 10:09:52 djm Exp $ |
38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
39 | .Dt SSH 1 | 39 | .Dt SSH 1 |
40 | .Os | 40 | .Os |
@@ -53,13 +53,13 @@ | |||
53 | .Op Fl i Ar identity_file | 53 | .Op Fl i Ar identity_file |
54 | .Oo Fl L Xo | 54 | .Oo Fl L Xo |
55 | .Sm off | 55 | .Sm off |
56 | .Oo Ar bind_address : Oc | ||
56 | .Ar port : | 57 | .Ar port : |
57 | .Ar host : | 58 | .Ar host : |
58 | .Ar hostport | 59 | .Ar hostport |
59 | .Sm on | 60 | .Sm on |
60 | .Xc | 61 | .Xc |
61 | .Oc | 62 | .Oc |
62 | .Ek | ||
63 | .Op Fl l Ar login_name | 63 | .Op Fl l Ar login_name |
64 | .Op Fl m Ar mac_spec | 64 | .Op Fl m Ar mac_spec |
65 | .Op Fl O Ar ctl_cmd | 65 | .Op Fl O Ar ctl_cmd |
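Review bot: The `.Ek` that followed the `-L` option's `.Oc` (old line 62) is removed in this hunk, which is unrelated to adding `bind_address`. The `.Ek` at line 69 ahead of `-R` in the next hunk is kept, so please confirm that the `.Bk`/`.Ek` pairs in the SYNOPSIS still balance after this change, and mention the cleanup in the commit message if it is intentional.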
@@ -69,6 +69,7 @@ | |||
69 | .Ek | 69 | .Ek |
70 | .Oo Fl R Xo | 70 | .Oo Fl R Xo |
71 | .Sm off | 71 | .Sm off |
72 | .Oo Ar bind_address : Oc | ||
72 | .Ar port : | 73 | .Ar port : |
73 | .Ar host : | 74 | .Ar host : |
74 | .Ar hostport | 75 | .Ar hostport |
@@ -570,6 +571,7 @@ configuration files). | |||
570 | Disables forwarding (delegation) of GSSAPI credentials to the server. | 571 | Disables forwarding (delegation) of GSSAPI credentials to the server. |
571 | .It Fl L Xo | 572 | .It Fl L Xo |
572 | .Sm off | 573 | .Sm off |
574 | .Oo Ar bind_address : Oc | ||
573 | .Ar port : host : hostport | 575 | .Ar port : host : hostport |
574 | .Sm on | 576 | .Sm on |
575 | .Xc | 577 | .Xc |
@@ -577,7 +579,9 @@ Specifies that the given port on the local (client) host is to be | |||
577 | forwarded to the given host and port on the remote side. | 579 | forwarded to the given host and port on the remote side. |
578 | This works by allocating a socket to listen to | 580 | This works by allocating a socket to listen to |
579 | .Ar port | 581 | .Ar port |
580 | on the local side, and whenever a connection is made to this port, the | 582 | on the local side, optionally bound to the specified |
583 | .Ar bind_address . | ||
584 | Whenever a connection is made to this port, the | ||
581 | connection is forwarded over the secure channel, and a connection is | 585 | connection is forwarded over the secure channel, and a connection is |
582 | made to | 586 | made to |
583 | .Ar host | 587 | .Ar host |
@@ -585,14 +589,30 @@ port | |||
585 | .Ar hostport | 589 | .Ar hostport |
586 | from the remote machine. | 590 | from the remote machine. |
587 | Port forwardings can also be specified in the configuration file. | 591 | Port forwardings can also be specified in the configuration file. |
588 | Only root can forward privileged ports. | ||
589 | IPv6 addresses can be specified with an alternative syntax: | 592 | IPv6 addresses can be specified with an alternative syntax: |
590 | .Sm off | 593 | .Sm off |
591 | .Xo | 594 | .Xo |
595 | .Oo Ar bind_address / Oc | ||
592 | .Ar port No / Ar host No / | 596 | .Ar port No / Ar host No / |
593 | .Ar hostport . | 597 | .Ar hostport |
594 | .Xc | 598 | .Xc |
595 | .Sm on | 599 | .Sm on |
600 | or by enclosing the address in square brackets. | ||
601 | Only the superuser can forward privileged ports. | ||
602 | By default, the local port is bound in accordance with the | ||
603 | .Cm GatewayPorts | ||
604 | setting. | ||
605 | However, an explicit | ||
606 | .Ar bind_address | ||
607 | may be used to bind the connection to a specific address. | ||
608 | The | ||
609 | .Ar bind_address | ||
610 | of | ||
611 | .Dq localhost | ||
612 | indicates that the listening port be bound for local use only, while an | ||
613 | empty address or | ||
614 | .Dq * | ||
615 | indicates that the port should be available from all interfaces. | ||
596 | .It Fl l Ar login_name | 616 | .It Fl l Ar login_name |
597 | Specifies the user to log in as on the remote machine. | 617 | Specifies the user to log in as on the remote machine. |
598 | This also may be specified on a per-host basis in the configuration file. | 618 | This also may be specified on a per-host basis in the configuration file. |
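Review bot: The new `-L` text at lines 602-604 says the port is bound "in accordance with the `GatewayPorts` setting" without saying where that option is documented, while the `-R` text later in this patch points to `.Xr sshd_config 5`. Add the matching cross-reference here (`.Xr ssh_config 5`, which this commit also touches) so readers know it is the client-side option. Because an empty address or `*` makes the listener reachable from all interfaces, it would also help to state what the binding is when `GatewayPorts` is left unset. Minor: this hunk uses `.Dq *` and "square brackets" where the `-R` hunk uses `.Ql *` and "square braces"; pick one form for both. "indicates that the listening port be bound" reads better as "is to be bound".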
@@ -724,6 +744,7 @@ Quiet mode. | |||
724 | Causes all warning and diagnostic messages to be suppressed. | 744 | Causes all warning and diagnostic messages to be suppressed. |
725 | .It Fl R Xo | 745 | .It Fl R Xo |
726 | .Sm off | 746 | .Sm off |
747 | .Oo Ar bind_address : Oc | ||
727 | .Ar port : host : hostport | 748 | .Ar port : host : hostport |
728 | .Sm on | 749 | .Sm on |
729 | .Xc | 750 | .Xc |
@@ -738,16 +759,34 @@ made to | |||
738 | port | 759 | port |
739 | .Ar hostport | 760 | .Ar hostport |
740 | from the local machine. | 761 | from the local machine. |
762 | .Pp | ||
741 | Port forwardings can also be specified in the configuration file. | 763 | Port forwardings can also be specified in the configuration file. |
742 | Privileged ports can be forwarded only when | 764 | Privileged ports can be forwarded only when |
743 | logging in as root on the remote machine. | 765 | logging in as root on the remote machine. |
744 | IPv6 addresses can be specified with an alternative syntax: | 766 | IPv6 addresses can be specified by enclosing the address in square braces or |
745 | .Sm off | 767 | using an alternative syntax: |
746 | .Xo | 768 | .Xo |
747 | .Ar port No / Ar host No / | 769 | .Sm off |
748 | .Ar hostport . | 770 | .Oo Ar bind_address / Oc |
749 | .Xc | 771 | .Ar host/port/hostport |
750 | .Sm on | 772 | .Sm on |
773 | .Xc . | ||
774 | .Pp | ||
775 | By default, the listening socket on the server will be bound to the loopback | ||
776 | interface only. | ||
777 | This may be overriden by specifying a | ||
778 | .Ar bind_address . | ||
779 | An empty | ||
780 | .Ar bind_address , | ||
781 | or the address | ||
782 | .Ql * | ||
783 | indicates that the remote socket should listen on all interfaces. | ||
784 | Specifying a remote | ||
785 | .Ar bind_address | ||
786 | will only succeed if the server's | ||
787 | .Cm GatewayPorts | ||
788 | option is enabled (see | ||
789 | .Xr sshd_config 5 ). | ||
751 | .It Fl S Ar ctl_path | 790 | .It Fl S Ar ctl_path |
752 | Specifies the location of a control socket for connection sharing. | 791 | Specifies the location of a control socket for connection sharing. |
753 | Refer to the description of | 792 | Refer to the description of |
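Review bot: The alternative syntax on new line 771 reads `.Ar host/port/hostport`, which swaps the first two fields. The removed text (`.Ar port No / Ar host No /`) and the `-L` section both give port, host, hostport, so this should be `port/host/hostport`. New line 777 has a typo: "overriden" should be "overridden". The last sentence says a remote `bind_address` succeeds only if `GatewayPorts` "is enabled", but the commit message introduces `GatewayPorts=clientspecified`; say which setting is required, since letting the client choose a non-loopback listen address on the server is the security-relevant behaviour of this change.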