From c8d6421a645529a3c831dccc5d9d9e073de68657 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 3 Oct 2005 18:13:42 +1000 Subject: - djm@cvs.openbsd.org 2005/09/19 11:37:34 [ssh_config.5 ssh.1] mention ability to specify bind_address for DynamicForward and -D options; bz#1077 spotted by Haruyama Seigo --- ChangeLog | 6 +++++- ssh.1 | 44 ++++++++++++++++++++++++++++++++++++++++---- ssh_config.5 | 26 ++++++++++++++++++++++++-- 3 files changed, 69 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index c8b2f3f86..7af3d15f7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,10 @@ [sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c] ensure that stdio fds are attached; ok deraadt@ + - djm@cvs.openbsd.org 2005/09/19 11:37:34 + [ssh_config.5 ssh.1] + mention ability to specify bind_address for DynamicForward and -D options; + bz#1077 spotted by Haruyama Seigo 20050930 - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype @@ -3050,4 +3054,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3904 2005/10/03 08:11:24 dtucker Exp $ +$Id: ChangeLog,v 1.3905 2005/10/03 08:13:42 dtucker Exp $ diff --git a/ssh.1 b/ssh.1 index b0749763b..135e3b6c5 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.209 2005/07/06 09:33:05 dtucker Exp $ +.\" $OpenBSD: ssh.1,v 1.210 2005/09/19 11:37:34 djm Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -47,7 +47,12 @@ .Op Fl 1246AaCfgkMNnqsTtVvXxY .Op Fl b Ar bind_address .Op Fl c Ar cipher_spec -.Op Fl D Ar port +.Oo Fl D\ \& +.Sm off +.Oo Ar bind_address : Oc +.Ar port +.Sm on +.Oc .Op Fl e Ar escape_char .Op Fl F Ar configfile .Op Fl i Ar identity_file @@ -494,13 +499,20 @@ The default is arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, aes192-ctr,aes256-ctr'' .Ed -.It Fl D Ar port +.It Fl D Xo +.Sm off +.Oo Ar bind_address : Oc +.Ar port +.Sm on +.Xc Specifies a local .Dq dynamic application-level port forwarding. This works by allocating a socket to listen to .Ar port -on the local side, and whenever a connection is made to this port, the +on the local side, optionally bound to the specified +.Ar bind_address . +Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. @@ -509,6 +521,30 @@ Currently the SOCKS4 and SOCKS5 protocols are supported, and will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file. +.Pp +IPv6 addresses can be specified with an alternative syntax: +.Sm off +.Xo +.Op Ar bind_address No / +.Ar port +.Xc +.Sm on +or by enclosing the address in square brackets. +Only the superuser can forward privileged ports. +By default, the local port is bound in accordance with the +.Cm GatewayPorts +setting. +However, an explicit +.Ar bind_address +may be used to bind the connection to a specific address. +The +.Ar bind_address +of +.Dq localhost +indicates that the listening port be bound for local use only, while an +empty address or +.Sq * +indicates that the port should be available from all interfaces. .It Fl e Ar ch | ^ch | none Sets the escape character for sessions with a pty (default: .Ql ~ ) . diff --git a/ssh_config.5 b/ssh_config.5 index 9ddb09480..2e38be950 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.61 2005/07/08 12:53:10 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.62 2005/09/19 11:37:34 djm Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -320,7 +320,29 @@ Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. -The argument must be a port number. +.Pp +The argument must be +.Sm off +.Oo Ar bind_address : Oc Ar port . +.Sm on +IPv6 addresses can be specified by enclosing addresses in square brackets or +by using an alternative syntax: +.Oo Ar bind_address Ns / Oc Ns Ar port . +By default, the local port is bound in accordance with the +.Cm GatewayPorts +setting. +However, an explicit +.Ar bind_address +may be used to bind the connection to a specific address. +The +.Ar bind_address +of +.Dq localhost +indicates that the listening port be bound for local use only, while an +empty address or +.Sq * +indicates that the port should be available from all interfaces. +.Pp Currently the SOCKS4 and SOCKS5 protocols are supported, and .Nm ssh will act as a SOCKS server. -- cgit v1.2.3