Remote dynamic port forwarding for OpenSSH client

Basic OpenSSH client and other mainstream SSH clients support these three types of port forwarding:

  1. Local static forwarding
     Syntax: -L [bind_address:]port:host:hostport

     User specifies a local port and a remote host with its port. The local port is forwarded through the secure SSH tunnel to the specified host and hostport on the remote side. The SSH client allocates a listening socket on the local port, optionally bound to bind_address. Whenever a connection is accepted on this socket, it is forwarded through the SSH tunnel to the server. The SSH server calls connect to host and hostport and, after the connection is established, forwards data from this connection to the SSH tunnel and from the SSH tunnel to this connection. The SSH client forwards data from the accepted connection to the SSH tunnel and from the SSH tunnel to the accepted connection.

  2. Remote static forwarding
     Syntax: -R [bind_address:]port:host:hostport

     User specifies a remote port and a local host with its port. The remote port is forwarded through the secure SSH tunnel to the specified host and hostport on the local side. The SSH server allocates a listening socket on the specified port, optionally bound to bind_address. Whenever a connection is accepted on this socket, it is forwarded through the SSH tunnel to the client. The SSH client calls connect to host and hostport and, after the connection is established, forwards data from this connection to the SSH tunnel and from the SSH tunnel to this connection. The SSH server forwards data from the accepted connection to the SSH tunnel and from the SSH tunnel to the accepted connection.

  3. Local dynamic forwarding
     Syntax: -D [bind_address:]port

     User specifies just a local port. The SSH client impersonates a partial SOCKS proxy server, using the connectivity and identity of the SSH server to process all received CONNECT requests. The SSH client allocates a listening socket on the specified port, optionally bound to bind_address. Whenever a connection is accepted on this socket, the client reads the SOCKS request and forwards its content through the secure SSH tunnel to the server. The SSH server processes the request, resolves the target name if necessary, and calls connect to the target specified in the SOCKS request. After the connection is successfully established, it forwards data from this connection to the SSH tunnel and from the SSH tunnel to this connection. The SSH client forwards data from the accepted connection to the SSH tunnel and from the SSH tunnel to the accepted connection.

This project adds to the OpenSSH client the fourth natural type of port forwarding:

  4. Remote dynamic forwarding
     Syntax: -d [bind_address:]port

     User specifies just a remote port. The SSH server impersonates a partial SOCKS proxy server, using the connectivity and identity of the SSH client to process all received CONNECT requests. The SSH server allocates a listening socket on the specified port, optionally bound to bind_address. Whenever a connection is accepted on this socket, the server reads the SOCKS request and forwards its content through the secure SSH tunnel to the client. The SSH client processes the request, resolves the target name if necessary, and calls connect to the target specified in the SOCKS request. After the connection is successfully established, it forwards data from this connection to the SSH tunnel and from the SSH tunnel to this connection. The SSH server forwards data from the accepted connection to the SSH tunnel and from the SSH tunnel to the accepted connection.
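To make the SOCKS processing step of both dynamic modes concrete, the following is an added example, not code from this project or from OpenSSH. It decodes the SOCKS4, SOCKS4a and SOCKS5 CONNECT requests that the forwarding endpoint (the server for -D, the client for -d) reads from an accepted connection, builds the reply it sends back once its own connect() has finished, and applies a destination allowlist. The sample requests, the `destination_permitted` helper and the allowlist shape are constructed for this example. In remote dynamic forwarding the endpoint that performs the connect is the SSH client, so anyone able to reach the server-side listener can make the client open connections on their behalf; a destination policy on the client side is the natural place to bound that.

```python
import ipaddress
import struct

SOCKS4, SOCKS5 = 0x04, 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


class SocksError(ValueError):
    """Malformed request, or a command the forwarding endpoint does not service."""


def parse_socks_request(buf: bytes):
    """Decode a SOCKS4, SOCKS4a or SOCKS5 CONNECT request into (version, host, port).

    For SOCKS5 this is the request that follows the method negotiation.
    Only CONNECT is accepted, as with OpenSSH's dynamic forwarding.
    """
    if not buf:
        raise SocksError("empty request")
    if buf[0] == SOCKS4:
        return _parse_socks4(buf)
    if buf[0] == SOCKS5:
        return _parse_socks5(buf)
    raise SocksError("unsupported SOCKS version %d" % buf[0])


def _parse_socks4(buf):
    if len(buf) < 9:  # VN CD DSTPORT(2) DSTIP(4) USERID NUL
        raise SocksError("short SOCKS4 request")
    cmd, port = struct.unpack("!BH", buf[1:4])
    if cmd != CMD_CONNECT:
        raise SocksError("only CONNECT is supported")
    dst_ip = buf[4:8]
    rest = buf[8:]
    nul = rest.find(b"\x00")  # USERID is NUL-terminated
    if nul < 0:
        raise SocksError("unterminated USERID")
    rest = rest[nul + 1:]
    if dst_ip[:3] == b"\x00\x00\x00" and dst_ip[3] != 0:
        # SOCKS4a: DSTIP of the form 0.0.0.x (x != 0) means a NUL-terminated
        # hostname follows USERID and the endpoint, not the SOCKS client, resolves it.
        nul = rest.find(b"\x00")
        if nul < 0:
            raise SocksError("unterminated SOCKS4a hostname")
        return 4, rest[:nul].decode("ascii"), port
    return 4, str(ipaddress.IPv4Address(dst_ip)), port


def _parse_socks5(buf):
    if len(buf) < 8:  # VER CMD RSV ATYP + shortest address (1-byte domain) + port
        raise SocksError("short SOCKS5 request")
    cmd, atyp = buf[1], buf[3]
    if cmd != CMD_CONNECT:
        raise SocksError("only CONNECT is supported")
    if atyp == ATYP_IPV4:
        end = 8
        host = str(ipaddress.IPv4Address(buf[4:8]))
    elif atyp == ATYP_DOMAIN:
        end = 5 + buf[4]  # one length byte, then the name; resolved by the endpoint
        host = buf[5:end].decode("ascii")
    elif atyp == ATYP_IPV6:
        end = 20
        if len(buf) < end:
            raise SocksError("truncated IPv6 address")
        host = str(ipaddress.IPv6Address(buf[4:20]))
    else:
        raise SocksError("unknown address type %d" % atyp)
    if len(buf) < end + 2:
        raise SocksError("truncated request")
    (port,) = struct.unpack("!H", buf[end:end + 2])
    return 5, host, port


def socks_reply(version: int, ok: bool) -> bytes:
    """Reply sent back on the accepted socket once the endpoint's connect() finishes."""
    if version == 4:
        # VN=0, CD=0x5A granted / 0x5B rejected, then DSTPORT and DSTIP (zeroed here)
        return bytes([0x00, 0x5A if ok else 0x5B]) + b"\x00" * 6
    # VER=5, REP=0 succeeded / 1 general failure, RSV, ATYP=IPv4, BND.ADDR 0.0.0.0, BND.PORT 0
    return bytes([SOCKS5, 0x00 if ok else 0x01, 0x00, ATYP_IPV4]) + b"\x00" * 6


def destination_permitted(host: str, port: int, allow: list) -> bool:
    """Destination policy (assumed shape): allow is a list of (host or '*', port or '*')."""
    return any((h == "*" or h == host) and (p == "*" or p == port) for h, p in allow)


# Constructed sample requests, not captured traffic.
SAMPLE_SOCKS5_DOMAIN = b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + struct.pack("!H", 443)
SAMPLE_SOCKS4A = b"\x04\x01" + struct.pack("!H", 22) + b"\x00\x00\x00\x01" + b"user\x00" + b"intranet\x00"
SAMPLE_SOCKS5_BIND = b"\x05\x02\x00\x01" + bytes([10, 0, 0, 5]) + struct.pack("!H", 8080)  # BIND, not CONNECT

if __name__ == "__main__":
    for req in (SAMPLE_SOCKS5_DOMAIN, SAMPLE_SOCKS4A):
        ver, host, port = parse_socks_request(req)
        print(ver, host, port, destination_permitted(host, port, [("example.com", 443)]))
```

The parser is deliberately strict about anything other than CONNECT: BIND and UDP ASSOCIATE are rejected before any name resolution or connect happens, which is what keeps a partial SOCKS implementation from becoming a general-purpose relay.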

The patched OpenSSH client is compatible with RFC 4254 and therefore with unpatched SSH servers (explicitly tested with the OpenSSH 6.8 and Dropbear 2015.67 servers). It employs only the forwarding requests that the OpenSSH client already uses for static remote forwarding: it sends tcpip-forward and cancel-tcpip-forward global requests and accepts forwarded-tcpip channel opens. The only difference is what the client does with an accepted channel: for a static forward it connects to the configured host:hostport, for a dynamic forward it speaks SOCKS on the channel instead.
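The following is an added example, not code from this project or from OpenSSH, showing the RFC 4254 messages the paragraph refers to and the one client-side decision that distinguishes the two remote modes. It encodes a tcpip-forward / cancel-tcpip-forward global request and a forwarded-tcpip channel open using the RFC 4251 wire types, decodes the channel open, and dispatches it by looking up the listener address and port in the client's table of -R and -d forwards. The `dispatch` function, the table shapes and the sample values are constructed for this example, and exact matching on (address, port) is a simplification of OpenSSH's handling of wildcard bind addresses.

```python
import struct

# Message numbers from RFC 4254 (SSH connection protocol).
SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_REQUEST_SUCCESS = 81
SSH_MSG_CHANNEL_OPEN = 90


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack("!I", len(b)) + b


class Reader:
    """Minimal cursor over an SSH wire-format buffer (RFC 4251 byte/uint32/string)."""

    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def byte(self) -> int:
        v = self.data[self.off]
        self.off += 1
        return v

    def uint32(self) -> int:
        (v,) = struct.unpack_from("!I", self.data, self.off)
        self.off += 4
        return v

    def string(self) -> bytes:
        n = self.uint32()
        v = self.data[self.off:self.off + n]
        if len(v) != n:
            raise ValueError("truncated string")
        self.off += n
        return v


def build_tcpip_forward(bind_address: str, port: int, cancel: bool = False) -> bytes:
    """Global request the client sends to make the server listen (or stop listening).

    Identical for -R and -d: the server never learns which kind of forward it serves.
    """
    name = b"cancel-tcpip-forward" if cancel else b"tcpip-forward"
    return (bytes([SSH_MSG_GLOBAL_REQUEST]) + ssh_string(name) + b"\x01"  # want_reply = TRUE
            + ssh_string(bind_address.encode()) + struct.pack("!I", port))


def build_forwarded_tcpip(sender_channel: int, listen_addr: str, listen_port: int,
                          orig_addr: str, orig_port: int) -> bytes:
    """Channel open the server sends for each connection accepted on the listener."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"forwarded-tcpip")
            + struct.pack("!III", sender_channel, 2 * 1024 * 1024, 32768)  # channel, window, max packet
            + ssh_string(listen_addr.encode()) + struct.pack("!I", listen_port)
            + ssh_string(orig_addr.encode()) + struct.pack("!I", orig_port))


def parse_forwarded_tcpip(msg: bytes) -> dict:
    r = Reader(msg)
    if r.byte() != SSH_MSG_CHANNEL_OPEN or r.string() != b"forwarded-tcpip":
        raise ValueError("not a forwarded-tcpip channel open")
    return {
        "sender_channel": r.uint32(),
        "window": r.uint32(),
        "max_packet": r.uint32(),
        "listen_addr": r.string().decode(),
        "listen_port": r.uint32(),
        "orig_addr": r.string().decode(),
        "orig_port": r.uint32(),
    }


def dispatch(chan: dict, static_forwards: dict, dynamic_forwards: set) -> tuple:
    """Decide what the client does with an incoming forwarded-tcpip channel.

    static_forwards maps (bind_address, port) -> (host, hostport) taken from -R options;
    dynamic_forwards is the set of (bind_address, port) taken from -d options.
    """
    key = (chan["listen_addr"], chan["listen_port"])
    if key in static_forwards:
        return ("connect",) + tuple(static_forwards[key])
    if key in dynamic_forwards:
        return ("socks", None, None)  # read a SOCKS request from the channel first
    # A listener the client never requested: the open should be refused, not serviced.
    return ("reject", None, None)


if __name__ == "__main__":
    forwards = {("localhost", 5432): ("db.internal", 5432)}   # constructed -R entry
    dynamic = {("localhost", 1080)}                            # constructed -d entry
    incoming = parse_forwarded_tcpip(build_forwarded_tcpip(3, "localhost", 1080, "127.0.0.1", 40000))
    print(dispatch(incoming, forwards, dynamic))
```

Rejecting channel opens for unknown listeners is the same defensive check an unpatched client already needs, since the server is the party asserting which listener the connection arrived on.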

Patched OpenSSH sources
Diff

Use cases

The first set comprises use cases of remote dynamic forwarding that are analogous to the use cases of remote static forwarding, except that the power and flexibility of remote dynamic forwarding are substantially higher: one -d listener stands in for any number of -R listeners, each of which would have to be fixed to a single host:hostport in advance.

The second set comprises use cases of remote dynamic forwarding that are analogous to the use cases of local dynamic forwarding. The advantage of remote dynamic forwarding is its more resilient and tolerant deployment: the SOCKS listener lives on the server side, so it does not depend on the client host exposing a port.

Author: steinhauser@d3s.mff.cuni.cz