#129473 wish: option to make port forwarding failures non-critical

#129473#5
Date: 2002-01-16 08:29:27 UTC
If you set up an alias or .ssh/config to turn on forwarding by default
for a host, there doesn't seem to be a way to open a second connection
to the same host with the same command line.

I have been unable to find a way to say, with command line, "whatever
port forwarding was requested should be turned off after all".

The manual is not very clear on this, and the error message that you
get when a port is already in use is not helpful for troubleshooting
at all (typically I see just "bind: address already in use" and not
even an identification of the program which produced this error
message), especially in the event that forwarding is more or less
transparently involved (as is the case with an .ssh/config default,
oftentimes).

I'd like to propose the following changes:

    (i) make the error message less opaque. As a minimal suggestion,
        it should identify argv[0], and the address which it could not
        bind to (host and port number);

   (ii) document in the manual that enabling port forwarding for a
        host in your defaults will typically mean that you can only
        have one connection to that host;

  (iii) implement an option to specify that port forwarding errors
        should not be regarded as fatal; i.e. you'd still get the
        warning, but a session (without the failed forwardings in
        place, obviously) could nevertheless be started;

   (iv) implement a command-line option to disable port forwarding for
        a session, even though it was specified on the command line or
        in the config file. (Or, if it's somehow doable after all with
        the current ssh, document this better);

    (v) given that one ssh session is enough to forward all requests
        to a particular port, it would be nice if ssh could simply
        find out that port forwarding by way of ssh is already in
        place, and not attempt to grab the ports to be forwarded again

I have tried to prioritize these so that (i) should be the most urgent
and (v) the most wishlist-like.

I would imagine that it makes sense to route this request upstream,
unless I'm somehow confused. (It's happened before, and I'm running
Debian stable, so I don't see what's in the newest versions of this
package.)

To repeat:

    Minimally, do this:

        prompt$ ssh -f -R 2401:localhost:2401 remotesystem sleep 300

    (and then again within less than 300 seconds)

        prompt$ ssh -f -R 2401:localhost:2401 remotesystem sleep 300

        Received disconnect: bind: Address already in use

    Or, use a configuration like the following:

        .ssh/config:

        host remotesystem
            remoteforward 2401 localhost:2401

    and then attempt to open two ssh sessions to the target system,
    like

        prompt$ ssh -f remotesystem sleep 300
        prompt$ ssh -f remotesystem sleep 300

    The local host which you are connecting from doesn't need to be
    running anything on port 2401, I suppose (but if it means anything
    to you, this is the CVS server in my case. Change to a different
    port number if you like to try it with some other service).

Expected behavior:

    Get two sessions to the target system.

Actual behavior:

    Second and subsequent attempts to connect produce an error like

        bind: Address already in use

    and abort.

Sorry if this is already fixed in newer versions than what I have
available on Debian stable.

Thank you for your time,

/* era */

#129473#10
Date: 2002-11-04 00:17:54 UTC
I'm not sure which version of OpenSSH it got changed in, however I
believe *all* port forwarding failures are now non-critical (at least it
appears to be so in a brief test of using local-forward in both the
config and command line). Also with all flavors of SSH using "-o" on the
command line to set "ClearAllForwardings" to yes works around the
problem.

You'll still get the opaque error message, but it isn't fatal.

It is also not possible to cause OpenSSH to revert and treat forwarding
failures as fatal (this /might/ kill scripts, and also might cause a
problem if somebody grabs the port first and they expect a secure
connection).
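
An added example, not part of the bug report or of OpenSSH: a small audit of an ssh_config file that lists the Host blocks which request forwarding by default (the setup that makes a second connection hit "Address already in use") and shows whether each block sets ExitOnForwardFailure, an ssh_config option that OpenSSH releases later than these messages provide for making a failed forwarding fatal. Assumptions: the config text, the host names "build" and "plain" and the function names are constructed for illustration, and the check is per block only (no Include handling, no merging with a later "Host *" block).

```sh
#!/bin/sh
# forwarding_hosts FILE
# Prints one line per Host/Match block that requests at least one forwarding.
forwarding_hosts() {
    awk '
    BEGIN { host = "(global)"; n = 0; eff = "no" }
    function flush() {
        if (n > 0)
            printf "%s forwards=%d exit_on_failure=%s\n", host, n, eff
    }
    {
        line = $0; sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        # ssh_config keywords are case-insensitive; "=" may replace the space
        key = line; sub(/[ \t=].*$/, "", key)
        arg = substr(line, length(key) + 1); sub(/^[ \t]*=?[ \t]*/, "", arg)
        sub(/[ \t]+$/, "", arg); key = tolower(key)
        if (key == "host" || key == "match") { flush(); host = arg; n = 0; eff = "no" }
        else if (key ~ /^(local|remote|dynamic)forward$/) n++
        else if (key == "exitonforwardfailure") eff = tolower(arg)
    }
    END { flush() }
    ' "$1"
}

# Constructed sample config; the first block is the one from the report.
sample_config() {
cat <<'EOF'
host remotesystem
    remoteforward 2401 localhost:2401

Host build
    LocalForward=8080 localhost:80
    ExitOnForwardFailure yes

Host plain
    User era
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
forwarding_hosts "$tmp"
rm -f "$tmp"
```

For a host listed with exit_on_failure=no, a second session can be opened with `ssh -o ClearAllForwardings=yes remotesystem`, as the reply above describes.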