Re: Issues with ssh_channel_accept_forward() and reverse port forwarding
- Subject: Re: Issues with ssh_channel_accept_forward() and reverse port forwarding
- From: Jakub Jelen <jjelen@xxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Wed, 12 Apr 2023 11:36:08 +0200
- To: libssh@xxxxxxxxxx
On 4/10/23 23:29, Orion Poplawski wrote:
> It appears from reading https://api.libssh.org/stable/libssh_tutor_forwarding.html that in order to implement reverse port forwarding one must continually call ssh_channel_accept_forward() in order to accept any possible connections from the remote side. Is this correct? It presents a couple challenges:
>
> * It's a very inefficient method - polling vs. event driven
> * It can generate a huge amount of log messages as ssh_channel_accept() logs an error every time it is called and there is nothing to accept:
>
> [2023/04/10 12:17:34.044502, 1] ssh_channel_accept: No channel request of this type from server
>
> See also https://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=1421
>
> So:
>
> * If polling is indeed the only mechanism available here, libssh should not be emitting an error in this case. Possibly a DEBUG or TRACE level message instead, but honestly enabling it for anything like x2goclient that does continual polling will just swamp the logs.
> * Is there a possibility of implementing a callback method to accept remote connections?

From what I read, this is about the client side logs. I think downgrading the message to DEBUG or TRACE would be the least we can do and it sounds like a reasonable solution. Do you want to open a merge request?
Regarding the polling, the tutorial is quite dated so it does not provide any information about the connectors and callbacks. Right now, there are x11 and auth_agent callbacks available in the channels. Adding a similar handler into the ssh_execute_client_request() for handling SSH_CHANNEL_FORWARDED_TCPIP should not be hard. I think the reason it is not there yet is that nobody asked for that before or nobody implemented this.
Skimming through the issue tracker, there is a request for this actually, even with a patch, but it will require some work and test coverage to get merged:
https://gitlab.com/libssh/libssh-mirror/-/issues/43

Help is always welcomed.

Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
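
An added example, not part of the messages above and not libssh project code: until the message is downgraded in the library, a client that polls can filter it in its own log callback so that other level-1 messages stay visible. The callback below has the parameter list of libssh's `ssh_logging_callback`; the struct, function names and sample lines are constructed for illustration, and registration is shown only in a comment so the block compiles without libssh installed.

```c
#include <stdio.h>
#include <string.h>

/* Message text copied from the log line quoted in the thread. */
#define POLL_NOISE "No channel request of this type from server"

/* Hypothetical counters so the application can still report how often
 * the polling message fired without writing each occurrence. */
struct log_filter_stats {
    unsigned long suppressed;
    unsigned long passed;
};

/* Same parameters as libssh's ssh_logging_callback. With libssh linked:
 *     ssh_set_log_userdata(&stats);
 *     ssh_set_log_callback(filter_log_cb);
 */
void filter_log_cb(int priority, const char *function,
                   const char *buffer, void *userdata)
{
    struct log_filter_stats *st = (struct log_filter_stats *)userdata;

    /* Drop only the exact polling message from ssh_channel_accept;
     * every other message, including other errors, is passed through. */
    if (function != NULL && buffer != NULL &&
        strcmp(function, "ssh_channel_accept") == 0 &&
        strstr(buffer, POLL_NOISE) != NULL) {
        if (st != NULL)
            st->suppressed++;
        return;
    }
    if (st != NULL)
        st->passed++;
    fprintf(stderr, "[libssh %d] %s\n", priority, buffer ? buffer : "");
}

int main(void)
{
    struct log_filter_stats st = {0, 0};

    /* Constructed sample calls standing in for libssh log events. */
    filter_log_cb(1, "ssh_channel_accept",
                  "ssh_channel_accept: " POLL_NOISE, &st);
    filter_log_cb(1, "ssh_connect", "constructed sample error", &st);
    printf("suppressed=%lu passed=%lu\n", st.suppressed, st.passed);
    return 0;
}
```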