
Re: Issues with ssh_channel_accept_forward() and reverse port forwarding


On 4/10/23 23:29, Orion Poplawski wrote:
> It appears from reading
> https://api.libssh.org/stable/libssh_tutor_forwarding.html that in order to
> implement reverse port forwarding one must continually call
> ssh_channel_accept_forward() in order to accept any possible connections from
> the remote side.  Is this correct?
>
> It presents a couple challenges:
>
> * It's a very inefficient method - polling vs. event driven
>
> * It can generate a huge amount of log messages as ssh_channel_accept() logs
> an error every time it is called and there is nothing to accept:
>
> [2023/04/10 12:17:34.044502, 1] ssh_channel_accept:  No channel request of
> this type from server
>
> See also https://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=1421
>
> So:
>
> * If polling is indeed the only mechanism available here, libssh should not be
> emitting an error in this case.  Possibly a DEBUG or TRACE level message
> instead, but honestly enabling it for anything like x2goclient that does
> continual polling will just swamp the logs.
>
> * Is there a possibility of implementing a callback method to accept remote
> connections?

From what I read, this is about the client side logs. I think downgrading the message to DEBUG or TRACE would be the least we can do and it sounds like a reasonable solution. Do you want to open a merge request?

Regarding the polling, the tutorial is quite dated so it does not provide any information about the connectors and callbacks. Right now, there are x11 and auth_agent callbacks available in the channels. Adding a similar handler into the ssh_execute_client_request() for handling SSH_CHANNEL_FORWARDED_TCPIP should not be hard. I think the reason it is not there yet is that nobody asked for that before or nobody implemented this.

Skimming through the issue tracker, there is a request for this actually, even with a patch, but it will require some work and test coverage to get merged:

https://gitlab.com/libssh/libssh-mirror/-/issues/43

Help is always welcomed.

Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.

