[GH-ISSUE #169] SSH Local Forward #42

New issue

Closed

opened 2026-05-07 00:18:00 +02:00 by BreizhHardware · 2 comments

BreizhHardware commented

2026-05-07 00:18:00 +02:00

Owner

Originally created by @hparfr on GitHub (Apr 2, 2021).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/169

Hello,

My goal is to access an http server listening only to localhost through the bastion.
kind of ssh -L 9090:localhost:9090 someuser@server42

I tried to :
ssh -L 9090:localhost:9090 -t admin@bastion -- someuser@server42
But without success.

I've found in (bastion) /etc/ssh/sshd_config there is
AllowTcpForwarding no

Setting to yes didn't help.

Is it a good idea to change the bastion' sshd_config ? Is there a better way ?

PS: the http server is https://cockpit-project.org

Originally created by @hparfr on GitHub (Apr 2, 2021). Original GitHub issue: https://github.com/ovh/the-bastion/issues/169 Hello, My goal is to access an http server listening only to localhost through the bastion. kind of `ssh -L 9090:localhost:9090 someuser@server42` I tried to : `ssh -L 9090:localhost:9090 -t admin@bastion -- someuser@server42` But without success. I've found in (bastion) /etc/ssh/sshd_config there is `AllowTcpForwarding no` Setting to `yes` didn't help. Is it a good idea to change the bastion' sshd_config ? Is there a better way ? PS: the http server is https://cockpit-project.org

BreizhHardware closed this issue

2026-05-07 00:18:00 +02:00

BreizhHardware commented

2026-05-07 00:18:02 +02:00

Author

Owner

@speed47 commented on GitHub (Apr 8, 2021):

Hello,

Local, Remote and TCP forwarding are all disabled intentionally, because those features could be used to bypass security mechanisms in place, such as accessing (network-wise) to assets that should only be accessible through the bastion's logic, and bypassing full traceability, as in that case the bastion wouldn't know what's going on inside the local/remote/tcp forwards.

Now, the settings change you tried didn't work because the bastion is doing a protocol break, and when you're connecting to a remote server through it, there are actually 2 distinct SSH connections taking place, one between you and the bastion, and another one (started by the bastion on your behalf) between the bastion and the remote server, then those 2 connections are transparently "plugged" together. The -L you're trying to use would only apply to the first connection, so it would expose the port 9090 of the bastion itself, not the port of the remote server. For this to work, a double port forward should take place: the bastion should also do a -L to connect to the remote server. But as the bastion is a shared asset between a lot of accounts and teams, such ports forwards happening on the bastion could collide and users might be able to access port forwards opened by others, so that would be a security issue. This issue doesn't exist with a direct connection because there's no shared asset in the middle.

@speed47 commented on GitHub (Apr 8, 2021): Hello, Local, Remote and TCP forwarding are all disabled intentionally, because those features could be used to bypass security mechanisms in place, such as accessing (network-wise) to assets that should only be accessible through the bastion's logic, and bypassing full traceability, as in that case the bastion wouldn't know what's going on inside the local/remote/tcp forwards. Now, the settings change you tried didn't work because the bastion is doing a protocol break, and when you're connecting to a remote server through it, there are actually 2 distinct SSH connections taking place, one between you and the bastion, and another one (started by the bastion on your behalf) between the bastion and the remote server, then those 2 connections are transparently "plugged" together. The `-L` you're trying to use would only apply to the first connection, so it would expose the port 9090 of the bastion itself, not the port of the remote server. For this to work, a double port forward should take place: the bastion should also do a `-L` to connect to the remote server. But as the bastion is a shared asset between a lot of accounts and teams, such ports forwards happening on the bastion could collide and users might be able to access port forwards opened by others, so that would be a security issue. This issue doesn't exist with a direct connection because there's no shared asset in the middle.

BreizhHardware commented

2026-05-07 00:18:02 +02:00

Author

Owner

@hparfr commented on GitHub (Apr 8, 2021):

Thanks for this great explanation why port forwarding can't work.

About the need of accessing an http server from a non-exposed to internet machine, I will have to find something else.

@hparfr commented on GitHub (Apr 8, 2021): Thanks for this great explanation why port forwarding can't work. About the need of accessing an http server from a non-exposed to internet machine, I will have to find something else.

BreizhHardware referenced this issue

2026-05-07 00:19:43 +02:00

[PR #42] [MERGED] fix: add missing echo #189