Mailing List Archive

OpenSSH on Windows, ssh cannot |bind()| localport to port < 1023
Hi!

----

I'm doing some testing with the ssh client OpenSSH on Windows 10
(10.0-19045) but due to firewall restrictions I need to run my
experiments from a local port < 1024 (not negotiable).

I thought that this was no problem... but ssh |bind()| fails with
"address in use" (yes, I checked netstat, no one is there) for any
port < 1023.
Then I checked $ netstat # and $ netsh int ipv4 show excludedportrange
protocol=tcp # and the same for IPv6, no one is using ports.

This *feels* like the "restricted port range" (1-1023) on UNIX/Linux,
where only "root" can do a |bind()| with a local port < 1023, but this
is Windows, and even as "Administrator" this still fails.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/default-dynamic-port-range-tcpip-chang
talks about a "... well-known ports that are used by services and
applications...", but I do not know where to set that (for a Cygwin
process).

Does anyone know what is going on ? Is there a way around this ?

----

Bye,
Roland
--
__ . . __
(o.\ \/ /.o) roland.mainz@nrubsig.org
\__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer
/O /==\ O\ TEL +49 641 3992797
(;O/ \/ \O;)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: OpenSSH on Windows, ssh cannot |bind()| localport to port < 1023
On Sat, 11 Nov 2023 at 14:26, Roland Mainz <roland.mainz@nrubsig.org> wrote:
>
> Hi!
>
> ----
>
> I'm doing some testing with the ssh client OpenSSH on Windows 10
> (10.0-19045) but due to firewall restrictions I need to run my
> experiments from a local port < 1024 (not negotiable).
>
> I thought that this was no problem... but ssh |bind()| fails with
> "address in use" (yes, I checked netstat, no one is there) for any
> port < 1023.
> Then I checked $ netstat # and $ netsh int ipv4 show excludedportrange
> protocol=tcp # and the same for IPv6, no one is using ports.
>
> This *feels* like the "restricted port range" (1-1023) on UNIX/Linux,
> where only "root" can do a |bind()| with a local port < 1023, but this
> is Windows, and even as "Administrator" this still fails.
> https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/default-dynamic-port-range-tcpip-chang
> talks about a "... well-known ports that are used by services and
> applications...", but I do not know where to set that (for a Cygwin
> process).
>
> Does anyone know what is going on ? Is there a way around this ?

How can Windows sshd bind() to port 22? How do they do that, and maybe
that is a solution?

Ced
--
Cedric Blancher <cedric.blancher@gmail.com>
[https://plus.google.com/u/0/+CedricBlancher/]
Institute Pasteur
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: OpenSSH on Windows, ssh cannot |bind()| localport to port < 1023
?

On Mon, 13 Nov 2023 at 00:20, Cedric Blancher <cedric.blancher@gmail.com> wrote:
>
> On Sat, 11 Nov 2023 at 14:26, Roland Mainz <roland.mainz@nrubsig.org> wrote:
> >
> > Hi!
> >
> > ----
> >
> > I'm doing some testing with the ssh client OpenSSH on Windows 10
> > (10.0-19045) but due to firewall restrictions I need to run my
> > experiments from a local port < 1024 (not negotiable).
> >
> > I thought that this was no problem... but ssh |bind()| fails with
> > "address in use" (yes, I checked netstat, no one is there) for any
> > port < 1023.
> > Then I checked $ netstat # and $ netsh int ipv4 show excludedportrange
> > protocol=tcp # and the same for IPv6, no one is using ports.
> >
> > This *feels* like the "restricted port range" (1-1023) on UNIX/Linux,
> > where only "root" can do a |bind()| with a local port < 1023, but this
> > is Windows, and even as "Administrator" this still fails.
> > https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/default-dynamic-port-range-tcpip-chang
> > talks about a "... well-known ports that are used by services and
> > applications...", but I do not know where to set that (for a Cygwin
> > process).
> >
> > Does anyone know what is going on ? Is there a way around this ?
>
> How can Windows sshd bind() to port 22? How do they do that, and maybe
> that is a solution?
>
> Ced
> --
> Cedric Blancher <cedric.blancher@gmail.com>
> [https://plus.google.com/u/0/+CedricBlancher/]
> Institute Pasteur



--
Cedric Blancher <cedric.blancher@gmail.com>
[https://plus.google.com/u/0/+CedricBlancher/]
Institute Pasteur
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: OpenSSH on Windows, ssh cannot |bind()| localport to port < 1023
On Sun, 12 Nov 2023 at 00:31, Roland Mainz <roland.mainz@nrubsig.org> wrote:
> I'm doing some testing with the ssh client OpenSSH on Windows 10
> (10.0-19045) but due to firewall restrictions I need to run my
> experiments from a local port < 1024 (not negotiable).

Do you mean "make an SSH connection from a low-numbered port"? What
version are you using? Exactly what command(s) are you running? IPv4
or v6?

As of
https://github.com/openssh/openssh-portable/commit/73ddb25bae (version
7.8p1 and newer) ssh(1) just delegates the permission check to the
underlying operating system and doesn't enforce anything itself.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: OpenSSH on Windows, ssh cannot |bind()| localport to port < 1023
On Nov 13 00:20, Cedric Blancher wrote:
> On Sat, 11 Nov 2023 at 14:26, Roland Mainz <roland.mainz@nrubsig.org> wrote:
> >
> > Hi!
> >
> > ----
> >
> > I'm doing some testing with the ssh client OpenSSH on Windows 10
> > (10.0-19045) but due to firewall restrictions I need to run my
> > experiments from a local port < 1024 (not negotiable).
> >
> > I thought that this was no problem... but ssh |bind()| fails with
> > "address in use" (yes, I checked netstat, no one is there) for any
> > port < 1023.

How do you do that? ssh -D?

> > Then I checked $ netstat # and $ netsh int ipv4 show excludedportrange
> > protocol=tcp # and the same for IPv6, no one is using ports.
> >
> > This *feels* like the "restricted port range" (1-1023) on UNIX/Linux,
> > where only "root" can do a |bind()| with a local port < 1023, but this
> > is Windows, and even as "Administrator" this still fails.
> > https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/default-dynamic-port-range-tcpip-chang
> > talks about a "... well-known ports that are used by services and
> > applications...", but I do not know where to set that (for a Cygwin
> > process).

This is about dynamic port binding, not about using a port below
1025 statically. The ports below 1025 are not available for
dynamic port binding, not even as a setting. But that's not what
you're trying to do anyway.

> > Does anyone know what is going on ? Is there a way around this ?
>
> How can Windows sshd bind() to port 22? How do they do that, and maybe
> that is a solution?

It just works.

There is no admin-only restriction on Windows for ports < 1024 either.

If the sshd_config file and the ssh hostkeys under /etc belong to your
own non-admin account, you can simply run sshd on port 22 just for
yourself on the commandline (/usr/sbin/sshd -D) and login to your own
account from another commandline.

From what you tell, you have a local problem on your machine. It has
nothing to do with the implementation of OpenSSH, nor with port range
permissions on Windows. I'd blame the firewall.


Corinna

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
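Both Darren's point (ssh(1) since 7.8p1 does no privileged-port check of its own and just hands bind() to the OS) and Corinna's (Windows has no admin-only restriction below 1024, so "address in use" points at something local, not at OpenSSH) can be checked without ssh at all. The script below is an added example, not code from the thread or from OpenSSH; it only assumes the Python standard library and that loopback is available. It does a plain TCP bind() on a few low ports and classifies the errno: EACCES/EPERM (or WSAEACCES) is the Unix-style "privileged port" refusal that a non-root user gets on Linux, while EADDRINUSE (WSAEADDRINUSE) is the error Roland reports and means the OS did not refuse on permission grounds. It also binds a second socket to a port it is already holding, so you can see what a genuine "in use" looks like on the same machine. The Winsock numbers and the sample port list are assumptions chosen for illustration.

```python
"""Probe bind() on low local TCP ports directly, without ssh.

Added example (not from the mailing list thread or the OpenSSH code base).
Run it once as a normal user and once as Administrator/root and compare:
  - "permission_denied" on Linux/Unix as non-root is the kernel's < 1024 rule;
  - "ok" is what Corinna's reply predicts for Windows, admin or not;
  - "in_use" with nothing in netstat is the symptom from the original post
    and means the OS did not reject the bind on permission grounds.
"""
import errno
import socket

# Winsock error numbers (assumption: the documented WSAEACCES / WSAEADDRINUSE
# values), so the classification also works when Python reports the raw
# Winsock code on Windows instead of a POSIX errno.
WSAEACCES = 10013
WSAEADDRINUSE = 10048


def classify_bind_error(code):
    """Map an errno / winerror from a failed bind() to the cases the thread discusses."""
    if code in (errno.EACCES, errno.EPERM, WSAEACCES):
        # Unix privileged-port refusal: only root / CAP_NET_BIND_SERVICE may bind < 1024.
        return "permission_denied"
    if code in (errno.EADDRINUSE, WSAEADDRINUSE):
        # Port already bound, reserved or excluded: not a permission decision.
        return "in_use"
    return "other"


def try_bind(port, host="127.0.0.1", family=socket.AF_INET):
    """Attempt a plain TCP bind() on (host, port); return (status, detail) and release the socket."""
    s = socket.socket(family, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return ("ok", s.getsockname()[1])  # detail = port actually bound (useful for port 0)
    except OSError as e:
        # On Windows the Winsock code may be in .winerror, the mapped POSIX value in .errno;
        # check both so the classification does not depend on which one Python filled in.
        status = "other"
        for code in {e.errno, getattr(e, "winerror", None)} - {None}:
            status = classify_bind_error(code)
            if status != "other":
                break
        return (status, e.errno)
    finally:
        s.close()


def demo_in_use(host="127.0.0.1"):
    """Hold a listening socket on an ephemeral port, then bind a second socket to the same port.

    This is the genuine EADDRINUSE case, for comparison with the low-port probe.
    """
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        holder.bind((host, 0))
        holder.listen(1)
        port = holder.getsockname()[1]
        return try_bind(port, host)[0]
    finally:
        holder.close()


def probe_low_ports(ports=(22, 513, 1022), host="127.0.0.1"):
    """Try each port in turn and return {port: status}. The default list is an arbitrary sample."""
    return {p: try_bind(p, host)[0] for p in ports}


if __name__ == "__main__":
    print("ephemeral port (0):", try_bind(0))
    print("second bind on a port we already hold:", demo_in_use())
    for port, status in probe_low_ports().items():
        print(f"port {port}: {status}")
```

If the probe returns "in_use" for every low port while netstat and the excluded-port listing are empty, the problem lies outside OpenSSH, which is the conclusion of the thread; repeat the probe with IPv6 (family=socket.AF_INET6, host="::1") since Roland checked both stacks.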