SSH tunnels go tsundere on OS X El Capitan


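Once upon a time, I set up SSH tunnels with a command like this:

ssh -N -p 32200 -c 3des user@server_ip -L local_port/destination_server_address/destination_server_listening_port -N -f -o ServerAliveInterval=60

Today, after upgrading to OS X El Capitan, that command failed with the error Bad local forwarding specification.

This is a problem. A real problem. What is with this sudden loss of functionality? Damn you, Apple.

So, in despair, I turned to man ssh. This is what it says: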

NAME

ssh -- OpenSSH SSH client (remote login program)

SYNOPSIS

ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11][-i identity_file] [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-Q cipher | cipher-auth | mac | kex | key | protocol-version] [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command]

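Sure enough, it says [-L [bind_address:]port:host:hostport]. So let's edit the command to match that form and try it. Oh, it worked.

ssh -N -p 32200 -c 3des user@server_ip -L local_port:destination_server_address:destination_server_listening_port -N -f -o ServerAliveInterval=60

The problem was solved, but I still looked into the cause. I say "looked into", but this is probably no more than a guess.

Running ssh -V shows that the ssh shipped with OS X El Capitan is OpenSSH_6.9p1, LibreSSL 2.1.7. The man page for that version says the following: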


-L [bind_address:]port:host:hostport

Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of ``localhost'' indicates that the listening port be bound for local use only, while an empty address or `*' indicates that the port should be available from all interfaces.


Earlier versions do not seem to be as strict. For example, with Debian 7 (OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007), the slash notation is shown in the documentation:


-L [bind_address:]port:host:hostport

Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax: [bind_address/]port/host/hostport or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of ``localhost'' indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be available from all interfaces.
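
The rewrite from the slash form to the colon form, as an added example that is not part of the original post: a POSIX shell helper that converts a legacy -L argument, checks the port numbers, and goes one step further than the post by wrapping bare IPv6 literals in square brackets, which the colon form requires according to both man page excerpts. The function names (to_colon_spec, is_port, bracket) and the sample host names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite the legacy slash form
# [bind_address/]port/host/hostport as [bind_address:]port:host:hostport.

# is_port N: succeeds only for a decimal port number in 1..65535.
is_port() {
    case $1 in
        ''|*[!0-9]*|??????*) return 1 ;;        # empty, non-digit, or too long
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# bracket ADDR: wrap a bare IPv6 literal in [] so its colons stay unambiguous.
bracket() {
    case $1 in
        \[*\]) printf '%s' "$1" ;;              # already bracketed
        *:*)   printf '[%s]' "$1" ;;            # bare IPv6 literal
        *)     printf '%s' "$1" ;;              # host name or IPv4 address
    esac
}

# to_colon_spec SPEC: print the colon form; exit status 1 if SPEC is malformed.
# The body runs in a subshell so the IFS and noglob changes do not leak out.
to_colon_spec() (
    spec=$1
    case $spec in
        */)  exit 1 ;;                          # trailing slash: empty hostport
        */*) ;;                                 # legacy slash form, convert below
        *)   printf '%s\n' "$spec"; exit 0 ;;   # no slash: pass through unchanged
    esac
    set -f; IFS=/
    set -- $spec                                # split the spec on "/"
    case $# in
        3) bind='' port=$1 host=$2 hostport=$3 ;;
        4) bind="$(bracket "$1"):" port=$2 host=$3 hostport=$4 ;;
        *) exit 1 ;;
    esac
    [ -n "$host" ] && is_port "$port" && is_port "$hostport" || exit 1
    printf '%s%s:%s:%s\n' "$bind" "$port" "$(bracket "$host")" "$hostport"
)

# Constructed sample specs; the last one is deliberately malformed.
for s in 8080/db.internal/5432 127.0.0.1/8080/db.internal/5432 8080/::1/80 8080/db.internal; do
    to_colon_spec "$s" || printf 'rejected: %s\n' "$s"
done
```
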