With Red Hat Linux 7+errata for both client and server, remote port forwarding only works if the server has 'Protocol 1' in /etc/ssh/sshd_config. It doesn't seem to work with protocol 2. Is this just omitted from the documentation, or is it supposed to work (hope so!)?
This hasn't been implemented yet. There has been a patch on openssh-unix-dev list sometime ago though.
FWIW, this has been implemented (based on the abovementioned patch) in the latest OpenSSH snapshots.
This is fixed in the released openssh-2.5.1p1
2.5.1p1 is (will be) in rawhide.
This is broken again in openssh-2.9p2-3 from rawhide.
Fixed in OpenSSH CVS by this, (I think): revision 1.87 date: 2001/05/10 23:24:49; author: mouring; state: Exp; lines: +4 -3 - markus.org 2001/05/09 22:51:57 [channels.c] fix -R for protocol 2, noticed by greg. bug was introduced with experimental dynamic forwarding. Index: channels.c =================================================================== RCS file: /cvs/openssh_cvs/channels.c,v retrieving revision 1.86 retrieving revision 1.87 diff -u -r1.86 -r1.87 --- channels.c 2001/05/08 20:07:40 1.86 +++ channels.c 2001/05/10 23:24:49 1.87 @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.114 2001/05/08 19:17:30 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.115 2001/05/09 22:51:57 markus Exp $"); #include <openssl/rsa.h> #include <openssl/dsa.h> @@ -771,8 +771,9 @@ rtype = (c->type == SSH_CHANNEL_RPORT_LISTENER) ? "forwarded-tcpip" : "direct-tcpip"; - nextstate = (c->host_port == 0) ? SSH_CHANNEL_DYNAMIC : - SSH_CHANNEL_OPENING; + nextstate = (c->host_port == 0 && + c->type != SSH_CHANNEL_RPORT_LISTENER) ? + SSH_CHANNEL_DYNAMIC : SSH_CHANNEL_OPENING; addrlen = sizeof(addr); newsock = accept(c->sock, &addr, &addrlen);