[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Damien Miller changed: What|Removed |Added Status|RESOLVED|CLOSED --- Comment #29 from Damien Miller --- closing resolved bugs as of 8.6p1 release -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Taylor R changed: What|Removed |Added CC||tayt...@gmail.com --- Comment #28 from Taylor R --- Now if only -R0 would pull from these ports specified in PermitListen. PermitListen is halfway to what I'm looking to do. Attempting to brush up on my C enough to craft a solution in the source files. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 --- Comment #27 from Damien Miller --- ... and I just added support for bare port numbers in permitlisten/PermitListen: commit 80e199d6175904152aafc5c297096c3e18297691 (HEAD -> master) Author: d...@openbsd.org Date: Tue Jun 19 03:02:17 2018 + upstream: test PermitListen with bare port numbers OpenBSD-Regress-ID: 4b50a02dfb0ccaca08247f3877c444126ba901b3 commit 87ddd676da0f3abd08b778b12b53b91b670dc93c Author: d...@openbsd.org Date: Tue Jun 19 02:59:41 2018 + upstream: allow bare port numbers to appear in PermitListen directives, e.g. PermitListen 8080 is equivalent to: PermitListen *: *:8080 Some bonus manpage improvements, mostly from markus@ "looks fine" markus@ OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24 -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 --- Comment #26 from Martin Häcker --- -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Damien Miller changed: What|Removed |Added Status|ASSIGNED|RESOLVED Blocks||2852 Resolution|--- |FIXED --- Comment #25 from Damien Miller --- I've committed a variant of the patch that names the directive PermitListen and added a permitlisten directive for authorized_keys. This will be in the OpenSSH 7.8 release, due within the next few months. Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=2852 [Bug 2852] Tracking bug for OpenSSH 7.8 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Damien Millerchanged: What|Removed |Added CC||biagion...@gmail.com --- Comment #24 from Damien Miller --- *** Bug 2751 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 --- Comment #23 from Atony Antony--- I just found out that my patch incomplete. it need more work. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 --- Comment #22 from Atony Antony--- Created attachment 3153 --> https://bugzilla.mindrot.org/attachment.cgi?id=3153=edit parse authorized_keys option permitremoteopen="port" this is great. my first attempt to add parsing authrorized_keys permitremote="port"option. It is also updated at https://github.com/antonyantony/openssh thanks. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Damien Millerchanged: What|Removed |Added Attachment #2436|0 |1 is obsolete|| Attachment #2517|0 |1 is obsolete|| Attachment #3054|0 |1 is obsolete|| Status|NEW |ASSIGNED Assignee|unassigned-b...@mindrot.org |d...@mindrot.org --- Comment #21 from Damien Miller --- Created attachment 3152 --> https://bugzilla.mindrot.org/attachment.cgi?id=3152=edit PermitRemoteOpen directive This is an implementation of PermitRemoteOpen, including regress tests and a small refactoring of the permitopen permissions to enable more sharing of code. TODO: authorized_keys permitremoteopen, PermitRemoteOpen="123" (i.e. bare port number), manual pages. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 ms.huan.z...@gmail.com changed: What|Removed |Added CC||ms.huan.z...@gmail.com --- Comment #20 from ms.huan.z...@gmail.com --- Sadly to see almost 6 years past without final decision. But I'm still looking forwarding to having the feature to close the security loophole in my case. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 william.mar...@power-lan.com changed: What|Removed |Added CC||william.mar...@power-lan.co ||m --- Comment #19 from william.mar...@power-lan.com --- I have the same request too. Can you merge the patch ? -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 --- Comment #18 from b...@dhampir.no --- I have this exact same use case in the duped bug. Please integrate? -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 b...@dhampir.no changed: What|Removed |Added CC||b...@dhampir.no --- Comment #17 from b...@dhampir.no --- *** Bug 2842 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 --- Comment #16 from Martin Häcker--- Maybe they need all he energy they have to move to a better integrated issue tracker and code hosting service that also tracks pull requests as a first class object? -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 --- Comment #15 from er...@rohlicek.at --- Not sure why the maintainers let a security-enhancing small patch rot here for several years. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 --- Comment #14 from bygon_wiggle--- Are there plans to merge the patch (https://github.com/antonyantony/openssh/) back into openssh? I did not find a open or closed pull request with this patch in https://github.com/openssh/openssh-portable -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 --- Comment #13 from Atony Antony--- Created attachment 3054 --> https://bugzilla.mindrot.org/attachment.cgi?id=3054=edit 7.5p1 permitremoteopen patch up request to update the here is one for 7.5p1 If you need a patch for CentOS 7.3+ drop me a line. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 --- Comment #12 from er...@rohlicek.at --- Greetings, I can also only re-affirm the usefulness of such a restriction possibility. Primary concern here is restriction on which listen ports the client can bind to. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 rgmchanged: What|Removed |Added CC||ssh@spamgourmet.com --- Comment #11 from rgm --- I'd love this functionality, please consider for inclusion in OpenSSH 7.6. Is there something different or additional you'd like to see in the patch before you'll include it? -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 --- Comment #10 from er...@rohlicek.at --- This would also be highly beneficial for the local setup here. PermitOpen supports local portforward restrictions, but remote PFs cannot be restricted in vanialla OpenSSH at the moment. Please incorporate patch for restricting *remote* port forwards as well. Currently have to do this the clunky way using SELinux or similar to restrict which users may listen on which ports. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 er...@rohlicek.at changed: What|Removed |Added CC||er...@rohlicek.at -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 --- Comment #9 from Jean-Noel COUERON--- Please add this feature that's exactly what i need. sincerely Jean-Noel -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Jean-Noel COUERONchanged: What|Removed |Added CC||jn.coue...@power-lan.com -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Sascha Silbechanged: What|Removed |Added CC||sascha-openssh-bugs@silbe.o ||rg -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Peter Trippchanged: What|Removed |Added CC||pe...@chartio.com -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Peter �strandchanged: What|Removed |Added CC||astr...@lysator.liu.se -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Robert rhb...@rbu.sh changed: What|Removed |Added CC||rhb...@rbu.sh -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Martin Häcker spamfaen...@gmx.de changed: What|Removed |Added CC||spamfaen...@gmx.de -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 --- Comment #8 from Martin Häcker spamfaen...@gmx.de --- I would like to add that we identified a possible security risk by not being able to restrict the remote port forwarding. Our use case is that we want to give one customer the ability to safely (via ssh tunnel) access a service that is only accessible locally on a machine, but noticed that if we allow him to locally (-L) forward a port, he can also use ssh to bind to any other port via -R. The problem with this is that ssh by default is perfectly happy to bind to ipv6 addresses, even for ports where the ipv4 address is already bound (8080 for some web server for example). Now other more modern tools (e.g. apache) could try to connect to the newly opened ipv6 port instead of the original service, if they are configured to use symbolic names like 'localhost' I don't think this is a big risk, but certainly very unexpected for us. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Marcus Popp m...@mpopp.eu changed: What|Removed |Added CC||m...@mpopp.eu --- Comment #7 from Marcus Popp m...@mpopp.eu --- *** Bug 2347 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 --- Comment #5 from Atony Antony ant...@phenome.org --- Created attachment 2517 -- https://bugzilla.mindrot.org/attachment.cgi?id=2517action=edit tested on 6.7p1 and applies on cvs current too. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 ja...@coppermoth.com changed: What|Removed |Added CC||ja...@coppermoth.com --- Comment #4 from ja...@coppermoth.com --- This patch seems exactly what I need (I had just posted a message to -devs and had started to investigate writing my own patch). I will apply and verify that it works for me (I would want to specify the restricted port on a per-user basis) -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Atony Antony ant...@phenome.org changed: What|Removed |Added CC||ant...@phenome.org --- Comment #3 from Atony Antony ant...@phenome.org --- Created attachment 2436 -- https://bugzilla.mindrot.org/attachment.cgi?id=2436action=edit [PATCH] 6.6p1-permitremoteopen I have been wokring on a similar idea. See the attached patch. It works on Linux (6.6p1). It also seems to apply on OpenBSD version 6.4,6.5. https://github.com/antonyantony/openssh/ -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Lluís Gili tictac...@gmail.com changed: What|Removed |Added CC||tictac...@gmail.com -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2038] permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Damien Miller d...@mindrot.org changed: What|Removed |Added CC||d...@mindrot.org --- Comment #1 from Damien Miller d...@mindrot.org --- Some options: 1. Separate option PermitROpen 2000 2001 2002 3000-3999 2. Reuse PermitOpen, but treat numbers without ':' as -R port numbers PermitOpen 127.0.0.1:1234 2000 2001 2002 3000-3999 The advantage of (1) is that we can extend it to allow selection of bind address, but (2) can't do this... -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug. ___ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs