[Bug 2038] permitopen functionality but for remote forwards

2021-04-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

Damien Miller  changed:

   What|Removed |Added

 Status|RESOLVED|CLOSED

--- Comment #29 from Damien Miller  ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2038] permitopen functionality but for remote forwards

2019-03-04 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

Taylor R  changed:

   What|Removed |Added

 CC||tayt...@gmail.com

--- Comment #28 from Taylor R  ---
Now if only -R0 would pull from these ports specified in PermitListen.
PermitListen is halfway to what I'm looking to do. Attempting to brush
up on my C enough to craft a solution in the source files.



[Bug 2038] permitopen functionality but for remote forwards

2018-06-18 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

--- Comment #27 from Damien Miller  ---
... and I just added support for bare port numbers in
permitlisten/PermitListen:

commit 80e199d6175904152aafc5c297096c3e18297691 (HEAD -> master)
Author: d...@openbsd.org 
Date:   Tue Jun 19 03:02:17 2018 +

upstream: test PermitListen with bare port numbers

OpenBSD-Regress-ID: 4b50a02dfb0ccaca08247f3877c444126ba901b3

commit 87ddd676da0f3abd08b778b12b53b91b670dc93c
Author: d...@openbsd.org 
Date:   Tue Jun 19 02:59:41 2018 +

upstream: allow bare port numbers to appear in PermitListen
directives,

e.g.

PermitListen  8080

is equivalent to:

PermitListen *: *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@

OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
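
The bare-port equivalence in the commit message above, as an added example that is not part of the original thread and is not OpenSSH's own code: a simplified Python model that expands a PermitListen value and checks remote-forward listen requests against it. It goes beyond the bare-port case to cover host:port entries and the any/none keywords documented in sshd_config(5); the function names, the sample value and the sample requests are assumptions made for illustration, and fnmatch stands in for OpenSSH's pattern matching.

```python
"""Simplified model of PermitListen matching (illustration, not sshd code)."""
from fnmatch import fnmatchcase


def parse_permit_listen(value):
    """Expand a PermitListen argument string.

    Returns "any", "none", or a list of (host_pattern, port) rules, where
    port is an int or "*". A bare port N becomes ("*", N).
    """
    tokens = value.split()
    if not tokens:
        raise ValueError("empty PermitListen value")
    if tokens in (["any"], ["none"]):
        return tokens[0]
    rules = []
    for tok in tokens:
        host, sep, port = tok.rpartition(":")
        if not sep:
            host = "*"                      # bare port: any listen address
        elif not host:
            raise ValueError(f"missing host in {tok!r}")
        host = host.strip("[]").lower()     # assumption: [v6]:port brackets
        if port != "*":
            # Assumption of this model: explicit ports are 1-65535.
            if not port.isdigit() or not 0 < int(port) <= 65535:
                raise ValueError(f"bad port in {tok!r}")
            port = int(port)
        rules.append((host, port))
    return rules


def listen_permitted(rules, listen_host, listen_port):
    """Decide whether a remote-forward listen request matches the rules."""
    if rules == "any":
        return True
    if rules == "none":
        return False
    host = listen_host.lower()
    # fnmatch stands in for ssh_config(5) PATTERNS ('*' and '?').
    return any(
        fnmatchcase(host, pattern) and port in ("*", listen_port)
        for pattern, port in rules
    )


def audit(value, requests):
    """Return {(host, port): allowed} for a list of listen requests."""
    rules = parse_permit_listen(value)
    return {(h, p): listen_permitted(rules, h, p) for h, p in requests}


# Constructed sample: one bare port plus one address-pinned port.
SAMPLE_VALUE = "8080 127.0.0.1:2001"
SAMPLE_REQUESTS = [
    ("localhost", 8080),   # default listen host sent by ssh -R 8080:...
    ("::1", 8080),         # IPv6 loopback: allowed, bare port means *:8080
    ("127.0.0.1", 2001),   # matches the pinned address
    ("localhost", 2001),   # name differs from the literal 127.0.0.1 rule
    ("localhost", 9000),   # port not listed
]

if __name__ == "__main__":
    for request, allowed in audit(SAMPLE_VALUE, SAMPLE_REQUESTS).items():
        print(request, "permit" if allowed else "deny")
```

In this model a bare port admits every listen address, including IPv6 loopback; an entry in host:port form limits the address as well.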



[Bug 2038] permitopen functionality but for remote forwards

2018-06-07 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

--- Comment #26 from Martin Häcker  ---




[Bug 2038] permitopen functionality but for remote forwards

2018-06-06 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

Damien Miller  changed:

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Blocks||2852
 Resolution|--- |FIXED

--- Comment #25 from Damien Miller  ---
I've committed a variant of the patch that names the directive
PermitListen and added a permitlisten directive for authorized_keys.
This will be in the OpenSSH 7.8 release, due within the next few
months.


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2852
[Bug 2852] Tracking bug for OpenSSH 7.8 release


[Bug 2038] permitopen functionality but for remote forwards

2018-05-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

Damien Miller  changed:

   What|Removed |Added

 CC||biagion...@gmail.com

--- Comment #24 from Damien Miller  ---
*** Bug 2751 has been marked as a duplicate of this bug. ***



[Bug 2038] permitopen functionality but for remote forwards

2018-05-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

--- Comment #23 from Atony Antony  ---
I just found out that my patch is incomplete. It needs more work.



[Bug 2038] permitopen functionality but for remote forwards

2018-05-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

--- Comment #22 from Atony Antony  ---
Created attachment 3153
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3153&action=edit
parse authorized_keys option permitremoteopen="port"

This is great. My first attempt to add parsing of the authorized_keys
permitremote="port" option.

It is also updated at https://github.com/antonyantony/openssh
thanks.



[Bug 2038] permitopen functionality but for remote forwards

2018-05-21 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

Damien Miller  changed:

   What|Removed |Added

   Attachment #2436 is obsolete|0   |1
   Attachment #2517 is obsolete|0   |1
   Attachment #3054 is obsolete|0   |1
 Status|NEW |ASSIGNED
   Assignee|unassigned-b...@mindrot.org |d...@mindrot.org

--- Comment #21 from Damien Miller  ---
Created attachment 3152
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3152&action=edit
PermitRemoteOpen directive

This is an implementation of PermitRemoteOpen, including regress tests
and a small refactoring of the permitopen permissions to enable more
sharing of code.

TODO: authorized_keys permitremoteopen, PermitRemoteOpen="123" (i.e.
bare port number), manual pages.



[Bug 2038] permitopen functionality but for remote forwards

2018-04-12 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

ms.huan.z...@gmail.com changed:

   What|Removed |Added

 CC||ms.huan.z...@gmail.com

--- Comment #20 from ms.huan.z...@gmail.com ---
Sad to see almost 6 years pass without a final decision. But I'm still
looking forward to having the feature to close the security loophole
in my case.



[Bug 2038] permitopen functionality but for remote forwards

2018-03-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

william.mar...@power-lan.com changed:

   What|Removed |Added

 CC||william.mar...@power-lan.com

--- Comment #19 from william.mar...@power-lan.com ---
I have the same request too. Can you merge the patch?



[Bug 2038] permitopen functionality but for remote forwards

2018-03-21 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

--- Comment #18 from b...@dhampir.no ---
I have this exact same use case in the duped bug. Please integrate?



[Bug 2038] permitopen functionality but for remote forwards

2018-03-21 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

b...@dhampir.no changed:

   What|Removed |Added

 CC||b...@dhampir.no

--- Comment #17 from b...@dhampir.no ---
*** Bug 2842 has been marked as a duplicate of this bug. ***



[Bug 2038] permitopen functionality but for remote forwards

2018-02-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

--- Comment #16 from Martin Häcker  ---
Maybe they need all the energy they have to move to a better integrated
issue tracker and code hosting service that also tracks pull requests
as a first class object?



[Bug 2038] permitopen functionality but for remote forwards

2018-02-01 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

--- Comment #15 from er...@rohlicek.at ---
Not sure why the maintainers let a security-enhancing small patch rot
here for several years.



[Bug 2038] permitopen functionality but for remote forwards

2018-01-31 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

--- Comment #14 from bygon_wiggle  ---
Are there plans to merge the patch
(https://github.com/antonyantony/openssh/) back into openssh?

I did not find an open or closed pull request with this patch in
https://github.com/openssh/openssh-portable



[Bug 2038] permitopen functionality but for remote forwards

2017-09-19 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

--- Comment #13 from Atony Antony  ---
Created attachment 3054
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3054&action=edit
7.5p1 permitremoteopen patch

up request to update the here is one for 7.5p1. If you need a patch for
CentOS 7.3+, drop me a line.



[Bug 2038] permitopen functionality but for remote forwards

2017-06-23 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

--- Comment #12 from er...@rohlicek.at ---
Greetings, I can also only re-affirm the usefulness of such a
restriction possibility.

Primary concern here is restriction on which listen ports the client
can bind to.



[Bug 2038] permitopen functionality but for remote forwards

2017-06-23 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

rgm  changed:

   What|Removed |Added

 CC||ssh@spamgourmet.com

--- Comment #11 from rgm  ---
I'd love this functionality, please consider for inclusion in OpenSSH
7.6.  Is there something different or additional you'd like to see in
the patch before you'll include it?



[Bug 2038] permitopen functionality but for remote forwards

2016-12-27 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

--- Comment #10 from er...@rohlicek.at ---
This would also be highly beneficial for the local setup here.

PermitOpen supports local portforward restrictions, but remote PFs
cannot be restricted in vanilla OpenSSH at the moment.

Please incorporate patch for restricting *remote* port forwards as
well. 

Currently have to do this the clunky way using SELinux or similar to
restrict which users may listen on which ports.



[Bug 2038] permitopen functionality but for remote forwards

2016-12-27 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

er...@rohlicek.at changed:

   What|Removed |Added

 CC||er...@rohlicek.at



[Bug 2038] permitopen functionality but for remote forwards

2016-11-03 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

--- Comment #9 from Jean-Noel COUERON  ---
Please add this feature; that's exactly what I need.

Sincerely

Jean-Noel



[Bug 2038] permitopen functionality but for remote forwards

2016-11-03 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

Jean-Noel COUERON  changed:

   What|Removed |Added

 CC||jn.coue...@power-lan.com



[Bug 2038] permitopen functionality but for remote forwards

2016-10-19 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

Sascha Silbe  changed:

   What|Removed |Added

 CC||sascha-openssh-bugs@silbe.org



[Bug 2038] permitopen functionality but for remote forwards

2016-01-11 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

Peter Tripp  changed:

   What|Removed |Added

 CC||pe...@chartio.com



[Bug 2038] permitopen functionality but for remote forwards

2015-11-18 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

Peter Åstrand  changed:

   What|Removed |Added

 CC||astr...@lysator.liu.se



[Bug 2038] permitopen functionality but for remote forwards

2015-05-11 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

Robert rhb...@rbu.sh changed:

   What|Removed |Added

 CC||rhb...@rbu.sh



[Bug 2038] permitopen functionality but for remote forwards

2015-05-11 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

Martin Häcker spamfaen...@gmx.de changed:

   What|Removed |Added

 CC||spamfaen...@gmx.de



[Bug 2038] permitopen functionality but for remote forwards

2015-05-11 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

--- Comment #8 from Martin Häcker spamfaen...@gmx.de ---
I would like to add that we identified a possible security risk by not
being able to restrict the remote port forwarding.

Our use case is that we want to give one customer the ability to safely
(via ssh tunnel) access a service that is only accessible locally on a
machine, but noticed that if we allow him to locally (-L) forward a
port, he can also use ssh to bind to any other port via -R.

The problem with this is that ssh by default is perfectly happy to bind
to ipv6 addresses, even for ports where the ipv4 address is already
bound (8080 for some web server for example).

Now other more modern tools (e.g. apache) could try to connect to the
newly opened ipv6 port instead of the original service, if they are
configured to use symbolic names like 'localhost'.

I don't think this is a big risk, but certainly very unexpected for us.



[Bug 2038] permitopen functionality but for remote forwards

2015-02-02 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

Marcus Popp m...@mpopp.eu changed:

   What|Removed |Added

 CC||m...@mpopp.eu

--- Comment #7 from Marcus Popp m...@mpopp.eu ---
*** Bug 2347 has been marked as a duplicate of this bug. ***



[Bug 2038] permitopen functionality but for remote forwards

2014-12-15 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

--- Comment #5 from Atony Antony ant...@phenome.org ---
Created attachment 2517
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2517&action=edit
tested on 6.7p1 and applies on cvs current too.



[Bug 2038] permitopen functionality but for remote forwards

2014-06-19 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

ja...@coppermoth.com changed:

   What|Removed |Added

 CC||ja...@coppermoth.com

--- Comment #4 from ja...@coppermoth.com ---
This patch seems exactly what I need (I had just posted a message to
-devs and had started to investigate writing my own patch).

I will apply and verify that it works for me (I would want to specify
the restricted port on a per-user basis)



[Bug 2038] permitopen functionality but for remote forwards

2014-05-15 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

Atony Antony ant...@phenome.org changed:

   What|Removed |Added

 CC||ant...@phenome.org

--- Comment #3 from Atony Antony ant...@phenome.org ---
Created attachment 2436
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2436&action=edit
[PATCH] 6.6p1-permitremoteopen

I have been working on a similar idea. See the attached patch. It works
on Linux (6.6p1). It also seems to apply on OpenBSD version 6.4, 6.5.
https://github.com/antonyantony/openssh/



[Bug 2038] permitopen functionality but for remote forwards

2013-01-02 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

Lluís Gili tictac...@gmail.com changed:

   What|Removed |Added

 CC||tictac...@gmail.com



[Bug 2038] permitopen functionality but for remote forwards

2012-09-06 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2038

Damien Miller d...@mindrot.org changed:

   What|Removed |Added

 CC||d...@mindrot.org

--- Comment #1 from Damien Miller d...@mindrot.org ---
Some options:

1. Separate option

PermitROpen 2000 2001 2002 3000-3999

2. Reuse PermitOpen, but treat numbers without ':' as -R port numbers

PermitOpen 127.0.0.1:1234 2000 2001 2002 3000-3999

The advantage of (1) is that we can extend it to allow selection of
bind address, but (2) can't do this...

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs