Bug 1949

Summary: PermitOpen none option
Product: Portable OpenSSH
Reporter: Loganaden Velvindron <loganaden>
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: enhancement
CC: dtucker
Priority: P2
Version: 5.9p1
Hardware: All
OS: OpenBSD
Bug Depends on:
Bug Blocks: 1986
Attachments (description, flags):
  attachment 2104: permitopen_none option diff (flags: none)
  attachment 2108: permitOpen none with a single socket (flags: none)
  attachment 2111: permitopen none with sshd -T support (flags: djm: ok+)
  attachment 2112: OpenBSD sshd permitopen diff (flags: none)
  attachment 2116: PermitOpen None diff for native OpenSSH (flags: none)

Description Loganaden Velvindron 2011-11-06 19:51:23 AEDT
Created attachment 2104 [details]
permitopen_none option diff

From debian bug tracker:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543683

Package: openssh-server
Version: 1:5.1p1-7
Severity: wishlist

I'm trying to set up a reverse SSH box (i.e. one where people stuck
behind NAT can SSH in and initiate a tunnel back to their machine).
They use it something like this:

  ssh login@box -R 2000:localhost:22

I'm trying to lock this down as far as possible - in particular I'd
like to disable AllowTcpForwarding, however if I do this it prevents
both local _and_ remote tunnels.

Leaving AllowTcpForwarding open and setting "PermitOpen
127.0.0.1:65535" gets close - all the reverse tunnels work, but the
only local tunnel that will work is "ssh login@box -L
xxxx:localhost:65535".   

I'd like to use "PermitOpen none" (or just blank) however sshd doesn't
allow this (just checked the source code).

Thanks,

Adrian
-- 
Email: adrian@smop.co.uk  -*-  GPG key available on public key servers
Debian GNU/Linux - the maintainable distribution   -*-  www.debian.org

I thought I'd give it a try.

I added a new function that populates the list of allowed sockets
with NULL, and also added the permitopen none option.

Any feedback on how to improve the code would be nice :-)

//Logan
C-x-C-c
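The reverse-SSH setup the Debian report describes, written out as an sshd_config fragment. This is an added example, not text from the bug or from the OpenSSH manual; the account name is an assumption, and the "after" block needs a sshd that accepts "PermitOpen none" (the change tracked in this bug, released in 6.1).

```text
# Before (what the report tried): the only knob that stops -L also
# stops -R, and the workaround still leaves one -L destination open.
#
#   AllowTcpForwarding no          # kills ssh -R 2000:localhost:22 too
#
#   AllowTcpForwarding yes
#   PermitOpen 127.0.0.1:65535     # -L xxxx:localhost:65535 still works
#
# After: keep forwarding enabled so -R works, but refuse every
# direct-tcpip (-L / -D) destination the client asks the server to open.
Match User tunneluser             # assumed account name
    AllowTcpForwarding yes        # needed so -R still works
    PermitOpen none               # no -L/-D target is ever opened
    X11Forwarding no
    AllowAgentForwarding no
```

PermitOpen only filters the destinations a client asks the server to connect out to (ssh -L and -D); it does not restrict the listeners a client asks the server to bind with -R, which is why "PermitOpen none" leaves the reverse tunnel working. After installing the config, confirm the parsed value with "sshd -T -C user=tunneluser | grep -i permitopen", which prints "permitopen none" once the -T support from this bug is present; with the earlier workaround it prints "permitopen 127.0.0.1:65535" instead. Later releases also added "AllowTcpForwarding remote", which expresses this policy without the PermitOpen trick.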
Comment 1 Loganaden Velvindron 2011-11-20 03:32:20 AEDT
Created attachment 2108 [details]
permitOpen none with a single socket
Comment 2 Loganaden Velvindron 2011-11-20 04:55:06 AEDT
Instead of creating a bunch of sockets with host_to_connect as NULL,
it's simpler to create only one.
Comment 3 Damien Miller 2011-12-02 10:59:23 AEDT
Comment on attachment 2108 [details]
permitOpen none with a single socket

Darren is more familiar with this code than I am. The patch looks sane to me though.
Comment 4 Darren Tucker 2011-12-02 11:21:08 AEDT
Looks OK, but I think we need to add the equivalent code to channel_print_adm_permitted_opens() so that it'll output "permitopen none" when it sees the NULL in host_to_connect.
Comment 5 Darren Tucker 2011-12-02 11:59:16 AEDT
Created attachment 2111 [details]
permitopen none with sshd -T support
Comment 6 Loganaden Velvindron 2011-12-02 19:32:41 AEDT
Created attachment 2112 [details]
OpenBSD sshd permitopen diff

Port of dtucker's patch for openbsd
Comment 7 Loganaden Velvindron 2011-12-08 06:03:12 AEDT
Created attachment 2116 [details]
PermitOpen None diff for native OpenSSH

Remove a whitespace in channel_disable_adm_local_opens(void)

& add a space before none in printf() to make it more consistent.

Any comments ?
Comment 8 Loganaden Velvindron 2012-01-05 18:30:30 AEDT
Are there other issues that need fixing ?
Comment 9 Loganaden Velvindron 2012-01-20 05:34:24 AEDT
ping ?
Comment 10 Loganaden Velvindron 2012-02-14 20:14:20 AEDT
Now that the tree is unlocked, any chance this could make it to OpenSSH 6.1 ?

Patching each machine is a pain...
Comment 11 Darren Tucker 2012-03-30 10:55:34 AEDT
thanks for the patch (and patience).  this has been committed and will be in the 6.1 release.
Comment 12 Loganaden Velvindron 2012-04-01 01:50:13 AEDT
Awesome :-)
Thanks for finding time to look at it!
Comment 13 Damien Miller 2016-08-02 10:41:46 AEST
Close all resolved bugs after 7.3p1 release