Bug 2272

Summary:

Global "PermitTunnel Yes" required to connect to a tunnel

Product:

Portable OpenSSH

Reporter:

joe9mail

Component:

sshd

Assignee:

Damien Miller <djm>

Status:

CLOSED FIXED

Severity:

major

CC:

djm, dtucker, hasa100, joe9mail, kmk

Priority:

Version:

6.6p1

Hardware:

amd64

OS:

Linux

Attachments:

Description	Flags
Fix Match block overrides failing if global option set	none
more activep checks	dtucker: ok+

Description joe9mail 2014-09-09 17:55:43 AEST

Hello,

When a tun0 device is created with the below commands on the server:

ip tuntap add dev tun0 mode tun user sshuser group sshusers
ip link set dev tun0 up
ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2


and ssh is started with this command from the client:

ssh -NTC -w 0:0 -o Tunnel=point-to-point sshuser@<ip-address>

Working extract from sshd_config:

PermitTunnel yes
Match User sshuser
   PermitTunnel yes

NOT Working extract from sshd_config (below is the message):
PermitTunnel no
Match User sshuser
   PermitTunnel yes

The error message with a -v is:
debug1: Remote: Server has rejected tunnel device forwarding

Thanks
Joe

Comment 1 Damien Miller 2014-09-09 19:47:22 AEST

Yes, that's working as intended. sshd should refuse tunnel connections unless the administrator has explicitly configured it. This is already mentioned in the sshd_config manual.

Comment 2 Kevin Korb 2014-09-12 07:28:34 AEST

I don't understand how settting PermitTunnel yes in a Match block does not count as the administrator explicitly configuring tunnels (and only allowing them for certain users).

If the PermitTunnel setting within a Match block can only be used to disable tunneling for the matched criteria then I can't find that information in the man page.

Comment 3 Sami Hartikainen 2014-09-24 18:43:31 AEST

(In reply to Damien Miller from comment #1)
> Yes, that's working as intended. sshd should refuse tunnel
> connections unless the administrator has explicitly configured it.
> This is already mentioned in the sshd_config manual.

sshd_config manual on Match block states:
"...keywords on the following lines override those
 set in the global section of the config file..."

I'd say the bug report is valid.

Comment 4 Sami Hartikainen 2014-09-24 18:49:22 AEST

Created attachment 2480 [details]
Fix Match block overrides failing if global option set

In addition to the PermitTunnel option, this patch fixes the issue with RekeyLimit (reason being the same).

It looks like the StreamLocalBindMask may also be affected similarly. As the option in undocumented, the patch does not touch it.

Comment 5 Damien Miller 2015-05-01 15:15:10 AEST

Created attachment 2614 [details]
more activep checks

Comment 6 Damien Miller 2015-05-01 17:08:14 AEST

Patch applied - this will be in openssh-6.9

Comment 7 Damien Miller 2015-08-11 23:03:06 AEST

Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1