Bug 2273

Summary: The group of the tunnel device needs to match with the group of the connecting ssh user
Product: Portable OpenSSH
Reporter: joe9mail
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: REOPENED
Severity: normal
CC: djm, joe9mail
Priority: P5
Version: 6.6p1
Hardware: amd64
OS: Linux

Description joe9mail 2014-09-09 18:02:54 AEST
Hello,

When a tun0 device is created with the below commands on the server:

$ id sshuser
uid=100(sshuser) gid=100(sshusers) groups=100(sshusers)

$ ip tuntap add dev tun0 mode tun user sshuser group users
$ ip link set dev tun0 up
$ ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2

and ssh is started with this command from the client:

$ ssh -NTC -w 0:0 -o Tunnel=point-to-point sshuser@<ip-address>

The error message is:

debug1: Remote: Failed to open the tunnel device.
.
.
.
channel 0: open failed: administratively prohibited: open failed
debug1: channel 0: free: tun, nchannels 1

If the group of the tun0 device is changed from "users" to "sshusers", the above ssh connection works fine.

Thanks
Joe
Comment 1 Damien Miller 2014-09-09 19:46:12 AEST
Generally, the user connecting must have the right privileges/permissions to open the tun device. So the tunnel device could have the same group or the same user. This is completely expected and normal.

I've added a note to the sshd_config manual page mentioning the need for the tunnel device to have appropriate permissions.
Comment 2 joe9mail 2014-09-14 11:29:10 AEST
The user connecting through ssh (sshuser) is the owner of the device. The owner of the device has appropriate permissions on the device.

Looks like the permissions are only being checked for the group and not the user.
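Added example (not part of the bug report or of OpenSSH): a small model of the ownership check the Linux tun driver applies when a process opens a persistent tun device (tun_not_capable in drivers/net/tun.c), so an administrator can predict whether `ssh -w` will succeed before creating the device. The values for sshuser come from the report; the gid of the "users" group is a constructed placeholder.

```python
from typing import Optional, Set

def parse_sysfs_id(text: str) -> Optional[int]:
    """Parse /sys/class/net/<dev>/owner or /group; the kernel prints -1 when unset."""
    value = int(text.strip())
    return None if value < 0 else value

def tun_access_allowed(owner: Optional[int], group: Optional[int],
                       fsuid: int, egids: Set[int],
                       cap_net_admin: bool = False) -> bool:
    """True if a process with these credentials may attach to the tun device.

    Rule as the tun driver applies it: if an owner is set, fsuid must equal it;
    if a group is set, the caller must be a member of it; BOTH conditions apply
    when both are set. CAP_NET_ADMIN in the device's network namespace bypasses
    the check entirely.
    """
    if cap_net_admin:
        return True
    owner_ok = owner is None or fsuid == owner
    group_ok = group is None or group in egids
    return owner_ok and group_ok

def check_device(dev: str, fsuid: int, egids: Set[int]) -> bool:
    """Live check for a device on this host (Linux only; no root required)."""
    base = f"/sys/class/net/{dev}"
    with open(f"{base}/owner") as f:
        owner = parse_sysfs_id(f.read())
    with open(f"{base}/group") as f:
        group = parse_sysfs_id(f.read())
    return tun_access_allowed(owner, group, fsuid, egids)

# Constructed scenario from the report: sshuser is uid 100 with gid 100
# (sshusers); "users" is assumed to be gid 1000 (placeholder, not on the page).
SSHUSER_UID, SSHUSERS_GID, USERS_GID = 100, 100, 1000
SSHUSER_GROUPS = {SSHUSERS_GID}

def report_scenario() -> bool:
    """tun0 created with 'user sshuser group users': open fails with EPERM."""
    return tun_access_allowed(SSHUSER_UID, USERS_GID, SSHUSER_UID, SSHUSER_GROUPS)

def fixed_scenario() -> bool:
    """tun0 created with 'user sshuser group sshusers': open succeeds."""
    return tun_access_allowed(SSHUSER_UID, SSHUSERS_GID, SSHUSER_UID, SSHUSER_GROUPS)

if __name__ == "__main__":
    print("group users    ->", "allowed" if report_scenario() else "denied")
    print("group sshusers ->", "allowed" if fixed_scenario() else "denied")
```

Because both conditions must hold, a device owned by the connecting user but assigned to a group that user is not in is refused, which matches the behaviour described in the report.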
Comment 3 Damien Miller 2015-03-03 07:59:37 AEDT
OpenSSH 6.8 is approaching release and closed for major work. Retarget these bugs for the next release.
Comment 4 Damien Miller 2015-03-03 08:01:09 AEDT
Retarget to 6.9
Comment 5 Damien Miller 2015-06-05 14:03:14 AEST
Could you please attach a debug log from the server so we can figure out what is going wrong?