Bug 3099

Summary: no name lookup (and not documented) for permitopen option
Product: Portable OpenSSH Reporter: Phil Dumont <phil>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: enhancement CC: djm
Priority: P5    
Version: 7.2p2   
Hardware: Other   
OS: Linux   

Description Phil Dumont 2019-11-27 20:55:04 AEDT
Empirical evidence indicates that name lookup is not done when comparing the host given in the client's -L option argument and the host given in authorized_keys' permitopen option.  For example, if permitopen specifies 127.0.0.1, and ssh -L offers localhost (or vice versa), the port forward will not be permitted.

This is slightly counterintuitive.

There may be a legitimate reason why the name lookup deliberately is not done (though I'd be hard pressed to come up with such a reason).  But if so, it would be nice if the fact were documented.  It's currently not mentioned on the sshd man page.  The man page does mention no pattern matching on the host, but it doesn't say anything about no name lookup.

But if there isn't a reason for it (beyond just haven't got to it yet), please consider adding it.
Comment 1 Damien Miller 2020-01-25 17:06:29 AEDT
I've added some verbiage to the manual pages to make it clear that no hostname expansion is performed on PermitOpen/permitopen contents. This will be shipped in OpenSSH 8.2.

We don't want to add hostname expansion on this path, it's complicated enough as it is.
Comment 2 Damien Miller 2021-04-23 14:57:40 AEST
closing resolved bugs as of 8.6p1 release