Bug 3275

Summary: PermitListen does not work in Match block and permitlisten= does not work in authorized_keys file
Product: Portable OpenSSH Reporter: Evgeny <evgeny.vasilchenko>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED INVALID    
Severity: major CC: dtucker, evgeny.vasilchenko
Priority: P5    
Version: 8.5p1   
Hardware: amd64   
OS: Linux   

Description Evgeny 2021-03-10 19:23:43 AEDT 
* CentOS Linux release 7.9.2009 (Core)
* OpenSSH_8.5p1, OpenSSL 1.0.2k-fips  26 Jan 2017 built from sources:
./configure --with-md5-passwords --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh

1) as per https://man.openbsd.org/sshd_config.5#Match - Match block allows "PermitListen" keyword - however:

----- /etc/ssh/sshd_config -----------
Match User user
        PermitListen localhost:5555
--------------------------------------


# systemctl restart sshd
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details

# journalctl -xe

[...skipped...]

Mar 10 08:21:32 lbtest1 systemd[1]: Starting OpenSSH server daemon...
-- Subject: Unit sshd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit sshd.service has begun starting up.
Mar 10 08:21:32 lbtest1 sshd[3973]: /etc/ssh/sshd_config: line 142: Bad configuration option: PermitListen
Mar 10 08:21:32 lbtest1 sshd[3973]: /etc/ssh/sshd_config line 142: Directive 'PermitListen' is not allowed within a Match block
Mar 10 08:21:32 lbtest1 systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
Mar 10 08:21:32 lbtest1 systemd[1]: Failed to start OpenSSH server daemon.
-- Subject: Unit sshd.service has failed
--------------------------------------


2) The permitlisten= option does not work with or without IP address while permitopen= works fine in authorized_key file.

---/home/user/.ssh/authorized_key ----
restrict,pty,port-forwarding,permitopen="localhost:22",permitlisten="5555" ssh-rsa AAAAB3Nza
--------------------------------------


--- Remote port forwarding command and result ----
$ ssh 5555:localhost:22 user@xxx.xxx.xxx.xxx
user@xxx.xxx.xxx.xxx: Permission denied (publickey).
--------------------------------------

SSHD log file with DEBUG

------------------------
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: trying public key file /home/user/.ssh/authorized_keys
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: fd 4 clearing O_NONBLOCK
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: allow port forwarding to host localhost port 22
Mar 10 07:53:26 lbtest1 sshd[3781]: Bad options in /home/user/.ssh/authorized_keys file, line 1: permitlisten="5555" ssh-rsa AAAAB3NzaC1yc2EAAAADAQ
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: restore_uid: 0/0
Mar 10 07:53:26 lbtest1 sshd[3781]: Failed publickey for user from xxx.xxx.xxx.xxx port 17445 ssh2: RSA
------------------------

------------------------
Mar 10 07:52:32 lbtest1 sshd[3773]: debug1: allow port forwarding to host localhost port 22
Mar 10 07:52:32 lbtest1 sshd[3773]: Bad options in /home/user/.ssh/authorized_keys file, line 1: permitlisten="localhost:5555" ssh-rsa AAAAB3NzaC1y
Mar 10 07:52:32 lbtest1 sshd[3773]: debug1: restore_uid: 0/0
Mar 10 07:52:32 lbtest1 sshd[3773]: Failed publickey for user from xxx.xxx.xxx.xxx port 50403 ssh2: RSA
------------------------
Comment 1 Darren Tucker 2021-03-10 21:05:46 AEDT 
Are you sure you are running the new binary?  Because...

(In reply to Evgeny from comment #0)
> * OpenSSH_8.5p1, OpenSSL 1.0.2k-fips  26 Jan 2017 built from sources:
> ./configure --with-md5-passwords --with-pam --with-selinux
> --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh

by default sshd is installed in /usr/local/sbin:

$ ./configure --help
[...]
  --prefix=PREFIX   install architecture-independent files in PREFIX
                    [/usr/local]

and unless you changed the systemd unit file it's probably running the vendor supplied one in /usr/sbin.  A quick test with 8.5p1 here seems to work with the fragment you quote:

$ cat config
Match User dtucker
        PermitListen localhost:5555
$ sudo `pwd`/sshd -f `pwd`/config -ddde -p 2022 2>&1 | grep -i permit
debug3: reprocess config:2 setting PermitListen localhost:5555
Comment 2 Evgeny 2021-03-11 07:21:29 AEDT 
Darren, you are right. It was a late night for me whan I've submitted the bug and I've missed this important part.
Sorry.
Ev.
Comment 3 Darren Tucker 2021-03-11 11:05:11 AEDT 
Glad it's working now!
Comment 4 Damien Miller 2021-04-23 14:55:49 AEST 
closing resolved bugs as of 8.6p1 release