In OpenSSH 5.1 you introduced CIDR address/masklen matching for "Match address" blocks in sshd_config as well as supporting CIDR matching in ~/.ssh/authorized_keys from="..." restrictions in sshd. I wonder whether CIDR address/masklen matching will be implemented for permitopen="host:port" restrictions in sshd as well, that would be quite beneficially (at least for me, maybe others,too;-) (There was already a request for a feature like that incl a patch back in 2005) --> permitopen="net/mask:port(s)" --> permitopen="net/mask:port_range" You suggested to look into it by myself (and perhaps contribute a patch...) - I definitively would do that if I'd only speak C... Thank you - kind regards, Bert
We are freezing for the OpenSSH 5.6 release. Retargetting these bugs to the next release.
Retarget unclosed bugs from 5.7=>5.8
Created attachment 2025 [details] Feature enhancement patch for permitopen - needs code review/testing/cleanup This patch changes permitopen to use the same access logic as is available for 'from=' That is: * CIDR matches - 192.168.0.0/16 * Wildcard matches - *.example.com * Negated matches !10.0.0.0/8 Support for port ranges has been added, e.g. 127.0.0.1:* or 127.0.0.1:1-65535 The checking logic has been moved to a function which is called from connect_next which happens after DNS resolution but before the actual connect call. This is in order to allow a permitopen to www.example.com to still work when the forwarding request is made using the ip address and vice versa. Negations take precedence over other matches, so one can do something like this: PermitOpen 0.0.0.0/0:* PermitOpen !127.0.0.0/8:* Other things: Get rid of permitopen any? NOTES: I've only tested this with PermitOpen in the config file, it should work with permitopen= from an authorized_key file, but I haven't verified. I'm not great with C, and someone needs to doublecheck my work to ensure that I haven't introduced any possible buffer overflows. I understand the gotchas in general regarding buffer overflows and I think I've done everything correctly, but I lack enough experience to be confident. Some minor changes have been made to return codes given by functions in match.c and code referencing these functions has been updated. Stuff relying on those functions should be tested. channel_connect_to has been changed to simply call connect_to. It could probably be aliased with a #define but I'm not quite clear on static vs non-static functions in C. I've attempted to follow coding style, but in a few cases this has lead me to do things which seem weird. In particular multi-purposing variables seems questionable to me. I've used hpdelim to split out CIDR/port mappings, but it doesn't distinguish : from /, so if you permitopen 192.168.0.0/16 it will be parsed as 192.168.0.0, port 16, which is a bit dubious.
It would be nice if coma separated lists of hosts and ports were also supported: Ex: PermitOpen 10.5.100.34:22,443 10.5.100.2,10.5.100.20:22 Thanks.
> It would be nice if coma separated lists of hosts and ports were also > supported: > Ex: > PermitOpen 10.5.100.34:22,443 10.5.100.2,10.5.100.20:22 Space delimited lists are handled in the sshd config file already. Writing a parser that would handle the situation you suggest would be rather annoying. Additionally, handling lists of ports instead of just a port range requires significantly more complicated handling, both in data structures and access checking. I don't care about it enough to bother doing it.
Retarget unresolved bugs/features to 6.0 release
Retarget unresolved bugs/features to 6.0 release (try again - bugzilla's "change several" isn't)
did some tests, run it for a few months. works fine. thanks a lot, RyanC
Damien, Is there anything I can do to increase the likelyhood of this getting looked at and maybe included in the next release? Thanks, Ryan
The current snapshot breaks my patch. I'm working on a fix.
Retarget from 6.0 to 6.1
Retarget 6.0 => 6.1
Ryan, do you plan to create a patch for 6.0 any time soon? Thanks.
Vladimir, I'm not currently using OpenSSH 6.0 or higher anywhere that I need this functionality, so forward-porting the patch (which, due to some structural changes in the code, will be non-trivial) is low on my list of priorities - between work, various personal projects and social obligations I don't have a lot of free time. However, if I could get some feedback from Damien as to what I would need to do to get this patch merged, I would be happy to make the time to spend a weekend forward-porting the patch. I don't want to have to maintain it as a separate patch, and I don't like having to apply custom patches and repackage software that I use. Damien? -Ryan
Retarget uncompleted bugs from 6.1 => 6.2
Retarget bugs from 6.1 => 6.2
retarget to openssh-6.3
Retarget to openssh-6.4
Retarget 6.3 -> 6.4
Retarget incomplete bugs / feature requests to 6.6 release
Retarget to 6.7 release, since 6.6 was mostly bugfixing.
Remove from 6.6 tracking bug
Retarget incomplete bugs to 6.8 release.
These bugs are no longer targeted at the imminent 6.7 release
Ryan, have you looked at patching version 6? :)
OpenSSH 6.8 is approaching release and closed for major work. Retarget these bugs for the next release.
Retarget to 6.9
Retarget pending bugs to openssh-7.1
Pull this off list for 7.2
FWIW I have a rather compact and simple libcidr that I use in a PAM module if it's useful, just ping me.