Bug 1949 - PermitOpen none option
Summary: PermitOpen none option
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 5.9p1
Hardware: All OpenBSD
Importance: P2 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_6_1
Reported: 2011-11-06 19:51 AEDT by Loganaden Velvindron
Modified: 2016-08-02 10:41 AEST

See Also:


Attachments
permitopen_none option diff (2.01 KB, application/octet-stream)
2011-11-06 19:51 AEDT, Loganaden Velvindron
no flags

permitOpen none with a single socket (1.98 KB, patch)
2011-11-20 03:32 AEDT, Loganaden Velvindron
no flags

permitopen none with sshd -T support (2.40 KB, patch)
2011-12-02 11:59 AEDT, Darren Tucker
djm: ok+

OpenBSD sshd permitopen diff (2.50 KB, patch)
2011-12-02 19:32 AEDT, Loganaden Velvindron
no flags

PermitOpen None diff for native OpenSSH (2.50 KB, patch)
2011-12-08 06:03 AEDT, Loganaden Velvindron
no flags

Description Loganaden Velvindron 2011-11-06 19:51:23 AEDT
Created attachment 2104
permitopen_none option diff

From debian bug tracker:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543683

Package: openssh-server
Version: 1:5.1p1-7
Severity: wishlist

I'm trying to set up a reverse SSH box (i.e. one where people stuck
behind NAT can SSH in and initiate a tunnel back to their machine).
They use it something like this:

  ssh login@box -R 2000:localhost:22

I'm trying to lock this down as far as possible - in particular I'd
like to disable AllowTcpForwarding, however if I do this it prevents
both local _and_ remote tunnels.

Leaving AllowTcpForwarding open and setting "PermitOpen
127.0.0.1:65535" gets close - all the reverse tunnels work, but the
only local tunnel that will work is "ssh login@box -L
xxxx:localhost:65535".   

I'd like to use "PermitOpen none" (or just blank) however sshd doesn't
allow this (just checked the source code).

Thanks,

Adrian
-- 
Email: adrian@smop.co.uk  -*-  GPG key available on public key servers
Debian GNU/Linux - the maintainable distribution   -*-  www.debian.org

I thought I'd give it a try.

I added a new function that populates the list of allowed sockets
with NULL, and also added the permitopen none option.

Any feedback on how to improve the code would be nice :-)

//Logan
C-x-C-c
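To make the three configurations discussed in the report concrete, here is an added model (not OpenSSH code, and not the patch attached to this bug) of how sshd decides whether a client's local forward ("-L", a direct-tcpip open) is allowed under AllowTcpForwarding and PermitOpen, including the "PermitOpen none" value this bug adds. The patch in the thread represents "none" as a single permitted-opens entry whose host_to_connect is NULL; the model below uses an explicit flag for the same effect. Hosts are compared literally (the client must name the host exactly as the directive does) and ports numerically; the port wildcard "*" is an assumption of this model. The config texts are constructed samples.

```python
# Added example (not OpenSSH code): a model of sshd's AllowTcpForwarding /
# PermitOpen decision for local-forward (-L, "direct-tcpip") requests.
# Remote forwards (-R) are not gated by PermitOpen at all, which is why the
# reporter's "PermitOpen 127.0.0.1:65535" workaround leaves reverse tunnels
# working but still permits one local forward.
from dataclasses import dataclass, field


@dataclass
class ForwardPolicy:
    allow_tcp_forwarding: bool = True          # AllowTcpForwarding yes|no
    permit_any: bool = True                    # no PermitOpen line, or "PermitOpen any"
    permit_none: bool = False                  # "PermitOpen none" (added by this bug)
    allowed: list = field(default_factory=list)  # [(host, port-or-'*'), ...]


def _split_host_port(spec: str):
    """Split 'host:port' or '[v6addr]:port'; port may be '*' (model assumption)."""
    if spec.startswith("["):
        close = spec.find("]")
        if close < 0 or spec[close + 1:close + 2] != ":":
            raise ValueError(f"bad PermitOpen entry: {spec}")
        host, port = spec[1:close], spec[close + 2:]
    else:
        host, sep, port = spec.rpartition(":")
        if not sep or not host:
            raise ValueError(f"bad PermitOpen entry: {spec}")
    if port != "*":
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in PermitOpen entry: {spec}")
    return host, port


def parse_sshd_config(text: str) -> ForwardPolicy:
    """Read only the two directives that matter here from an sshd_config body."""
    policy = ForwardPolicy()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()    # strip comments, tolerate tabs
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "allowtcpforwarding":
            policy.allow_tcp_forwarding = args[0].lower() == "yes"
        elif key == "permitopen":
            for entry in args:                   # several entries per line are allowed
                low = entry.lower()
                if low == "any":                 # lifts all restrictions
                    policy.permit_any, policy.permit_none = True, False
                    policy.allowed.clear()
                elif low == "none":              # denies every local forward
                    policy.permit_any, policy.permit_none = False, True
                    policy.allowed.clear()
                else:                            # an explicit entry re-enables matching
                    policy.permit_any = policy.permit_none = False
                    policy.allowed.append(_split_host_port(entry))
    return policy


def local_forward_permitted(policy: ForwardPolicy, host: str, port: int):
    """Decide a direct-tcpip request; returns (allowed, reason)."""
    if not policy.allow_tcp_forwarding:
        return False, "AllowTcpForwarding no (blocks -L and -R alike)"
    if policy.permit_none:
        return False, "PermitOpen none"
    if policy.permit_any:
        return True, "PermitOpen any / unrestricted"
    for ahost, aport in policy.allowed:
        if ahost == host and aport in ("*", port):
            return True, f"matches PermitOpen {ahost}:{aport}"
    return False, f"{host}:{port} not in PermitOpen list"


def remote_forward_permitted(policy: ForwardPolicy) -> bool:
    """-R requests depend only on AllowTcpForwarding; PermitOpen does not apply."""
    return policy.allow_tcp_forwarding


# Constructed sample configs for the three situations the report describes.
CONFIG_LOCKDOWN = "AllowTcpForwarding no\n"
CONFIG_WORKAROUND = "AllowTcpForwarding yes\nPermitOpen 127.0.0.1:65535\n"
CONFIG_NONE = "AllowTcpForwarding yes\nPermitOpen none\n"


def evaluate(config_text: str, host: str = "localhost", port: int = 22) -> dict:
    """Summarise what a client could do with -R and with -L <x>:host:port."""
    policy = parse_sshd_config(config_text)
    allowed, reason = local_forward_permitted(policy, host, port)
    return {"remote_ok": remote_forward_permitted(policy),
            "local_ok": allowed, "reason": reason}


if __name__ == "__main__":
    for name, cfg in [("lockdown", CONFIG_LOCKDOWN),
                      ("workaround", CONFIG_WORKAROUND),
                      ("permitopen none", CONFIG_NONE)]:
        print(name, evaluate(cfg))
        print(name, evaluate(cfg, "127.0.0.1", 65535))
```

Running the block prints, for each configuration, whether reverse tunnels survive and whether a local forward to localhost:22 or to 127.0.0.1:65535 would be accepted: the lockdown config kills both directions, the workaround keeps -R working but still accepts the one forward that matches the directive, and "PermitOpen none" keeps -R working while refusing every -L request.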
Comment 1 Loganaden Velvindron 2011-11-20 03:32:20 AEDT
Created attachment 2108
permitOpen none with a single socket
Comment 2 Loganaden Velvindron 2011-11-20 04:55:06 AEDT
Instead of creating a bunch of sockets with host_to_connect set to NULL,
it's simpler to create only one.
Comment 3 Damien Miller 2011-12-02 10:59:23 AEDT
Comment on attachment 2108
permitOpen none with a single socket

Darren is more familiar with this code than I am. The patch looks sane to me though.
Comment 4 Darren Tucker 2011-12-02 11:21:08 AEDT
Looks OK, but I think we need to add the equivalent code to channel_print_adm_permitted_opens() so that it'll output "permitopen none" when it sees the NULL in host_to_connect.
Comment 5 Darren Tucker 2011-12-02 11:59:16 AEDT
Created attachment 2111
permitopen none with sshd -T support
Comment 6 Loganaden Velvindron 2011-12-02 19:32:41 AEDT
Created attachment 2112
OpenBSD sshd permitopen diff

Port of dtucker's patch for openbsd
Comment 7 Loganaden Velvindron 2011-12-08 06:03:12 AEDT
Created attachment 2116
PermitOpen None diff for native OpenSSH

Remove a whitespace in channel_disable_adm_local_opens(void)

& add a space before none in printf() to make it more consistent.

Any comments?
Comment 8 Loganaden Velvindron 2012-01-05 18:30:30 AEDT
Are there other issues that need fixing?
Comment 9 Loganaden Velvindron 2012-01-20 05:34:24 AEDT
ping?
Comment 10 Loganaden Velvindron 2012-02-14 20:14:20 AEDT
Now that the tree is unlocked, any chance this could make it into OpenSSH 6.1?

Patching each machine is a pain...
Comment 11 Darren Tucker 2012-03-30 10:55:34 AEDT
thanks for the patch (and patience).  this has been committed and will be in the 6.1 release.
Comment 12 Loganaden Velvindron 2012-04-01 01:50:13 AEDT
Awesome :-)
Thanks for finding time to look at it!
Comment 13 Damien Miller 2016-08-02 10:41:46 AEST
Close all resolved bugs after 7.3p1 release