i have a very similar use case to bug 1949 where i would like to create a reverse ssh box using: ssh login@box -R 2000:localhost:22 however i would like to be able to specify on the remote server what port/s are able to be forwarded back to the client e.g. only 2000 in this case. this might be accomplished in the same way that permitOpen is used to limit the local forwards allowable on the server: in the sshd_config and/or in the authorized_keys file. in my case the remote server would be a backup machine that allows remote backups from the field, even from behind firewalls, but trusting the client the least amount possible. in the server configuration all the client would be allowed to do is connect to the server and forward a predetermined (set of) port/s back to itself, by which the server could then initiate a remote backup. sincerely, proctor
Some options: 1. Separate option PermitROpen 2000 2001 2002 3000-3999 2. Reuse PermitOpen, but treat numbers without ':' as -R port numbers PermitOpen 127.0.0.1:1234 2000 2001 2002 3000-3999 The advantage of (1) is that we can extend it to allow selection of bind address, but (2) can't do this...
(In reply to comment #1) > Some options: > > 1. Separate option > > PermitROpen 2000 2001 2002 3000-3999 > > 2. Reuse PermitOpen, but treat numbers without ':' as -R port numbers > > PermitOpen 127.0.0.1:1234 2000 2001 2002 3000-3999 > > The advantage of (1) is that we can extend it to allow selection of > bind address, but (2) can't do this... from my point of view either one of these solutions would be _very_ welcome. although i don't require it at this moment, i can certainly imagine scenarios where control over bind address would be valuable. are there any drawbacks to option one? sincerely, proctor
Created attachment 2436 [details] [PATCH] 6.6p1-permitremoteopen I have been wokring on a similar idea. See the attached patch. It works on Linux (6.6p1). It also seems to apply on OpenBSD version 6.4,6.5. https://github.com/antonyantony/openssh/
This patch seems exactly what I need (I had just posted a message to -devs and had started to investigate writing my own patch). I will apply and verify that it works for me (I would want to specify the restricted port on a per-user basis)
Created attachment 2517 [details] tested on 6.7p1 and applies on cvs current too.
What needs to happen to get this patch into master? I have been using this and it seems a sensible, low risk addition
*** Bug 2347 has been marked as a duplicate of this bug. ***
I would like to add that we identified a possible security risk by not being able to restrict the remote port forwarding. Our use case is that we want to give one customer the ability to safely (via ssh tunnel) access a service that is only accessible locally on a machine, but noticed that if we allow him to locally (-L) forward a port, he can also use ssh to bind to any other port via -R. The problem with this is that ssh by default is perfectly happy to bind to ipv6 addresses, even for ports where the ipv4 address is already bound (8080 for some web server for example). Now other more modern tools (e.g. apache) could try to connect to the newly opened ipv6 port instead of the original service, if they are configured to use symbolic names like 'localhost' I don't think this is a big risk, but certainly very unexpected for us.
Please add this feature that's exactly what i need. sincerely Jean-Noel
This would also be highly beneficial for the local setup here. PermitOpen supports local portforward restrictions, but remote PFs cannot be restricted in vanialla OpenSSH at the moment. Please incorporate patch for restricting *remote* port forwards as well. Currently have to do this the clunky way using SELinux or similar to restrict which users may listen on which ports.
I'd love this functionality, please consider for inclusion in OpenSSH 7.6. Is there something different or additional you'd like to see in the patch before you'll include it?
Greetings, I can also only re-affirm the usefulness of such a restriction possibility. Primary concern here is restriction on which listen ports the client can bind to.
Created attachment 3054 [details] 7.5p1 permitremoteopen patch up request to update the here is one for 7.5p1 If you need a patch for CentOS 7.3+ drop me a line.
Are there plans to merge the patch (https://github.com/antonyantony/openssh/) back into openssh? I did not find a open or closed pull request with this patch in https://github.com/openssh/openssh-portable
Not sure why the maintainers let a security-enhancing small patch rot here for several years.
Maybe they need all he energy they have to move to a better integrated issue tracker and code hosting service that also tracks pull requests as a first class object?
*** Bug 2842 has been marked as a duplicate of this bug. ***
I have this exact same use case in the duped bug. Please integrate?
I have the same request too. Can you merge the patch ?
Sadly to see almost 6 years past without final decision. But I'm still looking forwarding to having the feature to close the security loophole in my case.
Created attachment 3152 [details] PermitRemoteOpen directive This is an implementation of PermitRemoteOpen, including regress tests and a small refactoring of the permitopen permissions to enable more sharing of code. TODO: authorized_keys permitremoteopen, PermitRemoteOpen="123" (i.e. bare port number), manual pages.
Created attachment 3153 [details] parse authorized_keys option permitremoteopen="port" this is great. my first attempt to add parsing authrorized_keys permitremote="port"option. It is also updated at https://github.com/antonyantony/openssh thanks.
I just found out that my patch incomplete. it need more work.
*** Bug 2751 has been marked as a duplicate of this bug. ***
I've committed a variant of the patch that names the directive PermitListen and added a permitlisten directive for authorized_keys. This will be in the OpenSSH 7.8 release, due within the next few months.
🎉
... and I just added support for bare port numbers in permitlisten/PermitListen: commit 80e199d6175904152aafc5c297096c3e18297691 (HEAD -> master) Author: djm@openbsd.org <djm@openbsd.org> Date: Tue Jun 19 03:02:17 2018 +0000 upstream: test PermitListen with bare port numbers OpenBSD-Regress-ID: 4b50a02dfb0ccaca08247f3877c444126ba901b3 commit 87ddd676da0f3abd08b778b12b53b91b670dc93c Author: djm@openbsd.org <djm@openbsd.org> Date: Tue Jun 19 02:59:41 2018 +0000 upstream: allow bare port numbers to appear in PermitListen directives, e.g. PermitListen 2222 8080 is equivalent to: PermitListen *:2222 *:8080 Some bonus manpage improvements, mostly from markus@ "looks fine" markus@ OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
Now if only -R0 would pull from these ports specified in PermitListen. PermitListen is halfway to what I'm looking to do. Attempting to brush up on my C enough to craft a solution in the source files.
closing resolved bugs as of 8.6p1 release