Bug 2582 - [PATCH] Allow PermitOpen to use a wildcard hostname with a fixed port
Summary: [PATCH] Allow PermitOpen to use a wildcard hostname with a fixed port
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd (show other bugs)
Version: 7.2p1
Hardware: All All
: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_7_3
  Show dependency treegraph
 
Reported: 2016-06-06 07:18 AEST by AG
Modified: 2016-12-09 12:21 AEDT (History)
3 users (show)

See Also:

Attachments
Patch for PermitOpen hostname wildcard feature (1.06 KB, patch)
2016-06-06 07:18 AEST, AG 		no flags Details | Diff
Wildcard with documentation and clean up (1.41 KB, patch)
2016-06-16 23:09 AEST, Jakub Jelen 		no flags Details | Diff
Fixed copy-paste error, better wording of documentation (1.56 KB, patch)
2016-06-30 00:33 AEST, Jakub Jelen 		no flags Details | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description AG 2016-06-06 07:18:12 AEST 
Created attachment 2826 [details]
Patch for PermitOpen hostname wildcard feature

Added FWD_PERMIT_ANY_HOST to add the ability to use an asterisk to
    mean any hostname matches in a PermitOpen rule. This is simple and
    looks like this:
    
    PermitOpen *:443
    
    One use case here is when OpenSSH is used to broker connectivity to
    a specific TCP based service in a trusted network when the client
    is in an untrusted network. This allows a simple configuration that
    can allow all forwards to service X without the need to provide a
    large list of every server on the trusted network in the sshd_config
    file. Doing doing so is impractical when the trusted network is
    larger than a few hosts as a large list of hosts in sshd_config
    would be unwieldy and would need to be updated constantly if the
    trusted network changes often.
    
    This is a real use case for me- I need to provide this type of
    access to several thousand systems. In any given week there
    might be 2-3 new servers and there might be 2-3 servers that have
    been decommissioned.
    
    This patch is a huge improvement over allowing all ports to all
    hosts, which is all that I can do at this point without having
    a huge management headache. I was very surprised this wasn't
    supported alongside FWD_PERMIT_ANY_PORT. It's a simple enough
    change. I wonder if there was any debate on this or if it just
    slipped through the cracks as an uncommon use case?
    
    Note that this doesn't go down the more complex road of allowing
    more finegrained cases. The '*' is NOT actually a pattern, it is
    a symbol that means any host. Using *.bah.org will not work and
    is not intended to work.
Comment 1 AG 2016-06-06 07:19:50 AEST 
You can view the patch in a browser @ https://github.com/openssh/openssh-portable/pull/44
Comment 2 AG 2016-06-11 05:57:56 AEST 
Oh just to be clear- I have a PAM stack for custom multi factor auth. An HTTPS/CONNECT proxy doesn't help me here. Just realized that might not have been made clear
Comment 3 Jakub Jelen 2016-06-16 23:09:52 AEST 
Created attachment 2834 [details]
Wildcard with documentation and clean up

Proposed patch with cleaned up whitespace changes and documentation (which is by the way missing also for the port), as pointed out by Adam.
Comment 4 Jakub Jelen 2016-06-30 00:33:01 AEST 
Created attachment 2845 [details]
Fixed copy-paste error, better wording of documentation
Comment 5 Darren Tucker 2016-07-19 21:39:45 AEST 
Thanks.  The patch has been applied and will be in the 7.3 release.
Comment 6 Damien Miller 2016-12-09 12:21:20 AEDT 
Bulk mark issues CLOSED in 7.3 release