Bug 2711 - Patch to add permitgwport and restrict permitopen to be a default deny
Summary: Patch to add permitgwport and restrict permitopen to be a default deny
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 7.2p2
Hardware: All All
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-05 13:33 AEST by Devin Nate
Modified: 2021-04-23 15:00 AEST (History)

See Also:


Attachments
Attachment 2975: Patch (4.94 KB, application/octet-stream), 2017-05-05 13:33 AEST, Devin Nate
Attachment 2976: Patch (4.94 KB, patch), 2017-05-05 13:34 AEST, Devin Nate

Description Devin Nate 2017-05-05 13:33:23 AEST
Created attachment 2975 [details]
Patch

This is a patch to:

1. Allow the authorized_keys file to include a new option, permitgwport="portnum". This allows the server to control which ports an ssh client may open using ssh -R. If there is no permitgwport, then the client may not open any ports using ssh -R.

2. Require that the authorized_keys file has a permitopen option for each ssh -L port forwarding the client will request. In particular, if there are no permitopen statements, do not allow any ports to be opened (default deny), which is different from normal sshd behaviour, which allows any port to be opened if there is no permitopen option.

Thanks,
Comment 1 Devin Nate 2017-05-05 13:34:53 AEST
Created attachment 2976 [details]
Patch
Comment 2 Damien Miller 2018-12-07 15:29:00 AEDT
We added PermitListen to openssh-7.8, which works similarly.
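The following is an added example, not code from this bug report or from OpenSSH. It models the authorized_keys-option layer that the description and Comment 2 discuss: a parser for the comma-separated, double-quoted option field, then two policy checks that mirror how permitopen gates ssh -L and how permitlisten (the authorized_keys form of the PermitListen directive that shipped in 7.8) gates ssh -R, with a default_deny switch that reproduces the default-deny semantics the patch proposed for both directions. It is a deliberate simplification: it ignores the sshd_config PermitOpen/PermitListen layer, the any/none keywords, and IPv6 bracket syntax, and the sample option strings are constructed for illustration.

```python
"""Constructed model of authorized_keys permitopen= / permitlisten= handling.
Added example for this bug report; not OpenSSH's code and a simplification
of sshd's real matching (no sshd_config layer, no any/none, no IPv6 brackets)."""

import re

# Options that switch off TCP forwarding outright in real sshd.
_FORWARDING_OFF = {"no-port-forwarding", "restrict"}


def parse_options(option_string):
    """Split an authorized_keys option field into (name, value) pairs.
    Values are double-quoted, may contain commas, and escape '"' as '\\"'."""
    opts, i, n = [], 0, len(option_string)
    while i < n:
        m = re.match(r"[A-Za-z0-9-]+", option_string[i:])
        if not m:
            raise ValueError(f"bad option at offset {i}")
        name = m.group(0).lower()
        i += len(name)
        value = None
        if i < n and option_string[i] == "=":
            i += 1
            if i >= n or option_string[i] != '"':
                raise ValueError(f"option {name} needs a quoted value")
            i += 1
            buf = []
            while i < n and option_string[i] != '"':
                if option_string[i] == "\\" and i + 1 < n and option_string[i + 1] == '"':
                    buf.append('"')
                    i += 2
                else:
                    buf.append(option_string[i])
                    i += 1
            if i >= n:
                raise ValueError(f"unterminated value for {name}")
            i += 1  # closing quote
            value = "".join(buf)
        opts.append((name, value))
        if i < n:
            if option_string[i] != ",":
                raise ValueError(f"expected ',' at offset {i}")
            i += 1
    return opts


def _port_matches(spec_port, port):
    # OpenSSH accepts '*' as a wildcard port in permitopen/permitlisten.
    return spec_port == "*" or int(spec_port) == port


def allow_local_forward(opts, host, port, default_deny=False):
    """ssh -L request to connect to host:port.
    Shipped sshd: allowed unless at least one permitopen is present and none
    matches. default_deny=True models the proposal: deny unless one matches."""
    names = {k for k, _ in opts}
    if names & _FORWARDING_OFF:
        return False
    specs = [v for k, v in opts if k == "permitopen"]
    if not specs:
        return not default_deny
    for spec in specs:
        spec_host, _, spec_port = spec.rpartition(":")
        if spec_host == host and _port_matches(spec_port, port):
            return True
    return False


def allow_remote_forward(opts, port, default_deny=False):
    """ssh -R request to listen on port. permitlisten="[host:]port" plays the
    role the report proposed for permitgwport; default_deny=True models the
    proposal's behaviour when no such option is present."""
    names = {k for k, _ in opts}
    if names & _FORWARDING_OFF:
        return False
    specs = [v for k, v in opts if k == "permitlisten"]
    if not specs:
        return not default_deny
    for spec in specs:
        spec_port = spec.rpartition(":")[2]
        if _port_matches(spec_port, port):
            return True
    return False


if __name__ == "__main__":
    # Constructed option field, as it would appear before the key type.
    opts = parse_options(
        'permitopen="10.0.0.5:443",permitopen="10.0.0.5:80",permitlisten="8022",command="/bin/true"'
    )
    print(allow_local_forward(opts, "10.0.0.5", 443))   # True: listed target
    print(allow_local_forward(opts, "10.0.0.6", 443))   # False: permitopen present, no match
    print(allow_remote_forward(opts, 8022))             # True: listed listen port
    print(allow_remote_forward(opts, 2222))             # False: not listed
    bare = parse_options("no-agent-forwarding")
    print(allow_local_forward(bare, "10.0.0.5", 443))   # True: shipped default-allow
    print(allow_local_forward(bare, "10.0.0.5", 443, default_deny=True))  # False: proposal
```

The interesting comparison is the last two calls: with no permitopen at all, shipped sshd permits any -L target, while the patch in this report would refuse it; the same switch applies to -R via permitlisten. In a real deployment the equivalent lockdown is done per key with permitopen=/permitlisten= options, or server-wide with PermitOpen/PermitListen in sshd_config, rather than by changing sshd's defaults.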
Comment 3 Damien Miller 2021-04-23 15:00:58 AEST
Closing resolved bugs as of the 8.6p1 release.