2711 – Patch to add permitgwport and restrict permitopen to be a default deny

Bug 2711 - Patch to add permitgwport and restrict permitopen to be a default deny

Summary: Patch to add permitgwport and restrict permitopen to be a default deny

Status:	CLOSED FIXED

Alias:	None

Product:	Portable OpenSSH
Classification:	Unclassified
Component:	sshd (show other bugs)
Version:	7.2p2
Hardware:	All All

Importance:	P5 enhancement
Assignee:	Assigned to nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-05-05 13:33 AEST by Devin Nate
Modified:	2021-04-23 15:00 AEST (History)
CC List:	1 user (show)

See Also:

Attachments
Patch (4.94 KB, application/octet-stream) 2017-05-05 13:33 AEST, Devin Nate	no flags	Details
Patch (4.94 KB, patch) 2017-05-05 13:34 AEST, Devin Nate	no flags	Details \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Devin Nate 2017-05-05 13:33:23 AEST

Created attachment 2975 [details]
Patch

This is a patch to:

1. Allow the authorized_keys file to include a new option, permitgwport="portnum". This allows the server to control what ports a ssh client may open using ssh -R. If there is no permitgwport, then the client may not open any ports using ssh -R.

2. Require that authorized_keys file has a permitopen option for each ssh -L port forwarding the client will request. In particular, if there are no permitopen statements, do not allow any ports to be opened (default deny), which is different from normal sshd behaviour which will allow any ports be opened if there is no permitopen option.

Thanks,

Comment 1 Devin Nate 2017-05-05 13:34:53 AEST

Created attachment 2976 [details]
Patch

Comment 2 Damien Miller 2018-12-07 15:29:00 AEDT

We added PermitListen to openssh-7.8 that works similarly

Comment 3 Damien Miller 2021-04-23 15:00:58 AEST

closing resolved bugs as of 8.6p1 release