Bug 2842 - PermitListen, like PermitOpen but for -R (remote port forwarding)
Status: CLOSED DUPLICATE of bug 2038
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 7.6p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2018-03-22 01:22 AEDT by bolt
Modified: 2021-04-23 14:59 AEST
Description bolt 2018-03-22 01:22:34 AEDT
I made a setup where several road warriors (varying IPs) connect to home base and forward one port each to their local SSH ports, i.e.:
"ssh rw1002@homebase -n -N -R 5002:localhost:22"
"ssh rw1003@homebase -n -N -R 5003:localhost:22"

I cannot find an option to restrict user rw1002 from forwarding port 5003, or for that matter stealing port 1080 or 8080 or whatever else local services might be configured to use if they're not running at the time. Several important things use ports >=1024 these days.

PermitOpen restricts destinations for forwarding with -L.
I'm missing a similar option for -R.

Example:
Match User rw1002
    PermitListen 5002
Match User rw1003
    PermitListen 0.0.0.0:5003
Match User rw1004
    PermitListen localhost:5004

Similarly, having the option to do this in authorized_keys files would, I think, be awesome.
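
Added example, not part of the original report and not OpenSSH code: a small Python audit that reads sshd_config text and lists the accounts whose "ssh -R" listen ports are not pinned by PermitListen, which is the gap the description above reports. It assumes an sshd that supports PermitListen, models only literal "Match User" blocks, and runs on a constructed sample config.

```python
# Added example (not OpenSSH code): list the accounts in an sshd_config whose
# `ssh -R` listen ports are not pinned by PermitListen.
# Assumption: only literal "Match User a,b" blocks are modelled; patterns,
# other Match criteria and Include files are not handled.
SAMPLE_CONFIG = """\
# constructed sample based on the report's road-warrior setup
Match User rw1002
    PermitListen 5002
Match User rw1003
    PermitListen 0.0.0.0:5003
Match User rw1004
    AllowTcpForwarding remote
Match User rw1005
    PermitListen localhost:*
"""

def permitlisten_by_user(config_text):
    """Return {user: [PermitListen specs]}; key None holds the global section."""
    rules, current = {None: []}, [None]
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        args = parts[1].split() if len(parts) > 1 else []
        if keyword == "match":
            # A Match block without a literal User criterion is skipped.
            is_user = len(args) >= 2 and args[0].lower() == "user"
            current = args[1].split(",") if is_user else []
            for user in current:
                rules.setdefault(user, [])
        elif keyword == "permitlisten":
            for user in current:
                rules[user].extend(args)
    return rules

def is_open(spec):
    """True for 'any' or a wildcard port such as '*' or 'host:*'."""
    return spec.lower() == "any" or spec.rsplit(":", 1)[-1] == "*"

def unrestricted_users(config_text):
    """Users who can still bind arbitrary ports with remote forwarding."""
    rules = permitlisten_by_user(config_text)
    global_specs = rules.pop(None)
    # A user block without its own PermitListen falls back to the global one.
    return sorted(user for user, specs in rules.items()
                  if not (specs or global_specs)
                  or any(is_open(s) for s in (specs or global_specs)))
```

On a live host, "sshd -T -C user=NAME" prints the effective settings sshd itself computes for a user and is the authoritative check.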
Comment 1 Jakub Jelen 2018-03-22 02:46:25 AEDT
Isn't this solved by the patch proposed in bug #2038?
Comment 2 bolt 2018-03-22 05:30:34 AEDT
It does indeed seem like that would take care of this issue.
My search-fu needs more practice, it would seem.

Thanks.

*** This bug has been marked as a duplicate of bug 2038 ***
Comment 3 Damien Miller 2021-04-23 14:59:56 AEST
closing resolved bugs as of 8.6p1 release