Bug 2846 - PermitOpen rule in sshd_config is not case insensitive
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 7.6p1
Hardware: Other Linux
Importance: P5 major
Assignee: Assigned to nobody
Reported: 2018-03-27 07:39 AEDT by paebbels
Modified: 2021-07-02 15:59 AEST
Description paebbels 2018-03-27 07:39:12 AEDT
The PermitOpen rule in sshd_config holds a list of TCP endpoint and port number tuples delimited by a space character. The endpoint can be specified as an IP address or FQDN. FQDNs are case insensitive, but sshd performs a case sensitive check.


The sshd configuration in sshd_config:

PermitOpen=gitlab.company.de:80 lynq.company.de:3121


Here is the ssh client call:

ssh -L 3121:Lynq.company.de:3121 remote.company.de


Solution:
Perform a case insensitive check.
Comment 1 Damien Miller 2018-04-06 13:32:15 AEST
It would be better to compare FQDNs case-insensitively. There are some corner cases that make implementation a bit more tricky:

The same ForwardPermission members are used for FQDNs, addresses (which are treated as strings anyway) and Unix domain socket paths.

FQDNs are the only ones of these that should be simply compared case-insensitively. Paths are obviously case-sensitive, but surprisingly addresses can be too: IPv6 addresses may have an interface scope that is case-sensitive on some platforms. See bug #2763 for an example of this.

IMO the best way to approach this would be when we are parsing the configuration by doing something similar to what ssh does with hostnames.

If it's a Unix domain socket path, leave it alone.

If it looks like an address, give it a round-trip through getaddrinfo w/AI_NUMERICHOST and getnameinfo to render it as a canonical string.

Otherwise, it's an FQDN; lowercase it.
Comment 2 Damien Miller 2018-08-10 11:38:00 AEST
Retarget remaining bugs planned for 7.8 release to 7.9
Comment 3 Damien Miller 2018-08-10 11:38:22 AEST
Retarget remaining bugs planned for 7.8 release to 7.9
Comment 4 Damien Miller 2018-10-19 17:13:35 AEDT
Retarget unfinished bugs to OpenSSH 8.0
Comment 5 Damien Miller 2018-10-19 17:14:44 AEDT
Retarget unfinished bugs to OpenSSH 8.0
Comment 6 Damien Miller 2018-10-19 17:15:48 AEDT
Retarget unfinished bugs to OpenSSH 8.0
Comment 7 Damien Miller 2019-04-03 10:10:32 AEDT
Retarget outstanding bugs at next release
Comment 8 Damien Miller 2019-10-09 15:07:26 AEDT
Retarget these bugs to 8.2 release
Comment 9 Damien Miller 2020-02-04 11:44:21 AEDT
Prepare for 8.2 release; retarget bugs
Comment 10 Damien Miller 2020-05-08 13:39:20 AEST
Retarget bugs to 8.4 release
Comment 11 Damien Miller 2021-04-23 14:50:15 AEST
retarget after 8.6p1 release
Comment 12 Damien Miller 2021-07-02 15:59:38 AEST
actually, this is really fiddly to do properly.

We can't reliably roundtrip through getaddrinfo/getnameinfo because the PermitOpen directives may refer to addresses scoped to interfaces that may happen not to be available at the time of sshd_config parsing (e.g. some sort of ephemeral tunnel interface). Attempting to scrub these addresses this way could cause them to be incorrectly rejected.

So a better heuristic would be to detect the hostname case (i.e. not path and not address) and only lowercase those. We'd also need to do the same to hostnames coming in for forwarding requests, subject to similar rules.
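
The heuristic from comment 12, as an added example that is not OpenSSH code and not part of this bug report: classify each host as path, address or hostname by syntax alone, lowercase only hostnames, and run the same routine on the configured PermitOpen entry and on the incoming forwarding request. The names classify_host, canon_host and permit_match are hypothetical.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <string.h>

enum host_kind { HOST_PATH, HOST_ADDR, HOST_NAME };

/* Classify by syntax only: no resolver, no interface lookup, so a scope
 * naming an interface that is absent right now still counts as an address. */
static enum host_kind classify_host(const char *h)
{
    unsigned char buf[16];               /* large enough for an in6_addr */
    char tmp[64];
    size_t n = strcspn(h, "%");          /* length before any "%scope" */
    if (h[0] == '/')
        return HOST_PATH;
    if (n >= sizeof(tmp))
        return HOST_NAME;                /* longer than any address literal */
    memcpy(tmp, h, n);
    tmp[n] = '\0';
    if (inet_pton(AF_INET, tmp, buf) == 1 || inet_pton(AF_INET6, tmp, buf) == 1)
        return HOST_ADDR;
    return HOST_NAME;
}

/* Lowercase in place, hostnames only; paths and addresses stay verbatim. */
static void canon_host(char *h)
{
    if (classify_host(h) == HOST_NAME)
        for (; *h != '\0'; h++)
            *h = (char)tolower((unsigned char)*h);
}

/* 1 if the requested host:port matches the permitted one, else 0. */
static int permit_match(const char *rule, int rport, const char *req, int qport)
{
    char a[256], b[256];
    if (rport != qport || strlen(rule) >= sizeof(a) || strlen(req) >= sizeof(b))
        return 0;                        /* fail closed on oversize input */
    memcpy(a, rule, strlen(rule) + 1);   /* lengths checked above */
    memcpy(b, req, strlen(req) + 1);
    canon_host(a);
    canon_host(b);
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Constructed check using the hosts and port from the bug description. */
    return permit_match("lynq.company.de", 3121, "Lynq.company.de", 3121) ? 0 : 1;
}
```

Addresses are compared verbatim here, so two spellings of the same IPv6 address that differ only in hex-digit case still do not match.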