Bug 3099 - no name lookup (and not documented) for permitopen option
Summary: no name lookup (and not documented) for permitopen option
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 7.2p2
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2019-11-27 20:55 AEDT by Phil Dumont
Modified: 2021-04-23 14:57 AEST (History)

Description Phil Dumont 2019-11-27 20:55:04 AEDT
Empirical evidence indicates that name lookup is not done when comparing the host given in the client's -L option argument and the host given in authorized_keys' permitopen option.  For example, if permitopen specifies 127.0.0.1, and ssh -L offers localhost (or vice versa), the port forward will not be permitted.

This is slightly counterintuitive.

There may be a legitimate reason why the name lookup deliberately is not done (though I'd be hard pressed to come up with such a reason).  But if so, it would be nice if the fact were documented.  It's currently not mentioned on the sshd man page.  The man page does mention no pattern matching on the host, but it doesn't say anything about no name lookup.

But if there isn't a reason for it (beyond just haven't got to it yet), please consider adding it.
Comment 1 Damien Miller 2020-01-25 17:06:29 AEDT
I've added some verbiage to the manual pages to make it clear that no hostname expansion is performed on PermitOpen/permitopen contents. This will be shipped in OpenSSH 8.2.

We don't want to add hostname expansion on this path, it's complicated enough as it is.
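As an added example (not code from the bug thread or from OpenSSH itself), the Python below models the literal comparison the description observes and comment 1 confirms: an `authorized_keys` option string is parsed for its `permitopen="host:port"` values and a requested forward is matched by plain string equality, so `localhost` never satisfies `127.0.0.1`. The functions `parse_permitopen`, `forward_permitted` and `loopback_gaps`, and the sample option string, are constructed for this example and are not sshd's own parser; the last function is a small audit helper that reports which loopback spellings a key's entries leave out.

```python
import re
from typing import List, Tuple

# Hypothetical option string for one authorized_keys entry (constructed sample).
SAMPLE_OPTIONS = 'restrict,port-forwarding,permitopen="127.0.0.1:8080",permitopen="[::1]:*"'

# Documented value shapes: host:port, [ipv6]:port, and '*' as any-port wildcard.
PERMITOPEN_RE = re.compile(r'permitopen="([^"]*)"')

# Spellings of the loopback host that sshd treats as three different strings.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_permitopen(options: str) -> List[Tuple[str, str]]:
    """Return (host, port) pairs from every permitopen option in the string."""
    entries = []
    for value in PERMITOPEN_RE.findall(options):
        if value.startswith("["):                      # [::1]:port form
            host, _, port = value[1:].partition("]:")
        else:                                          # host:port form
            host, _, port = value.rpartition(":")
        if not host or not port:
            raise ValueError(f"malformed permitopen value: {value!r}")
        entries.append((host, port))
    return entries


def forward_permitted(entries: List[Tuple[str, str]], host: str, port: int) -> bool:
    """Literal match only: no pattern matching and no name lookup on host."""
    for allowed_host, allowed_port in entries:
        if allowed_host != host:
            continue
        if allowed_port == "*" or int(allowed_port) == port:
            return True
    return False


def loopback_gaps(entries: List[Tuple[str, str]]) -> List[str]:
    """Audit helper: loopback spellings not listed when at least one is.

    A client that names the target with one of these spellings would be
    refused, which is the mismatch the bug report describes.
    """
    listed = {host for host, _ in entries if host in LOOPBACK}
    if listed and listed != LOOPBACK:
        return sorted(LOOPBACK - listed)
    return []


if __name__ == "__main__":
    entries = parse_permitopen(SAMPLE_OPTIONS)
    print(entries)
    print(forward_permitted(entries, "127.0.0.1", 8080))   # True
    print(forward_permitted(entries, "localhost", 8080))   # False: no lookup
    print(loopback_gaps(entries))                          # ['localhost']
```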
Comment 2 Damien Miller 2021-04-23 14:57:40 AEST
closing resolved bugs as of 8.6p1 release