* CentOS Linux release 7.9.2009 (Core)
* OpenSSH_8.5p1, OpenSSL 1.0.2k-fips 26 Jan 2017 built from sources:
  ./configure --with-md5-passwords --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh

1) As per https://man.openbsd.org/sshd_config.5#Match the Match block allows the "PermitListen" keyword; however:

----- /etc/ssh/sshd_config -----------
Match User user
    PermitListen localhost:5555
--------------------------------------

# systemctl restart sshd
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details

# journalctl -xe
[...skipped...]
Mar 10 08:21:32 lbtest1 systemd[1]: Starting OpenSSH server daemon...
-- Subject: Unit sshd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has begun starting up.
Mar 10 08:21:32 lbtest1 sshd[3973]: /etc/ssh/sshd_config: line 142: Bad configuration option: PermitListen
Mar 10 08:21:32 lbtest1 sshd[3973]: /etc/ssh/sshd_config line 142: Directive 'PermitListen' is not allowed within a Match block
Mar 10 08:21:32 lbtest1 systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
Mar 10 08:21:32 lbtest1 systemd[1]: Failed to start OpenSSH server daemon.
-- Subject: Unit sshd.service has failed
--------------------------------------

2) The permitlisten= option does not work with or without an IP address, while permitopen= works fine in the authorized_key file.

---/home/user/.ssh/authorized_key ----
restrict,pty,port-forwarding,permitopen="localhost:22",permitlisten="5555" ssh-rsa AAAAB3Nza
--------------------------------------

--- Remote port forwarding command and result ----
$ ssh -R 5555:localhost:22 user@xxx.xxx.xxx.xxx
user@xxx.xxx.xxx.xxx: Permission denied (publickey).
-------------------------------------- SSHD log file with DEBUG ------------------------
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: trying public key file /home/user/.ssh/authorized_keys
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: fd 4 clearing O_NONBLOCK
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: allow port forwarding to host localhost port 22
Mar 10 07:53:26 lbtest1 sshd[3781]: Bad options in /home/user/.ssh/authorized_keys file, line 1: permitlisten="5555" ssh-rsa AAAAB3NzaC1yc2EAAAADAQ
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: restore_uid: 0/0
Mar 10 07:53:26 lbtest1 sshd[3781]: Failed publickey for user from xxx.xxx.xxx.xxx port 17445 ssh2: RSA
------------------------

------------------------
Mar 10 07:52:32 lbtest1 sshd[3773]: debug1: allow port forwarding to host localhost port 22
Mar 10 07:52:32 lbtest1 sshd[3773]: Bad options in /home/user/.ssh/authorized_keys file, line 1: permitlisten="localhost:5555" ssh-rsa AAAAB3NzaC1y
Mar 10 07:52:32 lbtest1 sshd[3773]: debug1: restore_uid: 0/0
Mar 10 07:52:32 lbtest1 sshd[3773]: Failed publickey for user from xxx.xxx.xxx.xxx port 50403 ssh2: RSA
------------------------
Are you sure you are running the new binary? Because...

(In reply to Evgeny from comment #0)
> * OpenSSH_8.5p1, OpenSSL 1.0.2k-fips 26 Jan 2017 built from sources:
> ./configure --with-md5-passwords --with-pam --with-selinux
> --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh

by default sshd is installed in /usr/local/sbin:

$ ./configure --help
[...]
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]

and unless you changed the systemd unit file it's probably running the vendor supplied one in /usr/sbin.

A quick test with 8.5p1 here seems to work with the fragment you quote:

$ cat config
Match User dtucker
PermitListen localhost:5555
$ sudo `pwd`/sshd -f `pwd`/config -ddde -p 2022 2>&1 | grep -i permit
debug3: reprocess config:2 setting PermitListen localhost:5555
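The check Darren describes (which sshd the unit actually starts, and a syntax test of the Match/PermitListen fragment against that binary), written out as an added shell example that is not part of this thread and not OpenSSH's own code. It assumes a systemd host (systemctl cat), an OpenSSH built with the default --prefix=/usr/local, a shell whose test builtin supports the non-POSIX but widely available -ef comparison, and that PermitListen/permitlisten= first shipped in OpenSSH 7.8. The BUILT_SSHD variable and the --live flag are the example's own inventions.

```shell
#!/bin/sh
# Added example, not from the bug thread or the OpenSSH project: find out which
# sshd binary the systemd unit runs, whether it is the one you just built, and
# whether each binary is new enough to accept PermitListen inside a Match block.
# Assumptions: systemd host, default --prefix=/usr/local, sh with the -ef test.

# Print the program path from the first ExecStart= line of a unit file read from
# stdin, dropping systemd's optional prefix characters (-, @, +, !, :).
unit_exec_path() {
    sed -n 's/^ExecStart=[-@+!:]*\([^ ]*\).*/\1/p' | head -n 1
}

# Print MAJOR.MINOR from text containing an OpenSSH banner, e.g.
# "OpenSSH_8.5p1, OpenSSL ..." or sshd's "debug1: sshd version OpenSSH_8.5, ...".
openssh_version() {
    sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p' | head -n 1
}

# PermitListen (sshd_config) and permitlisten= (authorized_keys) were added in
# OpenSSH 7.8. Argument: MAJOR.MINOR. Returns 0 if that release has them.
supports_permitlisten() {
    major=${1%%.*}
    minor=${1#*.}
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 8 ]; }; then
        return 0
    fi
    return 1
}

# Live check (run as root so sshd can read its host keys): compare the unit's
# binary with the built one, then syntax-test the Match fragment with each.
check_live() {
    built=${BUILT_SSHD:-/usr/local/sbin/sshd}      # hypothetical variable, example's own
    running=$(systemctl cat sshd.service 2>/dev/null | unit_exec_path)
    echo "unit ExecStart binary: ${running:-<none found>}"
    echo "freshly built binary:  $built"
    if [ -n "$running" ] && [ "$running" -ef "$built" ]; then
        echo "OK: the unit runs the binary you built"
    else
        echo "MISMATCH: point ExecStart= at $built (systemctl edit sshd.service) or rebuild with --prefix=/usr"
    fi

    cfg=$(mktemp) || return 1
    printf 'Match User user\n    PermitListen localhost:5555\n' > "$cfg"
    for bin in "$running" "$built"; do
        [ -n "$bin" ] && [ -x "$bin" ] || continue
        # -t only tests the configuration; -d makes sshd log its version on stderr.
        out=$("$bin" -t -d -f "$cfg" 2>&1)
        ver=$(printf '%s\n' "$out" | openssh_version)
        if supports_permitlisten "${ver:-0.0}" && ! printf '%s\n' "$out" | grep -q 'Bad configuration option'; then
            echo "$bin ($ver): accepts PermitListen inside Match"
        else
            echo "$bin (${ver:-unknown}): rejects the fragment"
            printf '%s\n' "$out" | grep -i 'PermitListen' || true
        fi
    done
    rm -f "$cfg"
}

if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as `sudo sh check-sshd.sh --live` on the affected host; the parsing helpers carry the logic, and the live part only glues them to systemctl and to `sshd -t -d`, which is why the helpers take their input on stdin rather than shelling out themselves.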
Darren, you are right. It was a late night for me when I submitted the bug and I missed this important part. Sorry. Ev.
Glad it's working now!
closing resolved bugs as of 8.6p1 release