Hello, I am raising this as "security" because I am unsure if this is a bug or a feature. Sorry in advance if it's not a bug. In short, I am struggling to restrict which hosts can be reached when using dynamic reverse forwarding. It seems that the PermitRemoteOpen option doesn't work as expected. The documentation mentions:
```
RemoteForward: ... When acting as a SOCKS proxy, the destination of the connection can be restricted by PermitRemoteOpen.
```
Unrestricted works as expected:
```
$ ssh -R 33000 $
$ curl --socks5 localhost:33000 https://www.google.com -I
HTTP/1.1 200 OK
```
Prohibiting all forwarding requests to every host works as expected:
```
$ ssh -R 33000 -o PermitRemoteOpen none $
$ curl --socks5 localhost:33000 www.google.com -I
curl: (97) connection to proxy closed
```
Restricting access to a specific host doesn't work:
```
$ ssh -R 33000 -o PermitRemoteOpen example.com:443 $
$ curl --socks5 localhost:33000 www.google.com -I
HTTP/1.1 200 OK <--- this should fail!
```
Created attachment 3647: don't consume first PermitRemoteOpen argument. It's a bug. The parsing code for PermitRemoteOpen erroneously consumes its first argument to look for the special "any/none" keywords and doesn't record it if it isn't one of those. We will be flagging this as a security bug in the next release. Workaround: specify the first PermitRemoteOpen argument twice. A separate problem is that we don't currently have regression tests for PermitRemoteOpen.
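To make the failure mode above concrete, here is a small model of a PermitRemoteOpen-style parser and the matching destination check. This is an added example written for this page, not OpenSSH's own code: the structures, function names (`parse_permit_remote_open`, `remote_open_permitted`, `check`), the fixed-size list and the `buggy` switch are all invented for illustration, and wildcard ports are not modelled. The `buggy` switch reproduces the defect described in the comment (the first token is consumed while looking for "any"/"none" and never recorded), which is why a sole `example.com:443` entry degrades into permit-all, and why repeating the first argument works around it.

```c
/* Illustrative model of a PermitRemoteOpen-style option parser and the
 * permission check that consumes it.  Added example code, not OpenSSH's
 * implementation; all names and structures here are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PERMITS 16

struct permit_list {
    int permit_none;               /* "none": refuse every destination */
    int nperm;                     /* number of recorded host:port entries */
    char hosts[MAX_PERMITS][64];
    int ports[MAX_PERMITS];
};

/* Record one "host:port" entry. Returns 0 on success, -1 on malformed input. */
static int add_permit(struct permit_list *pl, const char *spec)
{
    const char *colon = strrchr(spec, ':');
    if (colon == NULL || pl->nperm >= MAX_PERMITS)
        return -1;
    size_t hlen = (size_t)(colon - spec);
    if (hlen == 0 || hlen >= sizeof(pl->hosts[0]))
        return -1;
    memcpy(pl->hosts[pl->nperm], spec, hlen);
    pl->hosts[pl->nperm][hlen] = '\0';
    pl->ports[pl->nperm] = atoi(colon + 1);   /* no "*" wildcard in this model */
    if (pl->ports[pl->nperm] <= 0)
        return -1;
    pl->nperm++;
    return 0;
}

/* Parse the whitespace-separated option value.
 * buggy != 0 reproduces the reported defect: the first token is consumed
 * while looking for "any"/"none" and, if it is neither, is never recorded.
 * buggy == 0 records that token like every other one. */
static int parse_permit_remote_open(struct permit_list *pl, const char *value, int buggy)
{
    char buf[512];
    char *tok;
    int first = 1;

    memset(pl, 0, sizeof(*pl));
    if (strlen(value) >= sizeof(buf))
        return -1;
    strcpy(buf, value);

    for (tok = strtok(buf, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        if (first) {
            first = 0;
            if (strcmp(tok, "any") == 0)
                return 0;                  /* unrestricted */
            if (strcmp(tok, "none") == 0) {
                pl->permit_none = 1;
                return 0;
            }
            if (buggy)
                continue;                  /* defect: first real entry dropped */
        }
        if (add_permit(pl, tok) != 0)
            return -1;
    }
    return 0;
}

/* Decide whether a SOCKS destination may be opened.  An empty list with
 * "none" unset means unrestricted, so a dropped sole entry silently turns a
 * restriction into permit-all. */
static int remote_open_permitted(const struct permit_list *pl, const char *host, int port)
{
    if (pl->permit_none)
        return 0;
    if (pl->nperm == 0)
        return 1;
    for (int i = 0; i < pl->nperm; i++) {
        if (strcmp(pl->hosts[i], host) == 0 && pl->ports[i] == port)
            return 1;
    }
    return 0;
}

/* Parse an option value, then check one destination.
 * Returns 1 (permitted), 0 (refused) or -1 (malformed option). */
int check(const char *option_value, const char *host, int port, int buggy)
{
    struct permit_list pl;
    if (parse_permit_remote_open(&pl, option_value, buggy) != 0)
        return -1;
    return remote_open_permitted(&pl, host, port);
}

int main(void)
{
    printf("buggy,  example.com:443            -> www.google.com:443: %d\n",
           check("example.com:443", "www.google.com", 443, 1));
    printf("fixed,  example.com:443            -> www.google.com:443: %d\n",
           check("example.com:443", "www.google.com", 443, 0));
    printf("buggy,  entry repeated (workaround) -> www.google.com:443: %d\n",
           check("example.com:443 example.com:443", "www.google.com", 443, 1));
    printf("buggy,  none                       -> www.google.com:443: %d\n",
           check("none", "www.google.com", 443, 1));
    return 0;
}
```

The point of the model is the interaction between two individually reasonable decisions: "empty list means unrestricted" and "the first token is special". Once the parser drops the first non-keyword token, a single-entry restriction is indistinguishable from no restriction at all, which matches the reporter's third transcript exactly. A regression test for the option should therefore assert on a single-entry value, not only on "any", "none" and multi-entry lists.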
This has been applied and will be in OpenSSH 9.2 - thanks!
OpenSSH 9.3 has been released. Close resolved bugs