bugzilla-daemon at bugzilla.mindrot.org
2008-Aug-27 11:46 UTC
[Bug 1513] New: CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

           Summary: CIDR address/masklen matching support for permitopen
           Product: Portable OpenSSH
           Version: 5.1p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: 238749328749 at gmx.de

In OpenSSH 5.1 you introduced CIDR address/masklen matching for "Match address" blocks in sshd_config as well as supporting CIDR matching in ~/.ssh/authorized_keys from="..." restrictions in sshd.

I wonder whether CIDR address/masklen matching will be implemented for permitopen="host:port" restrictions in sshd as well; that would be quite beneficial (at least for me, maybe others, too ;-). (There was already a request for a feature like that, incl. a patch, back in 2005.)

--> permitopen="net/mask:port(s)"
--> permitopen="net/mask:port_range"

You suggested that I look into it myself (and perhaps contribute a patch...) - I definitively would do that if I'd only speak C...

Thank you - kind regards,
Bert

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-23 01:36 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Blocks|                            |1708
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-03 05:41 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
We are freezing for the OpenSSH 5.6 release. Retargeting these bugs to the next release.
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-03 06:23 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|1708                        |1803
bugzilla-daemon at bugzilla.mindrot.org
2011-Jan-24 01:30 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|1803                        |

--- Comment #2 from Damien Miller <djm at mindrot.org> 2011-01-24 12:30:54 EST ---
Retarget unclosed bugs from 5.7 => 5.8
bugzilla-daemon at bugzilla.mindrot.org
2011-Jan-24 01:31 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1845
bugzilla-daemon at bugzilla.mindrot.org
2011-Mar-28 21:49 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

--- Comment #3 from RyanC <kvhwyucjkp at snkmail.com> 2011-03-29 08:49:02 EST ---
Created attachment 2025
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2025
Feature enhancement patch for permitopen - needs code review/testing/cleanup

This patch changes permitopen to use the same access logic as is available for 'from='. That is:

* CIDR matches - 192.168.0.0/16
* Wildcard matches - *.example.com
* Negated matches - !10.0.0.0/8

Support for port ranges has been added, e.g. 127.0.0.1:* or 127.0.0.1:1-65535

The checking logic has been moved to a function which is called from connect_next, which happens after DNS resolution but before the actual connect call. This is in order to allow a permitopen to www.example.com to still work when the forwarding request is made using the IP address and vice versa.

Negations take precedence over other matches, so one can do something like this:

PermitOpen 0.0.0.0/0:*
PermitOpen !127.0.0.0/8:*

Other things: Get rid of permitopen any?

NOTES:

I've only tested this with PermitOpen in the config file; it should work with permitopen= from an authorized_keys file, but I haven't verified.

I'm not great with C, and someone needs to double-check my work to ensure that I haven't introduced any possible buffer overflows. I understand the gotchas in general regarding buffer overflows and I think I've done everything correctly, but I lack enough experience to be confident.

Some minor changes have been made to return codes given by functions in match.c and code referencing these functions has been updated. Stuff relying on those functions should be tested.

channel_connect_to has been changed to simply call connect_to. It could probably be aliased with a #define but I'm not quite clear on static vs non-static functions in C.

I've attempted to follow coding style, but in a few cases this has led me to do things which seem weird. In particular multi-purposing variables seems questionable to me.

I've used hpdelim to split out CIDR/port mappings, but it doesn't distinguish : from /, so if you permitopen 192.168.0.0/16 it will be parsed as 192.168.0.0, port 16, which is a bit dubious.
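The rule semantics described in comment #3 (CIDR, wildcard host and negated matches, port ranges, negation taking precedence) and the net/mask:port_range form asked for in the original report, written out as an added Python example. This is not RyanC's patch and not OpenSSH code; it is a stand-alone model of the access decision a forwarding target would be checked against. Assumptions: the caller supplies the hostname as requested by the client and the address it resolved to (so a name rule and a network rule can both be consulted after resolution, as the comment describes), IPv6 networks are written in brackets as [2001:db8::/32]:22 (a convention chosen here), and a rule with no port part is rejected instead of being read as host plus port, which avoids the hpdelim ambiguity the comment points out.

```python
"""Model of permitopen-style matching with CIDR, wildcard, negation and port ranges.

Added example; not OpenSSH's code or the attached patch. Sample rules below are
constructed for illustration.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Rule:
    negate: bool
    network: Optional[Network]   # set for CIDR / literal-address rules
    pattern: Optional[str]       # set for hostname (wildcard) rules, lower-cased
    lo: int                      # inclusive port range
    hi: int


def parse_ports(spec: str) -> Tuple[int, int]:
    """'*' -> every port, 'N' -> exactly N, 'N-M' -> inclusive range."""
    if spec == "*":
        return 1, 65535
    lo_s, _, hi_s = spec.partition("-")
    lo = int(lo_s)                       # comma lists such as '22,443' fail here
    hi = int(hi_s) if hi_s else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return lo, hi


def parse_rule(text: str) -> Rule:
    """Parse '[!]host:ports'; host is a CIDR, an address or a hostname pattern."""
    negate = text.startswith("!")
    body = text[1:] if negate else text
    # Split at the LAST ':' so a prefix length ('/16') is never taken for a port.
    # A rule with no ':' at all is an error rather than a guess.
    host, sep, ports = body.rpartition(":")
    if not sep or not host or not ports:
        raise ValueError(f"rule {text!r} must be host:port")
    if host.startswith("[") and host.endswith("]"):   # [v6addr/len]:port (assumed form)
        host = host[1:-1]
    lo, hi = parse_ports(ports)
    try:
        return Rule(negate, ipaddress.ip_network(host, strict=False), None, lo, hi)
    except ValueError:
        # Not an address or network: treat as a hostname pattern, but refuse
        # anything that looks like a malformed address or a glob character class.
        if any(c in host for c in "/[]"):
            raise ValueError(f"bad network or host {host!r}") from None
        return Rule(negate, None, host.lower(), lo, hi)


def parse_rules(specs: Sequence[str]) -> List[Rule]:
    return [parse_rule(s) for s in specs]


def rule_is_valid(text: str) -> bool:
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


def _host_matches(rule: Rule, name: Optional[str], addr: Optional[str]) -> bool:
    if rule.network is not None:
        # Address rules are checked against the resolved address, never the name.
        return addr is not None and ipaddress.ip_address(addr) in rule.network
    return name is not None and fnmatch.fnmatchcase(name.lower(), rule.pattern)


def permitted(rules: Sequence[Rule], name: Optional[str], addr: Optional[str], port: int) -> bool:
    """Deny if any negated rule matches; otherwise allow only if a positive rule matches."""
    hits = [r for r in rules if r.lo <= port <= r.hi and _host_matches(r, name, addr)]
    if any(r.negate for r in hits):
        return False
    return any(not r.negate for r in hits)


# Constructed sample rule sets. RULES_OPEN is the shape shown in the comment:
# permit everything, then carve out loopback (and here also 10/8).
RULES_OPEN = parse_rules(["0.0.0.0/0:*", "!127.0.0.0/8:*", "!10.0.0.0/8:*"])
RULES_TIGHT = parse_rules(["192.168.0.0/16:1-1024", "*.example.com:443", "[2001:db8::/32]:22"])

if __name__ == "__main__":
    for name, addr, port in [(None, "127.0.0.1", 22), ("www.example.com", "10.1.2.3", 443),
                             (None, "192.168.7.7", 8080), ("www.example.com", None, 443)]:
        print(name, addr, port, "->", "permit" if permitted(RULES_TIGHT, name, addr, port) else "deny")
```

Because the negated rule is evaluated against the resolved address, a request for www.example.com that resolves into a negated network is still refused, which is the property the comment's ordering argument relies on; and `rule_is_valid("192.168.0.0/16")` is false rather than silently becoming host 192.168.0.0 on port 16.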
bugzilla-daemon at bugzilla.mindrot.org
2011-Mar-29 13:07 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

vladimir at arobas.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vladimir at arobas.net

--- Comment #4 from vladimir at arobas.net 2011-03-30 00:07:32 EST ---
It would be nice if comma-separated lists of hosts and ports were also supported:

Ex: PermitOpen 10.5.100.34:22,443 10.5.100.2,10.5.100.20:22

Thanks.
bugzilla-daemon at bugzilla.mindrot.org
2011-Mar-29 19:51 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

RyanC <kvhwyucjkp at snkmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kvhwyucjkp at snkmail.com

--- Comment #5 from RyanC <kvhwyucjkp at snkmail.com> 2011-03-30 06:51:29 EST ---
> It would be nice if comma-separated lists of hosts and ports were also
> supported:
> Ex:
> PermitOpen 10.5.100.34:22,443 10.5.100.2,10.5.100.20:22

Space-delimited lists are handled in the sshd config file already. Writing a parser that would handle the situation you suggest would be rather annoying. Additionally, handling lists of ports instead of just a port range requires significantly more complicated handling, both in data structures and access checking. I don't care about it enough to bother doing it.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:34 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1930

--- Comment #6 from Damien Miller <djm at mindrot.org> 2011-09-06 10:34:23 EST ---
Retarget unresolved bugs/features to 6.0 release
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:36 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

--- Comment #7 from Damien Miller <djm at mindrot.org> 2011-09-06 10:36:35 EST ---
Retarget unresolved bugs/features to 6.0 release
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:39 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|1845                        |

--- Comment #8 from Damien Miller <djm at mindrot.org> 2011-09-06 10:39:11 EST ---
Retarget unresolved bugs/features to 6.0 release (try again - bugzilla's "change several" isn't)
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-01 15:06 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

--- Comment #9 from VP <vladimir at arobas.net> 2011-12-02 02:06:14 EST ---
Did some tests, ran it for a few months. Works fine. Thanks a lot, RyanC.
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-01 16:59 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

--- Comment #10 from RyanC <kvhwyucjkp at snkmail.com> 2011-12-02 03:59:54 EST ---
Damien,

Is there anything I can do to increase the likelihood of this getting looked at and maybe included in the next release?

Thanks,
Ryan
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-01 18:02 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

--- Comment #11 from RyanC <kvhwyucjkp at snkmail.com> 2011-12-02 05:02:08 EST ---
The current snapshot breaks my patch. I'm working on a fix.
bugzilla-daemon at bugzilla.mindrot.org
2012-Feb-23 23:34 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1986

--- Comment #12 from Damien Miller <djm at mindrot.org> 2012-02-24 10:34:33 EST ---
Retarget from 6.0 to 6.1
bugzilla-daemon at bugzilla.mindrot.org
2012-Feb-23 23:38 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|1930                        |

--- Comment #13 from Damien Miller <djm at mindrot.org> 2012-02-24 10:38:13 EST ---
Retarget 6.0 => 6.1
bugzilla-daemon at bugzilla.mindrot.org
2012-Apr-25 14:16 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

--- Comment #14 from VP <vladimir at arobas.net> 2012-04-26 00:16:22 EST ---
Ryan, do you plan to create a patch for 6.0 any time soon?

Thanks.
bugzilla-daemon at bugzilla.mindrot.org
2012-Apr-25 18:45 UTC
[Bug 1513] CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513

--- Comment #15 from RyanC <kvhwyucjkp at snkmail.com> 2012-04-26 04:45:49 EST ---
Vladimir,

I'm not currently using OpenSSH 6.0 or higher anywhere that I need this functionality, so forward-porting the patch (which, due to some structural changes in the code, will be non-trivial) is low on my list of priorities - between work, various personal projects and social obligations I don't have a lot of free time.

However, if I could get some feedback from Damien as to what I would need to do to get this patch merged, I would be happy to make the time to spend a weekend forward-porting the patch. I don't want to have to maintain it as a separate patch, and I don't like having to apply custom patches and repackage software that I use.

Damien?

-Ryan