bugzilla-daemon at mindrot.org
2014-Sep-09 07:55 UTC
[Bug 2272] New: Global "PermitTunnel Yes" required to connect to a tunnel
https://bugzilla.mindrot.org/show_bug.cgi?id=2272
Bug ID: 2272
Summary: Global "PermitTunnel Yes" required to connect to a tunnel
Product: Portable OpenSSH
Version: 6.6p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: joe9mail at gmail.com
Hello,
When a tun0 device is created with the below commands on the server:
ip tuntap add dev tun0 mode tun user sshuser group sshusers
ip link set dev tun0 up
ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
and ssh is started with this command from the client:
ssh -NTC -w 0:0 -o Tunnel=point-to-point sshuser@<ip-address>
Working extract from sshd_config:
PermitTunnel yes
Match User sshuser
PermitTunnel yes
NOT Working extract from sshd_config (below is the message):
PermitTunnel no
Match User sshuser
PermitTunnel yes
The error message with a -v is:
debug1: Remote: Server has rejected tunnel device forwarding
Thanks
Joe
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Sep-09 07:56 UTC
[Bug 2272] Global "PermitTunnel Yes" required to connect to a tunnel
https://bugzilla.mindrot.org/show_bug.cgi?id=2272
joe9mail at gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |joe9mail at gmail.com
bugzilla-daemon at mindrot.org
2014-Sep-09 09:47 UTC
[Bug 2272] Global "PermitTunnel Yes" required to connect to a tunnel
https://bugzilla.mindrot.org/show_bug.cgi?id=2272
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Status|NEW |RESOLVED
Resolution|--- |WORKSFORME
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Yes, that's working as intended. sshd should refuse tunnel connections
unless the administrator has explicitly configured it. This is already
mentioned in the sshd_config manual.
bugzilla-daemon at mindrot.org
2014-Sep-11 21:28 UTC
[Bug 2272] Global "PermitTunnel Yes" required to connect to a tunnel
https://bugzilla.mindrot.org/show_bug.cgi?id=2272
Kevin Korb <kmk at sanitarium.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
CC| |kmk at sanitarium.net
Resolution|WORKSFORME |---
--- Comment #2 from Kevin Korb <kmk at sanitarium.net> ---
I don't understand how setting PermitTunnel yes in a Match block does
not count as the administrator explicitly configuring tunnels (and only
allowing them for certain users).
If the PermitTunnel setting within a Match block can only be used to
disable tunneling for the matched criteria then I can't find that
information in the man page.
bugzilla-daemon at mindrot.org
2014-Sep-24 08:43 UTC
[Bug 2272] Global "PermitTunnel Yes" required to connect to a tunnel
https://bugzilla.mindrot.org/show_bug.cgi?id=2272
Sami Hartikainen <hasa100 at hotmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |hasa100 at hotmail.com
--- Comment #3 from Sami Hartikainen <hasa100 at hotmail.com> ---
(In reply to Damien Miller from comment #1)
> Yes, that's working as intended. sshd should refuse tunnel
> connections unless the administrator has explicitly configured it.
> This is already mentioned in the sshd_config manual.
sshd_config manual on Match block states:
"...keywords on the following lines override those
set in the global section of the config file..."
I'd say the bug report is valid.
bugzilla-daemon at mindrot.org
2014-Sep-24 08:49 UTC
[Bug 2272] Global "PermitTunnel Yes" required to connect to a tunnel
https://bugzilla.mindrot.org/show_bug.cgi?id=2272
--- Comment #4 from Sami Hartikainen <hasa100 at hotmail.com> ---
Created attachment 2480
--> https://bugzilla.mindrot.org/attachment.cgi?id=2480&action=edit
Fix Match block overrides failing if global option set
In addition to the PermitTunnel option, this patch fixes the issue with
RekeyLimit (reason being the same). It looks like the StreamLocalBindMask
may also be affected similarly. As the option is undocumented, the patch
does not touch it.
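The following is an added illustration and not code from OpenSSH or from anyone in this thread. It models, in Python, how a per-connection sshd_config option is resolved and why the reporter's "global no, Match yes" extract ended up denying the tunnel: sshd parses the file once at startup with the global section active, then re-reads it for each connection into a fresh option set with the global section inactive and only matching Match blocks active, applying "first value seen wins". If a keyword's parser skips the "is this line in an active section" test (the `activep` flag named in attachment 2614), the inactive global line is consumed first in the per-connection pass and the Match line is ignored. The exact OpenSSH code paths are my reading of the thread, not something the thread states, and only `Match User` criteria are modelled. The `match_overrides_at_risk` helper is an assumed audit aid for administrators who still run a release older than the 6.9 fix named in comment #6: it flags keywords set both globally and inside a Match block.

```python
"""Constructed model of sshd_config option resolution across Match blocks.

This is not OpenSSH code. It mimics two passes over the file: a startup
pass (global section active, no connection so Match blocks inactive) and
a per-connection pass (global section inactive, Match blocks active when
their criteria match). `activep_check=False` reproduces the behaviour
reported in this bug, `activep_check=True` the behaviour after the fix.
"""

# Constructed sshd_config extracts, copied from the bug report.
NOT_WORKING_CONFIG = """\
PermitTunnel no
Match User sshuser
    PermitTunnel yes
"""

WORKING_CONFIG = """\
PermitTunnel yes
Match User sshuser
    PermitTunnel yes
"""


def _match_active(criteria, user):
    """Only 'Match User <name>' is modelled; user=None means no connection."""
    parts = criteria.split()
    return (user is not None and len(parts) == 2
            and parts[0].lower() == "user" and parts[1] == user)


def parse_pass(config_text, keyword, user, global_active, activep_check):
    """One pass over the file. Returns the first value that takes effect
    for `keyword`, or None if no line in an active section sets it."""
    active = global_active
    value = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, arg = line.partition(" ")
        key, arg = key.lower(), arg.strip()
        if key == "match":
            active = _match_active(arg, user)
            continue
        if key != keyword.lower():
            continue
        if activep_check and not active:
            continue            # fixed parser: ignore lines in inactive sections
        if value is None:       # sshd rule: the first value seen wins
            value = arg
    return value


def effective_option(config_text, keyword, user, default, activep_check=True):
    """Value a connection for `user` sees: per-connection override if one
    was set, else the startup (global) value, else the built-in default."""
    startup = parse_pass(config_text, keyword, None, True, activep_check)
    override = parse_pass(config_text, keyword, user, False, activep_check)
    if override is not None:
        return override
    return startup if startup is not None else default


def match_overrides_at_risk(config_text, keywords=("PermitTunnel", "RekeyLimit")):
    """Assumed audit aid: keywords that appear both in the global section and
    inside a Match block, the pattern this bug affected before OpenSSH 6.9."""
    in_global, in_match, active = set(), set(), False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split()[0].lower()
        if key == "match":
            active = True
            continue
        (in_match if active else in_global).add(key)
    return [k for k in keywords if k.lower() in in_global and k.lower() in in_match]


if __name__ == "__main__":
    for check in (False, True):
        print("activep check", check, "-> sshuser sees PermitTunnel",
              effective_option(NOT_WORKING_CONFIG, "PermitTunnel", "sshuser",
                               "no", activep_check=check))
    print("at risk:", match_overrides_at_risk(NOT_WORKING_CONFIG))
```

Running it prints "no" for the unfixed parser and "yes" for the fixed one on the reporter's extract, and lists PermitTunnel as the keyword whose Match override is at risk. On a live host the authoritative check is sshd's own test mode, `sshd -T -C user=sshuser`, which prints the option set that user would receive.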
bugzilla-daemon at mindrot.org
2015-May-01 05:15 UTC
[Bug 2272] Global "PermitTunnel Yes" required to connect to a tunnel
https://bugzilla.mindrot.org/show_bug.cgi?id=2272
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2480|0 |1
is obsolete| |
Status|REOPENED |ASSIGNED
CC| |dtucker at zip.com.au
Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
Attachment #2614| |ok?(dtucker at zip.com.au)
Flags| |
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Created attachment 2614
--> https://bugzilla.mindrot.org/attachment.cgi?id=2614&action=edit
more activep checks
bugzilla-daemon at mindrot.org
2015-May-01 05:44 UTC
[Bug 2272] Global "PermitTunnel Yes" required to connect to a tunnel
https://bugzilla.mindrot.org/show_bug.cgi?id=2272
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2614|ok?(dtucker at zip.com.au) |ok+
Flags| |
bugzilla-daemon at mindrot.org
2015-May-01 07:08 UTC
[Bug 2272] Global "PermitTunnel Yes" required to connect to a tunnel
https://bugzilla.mindrot.org/show_bug.cgi?id=2272
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Patch applied - this will be in openssh-6.9
bugzilla-daemon at mindrot.org
2015-Aug-11 13:03 UTC
[Bug 2272] Global "PermitTunnel Yes" required to connect to a tunnel
https://bugzilla.mindrot.org/show_bug.cgi?id=2272
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1