bugzilla-daemon at mindrot.org
2022-Dec-30 15:42 UTC
[Bug 3515] New: PermitRemoteOpen not behaving as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=3515
Bug ID: 3515
Summary: PermitRemoteOpen not behaving as expected
Product: Portable OpenSSH
Version: 9.1p1
Hardware: amd64
OS: Mac OS X
Status: NEW
Severity: security
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: georges.chaudy at grafana.com
Hello,
I am raising this as "security" because I am unsure if this is a bug or a feature. Sorry in advance if it's not a bug.
In short, I am struggling to restrict which hosts can be reached when
using dynamic reverse forwarding. It seems that the PermitRemoteOpen
option doesn't work as expected.
The documentation mentions:
```
RemoteForward: ... When acting as a SOCKS proxy, the destination of the
connection can be restricted by PermitRemoteOpen.
```
Unrestricted works as expected
```
$ ssh -R 33000
$$ curl --socks5 localhost:33000 https://www.google.com -I
HTTP/1.1 200 OK
```
Prohibiting all forwarding requests to every host works as expected
```
$ ssh -R 33000 -o PermitRemoteOpen none
$$ curl --socks5 localhost:33000 www.google.com -I
curl: (97) connection to proxy closed
```
Restricting access to t work
```
$ ssh -R 33000 -o PermitRemoteOpen example.com:443
$$ curl --socks5 localhost:33000 www.google.com -I
HTTP/1.1 200 OK <--- this should fail!
```
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-31 00:17 UTC
[Bug 3515] PermitRemoteOpen not behaving as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=3515
Damien Miller <djm at mindrot.org> changed:
| What | Removed | Added |
|---|---|---|
| Assignee | unassigned-bugs at mindrot.org | djm at mindrot.org |
| Status | NEW | ASSIGNED |
| CC | | djm at mindrot.org, dtucker at dtucker.net |
| Attachment #3647 Flags | | ok?(dtucker at dtucker.net) |
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 3647
--> https://bugzilla.mindrot.org/attachment.cgi?id=3647&action=edit
don't consume first PermitRemoteOpen argument
It's a bug. The parsing code for PermitRemoteOpen erroneously consumes
its first argument to look for the special "any/none" keywords and
doesn't record it if it isn't one of those.
We will be flagging this as a security bug in the next release.
Workaround: specify the first PermitRemoteOpen argument twice.
A separate problem is that we don't currently have regression tests for PermitRemoteOpen.
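To make the parsing defect in comment #1 concrete, here is a small Python model of PermitRemoteOpen handling with a `buggy` switch that reproduces the consumed-first-argument behaviour beside the corrected one. This is an added illustration written for this page, not OpenSSH's code; the option grammar it assumes (whitespace-separated `host:port` entries, `*` wildcards, and an empty list meaning "unrestricted") is a simplification of the real semantics.

```python
# Model of the PermitRemoteOpen argument handling described in comment #1.
# Written for this page as an illustration; it is NOT OpenSSH's own parser.
# Assumed (simplified) grammar: a whitespace-separated list where "any" lifts
# all restrictions, "none" forbids every destination, and other entries are
# host:port with "*" allowed as a wildcard host or port. An empty permit list
# is treated as "nothing configured", i.e. unrestricted.

ANY = "any"
NONE = "none"


def parse_permit_remote_open(value, buggy=False):
    """Return ANY, NONE, or a list of (host, port) tuples.

    buggy=True reproduces the 9.1p1 behaviour: the first token is consumed
    while checking for the any/none keywords and then never recorded.
    """
    tokens = value.split()
    if not tokens:
        raise ValueError("PermitRemoteOpen requires at least one argument")
    first = tokens[0]
    if first == ANY:
        return ANY
    if first == NONE:
        return NONE
    # Fixed parser keeps the first token; the buggy one already dropped it.
    remaining = tokens[1:] if buggy else tokens
    permits = []
    for tok in remaining:
        host, sep, port = tok.rpartition(":")  # rpartition keeps [v6]:port intact
        if not sep or not host or not port:
            raise ValueError(f"bad PermitRemoteOpen entry: {tok!r}")
        if port != "*" and not (port.isdigit() and 0 < int(port) <= 65535):
            raise ValueError(f"bad port in PermitRemoteOpen entry: {tok!r}")
        permits.append((host, port))
    return permits


def remote_open_allowed(permits, host, port):
    """Decide whether a SOCKS destination host:port may be opened.

    An empty list means no restriction was configured, which is exactly why
    the silently consumed argument in the report left the proxy wide open.
    """
    if permits == ANY or permits == []:
        return True
    if permits == NONE:
        return False
    return any((h == "*" or h == host) and (p == "*" or p == str(port))
               for h, p in permits)
```

The workaround from comment #1 (repeating the first argument) shows up in the model as the duplicated entry surviving the consumed first token.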
bugzilla-daemon at mindrot.org
2022-Dec-31 03:52 UTC
[Bug 3515] PermitRemoteOpen not behaving as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=3515
Darren Tucker <dtucker at dtucker.net> changed:
| What | Removed | Added |
|---|---|---|
| Attachment #3647 Flags | ok?(dtucker at dtucker.net) | ok+ |
bugzilla-daemon at mindrot.org
2023-Jan-13 02:07 UTC
[Bug 3515] PermitRemoteOpen not behaving as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=3515
Damien Miller <djm at mindrot.org> changed:
| What | Removed | Added |
|---|---|---|
| Resolution | --- | FIXED |
| Blocks | | 3480 |
| Status | ASSIGNED | RESOLVED |
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
This has been applied and will be in OpenSSH 9.2 - thanks!
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3480
[Bug 3480] tracking bug for openssh-9.2
bugzilla-daemon at mindrot.org
2023-Mar-17 02:38 UTC
[Bug 3515] PermitRemoteOpen not behaving as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=3515
Damien Miller <djm at mindrot.org> changed:
| What | Removed | Added |
|---|---|---|
| Status | RESOLVED | CLOSED |
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
OpenSSH 9.3 has been released. Closing resolved bugs.