bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-10 13:36 UTC
[Bug 1857] New: [RFE] restrict port forwarding to localhost
https://bugzilla.mindrot.org/show_bug.cgi?id=1857
Summary: [RFE] restrict port forwarding to localhost
Product: Portable OpenSSH
Version: 5.8p1
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: ossman at cendio.se
In a nutshell, I'd very much like to see something like GatewayPort for
PermitOpen, restricting clients to just services on the machine with
sshd.
Currently PermitOpen can only do this if you also specify a certain
port. I'd like to allow any port (it is dynamically selected), but
prevent people from using the sshd machine as a springboard to other
machines. The users will not get a shell, instead ssh is essentially a
VPN layer to get access to more insecure network services on the
machine.
Bug 1513 might be related, although the focus there is on networks
instead of ports. My usecase is limited to restricting to localhost.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-15 04:24 UTC
[Bug 1857] [RFE] restrict port forwarding to localhost
https://bugzilla.mindrot.org/show_bug.cgi?id=1857
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2011-02-15
15:24:33 EST ---
Created attachment 1997
--> https://bugzilla.mindrot.org/attachment.cgi?id=1997
Add port wildcard to permitopen ("permitopen localhost:*")
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-15 04:25 UTC
[Bug 1857] [RFE] restrict port forwarding to localhost
https://bugzilla.mindrot.org/show_bug.cgi?id=1857
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
Blocks| |1845
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:34 UTC
[Bug 1857] [RFE] restrict port forwarding to localhost
https://bugzilla.mindrot.org/show_bug.cgi?id=1857
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1930
--- Comment #2 from Damien Miller <djm at mindrot.org> 2011-09-06 10:34:20
EST ---
Retarget unresolved bugs/features to 6.0 release
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:36 UTC
[Bug 1857] [RFE] restrict port forwarding to localhost
https://bugzilla.mindrot.org/show_bug.cgi?id=1857 --- Comment #3 from Damien Miller <djm at mindrot.org> 2011-09-06 10:36:32 EST --- Retarget unresolved bugs/features to 6.0 release -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:39 UTC
[Bug 1857] [RFE] restrict port forwarding to localhost
https://bugzilla.mindrot.org/show_bug.cgi?id=1857
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|1845 |
--- Comment #4 from Damien Miller <djm at mindrot.org> 2011-09-06 10:39:08
EST ---
Retarget unresolved bugs/features to 6.0 release
(try again - bugzilla's "change several" isn't)
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-23 00:23 UTC
[Bug 1857] [RFE] restrict port forwarding to localhost
https://bugzilla.mindrot.org/show_bug.cgi?id=1857
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #5 from Darren Tucker <dtucker at zip.com.au> 2011-09-23
10:23:22 EST ---
This has been added and will be in the 6.0 release.
Thanks.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
Reasonably Related Threads
- [Bug 1513] New: CIDR address/masklen matching support for permitopen=
- [Bug 1857] [RFE] restrict port forwarding to localhost
- Restrict port forwarding on server
- [PATCH] global port forwarding restriction
- [Bug 2846] New: PermitOpen rule in sshd_config is not case insensitive