bugzilla-daemon at bugzilla.mindrot.org
2011-Nov-06 08:51 UTC
[Bug 1949] New: PermitOpen none option
https://bugzilla.mindrot.org/show_bug.cgi?id=1949
Bug #: 1949
Summary: PermitOpen none option
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.9p1
Platform: All
OS/Version: OpenBSD
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: loganaden at gmail.com
Created attachment 2104
--> https://bugzilla.mindrot.org/attachment.cgi?id=2104
permitopen_none option diff
From the Debian bug tracker:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543683
Package: openssh-server
Version: 1:5.1p1-7
Severity: wishlist
I'm trying to setup a reverse SSH box (i.e. one where people stuck
behind NAT can SSH in and initiate a tunnel back to their machine).
They use it something like this:
ssh login at box -R 2000:localhost:22
I'm trying to lock this down as far as possible - in particular I'd
like to disable AllowTcpForwarding, however if I do this it prevents
both local _and_ remote tunnels.
Leaving AllowTcpForwarding open and setting "PermitOpen
127.0.0.1:65535" gets close - all the reverse tunnels work, but the
only local tunnel that will work is "ssh login at box -L
xxxx:localhost:65535".
I'd like to use "PermitOpen none" (or just blank) however sshd doesn't
allow this (just checked the source code).
Thanks,
Adrian
--
Email: adrian at smop.co.uk -*- GPG key available on public key servers
Debian GNU/Linux - the maintainable distribution -*- www.debian.org
I thought I'd give it a try.
I added a new function that populates the list of allowed sockets
with NULL, and also added the permitopen none option.
Any feedback on how to improve the code would be nice :-)
//Logan
C-x-C-c
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
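The two server configurations the report contrasts, written out as an added sshd_config fragment (this is not part of the bug report or of OpenSSH's own files; the addresses and ports are the ones the reporter gives, the comments are mine):

```text
# Workaround from the report: forwarding stays enabled, so clients'
# -R tunnels work, but one local (-L) destination remains reachable:
#   ssh login@box -L xxxx:localhost:65535
AllowTcpForwarding yes
PermitOpen 127.0.0.1:65535

# With the patch from this bug (shipped in OpenSSH 6.1): -R tunnels
# still work, and every direct-tcpip (-L) request is refused
AllowTcpForwarding yes
PermitOpen none
```

PermitOpen only restricts the destinations of client-initiated (-L, direct-tcpip) forwards; remote (-R) forwards are governed by AllowTcpForwarding alone, which is why the report needs both directives. Before the patch, sshd rejects "PermitOpen none" as a syntax error at startup, so test with "sshd -t" after upgrading; once the patch is in, "sshd -T" dumps the effective value as "permitopen none" (that output is what attachment 2111 adds). Later releases (OpenSSH 6.2 and up) also accept "AllowTcpForwarding remote", which disables local forwarding outright and achieves the same effect without PermitOpen.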
bugzilla-daemon at bugzilla.mindrot.org
2011-Nov-19 16:32 UTC
[Bug 1949] PermitOpen none option
https://bugzilla.mindrot.org/show_bug.cgi?id=1949
--- Comment #1 from Loganaden Velvindron <loganaden at gmail.com> 2011-11-20 03:32:20 EST ---
Created attachment 2108
--> https://bugzilla.mindrot.org/attachment.cgi?id=2108
permitOpen none with a single socket
bugzilla-daemon at bugzilla.mindrot.org
2011-Nov-19 17:55 UTC
[Bug 1949] PermitOpen none option
https://bugzilla.mindrot.org/show_bug.cgi?id=1949
--- Comment #2 from Loganaden Velvindron <loganaden at gmail.com> 2011-11-20 04:55:06 EST ---
Instead of creating a bunch of sockets with host_to_connect set to NULL, it's
simpler to create only one.
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-01 23:59 UTC
[Bug 1949] PermitOpen none option
https://bugzilla.mindrot.org/show_bug.cgi?id=1949
Damien Miller <djm at mindrot.org> changed:
What                          |Removed                   |Added
----------------------------------------------------------------------------
Attachment #2108 Flags        |                          |ok?(dtucker at zip.com.au)
--- Comment #3 from Damien Miller <djm at mindrot.org> 2011-12-02 10:59:23 EST ---
Comment on attachment 2108
--> https://bugzilla.mindrot.org/attachment.cgi?id=2108
permitOpen none with a single socket
Darren is more familiar with this code than I am. The patch looks sane
to me though.
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-02 00:21 UTC
[Bug 1949] PermitOpen none option
https://bugzilla.mindrot.org/show_bug.cgi?id=1949
Darren Tucker <dtucker at zip.com.au> changed:
What                          |Removed                   |Added
----------------------------------------------------------------------------
CC                            |                          |dtucker at zip.com.au
--- Comment #4 from Darren Tucker <dtucker at zip.com.au> 2011-12-02 11:21:08 EST ---
Looks OK, but I think we need to add the equivalent code to
channel_print_adm_permitted_opens() so that it'll output "permitopen
none" when it sees the NULL in host_to_connect.
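To make the representation under discussion concrete (the original report's "populate the list with NULL", comment #2's single sentinel entry, and Darren's point that the printer must handle that NULL), here is an added C model written for this page. It is not OpenSSH's channels.c: the table layout and the names permit_entry, permit_clear, permit_add, permit_set_none, permit_check and permit_print are this example's assumptions, chosen to mirror the three places the patch touches (storing the option, the connect-time check, and the sshd -T dump).

```c
/* Added model of sshd's permitted-opens table (not OpenSSH code).
 * Assumed names: permit_entry, permit_clear, permit_add, permit_set_none,
 * permit_check, permit_print. "PermitOpen none" is a single entry whose
 * host_to_connect is NULL, as discussed in bug 1949. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PERMITS 16

struct permit_entry {
    char *host_to_connect;   /* NULL = the "PermitOpen none" sentinel */
    int port_to_connect;     /* 0 = any port */
};

static struct permit_entry permits[MAX_PERMITS];
static int num_permits;      /* 0 = no PermitOpen given: everything allowed */

static char *dup_string(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy != NULL)
        memcpy(copy, s, len);
    return copy;
}

/* Drop every entry. Returns the new entry count (always 0). */
int permit_clear(void)
{
    for (int i = 0; i < num_permits; i++)
        free(permits[i].host_to_connect);   /* free(NULL) is a no-op */
    num_permits = 0;
    return num_permits;
}

/* "PermitOpen host:port": allow one destination. Returns new count or -1. */
int permit_add(const char *host, int port)
{
    if (host == NULL || num_permits >= MAX_PERMITS)
        return -1;
    char *copy = dup_string(host);
    if (copy == NULL)
        return -1;
    permits[num_permits].host_to_connect = copy;
    permits[num_permits].port_to_connect = port;
    return ++num_permits;
}

/* "PermitOpen none": one entry with a NULL host, which can never match.
 * Returns the new entry count (always 1). */
int permit_set_none(void)
{
    permit_clear();
    permits[0].host_to_connect = NULL;
    permits[0].port_to_connect = 0;
    num_permits = 1;
    return num_permits;
}

/* Connect-time check for a direct-tcpip (ssh -L) request: 1 allow, 0 refuse. */
int permit_check(const char *host, int port)
{
    if (num_permits == 0)
        return 1;                        /* unrestricted */
    for (int i = 0; i < num_permits; i++) {
        const struct permit_entry *e = &permits[i];
        if (e->host_to_connect == NULL)
            continue;                    /* the "none" sentinel matches nothing */
        if (strcmp(e->host_to_connect, host) == 0 &&
            (e->port_to_connect == 0 || e->port_to_connect == port))
            return 1;
    }
    return 0;                            /* deny by default once PermitOpen is set */
}

/* The line an "sshd -T" dump would print; must not dereference the sentinel. */
const char *permit_print(void)
{
    static char line[512];
    int n = snprintf(line, sizeof line, "permitopen");
    if (num_permits == 0) {
        snprintf(line + n, sizeof line - n, " any\n");
        return line;
    }
    for (int i = 0; i < num_permits && n < (int)sizeof line; i++) {
        if (permits[i].host_to_connect == NULL)
            n += snprintf(line + n, sizeof line - n, " none");
        else
            n += snprintf(line + n, sizeof line - n, " %s:%d",
                permits[i].host_to_connect, permits[i].port_to_connect);
    }
    if (n < (int)sizeof line)
        snprintf(line + n, sizeof line - n, "\n");
    return line;
}

int main(void)
{
    /* The reporter's workaround: only 127.0.0.1:65535 reachable through -L */
    permit_add("127.0.0.1", 65535);
    printf("%s", permit_print());
    printf("-L to 127.0.0.1:65535 -> %s\n", permit_check("127.0.0.1", 65535) ? "allowed" : "refused");
    printf("-L to 127.0.0.1:22    -> %s\n", permit_check("127.0.0.1", 22) ? "allowed" : "refused");

    /* What the patch adds: refuse every -L request, still report the setting */
    permit_set_none();
    printf("%s", permit_print());
    printf("-L to 127.0.0.1:65535 -> %s\n", permit_check("127.0.0.1", 65535) ? "allowed" : "refused");
    permit_clear();
    return 0;
}
```

The point Darren raises is visible in permit_print: any code that walks the table has to treat a NULL host_to_connect as a distinct case, otherwise the first sshd -T after enabling the option would crash on the sentinel rather than reporting "permitopen none".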
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-02 00:59 UTC
[Bug 1949] PermitOpen none option
https://bugzilla.mindrot.org/show_bug.cgi?id=1949
Darren Tucker <dtucker at zip.com.au> changed:
What                          |Removed                   |Added
----------------------------------------------------------------------------
Attachment #2104 is obsolete  |0                         |1
Attachment #2108 is obsolete  |0                         |1
Attachment #2108 Flags        |ok?(dtucker at zip.com.au) |
--- Comment #5 from Darren Tucker <dtucker at zip.com.au> 2011-12-02 11:59:16 EST ---
Created attachment 2111
--> https://bugzilla.mindrot.org/attachment.cgi?id=2111
permitopen none with sshd -T support
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-02 08:32 UTC
[Bug 1949] PermitOpen none option
https://bugzilla.mindrot.org/show_bug.cgi?id=1949
--- Comment #6 from Loganaden Velvindron <loganaden at gmail.com> 2011-12-02 19:32:41 EST ---
Created attachment 2112
--> https://bugzilla.mindrot.org/attachment.cgi?id=2112
OpenBSD sshd permitopen diff
Port of dtucker's patch for OpenBSD
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-02 21:04 UTC
[Bug 1949] PermitOpen none option
https://bugzilla.mindrot.org/show_bug.cgi?id=1949
Damien Miller <djm at mindrot.org> changed:
What                          |Removed                   |Added
----------------------------------------------------------------------------
Attachment #2111 Flags        |                          |ok+
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-07 19:03 UTC
[Bug 1949] PermitOpen none option
https://bugzilla.mindrot.org/show_bug.cgi?id=1949
Loganaden Velvindron <loganaden at gmail.com> changed:
What                          |Removed                   |Added
----------------------------------------------------------------------------
Attachment #2112 is obsolete  |0                         |1
--- Comment #7 from Loganaden Velvindron <loganaden at gmail.com> 2011-12-08 06:03:12 EST ---
Created attachment 2116
--> https://bugzilla.mindrot.org/attachment.cgi?id=2116
PermitOpen None diff for native OpenSSH
Remove a whitespace in channel_disable_adm_local_opens(void)
& add a space before none in printf() to make it more consistent.
Any comments?
bugzilla-daemon at bugzilla.mindrot.org
2012-Jan-05 07:30 UTC
[Bug 1949] PermitOpen none option
https://bugzilla.mindrot.org/show_bug.cgi?id=1949
--- Comment #8 from Loganaden Velvindron <loganaden at gmail.com> 2012-01-05 18:30:30 EST ---
Are there other issues that need fixing?
bugzilla-daemon at bugzilla.mindrot.org
2012-Jan-19 18:34 UTC
[Bug 1949] PermitOpen none option
https://bugzilla.mindrot.org/show_bug.cgi?id=1949
--- Comment #9 from Loganaden Velvindron <loganaden at gmail.com> 2012-01-20 05:34:24 EST ---
ping?
bugzilla-daemon at bugzilla.mindrot.org
2012-Feb-14 09:14 UTC
[Bug 1949] PermitOpen none option
https://bugzilla.mindrot.org/show_bug.cgi?id=1949
--- Comment #10 from Loganaden Velvindron <loganaden at gmail.com> 2012-02-14 20:14:20 EST ---
Now that the tree is unlocked, any chance this could make it to OpenSSH 6.1?
Patching each machine is a pain...
bugzilla-daemon at bugzilla.mindrot.org
2012-Mar-29 23:55 UTC
[Bug 1949] PermitOpen none option
https://bugzilla.mindrot.org/show_bug.cgi?id=1949
Darren Tucker <dtucker at zip.com.au> changed:
What                          |Removed                   |Added
----------------------------------------------------------------------------
Blocks                        |                          |1986
Status                        |NEW                       |RESOLVED
Resolution                    |                          |FIXED
--- Comment #11 from Darren Tucker <dtucker at zip.com.au> 2012-03-30 10:55:34 EST ---
Thanks for the patch (and patience). This has been committed and will
be in the 6.1 release.
bugzilla-daemon at bugzilla.mindrot.org
2012-Mar-31 14:50 UTC
[Bug 1949] PermitOpen none option
https://bugzilla.mindrot.org/show_bug.cgi?id=1949
--- Comment #12 from Loganaden Velvindron <loganaden at gmail.com> 2012-04-01 01:50:13 EST ---
Awesome :-) Thanks for finding time to look at it!