bugzilla-daemon at mindrot.org
2014-Sep-09 08:02 UTC
[Bug 2273] New: The group of the tunnel device needs to match with the group of the connecting ssh user
https://bugzilla.mindrot.org/show_bug.cgi?id=2273
Bug ID: 2273
Summary: The group of the tunnel device needs to match with the group of the connecting ssh user
Product: Portable OpenSSH
Version: 6.6p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: joe9mail at gmail.com
Hello,
When a tun0 device is created with the below commands on the server:
$ id sshuser
uid=100(sshuser) gid=100(sshusers) groups=100(sshusers)
$ ip tuntap add dev tun0 mode tun user sshuser group users
$ ip link set dev tun0 up
$ ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
and ssh is started with this command from the client:
$ ssh -NTC -w 0:0 -o Tunnel=point-to-point sshuser@<ip-address>
The error message is:
debug1: Remote: Failed to open the tunnel device.
.
.
.
channel 0: open failed: administratively prohibited: open failed
debug1: channel 0: free: tun, nchannels 1
If the group of the tun0 device is changed from "users" to "sshusers", the above ssh connection works fine.
Thanks
Joe
--
You are receiving this mail because:
You are watching the assignee of the bug.
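The behaviour reported above fits an access rule under which a tun device with both an owner and a group set can only be opened by a process that matches both. The script below is an added example, not part of the original report or of OpenSSH: it models that rule as an assumption and reads the device's owner and group attributes from sysfs. The function names are hypothetical, and gid 1000 for "users" is a constructed value.

```shell
#!/bin/sh
# Added example (not OpenSSH code). Assumed rule, matching the report: if the
# tun device has an owner AND a group set, the opener must match both.
# CAP_NET_ADMIN, which would bypass the check, is ignored here.

# tun_open_allowed DEV_OWNER DEV_GROUP UID "GIDS"
# DEV_OWNER and DEV_GROUP are numeric ids, or -1 when unset, as printed by
# /sys/class/net/<dev>/owner and /sys/class/net/<dev>/group.
tun_open_allowed() {
    dev_owner=$1 dev_group=$2 uid=$3 gids=$4
    if [ "$dev_owner" != "-1" ] && [ "$dev_owner" != "$uid" ]; then
        echo "deny: device owner $dev_owner is not uid $uid"
        return 1
    fi
    if [ "$dev_group" != "-1" ]; then
        for g in $gids; do
            if [ "$g" = "$dev_group" ]; then
                echo "allow"
                return 0
            fi
        done
        echo "deny: uid $uid is not in device group $dev_group"
        return 1
    fi
    echo "allow"
}

# check_tun SYSFS_ROOT DEV UID "GIDS": read the device's attributes and decide.
# On a live server: check_tun /sys tun0 "$(id -u sshuser)" "$(id -G sshuser)"
check_tun() {
    attrs="$1/class/net/$2"
    if [ ! -r "$attrs/owner" ] || [ ! -r "$attrs/group" ]; then
        echo "error: $2 has no tun owner/group attributes under $1"
        return 2
    fi
    tun_open_allowed "$(cat "$attrs/owner")" "$(cat "$attrs/group")" "$3" "$4"
}

# Constructed values from the report: sshuser is uid 100 with only gid 100
# (sshusers); 1000 stands in for the gid of "users", which the report omits.
tun_open_allowed 100 1000 100 "100" || true   # group "users": denied
tun_open_allowed 100 100 100 "100"            # group "sshusers": allowed
```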
bugzilla-daemon at mindrot.org
2014-Sep-09 08:03 UTC
[Bug 2273] The group of the tunnel device needs to match with the group of the connecting ssh user
https://bugzilla.mindrot.org/show_bug.cgi?id=2273
joe9mail at gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |joe9mail at gmail.com
bugzilla-daemon at mindrot.org
2014-Sep-09 09:46 UTC
[Bug 2273] The group of the tunnel device needs to match with the group of the connecting ssh user
https://bugzilla.mindrot.org/show_bug.cgi?id=2273
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2266
Resolution|--- |FIXED
CC| |djm at mindrot.org
Status|NEW |RESOLVED
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Generally, the user connecting must have the right
privileges/permissions to open the tun device. So the tunnel device
could have the same group or the same user. This is completely expected
and normal.
I've added a note to the sshd_config manual page mentioning the need
for the tunnel device to have appropriate permissions.
bugzilla-daemon at mindrot.org
2014-Sep-14 01:29 UTC
[Bug 2273] The group of the tunnel device needs to match with the group of the connecting ssh user
https://bugzilla.mindrot.org/show_bug.cgi?id=2273
joe9mail at gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |---
--- Comment #2 from joe9mail at gmail.com ---
The user connecting through ssh (sshuser) is the owner of the device.
The owner of the device has appropriate permissions on the device.
Looks like the permissions are only being checked for the group and not
the user.
bugzilla-daemon at mindrot.org
2015-Mar-02 20:59 UTC
[Bug 2273] The group of the tunnel device needs to match with the group of the connecting ssh user
https://bugzilla.mindrot.org/show_bug.cgi?id=2273
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2266 |
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
OpenSSH 6.8 is approaching release and closed for major work. Retarget
these bugs for the next release.
bugzilla-daemon at mindrot.org
2015-Mar-02 21:01 UTC
[Bug 2273] The group of the tunnel device needs to match with the group of the connecting ssh user
https://bugzilla.mindrot.org/show_bug.cgi?id=2273
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2360
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Retarget to 6.9
bugzilla-daemon at mindrot.org
2015-Jun-05 04:03 UTC
[Bug 2273] The group of the tunnel device needs to match with the group of the connecting ssh user
https://bugzilla.mindrot.org/show_bug.cgi?id=2273
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2360 |
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Could you please attach a debug log from the server so we can figure
out what is going wrong?