openssh bugs - May 2017 - [Bug 2711] New: Patch to add permitgwport and restrict permitopen to be a default deny

https://bugzilla.mindrot.org/show_bug.cgi?id=2711

            Bug ID: 2711
           Summary: Patch to add permitgwport and restrict permitopen to
                    be a default deny
           Product: Portable OpenSSH
           Version: 7.2p2
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: devin.nate at qhrtech.com

Created attachment 2975
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2975&action=edit
Patch

This is a patch to:

1. Allow the authorized_keys file to include a new option,
permitgwport="portnum". This allows the server to control what ports a
ssh client may open using ssh -R. If there is no permitgwport, then the
client may not open any ports using ssh -R.

2. Require that authorized_keys file has a permitopen option for each
ssh -L port forwarding the client will request. In particular, if there
are no permitopen statements, do not allow any ports to be opened
(default deny), which is different from normal sshd behaviour which
will allow any ports be opened if there is no permitopen option.

Thanks,

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2711

Devin Nate <devin.nate at qhrtech.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2975|0                           |1
        is obsolete|                            |

--- Comment #1 from Devin Nate <devin.nate at qhrtech.com> ---
Created attachment 2976
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2976&action=edit
Patch

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2711

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org
         Resolution|---                         |FIXED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
We added PermitListen to openssh-7.8 that works similarly

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2711

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.