bugzilla-daemon at bugzilla.mindrot.org
2017-May-08 12:57 UTC
[Bug 2716] New: [PATCH] Add "permitlisten" support for -R style forward
https://bugzilla.mindrot.org/show_bug.cgi?id=2716

            Bug ID: 2716
           Summary: [PATCH] Add "permitlisten" support for -R style forward
           Product: Portable OpenSSH
           Version: 7.5p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: philipp.heckel at gmail.com

Created attachment 2977
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2977&action=edit
Add "permitlisten" support for -R style forward

Hi there,

my apologies for duplicating this message here. I saw too late that there is
also a public bug tracker.

This patch adds support for per-key restriction of -R style forwards via a
"permitlisten"-option in the authorized_keys file -- similar to the
"permitopen"-option for -L style forwards. This is desirable if you want to
have restricted accounts/keys that can only be used for -R style forwards on
certain ports.

With this example authorized_keys file:

    restrict,permitlisten="localhost:8080" ssh-rsa AAAAB3Nza...

This is allowed:

    $ ssh -R 8080:localhost:80 root@localhost -N

While this is not allowed (note port 8081):

    $ ssh -R 8081:localhost:80 root@localhost -N
    Error: remote port forwarding failed for listen port 8081

This is a preliminary patch (no support for a servconf option "PermitListen"
yet), because I wanted to get early feedback before continuing.

Do you think this approach is correct? Would this be a desirable feature? Is
"permitlisten" the correct name for this? Or would "permitropen",
"permitremoteopen" be better suited?

Best,
Philipp Heckel

WIP branch/pull: https://github.com/openssh/openssh-portable/pull/65
Mailing list:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2017-May/036000.html

--
You are receiving this mail because:
You are watching the assignee of the bug.
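Added example, not part of the bug report or of the OpenSSH patch: a simplified Python model of the per-key check described in the message above, usable for auditing which -R listen requests an authorized_keys entry would permit. The function names and the matching rules (literal host comparison, "*" as any port, a permitlisten value without a host matching any requested host) are assumptions of this example, not sshd's own code.

```python
# Simplified audit model of per-key permitlisten checks (added example).
# Assumed rules: literal host match, "*" = any port, option without host = any host.
# Backslash-escaped quotes inside option values are not handled.

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def split_options(line):
    """Return the options of an authorized_keys line, split on unquoted commas."""
    if line.startswith(KEY_PREFIXES):
        return []                      # line starts with the key type: no options
    opts, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted        # quotes delimit values such as host:port
        elif ch == "," and not quoted:
            opts.append(cur); cur = ""
        elif ch.isspace() and not quoted:
            break                      # first unquoted space ends the options field
        else:
            cur += ch
    return [o for o in opts + [cur] if o]

def permitted_listens(line):
    """Collect (host, port) pairs from every permitlisten option on the line."""
    pairs = []
    for opt in split_options(line):
        name, _, value = opt.partition("=")
        if name.lower() == "permitlisten":
            host, sep, port = value.rpartition(":")
            pairs.append((host.strip("[]").lower() if sep else None, port))
    return pairs

def listen_request(r_spec):
    """Map an ssh -R argument to the (listen_host, listen_port) the client asks for."""
    parts = r_spec.split(":")          # bracketed IPv6 bind addresses not handled
    if len(parts) == 3:                # port:host:hostport, no bind address given
        return "localhost", parts[0]   # ssh sends "localhost" in this case
    if len(parts) == 4:
        return parts[0].lower(), parts[1]
    raise ValueError("unsupported -R form: " + r_spec)

def listen_allowed(line, r_spec):
    """True/False when permitlisten restricts the key, None when it is absent."""
    rules = permitted_listens(line)
    if not rules:
        return None
    host, port = listen_request(r_spec)
    return any(h in (None, host) and p in ("*", port) for h, p in rules)

# The entry from the post; the key blob is truncated there and left as is.
ENTRY = 'restrict,permitlisten="localhost:8080" ssh-rsa AAAAB3Nza...'
if __name__ == "__main__":
    for spec in ("8080:localhost:80", "8081:localhost:80"):
        print(spec, "->", listen_allowed(ENTRY, spec))
```

A None result marks a key whose remote forwards are not limited by permitlisten at all, which is the case worth flagging when reviewing restricted accounts.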
bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-19 05:37 UTC
[Bug 2716] [PATCH] Add "permitlisten" support for -R style forward
https://bugzilla.mindrot.org/show_bug.cgi?id=2716

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org
         Resolution|---                         |FIXED

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
PermitListen (configuration directive) and a permitlisten authorized_keys
directive were added in OpenSSH 7.8

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Apr-23 05:08 UTC
[Bug 2716] [PATCH] Add "permitlisten" support for -R style forward
https://bugzilla.mindrot.org/show_bug.cgi?id=2716

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.