bugzilla-daemon at bugzilla.mindrot.org
2018-Mar-21 14:22 UTC
[Bug 2842] New: PermitListen, like PermitOpen but for -R (remote port forwarding)
https://bugzilla.mindrot.org/show_bug.cgi?id=2842
Bug ID: 2842
Summary: PermitListen, like PermitOpen but for -R (remote port
forwarding)
Product: Portable OpenSSH
Version: 7.6p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: bolt at dhampir.no
I made a setup where several road warriors (varying IPs) connect to
home base and forward one port each to their local SSH ports, i.e.:
"ssh rw1002@homebase -n -N -R 5002:localhost:22"
"ssh rw1003@homebase -n -N -R 5003:localhost:22"
I cannot find an option to restrict user rw1002 from forwarding port
5003, or for that matter stealing port 1080 or 8080 or whatever else
local services might be configured to use if they're not running at the
time. Several important things use ports >=1024 these days.
PermitOpen restricts destinations for forwarding with -L.
I'm missing a similar option for -R.
Example:
Match User rw1002
    PermitListen 5002
Match User rw1003
    PermitListen 0.0.0.0:5003
Match User rw1004
    PermitListen localhost:5004
Similarly, having the option to do this in authorized_keys files would,
I think, be awesome.
--
You are receiving this mail because:
You are watching the assignee of the bug.
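Added example, not part of the original report and not sshd's own code: a small model of the per-user listen restriction requested above, parsing the report's example syntax and checking requested -R listeners against it. The function names, the "no entry means unrestricted" rule and the "no host means any bind address" rule are assumptions made for illustration.

```python
# Added example: models the restriction proposed in the report.
# Simplified on purpose: only "Match User <name>" blocks and "PermitListen"
# lines in the [host:]port form shown in the report are understood
# (no IPv6 brackets, no wildcards, no other Match criteria).

SAMPLE_CONFIG = """\
Match User rw1002
    PermitListen 5002
Match User rw1003
    PermitListen 0.0.0.0:5003
Match User rw1004
    PermitListen localhost:5004
"""  # constructed from the example in the report


def parse_policy(text):
    """Return {user: [(host_or_None, port), ...]} from Match User blocks."""
    policy, user = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        key = words[0].lower()
        if key == "match":
            # Anything other than "Match User <name>" is ignored by this model.
            is_user = len(words) == 3 and words[1].lower() == "user"
            user = words[2] if is_user else None
        elif key == "permitlisten" and user is not None:
            for spec in words[1:]:
                host, _, port = spec.rpartition(":")
                policy.setdefault(user, []).append((host or None, int(port)))
    return policy


def listen_allowed(policy, user, bind_host, port):
    """True if the requested -R listener matches one of the user's entries.

    Assumptions: a user with no entry is unrestricted (the situation the
    report describes), and an entry without a host matches any bind address.
    """
    if user not in policy:
        return True
    return any(p == port and (h is None or h == bind_host)
               for h, p in policy[user])
```

With the sample policy, rw1002 may listen on 5002 but not on 5003 or 8080, while an account with no entry can still claim any port.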
bugzilla-daemon at bugzilla.mindrot.org
2018-Mar-21 15:06 UTC
[Bug 2842] PermitListen, like PermitOpen but for -R (remote port forwarding)
https://bugzilla.mindrot.org/show_bug.cgi?id=2842
bolt at dhampir.no changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |bolt at dhampir.no
bugzilla-daemon at bugzilla.mindrot.org
2018-Mar-21 15:46 UTC
[Bug 2842] PermitListen, like PermitOpen but for -R (remote port forwarding)
https://bugzilla.mindrot.org/show_bug.cgi?id=2842
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jjelen at redhat.com
--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
Isn't this solved by the patch proposed in bug #2038?
bugzilla-daemon at bugzilla.mindrot.org
2018-Mar-21 18:30 UTC
[Bug 2842] PermitListen, like PermitOpen but for -R (remote port forwarding)
https://bugzilla.mindrot.org/show_bug.cgi?id=2842
bolt at dhampir.no changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |DUPLICATE
Status|NEW |RESOLVED
--- Comment #2 from bolt at dhampir.no ---
It does indeed seem like that would take care of this issue.
My search-fu needs more practice, it would seem.
Thanks.
*** This bug has been marked as a duplicate of bug 2038 ***
bugzilla-daemon at mindrot.org
2021-Apr-23 04:59 UTC
[Bug 2842] PermitListen, like PermitOpen but for -R (remote port forwarding)
https://bugzilla.mindrot.org/show_bug.cgi?id=2842
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release