bugzilla-daemon at bugzilla.mindrot.org
2018-Mar-26 20:39 UTC
[Bug 2846] New: PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

            Bug ID: 2846
           Summary: PermitOpen rule in sshd_config is not case insensitive
           Product: Portable OpenSSH
           Version: 7.6p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: paebbels at gmail.com

The PermitOpen rule in sshd_config holds a list of TCP endpoints and port number tuples delimited by a space character. The endpoint can be specified as IP address or FQDN. FQDNs are case insensitive, but sshd performs a case sensitive check.

The sshd configuration in sshd_config:

    PermitOpen=gitlab.company.de:80 lynq.company.de:3121

Here is the ssh client call:

    ssh -L 3121:Lynq.company.de:3121 remote.company.de

Solution: Perform a case insensitive check.

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06 03:32 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2852
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
It would be better to compare FQDNs case-insensitively. There are some corner cases that make implementation a bit more tricky:

The same ForwardPermission members are used for FQDNs, addresses (which are treated as strings anyway) and Unix domain socket paths.

FQDNs are the only ones of these that should be simply compared case-insensitively. Paths are obviously case-sensitive, but surprisingly addresses can be too: IPv6 addresses may have an interface scope that is case-sensitive on some platforms. See bug #2763 for an example of this.

IMO the best way to approach this would be when we are parsing the configuration by doing something similar to what ssh does with hostnames. If it's a Unix domain socket path, leave it alone. If it looks like an address, give it a round-trip through getaddrinfo w/AI_NUMERICHOST and getnameinfo to render it as a canonical string. Otherwise, it's a fqdn and lowercase it.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2852
[Bug 2852] Tracking bug for OpenSSH 7.8 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-10 01:38 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2893

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Retarget remaining bugs planned for 7.8 release to 7.9

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2893
[Bug 2893] Tracking bug for 7.9 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-10 01:38 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Retarget remaining bugs planned for 7.8 release to 7.9
bugzilla-daemon at bugzilla.mindrot.org
2018-Aug-10 01:38 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2852                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2852
[Bug 2852] Tracking bug for OpenSSH 7.8 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-19 06:13 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2915

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Retarget unfinished bugs to OpenSSH 8.0

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2915
[Bug 2915] Tracking bug for 8.0 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-19 06:14 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Retarget unfinished bugs to OpenSSH 8.0
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-19 06:15 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2893                        |

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Retarget unfinished bugs to OpenSSH 8.0

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2893
[Bug 2893] Tracking bug for 7.9 release
bugzilla-daemon at bugzilla.mindrot.org
2019-Apr-02 23:09 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2988

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2988
[Bug 2988] Tracking bug for 8.1 release
bugzilla-daemon at bugzilla.mindrot.org
2019-Apr-02 23:10 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2915                        |

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
Retarget outstanding bugs at next release

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2915
[Bug 2915] Tracking bug for 8.0 release
bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-09 04:06 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3079

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3079
[Bug 3079] Tracking bug for 8.2 release
bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-09 04:07 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

--- Comment #8 from Damien Miller <djm at mindrot.org> ---
Retarget these bugs to 8.2 release
bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-09 04:08 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|2988                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2988
[Bug 2988] Tracking bug for 8.1 release
bugzilla-daemon at bugzilla.mindrot.org
2020-Feb-04 00:44 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3117

--- Comment #9 from Damien Miller <djm at mindrot.org> ---
Prepare for 8.2 release; retarget bugs

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3117
[Bug 3117] Tracking bug for 8.2 release
bugzilla-daemon at bugzilla.mindrot.org
2020-Feb-04 00:45 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3079                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3079
[Bug 3079] Tracking bug for 8.2 release
bugzilla-daemon at mindrot.org
2020-May-08 03:38 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3162

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
bugzilla-daemon at mindrot.org
2020-May-08 03:39 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3117                        |

--- Comment #10 from Damien Miller <djm at mindrot.org> ---
Retarget bugs to 8.4 release

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3117
[Bug 3117] Tracking bug for 8.3 release
bugzilla-daemon at mindrot.org
2020-Oct-02 04:49 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3217

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3217
[Bug 3217] Tracking bug for 8.5 release
bugzilla-daemon at mindrot.org
2020-Oct-02 04:52 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3162                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
bugzilla-daemon at mindrot.org
2021-Mar-03 22:49 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3217                        |3270

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3217
[Bug 3217] Tracking bug for 8.5 release
https://bugzilla.mindrot.org/show_bug.cgi?id=3270
[Bug 3270] Tracking bug for 8.6 release
bugzilla-daemon at mindrot.org
2021-Apr-23 04:49 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3302

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3302
[Bug 3302] Tracking bug for openssh-8.7
bugzilla-daemon at mindrot.org
2021-Apr-23 04:50 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

--- Comment #11 from Damien Miller <djm at mindrot.org> ---
retarget after 8.6p1 release
bugzilla-daemon at mindrot.org
2021-Apr-23 04:51 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3270                        |

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3270
[Bug 3270] Tracking bug for 8.6 release
bugzilla-daemon at mindrot.org
2021-Jul-02 05:59 UTC
[Bug 2846] PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3302                        |

--- Comment #12 from Damien Miller <djm at mindrot.org> ---
Actually, this is really fiddly to do properly. We can't reliably roundtrip through getaddrinfo/getnameinfo because the PermitOpen directives may refer to addresses scoped to interfaces that may happen not to be available at the time of sshd_config parsing (e.g. some sort of ephemeral tunnel interface). Attempting to scrub these addresses this way could cause them to be incorrectly rejected.

So a better heuristic would be to detect the hostname case (i.e. not path and not address) and only lowercase those. We'd also need to do the same to hostnames coming in for forwarding requests, subject to similar rules.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3302
[Bug 3302] Tracking bug for openssh-8.7
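The heuristic discussed in comments #1 and #12, sketched as an added example (not OpenSSH code and not written by anyone in this thread): classify the host part of a PermitOpen entry without calling the resolver, lowercase only hostnames, and apply the same normalization to the requested host before comparing. The function names, the 256-byte limit and the "contains a slash" test for Unix domain socket paths are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum host_kind { HOST_PATH, HOST_ADDR, HOST_NAME };

/* Classify a host string without the resolver, so a scoped address whose
 * interface is absent at config-parse time is still seen as an address. */
enum host_kind classify_host(const char *h)
{
    unsigned char buf[sizeof(struct in6_addr)];
    char bare[256] = {0};
    size_t n = strcspn(h, "%");     /* length up to any "%scope" suffix */
    if (strchr(h, '/') != NULL)
        return HOST_PATH;           /* assumption: socket paths contain '/' */
    if (n < sizeof(bare))
        memcpy(bare, h, n);         /* oversized input leaves bare empty */
    if (inet_pton(AF_INET, h, buf) == 1 || inet_pton(AF_INET6, bare, buf) == 1)
        return HOST_ADDR;
    return HOST_NAME;
}

/* Lowercase hostnames only; paths and addresses keep their exact bytes. */
enum host_kind normalize_host(char *h)
{
    enum host_kind k = classify_host(h);
    for (; k == HOST_NAME && *h != '\0'; h++)
        *h = (char)tolower((unsigned char)*h);
    return k;
}

/* Returns 1 if the requested host matches the permitted one once both
 * sides have been normalized by the same rule, 0 otherwise. */
int permitopen_host_match(const char *allowed, const char *requested)
{
    char a[256], r[256];
    if (strlen(allowed) >= sizeof(a) || strlen(requested) >= sizeof(r))
        return 0;
    strcpy(a, allowed);
    strcpy(r, requested);
    return normalize_host(a) == normalize_host(r) && strcmp(a, r) == 0;
}

int main(void)
{
    /* Constructed inputs: the report's hostname pair, then a scoped address. */
    printf("%d\n", permitopen_host_match("lynq.company.de", "Lynq.company.de"));
    printf("%d\n", permitopen_host_match("fe80::1%eth0", "fe80::1%ETH0"));
    return 0;
}
```

The interface scope after `%` is compared byte for byte, which keeps the case-sensitive scope behaviour that comment #1 warns about.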