bugzilla-daemon at bugzilla.mindrot.org
2019-Nov-27 09:55 UTC
[Bug 3099] New: no name lookup (and not documented) for permitopen option
https://bugzilla.mindrot.org/show_bug.cgi?id=3099
Bug ID: 3099
Summary: no name lookup (and not documented) for permitopen option
Product: Portable OpenSSH
Version: 7.2p2
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: phil at solidstatescientific.com
Empirical evidence indicates that name lookup is not done when
comparing the host given in the client's -L option argument and the
host given in authorized_keys' permitopen option. For example, if
permitopen specifies 127.0.0.1, and ssh -L offers localhost (or vice
versa), the port forward will not be permitted.
This is slightly counterintuitive.
There may be a legitimate reason why the name lookup deliberately is
not done (though I'd be hard pressed to come up with such a reason).
But if so, it would be nice if the fact were documented. It's
currently not mentioned on the sshd man page. The man page does
mention no pattern matching on the host, but it doesn't say anything
about no name lookup.
But if there isn't a reason for it (beyond just haven't got to it yet),
please consider adding it.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-25 06:06 UTC
[Bug 3099] no name lookup (and not documented) for permitopen option
https://bugzilla.mindrot.org/show_bug.cgi?id=3099
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
CC| |djm at mindrot.org
Status|NEW |RESOLVED
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I've added some verbiage to the manual pages to make it clear that no
hostname expansion is performed on PermitOpen/permitopen contents. This
will be shipped in OpenSSH 8.2.
We don't want to add hostname expansion on this path, it's complicated
enough as it is.
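As an added example, not part of the bug report and not OpenSSH's own code, the shell script below models the behaviour the thread describes: sshd compares the host string in a permitopen= entry byte-for-byte against the destination the client sent in its -L request, with no name lookup, so "localhost" and "127.0.0.1" are distinct entries even though they resolve to the same address. The helper names permitopen_allows and authorized_keys_options, the sample lists and requests, and the stripping of square brackets around IPv6 addresses are all assumptions of this model, not behaviour taken from the page. The remedy it demonstrates is the one that follows from the literal matching: list every spelling the client might send.

```shell
#!/bin/sh
# Added example (not OpenSSH code): a shell model of how sshd matches a
# permitopen= list against the destination in a client's -L request. Only the
# literal host string and port are compared; no name lookup is performed, so
# "localhost" and "127.0.0.1" are different entries even though they resolve to
# the same place. All lists and requests below are constructed for this demo.

# permitopen_allows LIST HOST PORT
#   LIST: space-separated host:port entries (as in a PermitOpen directive, or
#         collected from several permitopen= options in authorized_keys).
#   Returns 0 if HOST:PORT matches an entry literally, 1 otherwise.
#   Modelling assumption: square brackets around an IPv6 address are stripped
#   before comparison, so [::1]:8080 and ::1 port 8080 compare equal.
permitopen_allows() {
    list=$1; host=$2; port=$3
    host=${host#\[}; host=${host%\]}
    for entry in $list; do
        e_port=${entry##*:}        # text after the last ':'
        e_host=${entry%:*}         # text before the last ':'
        e_host=${e_host#\[}; e_host=${e_host%\]}
        [ "$e_host" = "$host" ] && [ "$e_port" = "$port" ] && return 0
    done
    return 1
}

# authorized_keys_options LIST
#   Renders LIST as the comma-separated option string used in authorized_keys,
#   e.g. permitopen="127.0.0.1:8080",permitopen="localhost:8080"
authorized_keys_options() {
    opts=""
    for entry in $1; do
        opts="${opts:+$opts,}permitopen=\"$entry\""
    done
    printf '%s\n' "$opts"
}

# --- demo ------------------------------------------------------------------
# Constructed authorized_keys restriction: forwards to 127.0.0.1:8080 only.
PERMIT="127.0.0.1:8080"

# ssh -L 9000:localhost:8080 user@server
# The client sends the string "localhost"; the literal comparison fails and
# sshd refuses the forward even though localhost resolves to 127.0.0.1.
if permitopen_allows "$PERMIT" localhost 8080; then
    echo "localhost:8080 allowed"
else
    echo "localhost:8080 refused: literal mismatch, no name lookup"
fi

# ssh -L 9000:127.0.0.1:8080 user@server  -> same bytes as the entry, allowed
if permitopen_allows "$PERMIT" 127.0.0.1 8080; then
    echo "127.0.0.1:8080 allowed"
fi

# Remedy: list every spelling the client might send, one permitopen= per form.
PERMIT_FIXED="127.0.0.1:8080 localhost:8080 [::1]:8080"
echo "authorized_keys options: $(authorized_keys_options "$PERMIT_FIXED")"
for dest in localhost 127.0.0.1 ::1 '[::1]'; do
    permitopen_allows "$PERMIT_FIXED" "$dest" 8080 && echo "$dest:8080 allowed"
done
```

Because the comparison is literal, the safe pattern is to write the permitopen= entries in exactly the form the client will put in its -L argument (or to pin both sides to an address rather than a name) and to verify the pairing once from the client before relying on it.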