bugzilla-daemon at mindrot.org
2021-Mar-10 08:23 UTC
[Bug 3275] New: PermitListen does not work in Match block and permitlisten= does not work in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=3275
Bug ID: 3275
Summary: PermitListen does not work in Match block and permitlisten= does not work in authorized_keys file
Product: Portable OpenSSH
Version: 8.5p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: evgeny.vasilchenko at protonmail.com
* CentOS Linux release 7.9.2009 (Core)
* OpenSSH_8.5p1, OpenSSL 1.0.2k-fips 26 Jan 2017 built from sources:
./configure --with-md5-passwords --with-pam --with-selinux
--with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh
1) as per https://man.openbsd.org/sshd_config.5#Match - Match block
allows "PermitListen" keyword - however:
----- /etc/ssh/sshd_config -----------
Match User user
PermitListen localhost:5555
--------------------------------------
# systemctl restart sshd
Job for sshd.service failed because the control process exited with
error code. See "systemctl status sshd.service" and "journalctl
-xe"
for details
# journalctl -xe
[...skipped...]
Mar 10 08:21:32 lbtest1 systemd[1]: Starting OpenSSH server daemon...
-- Subject: Unit sshd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has begun starting up.
Mar 10 08:21:32 lbtest1 sshd[3973]: /etc/ssh/sshd_config: line 142: Bad
configuration option: PermitListen
Mar 10 08:21:32 lbtest1 sshd[3973]: /etc/ssh/sshd_config line 142:
Directive 'PermitListen' is not allowed within a Match block
Mar 10 08:21:32 lbtest1 systemd[1]: sshd.service: main process exited,
code=exited, status=255/n/a
Mar 10 08:21:32 lbtest1 systemd[1]: Failed to start OpenSSH server
daemon.
-- Subject: Unit sshd.service has failed
--------------------------------------
2) The permitlisten= option does not work with or without IP address
while permitopen= works fine in authorized_key file.
---/home/user/.ssh/authorized_key ----
restrict,pty,port-forwarding,permitopen="localhost:22",permitlisten="5555"
ssh-rsa AAAAB3Nza
--------------------------------------
--- Remote port forwarding command and result ----
$ ssh 5555:localhost:22 user at xxx.xxx.xxx.xxx
user at xxx.xxx.xxx.xxx: Permission denied (publickey).
--------------------------------------
SSHD log file with DEBUG
------------------------
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: trying public key file
/home/user/.ssh/authorized_keys
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: fd 4 clearing O_NONBLOCK
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: allow port forwarding to
host localhost port 22
Mar 10 07:53:26 lbtest1 sshd[3781]: Bad options in
/home/user/.ssh/authorized_keys file, line 1: permitlisten="5555"
ssh-rsa AAAAB3NzaC1yc2EAAAADAQ
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: restore_uid: 0/0
Mar 10 07:53:26 lbtest1 sshd[3781]: Failed publickey for user from
xxx.xxx.xxx.xxx port 17445 ssh2: RSA
------------------------
------------------------
Mar 10 07:52:32 lbtest1 sshd[3773]: debug1: allow port forwarding to
host localhost port 22
Mar 10 07:52:32 lbtest1 sshd[3773]: Bad options in
/home/user/.ssh/authorized_keys file, line 1:
permitlisten="localhost:5555" ssh-rsa AAAAB3NzaC1y
Mar 10 07:52:32 lbtest1 sshd[3773]: debug1: restore_uid: 0/0
Mar 10 07:52:32 lbtest1 sshd[3773]: Failed publickey for user from
xxx.xxx.xxx.xxx port 50403 ssh2: RSA
------------------------
--
You are receiving this mail because:
You are watching the assignee of the bug.
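How sshd tokenizes the option prefix of an authorized_keys line, and why the key line quoted in this report is well formed yet would be refused by a build that does not know permitlisten. This is an added Python illustration, not code from OpenSSH: the option sets are constructed, OPTIONS_LEGACY is an assumption standing in for an older vendor sshd, and the linter assumes the line begins with an option list.

```python
# Subset of the authorized_keys options sshd 8.5p1 accepts (constructed from sshd(8)).
OPTIONS_8_5 = {"restrict", "pty", "no-pty", "port-forwarding", "no-port-forwarding",
               "permitopen", "permitlisten", "command", "from", "environment"}
OPTIONS_LEGACY = OPTIONS_8_5 - {"permitlisten"}  # assumed: a build predating permitlisten

def split_options(line):
    """Tokenize the leading option list of a key line -> ([(name, value|None)], rest)."""
    # Quoted values may hold commas and \" escapes, so a plain split(',') is wrong.
    opts, i, n = [], 0, len(line)
    while i < n and not line[i].isspace():
        start = i
        while i < n and line[i] not in '=,' and not line[i].isspace():
            i += 1
        name, value = line[start:i].lower(), None
        if i < n and line[i] == '=':                    # name="value"
            if line[i + 1:i + 2] != '"':
                raise ValueError(f'option {name}: value must be double-quoted')
            i, buf = i + 2, []
            while i < n and line[i] != '"':
                if line[i] == '\\' and line[i + 1:i + 2] == '"':
                    i += 1                              # escaped quote inside the value
                buf.append(line[i])
                i += 1
            if i >= n:
                raise ValueError(f'option {name}: unterminated quote')
            i, value = i + 1, ''.join(buf)
        opts.append((name, value))
        if i < n and line[i] == ',':
            i += 1
    return opts, line[i:].strip()

def forward_spec_ok(name, value):
    """permitopen needs host:port; permitlisten also accepts a bare port."""
    host, sep, port = value.rpartition(':')
    if not sep:                                         # bare port
        if name == 'permitopen':
            return False
        host = '*'
    return bool(host) and (port == '*' or (port.isdigit() and 0 < int(port) <= 65535))

def lint(line, known=OPTIONS_8_5):
    """Problems sshd would report for the option list; [] means it is accepted."""
    problems = []
    for name, value in split_options(line)[0]:
        if name not in known:                           # sshd logs "Bad options in ... file"
            problems.append(f'unknown option "{name}"')
        elif name in ('permitopen', 'permitlisten') and not forward_spec_ok(name, value or ''):
            problems.append(f'{name}: bad spec "{value}"')
    return problems
```

Running lint() on the report's key line with OPTIONS_LEGACY reproduces the "Bad options" rejection, while OPTIONS_8_5 accepts it, which is the check Darren's reply points at: the line is fine, the binary parsing it is old.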
bugzilla-daemon at mindrot.org
2021-Mar-10 08:25 UTC
[Bug 3275] PermitListen does not work in Match block and permitlisten= does not work in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=3275
Evgeny <evgeny.vasilchenko at protonmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |evgeny.vasilchenko at protonmail.com
bugzilla-daemon at mindrot.org
2021-Mar-10 10:05 UTC
[Bug 3275] PermitListen does not work in Match block and permitlisten= does not work in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=3275
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
Are you sure you are running the new binary? Because...
(In reply to Evgeny from comment #0)
> * OpenSSH_8.5p1, OpenSSL 1.0.2k-fips 26 Jan 2017 built from sources:
> ./configure --with-md5-passwords --with-pam --with-selinux
> --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh
by default sshd is installed in /usr/local/sbin:
$ ./configure --help
[...]
--prefix=PREFIX install architecture-independent files in PREFIX
[/usr/local]
and unless you changed the systemd unit file it's probably running the
vendor supplied one in /usr/sbin. A quick test with 8.5p1 here seems
to work with the fragment you quote:
$ cat config
Match User dtucker
PermitListen localhost:5555
$ sudo `pwd`/sshd -f `pwd`/config -ddde -p 2022 2>&1 | grep -i permit
debug3: reprocess config:2 setting PermitListen localhost:5555
bugzilla-daemon at mindrot.org
2021-Mar-10 20:21 UTC
[Bug 3275] PermitListen does not work in Match block and permitlisten= does not work in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=3275
--- Comment #2 from Evgeny <evgeny.vasilchenko at protonmail.com> ---
Darren, you are right. It was a late night for me when I submitted the bug and I missed this important part. Sorry.
Ev.
bugzilla-daemon at mindrot.org
2021-Mar-11 00:05 UTC
[Bug 3275] PermitListen does not work in Match block and permitlisten= does not work in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=3275
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|NEW |RESOLVED
--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
Glad it's working now!
bugzilla-daemon at mindrot.org
2021-Apr-23 04:55 UTC
[Bug 3275] PermitListen does not work in Match block and permitlisten= does not work in authorized_keys file
https://bugzilla.mindrot.org/show_bug.cgi?id=3275
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release