bugzilla-daemon at mindrot.org
2025-Apr-16 13:06 UTC
[Bug 3813] New: "at" port filter in authorized_keys
https://bugzilla.mindrot.org/show_bug.cgi?id=3813

            Bug ID: 3813
           Summary: "at" port filter in authorized_keys
           Product: Portable OpenSSH
           Version: 10.0p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: info at xn--whnlich-90a.de

The authorized_key file can be used to restrict access for users. The "from" option binds the incoming user to a client IP. I would like to extend this.

Please add an "at" filter that only allows incoming users (commands) on a specific server port. This would make it possible to set up targeted firewall rules. Also fail2ban could be set to this.

Example: Port 22 is open as a decoy, while admin is only allowed on port 10341.

Translated with DeepL.com (free version)

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-Apr-17 03:34 UTC
[Bug 3813] "at" port filter in authorized_keys
https://bugzilla.mindrot.org/show_bug.cgi?id=3813

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
You can achieve this currently using "Match LocalPort" in sshd_config, for example:

    Match LocalPort 22
        RefuseConnection yes
    Match LocalPort 10341
        ForceCommand /usr/local/bin/something
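The reporter's decoy-port scenario combined with the "Match LocalPort" approach from comment #1, as an added sshd_config fragment that is not part of the bug thread. The account name "admin" comes from the reporter's example; the use of AllowUsers, the key-only settings and the 1h penalty duration are assumptions chosen for illustration.

```conf
# Added example (constructed), not from the bug report or the OpenSSH project.

# sshd listens on both ports; Match LocalPort below tells them apart.
Port 22
Port 10341

# Global section: sources whose connections are terminated by
# RefuseConnection receive a penalty and are refused for a while.
# The 1h duration is an assumed value.
PerSourcePenalties refuseconnection:1h

# Decoy port: every connection is terminated unconditionally.
Match LocalPort 22
    RefuseConnection yes

# Admin port: only the assumed account "admin" may log in, keys only.
# Restrictions on individual keys (from=, command=, ...) still live in
# that user's authorized_keys file; this block limits the port and user.
Match LocalPort 10341
    AllowUsers admin
    PasswordAuthentication no
    AuthenticationMethods publickey
```

The effective settings for a given port can be checked before reloading with `sshd -T -C user=admin,lport=10341` and `sshd -T -C user=admin,lport=22`, which print the configuration after Match evaluation.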
bugzilla-daemon at mindrot.org
2025-Apr-30 23:18 UTC
[Bug 3813] "at" port filter in authorized_keys
https://bugzilla.mindrot.org/show_bug.cgi?id=3813

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|10.0p1                      |10.0p2