similar to: [Bug 1857] New: [RFE] restrict port forwarding to localhost

Displaying 20 results from an estimated 6000 matches similar to: "[Bug 1857] New: [RFE] restrict port forwarding to localhost"

2016 Aug 02
0
[Bug 1857] [RFE] restrict port forwarding to localhost
https://bugzilla.mindrot.org/show_bug.cgi?id=1857 Damien Miller <djm at mindrot.org> changed: What: Status | Removed: RESOLVED | Added: CLOSED --- Comment #6 from Damien Miller <djm at mindrot.org> --- Close all resolved bugs after 7.3p1 release
2008 Aug 27
18
[Bug 1513] New: CIDR address/masklen matching support for permitopen=
https://bugzilla.mindrot.org/show_bug.cgi?id=1513 Summary: CIDR address/masklen matching support for permitopen= Product: Portable OpenSSH Version: 5.1p1 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org
2009 Jun 12
2
Restrict port forwarding on server
Hi, Is there a way to restrict port forwarding on the server? I want only port 8080 on the server to be available to clients. Example when I give this command clients should be able to connect: ssh -L 30300:localhost:8080 .... When I give this for example clients should not be able to connect: ssh -L 30300:localhost:4040 .... I tried this option in config file of server: PermitOpen
2002 Aug 13
1
[PATCH] global port forwarding restriction
Here's another patch for people providing ssh access to restricted environments. We allow our users to use port forwarding when logging into our mail servers so that they can use it to fetch mail over an encrypted channel using clients that don't support TLS, for example fetchmail. (In fact, fetchmail has built-in ssh support.) However we don't want them connecting to other places
2018 Mar 26
23
[Bug 2846] New: PermitOpen rule in sshd_config is not case insensitive
https://bugzilla.mindrot.org/show_bug.cgi?id=2846 Bug ID: 2846 Summary: PermitOpen rule in sshd_config is not case insensitive Product: Portable OpenSSH Version: 7.6p1 Hardware: Other OS: Linux Status: NEW Severity: major Priority: P5 Component: sshd Assignee: unassigned-bugs
2006 Dec 05
3
[Bug 1267] PermitOpen - Multiple forwards don't works
http://bugzilla.mindrot.org/show_bug.cgi?id=1267 Summary: PermitOpen - Multiple forwards don't works Product: Portable OpenSSH Version: v4.5p1 Platform: ix86 OS/Version: Cygwin on NT/2k Status: NEW Severity: security Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org
2010 Jul 18
20
[Bug 1800] New: PermitUserEnvironment accepting pattern of allowed userenv variables
https://bugzilla.mindrot.org/show_bug.cgi?id=1800 Summary: PermitUserEnvironment accepting pattern of allowed userenv variables Product: Portable OpenSSH Version: 5.5p1 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo:
2009 Aug 12
2
Restrict a client port-forward to 1 port
Hi, Is it possible to restrict a client port-forwarding to one port? For example I want client X to open only port 1037 on server through port-forwarding, client Y only port 1038 and so on... How can this be possible? I use private/public keys authentication. Client version is openssh3.8p1, is windows client, and server version is latest openssh on a linux machine. Can anyone help please? Thank
2020 May 05
1
[Bug 3159] New: authorized_keys: gap in port forwarding restrictions
https://bugzilla.mindrot.org/show_bug.cgi?id=3159 Bug ID: 3159 Summary: authorized_keys: gap in port forwarding restrictions Product: Portable OpenSSH Version: 8.0p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: unassigned-bugs
2007 Dec 12
58
[Bug 1402] New: [RFE] Support auditing through Linux Audit subsystem
https://bugzilla.mindrot.org/show_bug.cgi?id=1402 Summary: [RFE] Support auditing through Linux Audit subsystem Classification: Unclassified Product: Portable OpenSSH Version: 4.7p1 Platform: Other OS/Version: Linux Status: NEW Keywords: patch Severity: normal Priority: P2 Component: sshd
2011 Nov 06
13
[Bug 1949] New: PermitOpen none option
https://bugzilla.mindrot.org/show_bug.cgi?id=1949 Bug #: 1949 Summary: PermitOpen none option Classification: Unclassified Product: Portable OpenSSH Version: 5.9p1 Platform: All OS/Version: OpenBSD Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo:
2017 May 05
3
[Bug 2711] New: Patch to add permitgwport and restrict permitopen to be a default deny
https://bugzilla.mindrot.org/show_bug.cgi?id=2711 Bug ID: 2711 Summary: Patch to add permitgwport and restrict permitopen to be a default deny Product: Portable OpenSSH Version: 7.2p2 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component:
2023 Nov 12
1
Match Principal enhancement
AFAIK everything you described here could be done using the AuthorizedKeysCommand or AuthorizedPrincipalsCommand directives. These can emit authorized_keys options (inc. permitopen) as well as the allowed keys/principals. On Sun, 12 Nov 2023, Bret Giddings wrote: > Hi OpenSSH devs, > > I'm wondering if the following has any merit and can be done securely ... > > If you could
2023 Nov 12
1
Match Principal enhancement
Hi OpenSSH devs, I'm wondering if the following has any merit and can be done securely ... If you could match on principals in the sshd_config, then (for example) on a gateway machine, you could have something like /etc/ssh/authorized_keys/sshfwd: cert-authority,principals="batcha-fwd,batchb-fwd" ... /etc/ssh/sshd_config containing: Match User sshfwd PubkeyAuthentication yes
2008 Aug 22
1
CIDR address/masklen matching support for permitopen="host:port" restrictions?
Dear openssh-unix-dev list, in OpenSSH 5.1 you introduced CIDR address/masklen matching for "Match address" blocks in sshd_config as well as supporting CIDR matching in ~/.ssh/authorized_keys from="..." restrictions in sshd. I wonder whether CIDR address/masklen matching will be implemented for permitopen="host:port" restrictions in sshd as well, that would be quite
2017 May 08
2
[PATCH] / permitgwports / permitlisten
Hi Phillipp, developers; I likewise just submitted a patch for similar. It is buried under the thread named OpenSSH contract development / patch. At the request of the OpenSSH dev team, I submitted our patch in the mindrot Bugzilla https://bugzilla.mindrot.org/show_bug.cgi?id=2711 Your patch, I see is available there too https://bugzilla.mindrot.org/show_bug.cgi?id=2716 Anyhow, just drawing
2012 Aug 29
39
[Bug 2038] New: permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Priority: P5 Bug ID: 2038 Assignee: unassigned-bugs at mindrot.org Summary: permitopen functionality but for remote forwards Severity: enhancement Classification: Unclassified OS: Other Reporter: damonswirled at gmail.com Hardware: Other
2006 Jan 31
1
External port forwarding control mechanism
Hi, I'm looking for the best way to include an external decision mechanism into OpenSSH, which allows it to restrict port forwarding only to destination ports which are defined in a special external control file for the authenticated session. The authenticated ssh user should only be allowed to connect to this dedicated port to tunnel a VNC session through ssh. So the server side has to
2006 May 15
2
winbind and AD password updates
Hi! I've been trying to get password changes to work from a SuSE machine to an AD server. Authentication works fine in AD mode, so at least that bit is correct. When trying to change the password, I get PAM error 4 back. Checking in the logs, I see that winbind fails with the error NT_STATUS_PASSWORD_RESTRICTION. From Microsoft's documentation, I can read that this means that there
2011 Sep 30
0
openssh remote port forwarding and permitopen
I have an application where a lot of end user CPE devices ssh in automatically to a central server, and are authenticated by public key, to do remote (-R) port forwarding, so we can open a connection back to a particular port on the remote device whether it's behind some NAT or firewall or whatever. I want to be certain, however, that if I open port 12345, it is connected to the correct end