similar to: openssh remote port forwarding and permitopen

I have a situation where a number of potentially hostile clients ssh to a host I control, each ssh'ing in as the same user, and each forwarding a remote port back to them. So, the authorized_keys file looks like: no-agent-forwarding,command="/bin/true",no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:7" ssh-rsa AAAAB....vnRWxcgaK9xXoU= client1234 at example.com

https://bugzilla.mindrot.org/show_bug.cgi?id=3159 Bug ID: 3159 Summary: authorized_keys: gap in port forwarding restrictions Product: Portable OpenSSH Version: 8.0p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: unassigned-bugs

Dear openssh-unix-dev list, in OpenSSH 5.1 you introduced CIDR address/masklen matching for "Match address" blocks in sshd_config as well as supporting CIDR matching in ~/.ssh/authorized_keys from="..." restrictions in sshd. I wonder whether CIDR address/masklen matching will be implemented for permitopen="host:port" restrictions in sshd as well, that would be quite

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I was setting up sshd on a netbsd box to allow cygwin users to auto-ssh in, and be rsync'ed. I wanted to secure the install such that a compromised or stolen cygwin client could not be used to attack the sshd server. Setting shell to /usr/bin/false and using -N client side were helpful. I disabled portforwarding for the client sshkey, and

https://bugzilla.mindrot.org/show_bug.cgi?id=2711 Bug ID: 2711 Summary: Patch to add permitgwport and restrict permitopen to be a default deny Product: Portable OpenSSH Version: 7.2p2 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component:

https://bugzilla.mindrot.org/show_bug.cgi?id=2347 Bug ID: 2347 Summary: permitopen doesn't work with unix domain sockets Product: Portable OpenSSH Version: 6.7p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs

Here's another patch for people providing ssh access to restricted environments. We allow our users to use port forwarding when logging into our mail servers so that they can use it to fetch mail over an encrypted channel using clients that don't support TLS, for example fetchmail. (In fact, fetchmail has built-in ssh support.) However we don't want them connecting to other places

https://bugzilla.mindrot.org/show_bug.cgi?id=2038 Priority: P5 Bug ID: 2038 Assignee: unassigned-bugs at mindrot.org Summary: permitopen functionality but for remote forwards Severity: enhancement Classification: Unclassified OS: Other Reporter: damonswirled at gmail.com Hardware: Other

I've just discovered the permitopen flag. We need such a feature for our poor man's VPN services, but this flag seems to be usable only if you generate your authorized_keys file from a database or something like that: keeping a long list of host/port combinations up to date for several users and keys is no fun. As announced before, we have developed a far more powerful mechanism for

https://bugzilla.mindrot.org/show_bug.cgi?id=2582 Bug ID: 2582 Summary: Allow PermitOpen to use a wildcard hostname with a fixed port Product: Portable OpenSSH Version: 7.2p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: sshd

http://bugzilla.mindrot.org/show_bug.cgi?id=1267 Summary: PermitOpen - Multiple forwards don't works Product: Portable OpenSSH Version: v4.5p1 Platform: ix86 OS/Version: Cygwin on NT/2k Status: NEW Severity: security Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org

Attached is a patch which adds a log= directive to authorized_keys. The text in the log="text" directive is appended to the log line, so you can easily tell which key is matched. For instance the line: log="hello world!",no-agent-forwarding,command="/bin/true",no-pty, no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:7" ssh-rsa AAAAB3Nza....xcgaK9xXoU=

On Wed, 27 Aug 2008, Damien Miller wrote: > On Tue, 26 Aug 2008, Peter Stuge wrote: > > On Fri, Aug 22, 2008 at 11:22:34AM +0200, Bert Courtin wrote: > > > I wonder whether CIDR address/masklen matching will be implemented > > > for permitopen="host:port" restrictions in sshd as well, that would > > > be quite beneficially (at least for me, maybe

https://bugzilla.mindrot.org/show_bug.cgi?id=1513 Summary: CIDR address/masklen matching support for permitopen= Product: Portable OpenSSH Version: 5.1p1 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org

Hi OpenSSH developers; Thank you for your amazing work. I?m emailing to see if any knowledgeable OpenSSH developer is willing to help us review / revamp some patches we have for OpenSSH, and provide advice on some of the more advanced uses of OpenSSH. This would be a for pay contract engagement. We are trying to be super respectful of the process, and are happy to be very creative ? we are

https://bugzilla.mindrot.org/show_bug.cgi?id=2335 Bug ID: 2335 Summary: Config parser accepts ip/port in ListenAddress and PermitOpen Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd

> From: Juanito <juam at posteo.net> > > If I create a tunnel like this from the client side, > > ssh -nNTv -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o IdentitiesOnly=yes -o UserKnownHostsFile=$known_hosts_file -i /etc/sshquare/id_rsa -R $port:localhost:22 $user@$host > > would it be possible on the server side to restrict $port to say 10000 > and

https://bugzilla.mindrot.org/show_bug.cgi?id=2001 Bug #: 2001 Summary: Document PermitOpen none in man page Classification: Unclassified Product: Portable OpenSSH Version: -current Platform: All OS/Version: OpenBSD Status: NEW Severity: trivial Priority: P2 Component: Documentation

Hi, I've recently run into a situation where it I want clients (or certain keys) to connect to an OpenSSH server and set up a remote port forwarding channel (-R) without allowing them to do anything else. It seems that current OpenSSH doesn't support this. I would like to suggest the following changes to the options for authorized_keys: * add a no-local-forwarding option that denies

OpenSSH 4.4 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches,